I am trying to mount the EFS with EC2 and what I have done is created the EFS on private subnet and EC2 on public subnet. The private and public subnets are in different availability regions for example us-east-1 and us-east-2.
I am able to connect the EC2 and EFS if I put both of them in the public network. As per the official AWS docs, it says
"Ensure that there's an Amazon EFS mount target in the same
Availability Zone as the Amazon EC2 instance"
I don't want to put the EFS in public subnet.
When mounting the EFS to the EC2 I am getting this error message:
sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport fs-b3XXXXXXXXXXXXXXXXX.amazonaws.com:/ /mnt/wordpress
mount.nfs4: Failed to resolve server fs-b3XXXXXXXXXXXXXXXXX.amazonaws.com: No address associated with hostname
The dhcp and dns related settings for VPC are all turned on.
I don't want to put the EFS in public subnet.
That's good. You shouldn't, although it technically would not matter because EFS endpoints are still private even when placed in a public subnet.
But if you only have two subnets -- one public, one private -- in a VPC, then they almost certainly should be in the same availability zone. Traffic crossing AZ boundaries is billable per gigabyte, and this is exactly why you should never try to mount EFS across zone boundaries. This error appears to be protecting you from yourself.
As noted, you probably shouldn't have one subnet in one AZ and one in another without a compelling reason, so fixing that is one solution. Another solution is to simply add a new private subnet in the correct zone. EFS has no problem crossing subnet boundaries within a zone, and there is no bandwidth charge in that case.
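The check behind this answer, as an added example (not the asker's or AWS's code): given mount-target records in the shape of `aws efs describe-mount-targets` output (constructed here, with placeholder IDs), pick the mount target in the client's own AZ, list the AZs that still need a subnet and mount target, and build the AZ-scoped mount target DNS name in the format AWS documents (`az.fs-id.efs.region.amazonaws.com`).

```python
# Constructed sample in the shape of `aws efs describe-mount-targets`
# output (placeholder IDs and addresses); not real AWS data.
MOUNT_TARGETS = [
    {"MountTargetId": "fsmt-EXAMPLE1", "AvailabilityZoneName": "us-east-1a",
     "SubnetId": "subnet-EXAMPLE1", "IpAddress": "10.0.1.25",
     "LifeCycleState": "available"},
    {"MountTargetId": "fsmt-EXAMPLE2", "AvailabilityZoneName": "us-east-1b",
     "SubnetId": "subnet-EXAMPLE2", "IpAddress": "10.0.2.40",
     "LifeCycleState": "creating"},
]


def mount_target_for_az(mount_targets, az):
    """IP of the usable ('available') mount target in `az`, or None.

    A target still in 'creating' or 'deleting' state is skipped: the
    client should not be pointed at it until it is available."""
    for mt in mount_targets:
        if mt["AvailabilityZoneName"] == az and mt["LifeCycleState"] == "available":
            return mt["IpAddress"]
    return None


def missing_azs(mount_targets, client_azs):
    """AZs that host clients but have no usable mount target. The fix the
    answer gives is a subnet plus mount target in each of these, not a
    cross-AZ mount."""
    covered = {mt["AvailabilityZoneName"] for mt in mount_targets
               if mt["LifeCycleState"] == "available"}
    return sorted(set(client_azs) - covered)


def az_mount_target_dns(file_system_id, region, az):
    """AZ-scoped mount target DNS name. Like the file-system DNS name it
    resolves only from inside the VPC, but it pins the lookup to one AZ."""
    return f"{az}.{file_system_id}.efs.{region}.amazonaws.com"


def mount_source(mount_targets, file_system_id, region, az):
    """What to put before ':/' in the mount command for a client in `az`:
    the AZ-scoped DNS name if a target exists there, else None so the caller
    adds a mount target instead of reaching into another AZ."""
    if mount_target_for_az(mount_targets, az) is None:
        return None
    return az_mount_target_dns(file_system_id, region, az)
```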
Related
I am trying to mount a shared EFS in one account's VPC from EC2 instances in another account's VPC.
I have a transit gateway set up with the relevant routing in place.
I am trying to mount with DNS; the EFS DNS is only resolvable in the account where it resides, and I am trying to steer away from using IPs because the EC2s can be in different availability zones.
Is there any way to resolve the DNS with a single DNS entry that will resolve to the mount target in the correct availability zone?
Authorizing hosted zones between is not an issue, I am just struggling to find a clean way of doing this. I've thought of trying efs-a.example.com and its respective AZ mount target IP. But I'd still like something like efs.example.com to resolve to the respective AZ's EFS IP.
Is using IPs the only way to mount correctly based on AZs, besides the similar solution above?
My issue is basically what is said in this question, except it's about EFS rather than EC2, and I can't solve my problem with Route 53 as is suggested there.
I have an EFS instance and I try to mount it locally on my Windows machine (over WSL running Ubuntu 22.04.1 LTS) like so:
sudo mount -t efs -o tls,accesspoint=fsap-08fa969084c23b344 fs-003f3467bf1e15b13:/ efs
This results in the following:
Failed to resolve "fs-003f3467bf1e15b13.efs.us-east-1.amazonaws.com" - check that your file system ID is correct, and ensure that the VPC has an EFS mount target for this file system ID.
See https://docs.aws.amazon.com/console/efs/mount-dns-name for more detail.
Attempting to lookup mount target ip address using botocore. Failed to import necessary dependency botocore, please install botocore first.
It seems that the issue arises from the fact that I'm not trying to access EFS from an EC2 instance in my VPC, but from the public internet, where the DNS fs-003f3467bf1e15b13.efs.us-east-1.amazonaws.com and the private IP 172.31.43.109 obviously can't be resolved.
Therefore, I want to assign a static Elastic IP to the network interface of EFS, so I can access it publicly, but I get the following error:
Failed to associate address with eni-0fa8cf69d68b7bb01: You do not have permission to access the specified resource.
I don't think that I "do not have permission" because I'm the owner of the account and I have the AdministratorAccess IAM policy.
Is there a way to make EFS publicly accessible or mount it in any other way on my own machine?
Therefore, I want to assign a static Elastic IP to the network interface of EFS, so I can access it publicly, but I get the following error:
That's not a supported configuration on AWS. You can't assign a public IP to EFS. You need to look into SSH tunneling, or a VPN connection into the VPC, in order to mount an EFS volume from outside the VPC.
My guess is that AWS doesn't allow me to make EFS publicly available because that might make their AWS Transfer Family product obsolete, since it seems to solve the same problem - using EFS outside the cloud.
That's a very cynical take on things. In actuality Amazon simply designed EFS to be a service that complemented their compute services (EC2, ECS, EKS, Fargate, and Lambda). They did not design it to be a global, public NFS mountable file system.
I have an EFS file system. I have created two mounts, one for us-east-1a and another for us-east-1b, and both are in the same VPC. Now I have a requirement to add a mount point that's in a different VPC but in the same account. When I try to create the mount target I get the below error:
aws efs create-mount-target --file-system-id fs-abcdef --subnet-id subnet-156fd195808k8l --security-groups sg-99b88u518a368dp
An error occurred (MountTargetConflict) when calling the CreateMountTarget operation: requested subnet for new mount target is not in the same VPC as existing mount targets
Is there a way I can use the EFS in two different VPCs?
VPC peering or a Transit Gateway is enough for an NFS client in a different VPC to connect to EFS in a separate VPC.
Only one mount target for a given EFS is needed per AZ. The error shows that you already have a mount target for that AZ for the specific EFS.
To connect your NFS client you can follow the AWS-provided documentation.
Is it possible to use an EFS in AWS for several instances located in different regions?
If not, is it possible to do something like that using the AWS console? Latency or throughput between the EC2 instance and the network volume doesn't matter.
EFS can be accessed through Direct Connect or VPN. Establish a VPN connection between regions and you can mount EFS with the IP address of the corresponding mount target.
I would like to create an EFS in AWS, and it is said in the documentation that I can attach it only to instances which have the same security group as my VPC.
How do I know the security group of my VPC?
Suppose it is the default and my instances have different security groups, created at different times by different wizards. How can it be that an instance belongs to a VPC but has a different security group than that VPC?
Amazon Elastic File System (EFS) is a regional service. If you create an EFS in a particular region (e.g. us-east-1) then you can create multiple EC2 instances in different availability zones in the same us-east-1 region to access the EFS to read and write data.
All the EC2 instances in a particular region (e.g. us-east-1) must belong to a VPC and a subnet (unless you use EC2-Classic). A VPC maps to a region and a subnet maps to an availability zone. You can set up mount targets in the availability zones of your VPC so that EC2 instances can connect to EFS via a mount target and share the same file system.
Have a look at the following image from AWS Documentation.
Now, how can we make sure that our EFS can only be accessed by a certain set of EC2 instances and not all the instances from all the subnets?
This is where the security groups come in handy. We can assign security groups to the EFS mount targets such that only EC2 instances to which the given security group is attached can access EFS via the mount target. Any other EC2 instances that are in a different security group cannot access the EFS. This is how we restrict access to EFS.
So, when you are mounting the EFS to an EC2 instance, you have to add the same security group as the EFS to the EC2 instance.
Both an Amazon EC2 instance and a mount target have associated security groups. These security groups act as a virtual firewall that controls the traffic between them. If you don't provide a security group when creating a mount target, Amazon EFS associates the default security group of the VPC with it.
Regardless, to enable traffic between an EC2 instance and a mount target (and thus the file system), you must configure the following rules in these security groups:
The security groups you associate with a mount target must allow inbound access for the TCP protocol on the NFS port from all EC2 instances on which you want to mount the file system.
Each EC2 instance that mounts the file system must have a security group that allows outbound access to the mount target on the NFS port.
Read more about EFS security groups here.
Hope this helps.
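The two rules quoted above as a check, added here as an example rather than AWS's or the answerer's code: given a mount target's security group and a client instance's security group in the shape of `aws ec2 describe-security-groups` output (constructed below, placeholder IDs), confirm TCP 2049 is allowed inbound from the client SG and outbound to the mount target, and flag a mount-target rule that admits NFS from 0.0.0.0/0 instead of just the client SG.

```python
NFS_PORT = 2049

# Constructed sample SGs (placeholder IDs), in the shape of
# `aws ec2 describe-security-groups` output. Not real AWS data.
MOUNT_TARGET_SG = {
    "GroupId": "sg-efs-EXAMPLE",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
                       "UserIdGroupPairs": [{"GroupId": "sg-ec2-EXAMPLE"}],
                       "IpRanges": []}],
    "IpPermissionsEgress": []}
INSTANCE_SG = {
    "GroupId": "sg-ec2-EXAMPLE", "IpPermissions": [],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "UserIdGroupPairs": [],
                             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}


def _covers_port(perm, port):
    """True if a rule entry includes TCP `port` ('-1' means all traffic)."""
    if perm["IpProtocol"] == "-1":
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]


def _allows(perm, peer_sg_id):
    """True if the rule entry names `peer_sg_id` or the whole internet."""
    sgs = {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])}
    cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
    return peer_sg_id in sgs or "0.0.0.0/0" in cidrs


def check_nfs_path(mt_sg, ec2_sg):
    """Return findings for the SG pair; empty means NFS can flow and the
    mount-target side is scoped to the client security group."""
    findings = []
    inbound = [p for p in mt_sg["IpPermissions"] if _covers_port(p, NFS_PORT)]
    if not any(_allows(p, ec2_sg["GroupId"]) for p in inbound):
        findings.append(f"{mt_sg['GroupId']}: no inbound TCP {NFS_PORT} from {ec2_sg['GroupId']}")
    if any("0.0.0.0/0" in {r["CidrIp"] for r in p.get("IpRanges", [])} for p in inbound):
        findings.append(f"{mt_sg['GroupId']}: inbound NFS open to 0.0.0.0/0; restrict to client SG")
    outbound = [p for p in ec2_sg["IpPermissionsEgress"] if _covers_port(p, NFS_PORT)]
    if not any(_allows(p, mt_sg["GroupId"]) for p in outbound):
        findings.append(f"{ec2_sg['GroupId']}: no outbound TCP {NFS_PORT} to the mount target")
    return findings
```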