Tutorials
Mounting a file system
To mount EFS on an instance, first create the file system and a mount target. The mount target must be in a subnet of the same VPC as the instance itself. In addition, the instance OS must support the NFS 4.1 protocol.
For the instance to connect to the mount target, the security groups must be configured correctly: outbound rules for the instance's security group and inbound rules for the mount target. If the instance and the mount target are assigned a default security group and there are no changes in the default outbound and inbound rules (all outbound traffic is allowed and all inbound traffic from group members is allowed), then no additional action is required.
Attention
If the default security group rules have not been changed, all instances to which this security group is assigned can access the file system.
Mount a file system on an instance
The instructions below assume that Ubuntu or CentOS is installed on the instance. The instructions for other Linux operating systems differ only in the procedure for installing the NFS utility package (if required). For mounting, you will need the IP address or DNS name of the mount target. These can be found on the mount target page.
Install the NFS client (for more details see, for example, the documentation on using NFS on Ubuntu).
On Ubuntu:
sudo apt update
sudo apt install nfs-common
On CentOS:
sudo yum install nfs-utils -y
Create a directory where the file system will be mounted:
sudo mkdir /mnt/efs-mount-point
Mount the file system by specifying the DNS name of the mount target:
# Example DNS name: ru-msk-vol51.fs-B8C952E6.efs.vpc-73d5fea1.internal
sudo mount -t nfs -o nfsvers=4.1 mount-target-DNS:/ /mnt/efs-mount-point
or the IP address of the mount target:
sudo mount -t nfs -o nfsvers=4.1 mount-target-ip:/ /mnt/efs-mount-point
For the file system to be mounted automatically when the instance restarts, add the following line to the /etc/fstab file:
az_name.file_system_id.efs.vpc_id.internal:/ /mnt/efs-mount-point nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport,_netdev 0 0
where az_name is the availability zone name, file_system_id is the file system ID, vpc_id is the VPC ID, and /mnt/efs-mount-point is the directory where the file system is mounted.
Configure an outbound rule for an instance
If the security group rules restrict outbound traffic, add an outbound rule that allows TCP traffic to the NFS port of the mount target.
Several security groups can be assigned to an instance. Their rules are aggregated into a single set of rules. Therefore, you can add an outbound rule to any group assigned to an instance. (However, if that group is assigned to other instances, the rule will apply to them as well.)
In this example, we will create a separate group for outbound EFS traffic. To define the rule, we will need the IP address of the mount target. It can be found on the mount target page.
Create a security group named EfsOut.
Go to the group page and open the Inbound rules tab.
Delete the default rule that allows outbound traffic to all addresses for all protocols.
Click Add.
In the dialog window:
Add a rule description (optional).
In the Protocol field, select TCP.
In the Ports field, enter 2049 (the field is available when the To specific option is selected).
For the Grant access parameter, keep the To all IP addresses option selected.
In the Network field, specify the IP address of the mount target.
Click Add to create the rule.
Assign the created security group to the instance (if the instance has multiple network interfaces, you can assign the group to any of them).
Configure an inbound rule for a mount target
In this example, we will create a separate security group EfsIn for the mount target to limit access to only the instances that are assigned the EfsOut group (see previous section).
Go to the group's page and open the Inbound rules tab.
Click Add.
In the dialog window:
Add a rule description (optional).
In the Protocol field, select TCP.
In the Ports field, enter 2049 (the field is available when the To specific option is selected).
For the Grant access option, select From security group.
In the Security group field, select the security group assigned to the instance (EfsOut, see the previous section).
Click Add to create the rule.
Assign the created security group to the mount target instead of the default one.
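The effect of the two configurations described above can be checked with a small model of security group evaluation. This is an added example, not part of the original tutorial or the cloud's own tooling: the IP addresses and instance names are constructed, and the model assumes allow-only rules that are aggregated across all groups assigned to an endpoint.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

NFS_PORT = 2049
MT_IP = "10.0.0.10"  # constructed mount target address

# A rule names its peer either as a network (cidr) or as a security group.
Rule = namedtuple("Rule", "proto port cidr group", defaults=(None, None))
Endpoint = namedtuple("Endpoint", "ip groups")

def matches(rule, proto, port, peer):
    if rule.proto not in ("all", proto):
        return False
    if rule.port is not None and rule.port != port:  # None means every port
        return False
    if rule.group is not None:
        return rule.group in peer.groups
    return ip_address(peer.ip) in ip_network(rule.cidr)

# Rule sets as described on this page (simplified model: allow rules only).
GROUPS = {
    "default": {"out": [Rule("all", None, cidr="0.0.0.0/0")],
                "in": [Rule("all", None, group="default")]},
    "EfsOut": {"out": [Rule("tcp", NFS_PORT, cidr=MT_IP + "/32")], "in": []},
    "EfsIn": {"out": [], "in": [Rule("tcp", NFS_PORT, group="EfsOut")]},
}

def allowed(src, dst, port=NFS_PORT, proto="tcp"):
    """Rules of all assigned groups are aggregated; the flow needs an
    outbound match on the source and an inbound match on the target."""
    out_ok = any(matches(r, proto, port, dst)
                 for g in src.groups for r in GROUPS[g]["out"])
    in_ok = any(matches(r, proto, port, src)
                for g in dst.groups for r in GROUPS[g]["in"])
    return out_ok and in_ok

def who_can_mount(mount_target_groups, instances):
    mt = Endpoint(MT_IP, tuple(mount_target_groups))
    return sorted(n for n, i in instances.items() if allowed(i, mt))

INSTANCES = {  # hypothetical instances in the same VPC
    "app": Endpoint("10.0.0.21", ("EfsOut",)),
    "other": Endpoint("10.0.0.22", ("default",)),
    "both": Endpoint("10.0.0.23", ("default", "EfsOut")),
}

if __name__ == "__main__":
    print("default group on mount target:", who_can_mount(["default"], INSTANCES))
    print("EfsIn on mount target:", who_can_mount(["EfsIn"], INSTANCES))
```

With the default group on the mount target, every instance in that group can reach port 2049; with EfsIn, only instances that carry EfsOut can.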