Managing mount targets - Amazon Elastic File System

Managing mount targets

You mount your file system on Amazon EC2 or other AWS compute instance in your virtual private cloud (VPC) using a mount target that you create for the file system. Managing file system network accessibility refers to managing a file system's mount targets.

After you create an Amazon EFS file system, you can create mount targets. For Amazon EFS file systems that use Regional storage classes, you can create a mount target in each Availability Zone in an AWS Region. For One Zone file systems, you can only create a single mount target in the same Availability Zone as the file system. Then you can mount the file system on compute instances, including Amazon EC2, Amazon ECS, and AWS Lambda in your virtual private cloud (VPC).

The following diagram shows a Regional file system with mount targets created in all Availability Zones in the VPC. The illustration shows three EC2 instances launched in different VPC subnets accessing an Amazon EFS file system. The illustration also shows one mount target in each of the Availability Zones (regardless of the number of subnets in each Availability Zone).

You can create only one mount target per Availability Zone. If an Availability Zone has multiple subnets, as shown in one of the zones in the illustration, you create a mount target in only one of the subnets. As long as you have one mount target in an Availability Zone, the EC2 instances launched in any of its subnets can share the same mount target.

Regional file system with mount targets in three Availability Zones within a VPC on EC2 instances.

The following diagram shows a One Zone file system, with a single mount target created in the same Availability Zone as the file system. Accessing the file system by using the EC2 instance in the us-west2c Availability Zone incurs data access charges because it is located in a different Availability Zone than the mount target.

One Zone file system with a single mount target created in the same Availability Zone.

The mount target security group acts as a virtual firewall that controls the traffic. For example, it determines which clients can access the file system. This section explains the following:

  • Managing mount target security groups and enabling traffic.

  • Mounting the file system on your clients.

  • NFS-level permissions considerations.

    Initially, only the root user on the Amazon EC2 instance has read-write-execute permissions on the file system. This topic discusses NFS-level permissions and provides examples that show you how to grant permissions in common scenarios. For more information, see Working with users, groups, and permissions at the Network File System (NFS) level.

Managing mount targets refers to these activities:

  • Creating and deleting mount targets in a VPC – At a minimum, you should create a mount target in each Availability Zone from which you want to access the file system.

  • Updating the mount target configuration – When you create a mount target, you associate security groups with the mount target. A security group acts as a virtual firewall that controls the traffic to and from the mount target. You can add inbound rules to control access to the mount target, and thus the file system. After creating a mount target, you might want to modify the security groups assigned to them.

You can create mount targets for a file system by using the AWS Management Console, AWS CLI, or programmatically by using the AWS SDKs. When you're using the console, you can create mount targets when you first create a file system or after the file system is created. For instructions to create mount targets by using the Amazon EFS console when creating a file system, see Create a file system with custom settings (console).

Use the following procedure to add or modify mount targets for an existing Amazon EFS file system.

To manage mount targets on an Amazon EFS file system
  1. Sign in to the AWS Management Console and open the Amazon EFS console at https://console.aws.amazon.com/efs/.

  2. In the left navigation pane, choose File systems. The File systems page displays the EFS file systems in your account.

  3. Choose the file system that you want to manage mount targets for by choosing its Name or the File system ID to display the file system details page.

  4. Choose Network to display the list of existing mount targets.

  5. Choose Manage to display the Availability Zone page and make modifications.

    On this page, for existing mount targets, you can add and remove security groups, or delete the mount target. You can also create new mount targets.

    Note

    For One Zone file systems, you can only create a single mount target that is in the same Availability Zone as the file system.

    • To remove a security group from a mount target, choose X next to the security group ID.

    • To add a security group to a mount target, choose Select security groups to display a list of available security groups. Or, enter a security group ID in the search field at the top of the list.

    • To queue a mount target for deletion, choose Remove.

      Note

      Before deleting a mount target, first unmount the file system.

    • To add a mount target, choose Add mount target. This option is available only for file systems that use EFS Regional storage classes, and if mount targets do not already exist in each Availability Zone for the AWS Region.

  6. Choose Save to save any changes.

To change the VPC for an Amazon EFS file system (console)

To change the VPC for a file system's network configuration, you must delete all of the file system's existing mount targets.

  1. Open the Amazon Elastic File System console at https://console.aws.amazon.com/efs/.

  2. In the left navigation pane, choose File systems. The File systems page shows the EFS file systems in your account.

  3. For the file system that you want to change the VPC for, choose the Name or the File system ID. The file system details page is displayed.

  4. Choose Network to display the list of existing mount targets.

  5. Choose Manage. The Availability zone page appears.

  6. Remove all mount targets displayed on the page.

  7. Choose Save to save changes and delete the mount targets. The Network tab shows the mount targets status as deleting.

  8. When all the mount targets statuses show as deleted, choose Manage. The Availability Zone page appears.

  9. Choose the new VPC from the Virtual Private Cloud (VPC) list.

  10. Choose Add mount target to add a new mount target. For each mount target you add, enter the following:

    • An Availability zone

    • A Subnet ID

    • An IP address, or keep it set to Automatic

    • One or more Security groups

  11. Choose Save to implement the VPC and mount target changes.

Note

For One Zone file systems, you can only create a single mount target that is in the same Availability Zone as the file system.

To create a mount target (CLI)
  • To create a mount target, use the create-mount-target CLI command (corresponding operation is CreateMountTarget), as shown following.

    $ aws efs create-mount-target \ --file-system-id file-system-id \ --subnet-id subnet-id \ --security-group ID-of-the-security-group-created-for-mount-target \ --region aws-region \ --profile adminuser

    The following example shows the command with sample data.

    $ aws efs create-mount-target \ --file-system-id fs-0123467 \ --subnet-id subnet-b3983dc4 \ --security-group sg-01234567 \ --region us-east-2 \ --profile adminuser

    After successfully creating the mount target, Amazon EFS returns the mount target description as JSON as shown in the following example.

    { "MountTargetId": "fsmt-f9a14450", "NetworkInterfaceId": "eni-3851ec4e", "FileSystemId": "fs-b6a0451f", "LifeCycleState": "available", "SubnetId": "subnet-b3983dc4", "OwnerId": "23124example", "IpAddress": "10.0.1.24" }
To retrieve a list of mount targets for a file system (CLI)
  • You can also retrieve a list of mount targets created for a file system by using the describe-mount-targets CLI command (the corresponding operation is DescribeMountTargets), as shown following.

    $ aws efs describe-mount-targets --file-system-id fs-a576a6dc
    { "MountTargets": [ { "OwnerId": "111122223333", "MountTargetId": "fsmt-48518531", "FileSystemId": "fs-a576a6dc", "SubnetId": "subnet-88556633", "LifeCycleState": "available", "IpAddress": "172.31.25.203", "NetworkInterfaceId": "eni-0123456789abcdef1", "AvailabilityZoneId": "use2-az2", "AvailabilityZoneName": "us-east-2b" }, { "OwnerId": "111122223333", "MountTargetId": "fsmt-5651852f", "FileSystemId": "fs-a576a6dc", "SubnetId": "subnet-44223377", "LifeCycleState": "available", "IpAddress": "172.31.46.181", "NetworkInterfaceId": "eni-0123456789abcdefa", "AvailabilityZoneId": "use2-az3", "AvailabilityZoneName": "us-east-2c" }, { "OwnerId": "111122223333", "MountTargetId": "fsmt-5751852e", "FileSystemId": "fs-a576a6dc", "SubnetId": "subnet-a3520bcb", "LifeCycleState": "available", "IpAddress": "172.31.12.219", "NetworkInterfaceId": "eni-0123456789abcdef0", "AvailabilityZoneId": "use2-az1", "AvailabilityZoneName": "us-east-2a" } ] }
To delete an existing mount target (CLI)
  • To delete an existing mount target, use the delete-mount-target AWS CLI command (corresponding operation is DeleteMountTarget), as shown following.

    Note

    Before deleting a mount target, first unmount the file system.

    $ aws efs delete-mount-target \ --mount-target-id mount-target-ID-to-delete \ --region aws-region-where-mount-target-exists

    The following is an example with sample data.

    $ aws efs delete-mount-target \ --mount-target-id fsmt-5751852e \ --region us-east-2 \
To modify the security group of an existing mount target
  • To modify security groups that are in effect for a mount target, use the modify-mount-target-security-group AWS CLI command (the corresponding operation is ModifyMountTargetSecurityGroups) to replace any existing security groups, as shown following.

    $ aws efs modify-mount-target-security-groups \ --mount-target-id mount-target-ID-whose-configuration-to-update \ --security-groups security-group-ids-separated-by-space \ --region aws-region-where-mount-target-exists \ --profile adminuser

    The following is an example with sample data.

    $ aws efs modify-mount-target-security-groups \ --mount-target-id fsmt-5751852e \ --security-groups sg-1004395a sg-1114433a \ --region us-east-2

For more information, see Tutorial: Create an EFS file system and mount it on an EC2 instance using the AWS CLI.