Replicating EFS file systems
For expanded resilience and data protection, you can replicate your EFS file system in an AWS Region. When you enable replication on an EFS file system, Amazon EFS automatically and transparently replicates the data and metadata on the source file system to a destination file system. In the event of a disaster or when performing game day exercises, you can fail over to your replica file system. To resume operations, you can then fail back to the primary file system.
To manage the process of creating the destination file system and keeping it synced with the source file system, Amazon EFS uses a replication configuration.
After you create the replication configuration, Amazon EFS automatically keeps the source and destination file systems synchronized. Changes made to the source file system are not transferred to the destination file system in a point-in-time consistent manner. Instead, they're transferred based on the Last synced time for the replication. The Last synced time indicates when the last successful sync between the source and destination was completed. Changes made to your source file system as of the Last synced time are replicated to the destination file system, while changes made to the source file system after the Last synced time may not be replicated. For more information, see Viewing replication details.
Replication is available in all AWS Regions in which Amazon EFS is available. To replicate an EFS file system in a Region that is disabled by default, you must first opt in to the Region. For more information, see Specify which AWS Regions your account can use in the AWS General Reference Guide. If you opt out of a Region later, Amazon EFS pauses all replication activities for the Region. To resume replication activities for the Region, opt in to the AWS Region again.
Note
Replication does not support using tags for attribute-based access control (ABAC).
Costs
To facilitate replication, Amazon EFS creates hidden directories and metadata on the destination file system. These equate to approximately 12 mebibytes (MiB) of metered data for which you are billed. For more information about metering file system storage, see How Amazon EFS reports file system and object sizes.
Replication performance
When you create new replications or reverse the direction of existing replications during the failback process, Amazon EFS performs an initial sync, which includes a series of one-time setup actions to support the replication. The amount of time that the initial sync takes to finish depends on factors such as the size of the source file system and the number of files in it.
After the initial replication is finished, Amazon EFS maintains a Recovery Point Objective (RPO) of 15 minutes for most file systems. However, if the source file system has files that change very frequently and has either more than 100 million files or files that are larger than 100 GB, replication may take longer than 15 minutes. For information about monitoring when the last replication successfully finished, see Viewing replication details.
You can monitor when the last successful sync occurred using the console, the AWS Command Line Interface (AWS CLI), the API, and Amazon CloudWatch. In CloudWatch, use the TimeSinceLastSync EFS metric. For more information, see Viewing replication details.
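The following is an added example, not part of the AWS documentation. It reads a response shaped like the EFS DescribeReplicationConfigurations API output and reports, for each destination, how large the window of possibly unreplicated changes is compared with the 15-minute RPO. The file system IDs, timestamps, helper names and verdict labels are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

RPO = timedelta(minutes=15)  # RPO this page states for most file systems

def utc(hour, minute):
    # Constructed timestamps, all on one arbitrary day.
    return datetime(2024, 1, 1, hour, minute, tzinfo=timezone.utc)

def dest_entry(fs_id, status, last=None):
    # Builds one constructed entry of a replication's "Destinations" list.
    entry = {"FileSystemId": fs_id, "Region": "us-west-2", "Status": status}
    if last is not None:
        entry["LastReplicatedTimestamp"] = last
    return entry

# Constructed sample shaped like a DescribeReplicationConfigurations response.
SAMPLE_RESPONSE = {"Replications": [
    {"SourceFileSystemId": "fs-0000000a",
     "Destinations": [dest_entry("fs-0000001a", "ENABLED", utc(11, 52))]},
    {"SourceFileSystemId": "fs-0000000b",
     "Destinations": [dest_entry("fs-0000001b", "ENABLED", utc(11, 20))]},
    {"SourceFileSystemId": "fs-0000000c",
     "Destinations": [dest_entry("fs-0000001c", "PAUSED", utc(9, 0))]},
    {"SourceFileSystemId": "fs-0000000d",
     "Destinations": [dest_entry("fs-0000001d", "ENABLING")]},
]}

def assess_replicas(response, now, rpo=RPO):
    """Return (source, destination, verdict, exposure) for every replica.

    exposure is the window of source changes that may be missing from the
    destination if you failed over at `now` (None before the first sync).
    """
    findings = []
    for repl in response.get("Replications", []):
        for dest in repl.get("Destinations", []):
            last = dest.get("LastReplicatedTimestamp")
            exposure = None if last is None else now - last
            if last is None:
                verdict = "NO_SYNC_YET"      # initial sync has not finished
            elif dest.get("Status") != "ENABLED":
                verdict = "NOT_REPLICATING"  # for example paused; exposure keeps growing
            elif exposure > rpo:
                verdict = "RPO_EXCEEDED"
            else:
                verdict = "OK"
            findings.append((repl["SourceFileSystemId"], dest["FileSystemId"], verdict, exposure))
    return findings

if __name__ == "__main__":
    for row in assess_replicas(SAMPLE_RESPONSE, now=utc(12, 0)):
        print(*row)
```

With boto3, the same function accepts the dictionary returned by the EFS client's `describe_replication_configurations` call, with `now` set to the current UTC time.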
Required IAM permissions
Amazon EFS uses either the EFS service-linked role named AWSServiceRoleForAmazonElasticFileSystem or the IAM role that you specify to synchronize replication between the source and destination file systems. To provide an IAM role, the IAM user or role creating the replication configuration must have iam:PassRole permission. For more information, see Grant a user permissions to pass a role to an AWS service in the AWS Identity and Access Management User Guide.
- For more information about iam:CreateServiceLinkedRole, see the example in Using service-linked roles for Amazon EFS.
- For more information about a custom IAM role, see Create an IAM role with a custom trust policy.
Note
If you are performing cross-account replication, then you must provide an IAM role when you create the replication configuration. Using the service-linked role is not permitted. For more information, see Replicating EFS file systems across AWS accounts.
The service-linked role or IAM role that you provide when creating the replication configuration must have the following permissions for replication.
- elasticfilesystem:DescribeFileSystem
- elasticfilesystem:CreateFileSystem
- elasticfilesystem:CreateReplicationConfiguration
- elasticfilesystem:DeleteReplicationConfiguration
- elasticfilesystem:DescribeReplicationConfigurations
You can use the AmazonElasticFileSystemFullAccess managed policy to automatically get all required EFS permissions. For more information, see AWS managed policy: AmazonElasticFileSystemFullAccess.