Mounting EFS file systems from another AWS account or VPC - Amazon Elastic File System

Mounting EFS file systems from another AWS account or VPC

You can mount your Amazon EFS file system using IAM authorization for NFS clients and EFS Access Points using the EFS mount helper. By default, the EFS mount helper uses domain name service (DNS) to resolve the IP address of your EFS mount target. If you are mounting the file system from a different account or virtual private cloud (VPC), you need to resolve the EFS mount target manually.

Following, you can find instructions for determining the correct EFS mount target IP address to use for your NFS client. You can also find instructions for configuring the client to mount the EFS file system using that IP address.

Mounting using IAM or access points from another VPC

When you use a VPC peering connection or transit gateway to connect VPCs, Amazon EC2 instances that are in one VPC can access EFS file systems in another VPC, even if the VPCs belong to different accounts.

Prerequisites

Before using the following the procedure, take these steps:

  • Install the Amazon EFS client, part of the amazon-efs-utils set of utilities on the compute instance you're mounting the EFS file system on. You use the EFS mount helper, which is included in amazon-efs-utils, to mount the file system. For instructions on installing amazon-efs-utils, see Using the amazon-efs-utils tools.

  • Allow the ec2:DescribeAvailabilityZones action in the IAM policy for the IAM role you attached to the instance. We recommend that you attach the AWS managed policy AmazonElasticFileSystemsUtils to an IAM entity to provide the necessary permissions for the entity.

  • When mounting from another AWS account, update the file system resource policy to allow the elasticfilesystem:DescribeMountTarget action for the principal ARN of other AWS account. For example:

    { "Id": "access-point-example03", "Statement": [ { "Sid": "access-point-statement-example03", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::555555555555"}, "Action": "elasticfilesystem:DescribeMountTargets", "Resource": "arn:aws:elasticfilesystem:us-east-2:111122223333:file-system/fs-12345678" } ] }

    For more information about EFS file system resource policies, see Resource-based policies within Amazon EFS.

  • Install botocore. The EFS client uses botocore to retrieve the mount target IP address when the file system DNS name cannot be resolved when mounting a file system in another VPC. For more information, see Install botocore in the amazon-efs-utils README file.

  • Set up either a VPC peering connection or a VPC transit gateway.

    You connect the client's VPC and your EFS file system's VPC using either a VPC peering connection or a VPC transit gateway. When you use a VPC peering connection or transit gateway to connect VPCs, Amazon EC2 instances that are in one VPC can access EFS file systems in another VPC, even if the VPCs belong to different accounts.

    A transit gateway is a network transit hub that you can use to interconnect your VPCs and on-premises networks. For more information about using VPC transit gateways, see Getting Started with transit gateways in the Amazon VPC Transit Gateways Guide.

    A VPC peering connection is a networking connection between two VPCs. This type of connection enables you to route traffic between them using private Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) addresses. You can use VPC peering to connect VPCs within the same AWS Region or between AWS Regions. For more information on VPC peering, see What is VPC Peering? in the Amazon VPC Peering Guide.

To ensure high availability of your file system, we recommend that you always use an EFS mount target IP address that is in the same Availability Zone as your NFS client. If you're mounting an EFS file system that is in another account, ensure that the NFS client and EFS mount target are in the same Availability Zone ID. This requirement applies because AZ names can differ from one account to another.

To mount an EFS file system in another VPC using IAM or an access point
  1. Connect to your EC2 instance:

    • To connect to your instance from a computer running macOS or Linux, specify the .pem file for your SSH command. To do this, use the -i option and the path to your private key.

    • To connect to your instance from a computer running Windows, you can use either MindTerm or PuTTY. To use PuTTY, install it and convert the .pem file to a .ppk file.

    For more information, see the following topics in the Amazon EC2 User Guide for Linux Instances:

  2. Create a directory for mounting the file system using the following command.

    $ sudo mkdir /mnt/efs
  3. To mount the file system using IAM authorization, use the following command:

    $ sudo mount -t efs -o tls,iam file-system-dns-name /mnt/efs/

    For more information about using IAM authorization with EFS, see Using IAM to control file system data access.

    To mount the file system using an EFS access point, use the following command:

    $ sudo mount -t efs -o tls,accesspoint=access-point-id file-system-dns-name /mnt/efs/

    For more information about EFS access points, see Working with Amazon EFS access points.

Mounting Amazon EFS file systems from a different AWS Region

If you are mounting your EFS file system from another VPC that is in a different AWS Region than the file system, you will need to edit the efs-utils.conf file. In /dist/efs-utils.conf, locate the following lines:

#region = us-east-1

Uncomment the line, and replace the value for the ID of the region in which the file system is located, if it is not in us-east-1.

Mounting from another AWS account in the same VPC

Using shared VPCs, you can mount an Amazon EFS file system that is owned by one AWS account from Amazon EC2 instances that are owned by a different AWS account. For more information about setting up a shared VPC, see Working with shared VPCs in the Amazon VPC Peering Guide.

After you set up VPC sharing, the EC2 instances can mount the EFS file system using Domain Name System (DNS) name resolution or the EFS mount helper. We recommend using the EFS mount helper to mount your EFS file systems.