Setting up AWS EFS with best practices and efficiently

By Kenneth Attard

February 14, 2021

Amazon EFS (AWS Elastic File System) is a fully AWS-managed file storage service. It provides a scalable, highly available NFS share that can be used for storing and sharing files. The file system supports multi-AZ or single-AZ configurations depending on your needs; as a best practice, multi-AZ is the better choice. EFS can perform automatic backups and supports lifecycle management, which automatically moves data to the Infrequent Access (IA) storage class and transitions it to archive. From a data security perspective, EFS supports encryption of data at rest.

Steps required:

  1. Create the necessary security groups to access the EFS share
  2. Create the file system
  3. Attach and mount the file system on the EC2 instance

Step 1: Create the security groups required:

  1. In the AWS Management Console search bar, enter EC2, click the EC2 result under Services, and then click Security Groups under the Network & Security menu

2. Click Create security group

3. Fill in the security group name & description and choose the appropriate VPC

4. The next step is to set up the inbound rules required for the security group. In this case, we need to allow the NFS protocol port. Click Add rule in the Inbound rules section

5. Choose NFS in the type list

6. Choose the Source needed. In our case, we will choose Custom and use the VPC range (which is 172.31.0.0/16), click Add rule, and delete any extra rules created

7. Click Create security group to save the security group

Once the security group is created, you should have a rule set similar to the one below:

Step 2: Create the file share:

  1. Go to the Elastic File System console from the Services menu:

2. Click File systems under the Elastic File System menu:

3. Click the Create file system button

4. Enter a name for the file system; in our case, we will use NFS share as the name. Choose the VPC required and click the Customise button

5. Choose whether you want automatic backups and whether to enable lifecycle management. Based on the time of last access, files are moved automatically to the EFS Infrequent Access storage class. In our case, we will choose 30 days and allow automatic backups. Infrequent Access storage is essential to reduce storage costs

6. For the performance mode, the General Purpose option is usually enough, but you can choose higher throughput by selecting the Max I/O option. In our case, the default option is enough

7. With Bursting Throughput mode, the throughput of the Amazon EFS file system scales as the size of your file system in the Standard storage class grows, while with Provisioned Throughput mode you can instantly provision the throughput of your file system (in MiB/s) independent of the amount of data stored. If Provisioned Throughput mode is used, make sure to monitor the throughput usage to minimize cost

In our case, the default Bursting option is enough

8. The next step is to encrypt the EFS share. You can use the default KMS key or create a custom one

In our case, we will use the default KMS key

9. Click Next and choose the previously created security group for each Availability Zone in which the share will be used

10. Click Next and choose Enforce in-transit encryption for all clients

For security reasons, you can also choose Prevent anonymous access and Prevent root access by default

Once all the options needed are selected, click Next

11. Review the options chosen and click Create at the bottom of the page

Once the file share is available, its state should change to Available


Step 3: Attach and mount the file share on the EC2 instances:

1. Choose the file share created

2. Click the Attach button

3. Take note of the commands shown. In my case, I need to use the following commands:

sudo mount -t efs -o tls fs-27860723:/ efs

sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport fs-27860723.efs.us-west-2.amazonaws.com:/ efs

4. SSH to your EC2 instances and run the following command:

sudo yum install -y nfs-utils

5. Create a new folder to mount the file system. In this case, we will use the home folder of ec2-user for the mount point. Type the following command to create a folder called efs:

mkdir efs

6. Mount the file system. In our case, we will use the NFS client option:

sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport fs-27860723.efs.us-west-2.amazonaws.com:/ efs

Run mount to verify that the file system was mounted

7. The next step is to change the permissions of the efs folder so that a non-root account can write in the NFS file share. The current permissions are as follows:

Run ls -l; the current owner is shown as root. Change the permissions as required. In our case, we will change the ownership to ec2-user and make the share writable to everyone


8. Run the following commands to change the permissions:

sudo chown ec2-user efs

sudo chmod 777 efs

and re-run ls -l to verify the changed permissions

9. Create a file in the NFS share. Ensure you are in the efs folder and download some files from the internet. In my case, I am using the AWS CLI zip file:

curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"

10. To verify the operation, I am using another machine and repeating the above steps, and awscliv2.zip is available on the other EC2 instance with the same timestamp and size
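The mount and permission checks from steps 6 to 8, as an added shell example (not from the original post): it composes the NFS mount target name and an /etc/fstab entry from the mount options shown above, then checks a /proc/mounts line and an ls -ld line against what those steps expect. The _netdev option and the sample lines are my additions, and the check covers the plain NFS client mount used here, not the efs-utils TLS mount, which appears in /proc/mounts with a 127.0.0.1 source.

```shell
#!/bin/sh
# Added example, not part of the original post: helper functions for Step 3.
# The file system id, region and mount point are the ones the post uses; the
# sample mount-table and ls lines below are constructed, not captured output.
EFS_ID="fs-27860723"
EFS_REGION="us-west-2"
MOUNT_POINT="/home/ec2-user/efs"
# NFS client options exactly as shown in the attach dialog in the post.
EFS_OPTS="nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport"

# DNS name of the file system, as used by the plain NFS client mount.
efs_dns_name() {
    printf '%s.efs.%s.amazonaws.com' "$1" "$2"
}
# /etc/fstab entry so the share is remounted after a reboot. _netdev is an
# addition (not in the post) that delays the mount until networking is up.
efs_fstab_line() {
    printf '%s:/ %s nfs4 %s,_netdev 0 0\n' "$(efs_dns_name "$1" "$2")" "$3" "$EFS_OPTS"
}
# Check one /proc/mounts line: efs_mount_ok "<line>" <efs-id> <region> <mount-point>
# Returns 0 only if source, mount point, nfs4 type and NFS 4.1 all match.
efs_mount_ok() {
    want_src="$(efs_dns_name "$2" "$3"):/"
    want_mp=$4
    set -- $1                        # split into source, target, type, options
    [ "$1" = "$want_src" ] || return 1
    [ "$2" = "$want_mp" ] || return 1
    [ "$3" = "nfs4" ] || return 1
    case ",$4," in
        *,vers=4.1,*) return 0 ;;    # the kernel reports nfsvers=4.1 as vers=4.1
        *) return 1 ;;
    esac
}
# Owner check on an `ls -ld <dir>` line (step 8): efs_dir_owner_is "<line>" <user>
efs_dir_owner_is() {
    want=$2
    set -- $1
    [ "$3" = "$want" ]
}
# Returns 0 if the `ls -ld` line shows an other-writable directory (what chmod 777 grants).
efs_dir_world_writable() {
    set -- $1
    case $1 in ????????w*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample lines for a self-contained run.
SAMPLE_MOUNT="fs-27860723.efs.us-west-2.amazonaws.com:/ /home/ec2-user/efs nfs4 rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,hard,noresvport,proto=tcp,timeo=600,retrans=2,sec=sys 0 0"
SAMPLE_LS="drwxrwxrwx 2 ec2-user root 6144 Feb 14 10:00 /home/ec2-user/efs"
efs_fstab_line "$EFS_ID" "$EFS_REGION" "$MOUNT_POINT"
```

Run it as a plain script to print the fstab line; on the instance, source it and feed the functions the output of `grep efs /proc/mounts` and `ls -ld ~/efs`.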
