Amazon EFS (Elastic File System) is a fully managed, cloud-native file storage service for your Amazon EC2 instances. It provides a simple, scalable, and shared file system that grows and shrinks automatically as you add and remove files, so you only pay for the storage you use. Based on the NFSv4 protocol, it allows multiple EC2 instances to connect to and access the same data concurrently, making it ideal for content management, web serving, and shared application data.
Key Takeaways
- EFS is a managed NFS file system. It provides shared file storage that can be accessed by thousands of EC2 instances simultaneously.
- It is elastic and scales automatically. You don’t need to provision storage in advance; it grows and shrinks as needed.
- EFS is a regional service. To provide high availability, you create Mount Targets in different Availability Zones (AZs) within your VPC.
- Access is controlled at the network level using VPC Security Groups. You must allow NFS traffic (TCP port 2049) between your EC2 instances and the EFS mount targets.
- EFS offers different storage tiers, like Standard and Infrequent Access (IA), with lifecycle policies to automatically move data and optimize costs.
AWS EFS Explained
In our last lesson, we learned about EBS volumes, which provide block storage for a single EC2 instance. But what if you have a fleet of web servers that all need access to the same set of web content files? Attaching an EBS volume to each and keeping the data in sync would be a nightmare. This is the exact problem Amazon EFS is designed to solve. Let’s explore how it works.
EBS vs. EFS: A Quick Comparison
The easiest way to understand EFS is to compare it with EBS:
- Amazon EBS (Elastic Block Store): Provides block-level storage. It’s like a virtual hard drive (a disk volume) that you attach to one EC2 instance at a time in a specific Availability Zone.
- Amazon EFS (Elastic File System): Provides a file-level storage system using the NFS protocol. It’s like a shared network drive that can be mounted by many EC2 instances simultaneously, even across different Availability Zones within a region.
How EFS Works: Mount Targets
EFS is a regional service. When you create a file system, you create it within a specific VPC. To make the file system accessible to your EC2 instances, EFS places an endpoint called a Mount Target in the subnets you specify. Each mount target gets a private IP address from its subnet.
Your EC2 instances then use standard NFS client software to mount the file system using the mount target’s IP address. By placing mount targets in multiple AZs, you create a highly available file system. If one AZ becomes unavailable, your instances in other AZs can continue to access the data without interruption.
Securing Your File System with Security Groups
Security is critical, and EFS integrates directly with VPC Security Groups. Access to your file system is controlled at the network level. The configuration is straightforward:
- You create a security group for your EFS mount targets (e.g., `efs-sg`).
- You have a security group for your EC2 instances that need access (e.g., `ec2-sg`).
- In the EFS security group (`efs-sg`), you add an inbound rule to allow traffic on the NFS port (TCP 2049) from the EC2 security group (`ec2-sg`) as the source.
This rule explicitly allows only the instances in `ec2-sg` to communicate with the EFS mount targets on the correct port. This is a common place for configuration errors, so always double-check your security group rules!
Let’s Create and Mount an EFS File System
Let’s walk through the steps to set up and test a shared file system. We’ll launch two EC2 instances and have them both mount the same EFS file system.
1. Create the EFS File System: In the AWS Console, navigate to the EFS service and click Create file system. Give it a name, select your VPC, and choose the “Regional” storage class for high availability. One-click creation is often sufficient for standard setups.
2. Configure Security Groups: Create two security groups. For our `ec2-sg`, allow inbound SSH (port 22) from your IP. For `efs-sg`, create an inbound rule for “NFS” (port 2049) and set the source to be the `ec2-sg` security group ID. Attach this `efs-sg` to your EFS mount targets under the “Network” tab.
3. Launch EC2 Instances: Launch two `t2.micro` Amazon Linux instances, one in each of two different AZs (e.g., `us-east-1a` and `us-east-1b`). Make sure to assign the `ec2-sg` security group to both instances during launch.
4. Mount the File System on Both Instances: Connect to each instance via SSH. First, we install the NFS client, create a directory to be our mount point, and then mount the EFS file system. The EFS console provides the exact mount command for you!
# Run these commands on BOTH EC2 instances
# Install the NFS client
sudo yum install -y nfs-utils
# Create a directory for the mount point
sudo mkdir /mnt/efs
# Mount the EFS file system (replace file-system-id)
# You can find this command in the EFS console by clicking "Attach"
sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport FILE_SYSTEM_ID.efs.REGION.amazonaws.com:/ /mnt/efs5. Verify the Shared Access: Now for the magic. On your first EC2 instance, create a test file:
# On Instance 1
sudo touch /mnt/efs/test_from_instance1.txtNow, on your second EC2 instance, list the contents of the EFS directory:
# On Instance 2
ls -l /mnt/efs
# Output:
# -rw-r--r-- 1 root root 0 Dec 1 12:00 test_from_instance1.txtSuccess! Both instances see the same file because they are both connected to the same shared file system.
Conclusion
In this lesson, we explored Amazon EFS, a powerful, fully managed, and scalable NFS file system for the cloud. We learned that its key a-ha moment is providing shared storage for multiple EC2 instances, a common requirement for scalable applications. We covered its architecture using mount targets, its security model based on security groups, and walked through a practical example of mounting a file system from two different instances. Understanding when to use EFS instead of EBS is a key skill for designing resilient and cost-effective solutions on AWS.