How to Mount AWS EFS (Elastic File System) Outside AWS via VPN or Direct Connect

Mounting AWS EFS to an external server presents unique infrastructure challenges since EFS was designed primarily for AWS VPC environments. The key obstacles include:

  • Network isolation: EFS endpoints are only accessible within the configured VPC
  • Security requirements: IAM roles and security groups must be properly configured
  • Protocol limitations: NFSv4.1 protocol requirements for EFS mounting

Two proven approaches exist for external EFS access:

1. AWS Direct Connect (Recommended for production)
   - Physical network connection between on-prem and AWS
   - Provides consistent latency and bandwidth
   - Supports private VPC routing

2. Site-to-Site VPN (Alternative for dev/test)
   - Uses IPsec tunnels over public internet
   - Requires AWS Virtual Private Gateway
   - Lower cost but variable performance

Here's how to configure a VPN-connected EFS mount:

# On AWS side:
1. Create a Customer Gateway for your external server's public IP
2. Configure Virtual Private Gateway in your VPC
3. Set up Site-to-Site VPN Connection
4. Update route tables to include your on-prem network

# On external server:
1. Install NFS client utilities:
   sudo yum install nfs-utils       # RHEL/CentOS
   sudo apt-get install nfs-common  # Ubuntu/Debian

2. Create mount directory:
   sudo mkdir /mnt/efs

3. Mount EFS (replace with your endpoint):
   sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,\
   timeo=600,retrans=2,noresvport fs-12345678.efs.us-west-1.amazonaws.com:/ /mnt/efs

Critical security measures for external EFS access:

# EFS Security Group Rules:
Inbound: NFS (TCP 2049) from your on-prem network CIDR only

# Network ACL Configuration:
Allow bidirectional traffic between:
- Your on-prem network range
- EFS mount target subnets

# IAM Policy Example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:ClientMount",
        "elasticfilesystem:ClientWrite"
      ],
      "Resource": "arn:aws:elasticfilesystem:region:account-id:file-system/fs-id"
    }
  ]
}
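The identity policy above only takes effect when the client authenticates to EFS with IAM, which means a TLS mount through the EFS mount helper; a plain NFSv4.1 mount from on-prem is an anonymous client as far as EFS is concerned. The following script, added here as an example and not part of the original article, pairs the security-group rule with a file system (resource) policy that denies unencrypted access and grants ClientMount/ClientWrite to a single role, then shows the matching mount helper invocation from the external host. It assumes the AWS CLI and efs-utils are installed; the security group id, CIDR, ARNs, role name and mount target IP are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the article): scope the EFS security group to the
# on-prem range and attach a file system policy so the identity policy's
# ClientMount/ClientWrite grant is actually enforced. Requires the AWS CLI and
# efs-utils; every id, ARN, CIDR and role name below is a placeholder.
set -u

# Basic sanity check on the CIDR that will be allowed to reach TCP/2049: it must
# carry a prefix length between /1 and /32, so 0.0.0.0/0 is refused.
onprem_cidr_ok() {
  case "$1" in
    */*) ;;
    *) return 1 ;;
  esac
  prefix=${1#*/}
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -ge 1 ] || return 1
  [ "$prefix" -le 32 ] || return 1
  return 0
}

# Security group ingress limited to NFS from the on-prem range.
allow_nfs_from_onprem() {   # $1 security group id, $2 on-prem CIDR
  sg=$1; cidr=$2
  onprem_cidr_ok "$cidr" || { echo "refusing to open 2049 to '$cidr'" >&2; return 1; }
  aws ec2 authorize-security-group-ingress --group-id "$sg" \
    --ip-permissions "IpProtocol=tcp,FromPort=2049,ToPort=2049,IpRanges=[{CidrIp=$cidr,Description=on-prem-nfs}]"
}

# Without a file system policy, EFS's default grants full access to any
# anonymous client that can reach a mount target, so the identity policy alone
# restricts nothing. This policy denies every non-TLS request and allows
# ClientMount/ClientWrite only to the on-prem role, over TLS.
efs_fs_policy() {   # $1 file system ARN, $2 role ARN
  fs_arn=$1; role_arn=$2
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedTransport",
      "Effect": "Deny",
      "Principal": {"AWS": "*"},
      "Action": "*",
      "Resource": "$fs_arn",
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    },
    {
      "Sid": "AllowOnPremRoleOverTls",
      "Effect": "Allow",
      "Principal": {"AWS": "$role_arn"},
      "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
      "Resource": "$fs_arn",
      "Condition": {"Bool": {"aws:SecureTransport": "true"}}
    }
  ]
}
EOF
}

apply_fs_policy() {   # $1 file system id, $2 file system ARN, $3 role ARN
  aws efs put-file-system-policy --file-system-id "$1" \
    --policy "$(efs_fs_policy "$2" "$3")"
}

# On the external host the mount helper wraps NFS in TLS (stunnel) and signs the
# mount with credentials from a named AWS profile holding the role's keys.
# mounttargetip= is needed because the EFS DNS name does not resolve outside the
# VPC unless DNS forwarding has been set up.
mount_with_iam() {   # $1 file system id, $2 mount target IP, $3 AWS profile name
  sudo mkdir -p /mnt/efs
  sudo mount -t efs -o tls,iam,awsprofile="$3",mounttargetip="$2" "$1":/ /mnt/efs
}

# Usage (placeholders): ./efs-lockdown.sh sg-0123456789abcdef0 10.20.0.0/16
if [ $# -eq 2 ]; then allow_nfs_from_onprem "$1" "$2"; fi
```

The Deny statement is what closes the gap: once it is in place, the plain `mount -t nfs4` from the article is rejected and only TLS mounts that present credentials for the named role succeed, so a host that merely sits inside the allowed CIDR no longer gets root-equivalent access to the file system.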

Operational recommendations:

  • Use EFS mount helper for automatic recovery: sudo yum install amazon-efs-utils
  • Implement caching for frequently accessed files
  • Consider EFS Infrequent Access tier for cost savings
  • Monitor throughput metrics and adjust performance mode if needed

Frequent challenges and solutions:

# Connection Timeouts:
1. Verify VPN tunnel status in AWS console
2. Check security group and NACL rules
3. Test basic network connectivity:
   telnet fs-12345678.efs.us-west-1.amazonaws.com 2049

# Permission Errors:
1. Ensure external server's IP is allowed in EFS security group
2. Verify IAM permissions for any AWS API calls
3. Check file system permissions on the EFS volume

AWS Elastic File System (EFS) is designed primarily for EC2 instances within the same VPC. However, many developers need to access EFS volumes from on-premises servers or other cloud providers. The solution lies in establishing secure network connectivity between the external infrastructure and the AWS VPC.

To mount EFS externally, you'll need:

  • A properly configured VPC in which the EFS file system has mount targets (mounting it from at least one EC2 instance first confirms the VPC side works)
  • VPN connection between your external server and AWS VPC
  • Network security groups allowing NFS traffic (port 2049)
  • DNS resolution configured in both environments

First, set up a Site-to-Site VPN connection:

# AWS CLI command to create VPN connection
aws ec2 create-vpn-connection \
    --type ipsec.1 \
    --customer-gateway-id cgw-0a12b345c67d89e0f \
    --vpn-gateway-id vgw-01a23bc4def56gh78 \
    --options "{\"StaticRoutesOnly\":true}"

Then configure your external server's firewall to allow IPsec traffic (UDP 500 and 4500, plus the ESP protocol).
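"Allow IPsec traffic" should not mean opening UDP 500/4500 and ESP to the whole internet. The script below, added here as an example and not part of the original article, generates an nftables input policy for the external server that admits IKE, NAT-T and ESP only from the two AWS tunnel endpoint addresses, syntax-checks it with nft's dry run and then loads it. It assumes nftables is installed on the host; the tunnel IPs come from the VPN connection's downloaded configuration, and every address here is a placeholder.

```shell
#!/usr/bin/env bash
# Added example (not from the article): nftables input rules for the external
# server so that IKE/NAT-T and ESP are accepted only from the two AWS tunnel
# endpoints rather than from any source. Requires nft; the addresses used in
# the usage line are placeholders.
set -u

# $1,$2: outside IPs of AWS tunnel 1 and tunnel 2; $3: CIDR allowed to SSH in.
ipsec_input_ruleset() {
  t1=$1; t2=$2; admin_net=$3
  cat <<EOF
table inet vpn_efs {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif lo accept
    icmp type echo-request accept
    # management access from the admin network only
    ip saddr $admin_net tcp dport 22 accept
    # IKE (500) and NAT-T (4500) from the AWS tunnel endpoints only
    ip saddr { $t1, $t2 } udp dport { 500, 4500 } accept
    # ESP from the same endpoints; NFS replies arrive decrypted and are
    # already covered by the established,related rule above
    ip saddr { $t1, $t2 } ip protocol esp accept
  }
}
EOF
}

# nft -c parses and validates without changing the live ruleset; only a
# ruleset that passes is loaded.
apply_ruleset() {
  ipsec_input_ruleset "$@" | nft -c -f - || { echo "ruleset rejected by nft" >&2; return 1; }
  ipsec_input_ruleset "$@" | nft -f -
}

# Usage (placeholders): sudo ./vpn-fw.sh 203.0.113.10 203.0.113.20 192.0.2.0/24
if [ $# -eq 3 ]; then apply_ruleset "$@"; fi
```

Note that there is no rule for TCP 2049 on the input side: the NFS session is initiated by this host towards the mount target, travels inside ESP, and its replies are matched by the established,related rule after decryption. The only things the server has to accept unsolicited are IKE and ESP from AWS.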

Once VPN connectivity is established:

# Install NFS client utilities
sudo apt-get install nfs-common  # For Debian/Ubuntu
sudo yum install nfs-utils       # For CentOS/RHEL

# Create mount point
sudo mkdir /mnt/efs

# Mount EFS (replace with your EFS DNS name)
sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport fs-12345678.efs.us-east-1.amazonaws.com:/ /mnt/efs

VPN connections may introduce latency. Consider these optimizations:

  • Use AWS Direct Connect for better throughput
  • Implement caching solutions like AWS Storage Gateway
  • Adjust NFS mount options based on your workload patterns

If mounting fails, check:

  1. VPN connection status in AWS Console
  2. Security group rules allowing NFS traffic
  3. Network ACLs in both VPC and on-premise network
  4. DNS resolution between environments
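The mount steps given twice above and the two troubleshooting checklists (connection timeouts, permission errors, "if mounting fails") amount to one procedure: confirm the target is sane, confirm it resolves, confirm TCP 2049 is reachable through the tunnel, mount with the recommended NFSv4.1 options, then verify what the kernel actually negotiated. The script below, added here as an example and not part of the original article, does exactly that and returns a distinct exit code for each failed check. It assumes a Linux host with nfs-utils or nfs-common installed; the file system name, IPs and mount point in its comments and usage line are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the article): preflight checks plus the NFSv4.1 mount
# for an EFS file system reached from outside AWS over VPN or Direct Connect.
# Assumes Linux with nfs-utils/nfs-common; names and IPs are placeholders.
set -u

# Mount options recommended in the article. _netdev marks the mount as depending
# on networking (here, the IPsec tunnel) so boot does not block on it.
EFS_MOUNT_OPTS="nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport"

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
ipv4_ok() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Accept an EFS DNS name (fs-xxxx.efs.<region>.amazonaws.com) or a mount-target IP.
efs_target_ok() {
  case "$1" in
    fs-[0-9a-f]*.efs.*.amazonaws.com) return 0 ;;
  esac
  ipv4_ok "$1"
}

# Is TCP/2049 on the target reachable through the tunnel? Uses nc if installed,
# otherwise bash's /dev/tcp, with a 5 s timeout either way.
nfs_port_open() {
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 5 "$1" 2049
  else
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/2049"
  fi 2>/dev/null
}

# The /etc/fstab line that makes the mount persistent across reboots.
efs_fstab_entry() {   # $1 target, $2 mount point
  printf '%s:/ %s nfs4 %s,_netdev 0 0\n' "$1" "$2" "$EFS_MOUNT_OPTS"
}

# Given the /proc/mounts line for the mount point, confirm the kernel negotiated
# NFSv4.1 and kept hard and noresvport; a silent fallback to 4.0 or soft shows here.
mount_line_ok() {
  set -- $1
  [ "${3:-}" = nfs4 ] || return 1
  opts=",${4:-},"
  case "$opts" in *,vers=4.1,*) ;; *) return 1 ;; esac
  case "$opts" in *,hard,*) ;; *) return 1 ;; esac
  case "$opts" in *,noresvport,*) ;; *) return 1 ;; esac
  return 0
}

# Preflight, mount and verify; the return code says which check failed.
mount_efs() {   # $1 EFS DNS name or mount target IP, $2 mount point (default /mnt/efs)
  target=$1; mnt=${2:-/mnt/efs}
  efs_target_ok "$target" || { echo "not an EFS DNS name or IPv4 address: $target" >&2; return 2; }
  # The EFS DNS name only resolves outside the VPC when DNS forwarding is in
  # place; if it does not, mount by the mount target's IP address instead.
  if ! ipv4_ok "$target" && ! getent hosts "$target" >/dev/null; then
    echo "cannot resolve $target from this host; use the mount target IP" >&2; return 3
  fi
  nfs_port_open "$target" || { echo "TCP/2049 to $target blocked: check VPN tunnel, security group and NACLs" >&2; return 4; }
  sudo mkdir -p "$mnt"
  sudo mount -t nfs4 -o "$EFS_MOUNT_OPTS" "$target:/" "$mnt" || return 5
  line=$(grep " $mnt nfs4 " /proc/mounts) || return 5
  mount_line_ok "$line" || { echo "mounted with unexpected options: $line" >&2; return 6; }
  echo "mounted $target on $mnt; add to /etc/fstab:"
  efs_fstab_entry "$target" "$mnt"
}

# Usage (placeholder name): ./efs-mount.sh fs-12345678.efs.us-east-1.amazonaws.com /mnt/efs
if [ $# -gt 0 ]; then mount_efs "$@"; fi
```

Exit code 3 corresponds to the DNS item in the checklists, 4 to the VPN tunnel, security group and NACL items, and 6 catches the case where the mount succeeds but not with the options the article calls for, which is otherwise only noticed when the first tunnel flap turns into I/O errors on a soft mount.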