This section of the AWS Certified Solutions Architect - Professional learning path introduces you to the core storage concepts and services relevant to the SAP-C02 exam. We start with an introduction to AWS storage services, understand the options available, and learn how to select and apply AWS storage services to meet specific requirements.
- Obtain an in-depth understanding of Amazon S3 - Simple Storage Service
- Learn how to improve your security posture in S3
- Get both a theoretical and practical understanding of EFS
- Learn how to create an EFS file system, manage EFS security, and import data in EFS
- Learn about EC2 storage and Elastic Block Store
- Learn about the different performance factors associated with AWS storage services
Hello and welcome to this lecture, which will be a demonstration on how to create and mount your EFS file system from within the AWS Management Console. But before I show you the demonstration, I just want to discuss the mounting process first, just to make it a little bit easier to follow as we go through the demonstration.
EFS offers two methods to connect your Linux-based EC2 instance to your EFS file system. Both use a process called mounting, whereby you mount the EFS file system on your instance via a mount target. The original method available with EFS used the standard Linux NFS client to perform the mount. Since then, a newer method has been developed, and this newer method is now the preferred option: it uses the EFS mount helper.
For the remainder of this lecture, I shall be focusing on mounting your EFS file system via the EFS mount helper. For more information on how to mount your file system using the Linux NFS client, please see the following link: https://docs.aws.amazon.com/efs/latest/ug/mounting-fs-old.html
The EFS mount helper is a utility that has to be installed on your EC2 instance. This utility has been designed to simplify the entire mount process by using predefined, recommended mounting options that are commonly used with the NFS client. It also provides built-in logging capabilities to help with any troubleshooting that might be required, and those logs are stored in the following location:
In addition to mounting an EFS file system on running instances, you can also use the EFS mount helper to automatically mount EFS during the boot process by editing the /etc/fstab configuration file. Before using the EFS mount helper to connect to your EFS file system from your EC2 instances, there are a couple of prerequisites that need to be in place. First and foremost, you need to ensure that you have created and configured your EFS file system, in addition to your EFS mount targets. You must have an EC2 instance running with the EFS mount helper installed, and this instance will be used to connect to the EFS file system.
The instance must also be in the VPC and configured to use the Amazon DNS servers with DNS hostnames enabled. You must have a security group configured that allows NFS access from your Linux instance to the file system, and you must also be able to connect to your Linux instance. I now want to provide a quick demonstration on how to create an EFS file system from within the AWS Management Console. During the demonstration, I'll cover configuration points related to the following: EC2 security groups, mount targets, lifecycle management, throughput mode, performance mode, and encryption. And once our EFS file system's created, I'll then show you how to mount EFS using the EFS mount helper.
Let's take a look. Just before I dive into the demonstration, I just want to show the infrastructure that I've already pre-built for this. So I've created my VPC already, and within this VPC, I have a public subnet with an Internet gateway attached. And inside this public subnet, I have two instances, one here and one here. And I'll be using these in the demonstration just to show you how EFS is working.
Now, I've also created a security group that is associated with these two instances and allows me to connect to them using SSH. So it's a very simple setup: just a VPC with a public subnet, with a couple of instances running in it, and a security group associated with them allowing me SSH access. Now, over here, we have EFS itself, and during the demonstration, I'm going to create another security group for EFS.
Now, this security group is going to allow NFS access from these two instances into my EFS mount points that I'll be creating. So that would be the first part of the demonstration of creating this new security group, allowing my instances to write to EFS using the NFS protocol. Okay, let's get started.
Okay, so I'm at the AWS Management Console, and as already discussed, I have my two EC2 instances created with the security group allowing me to SSH to them. But now I need to create a security group for EFS, which needs to be associated with the mount points to allow the EC2 instances to write to the EFS file system.
So let's go ahead and create that now. If I go to EC2 and, down the left side here, click on Security Groups, I can create my security group by clicking on the Create Security Group button. Let's call this my EFS security group, and the same for the description, and just make sure I have the right VPC selected. Now, for the inbound rule, I need to click on Add Rule, and for the type, I scroll down to NFS and leave the default port range as 2049. The source needs to be the EC2 instances that will be writing to the file system. I already have a security group created that both of my EC2 instances are associated with, so I can just select that security group there. Alternatively, you could have selected the IP addresses or the IP network range that the EC2 instances are associated with.
Once you've configured that, simply click on Create. Okay, so now we have our security group created, and now we can go ahead and create our elastic file system. So if we go to Services and type in EFS, if you've not used EFS before, this will just show a splash screen. So firstly, we need to create a file system by clicking on the blue button. And as you can see, there are three different steps to creating your file system.
Firstly, we need to configure the file system access. And we can see here that it says, "An Amazon EFS file system is accessed by EC2 instances running inside one of your VPCs. Instances connect to your file system using a network interface called a mount target. Each mount target has an IP address, which we (AWS) will assign automatically or you can simply specify your own."
So firstly, I need to select the VPC that I want this to be associated with, and then down here, we can select our mount targets. Now, for this demonstration, I'm just going to be using the EC2 instances that are within my public subnet, but if you have multiple availability zones across your region, then you can create a mount target within each one, but like I say, for this demonstration, I'm just going to be using the public subnet.
Now, here under the security group, this is where you want to add the security group that I just created, which I named EFS Security Group, so here it is. As per this security group, this mount target will allow inbound NFS traffic from the source specified in the security group, which was my EC2 instances. So that allows those EC2 instances to write to the EFS file system. Click on Next.
Now, we're on to Step Two, where we can configure optional settings. You can add tags if you wish, so we have a name, and we can call this My_EFS. For lifecycle management, which I discussed in the previous lecture, we can select 14 days, 30, 60 or 90. Let's just select 30 for this demonstration. What that means is any files that are not accessed for 30 days will be moved to the Infrequent Access storage class to save on cost. And then as soon as they are accessed again, they will be moved back into the Standard storage class. Here we have our two throughput modes, Bursting or Provisioned.
If you select Provisioned, then you can enter your required throughput in there. For this demonstration, I'm just going to leave it as Bursting. Then we have our performance mode, General Purpose or Max I/O. Again, for this demonstration, we're just going to leave it at the default, General Purpose. And then finally, we can enable encryption at rest, simply by selecting this tickbox. And as you can see, EFS has selected this default KMS master key, which is the default master key that will be used by EFS. If we had our own master key that we wanted to select, it would be within that list there and we could select an alternate one, or if you want to use a KMS key from a different account, then you can simply enter the ARN/ID there. For this demonstration, let's just leave it as the default KMS master key that EFS has selected, then click on Next Step.
Now, this is the final step where we can review and create our EFS file system. As we can see, we just review the options we've selected, make sure we have the right availability zones selected, the security group, and also optional settings as well. Once you're happy, simply scroll down and click on Create File System.
And there we have it, success. So our EFS file system is now created. And we can see here the name we gave it, the file system ID, its size, and the number of mount targets, which is just one, because we just wanted it to be available within our public subnet. We can also see the different options that we selected during its creation, and down here we can see that the mount target is currently being created. We give that a refresh to see if it's been done now. Unfortunately, that's still creating. So whilst that's still creating, let me just show you something else.
Over here we have the DNS name of our file system as well. And here AWS gives you some instructions on how to mount your newly created EFS file system on your EC2 instances. So let's take a look at this, because this is what we're going to be doing: we're going to be mounting it from EC2 instances in our local VPC. So the first couple of steps just explain that you need to create your EC2 instances and set up the relevant security groups, allowing you to connect to your client using SSH, etc.
The next step relates to the EFS mount helper, which is what I discussed previously. And here we have the command to install the EFS mount helper. Okay, so let me now just flip across to my two instances, and we'll install the EFS mount helper using this command here. So if I just copy that. Now, here I have my two instances, I've just changed the colors just to make it easier to follow.
So on the yellow one, let's just change to superuser and paste in that command, which will install the EFS mount helper, and that's done, and then we'll just do the same on this one as well. So now we have the EFS mount helper installed on both of my instances. If we go back to EFS, we can check the next step. We don't have to worry about these two commands here, because they are only used if we're not using the EFS mount helper, but we are, so we can skip them.
Now, this section shows how to actually mount your file system. Firstly, we need to create a directory that will be associated with EFS. You can name this directory anything you want. In this example, they're just using "efs", so let's just use the same. So let's create that directory on both of these: on this instance, and also on the green instance. So now we have our directories created. If we go back to EFS, the final command is actually the mounting of the EFS file system itself onto that new directory. We have two commands here we can use. This one at the top uses the EFS mount helper to mount our newly created EFS file system, or if we want to add TLS encryption in transit, then we can use this option here.
For this demonstration, I'm just going to use the top one. What this will do is mount our newly created file system onto the directory that we just created. So let me go back to our two instances, paste in that command, and again on the green instance, and that's now done. So what I have now is two EC2 instances with the EFS mount helper installed, we've created an EFS directory on each, and we've mounted the file system, via its mount target, onto that EFS directory.
Now, let me just clear the screen in both of these to make it a little clearer, and we'll test this out. So on the yellow instance, let's change to the EFS directory and create a new file. I'm just going to call this stu.txt, and I'm just going to create a file saying, "This is created on the yellow instance." Then I escape, colon and quit. So now I've created that text file on the yellow instance. In theory, the green instance should be able to see that same text file, because it's associated with the same EFS mount point. So if I change to the EFS directory here and then list the files, we can see that we have the stu.txt file. And that's because the EFS directories on both EC2 instances are now associated with my EFS mount target.
Now what we can do from this green instance is we can edit that file. So if we go into the file, and as we can see, this is the file that we created on the yellow instance. Now, here I can just say, "This has been updated by the green instance." And again, if I escape out of that and quit, and if I go back over to the yellow instance, and take a look at that same file, we should see that it's been updated. And there you have it! So that shows that this file is being stored on EFS and not locally on each of your two instances. So it's a shared location, and all we've done is simply created a new directory on each of those instances, and associated the EFS file server with each of those directories. And it's as simple as that. Thank you.
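As an added example that is not part of the original lecture, here is the same setup the demonstration clicked through in the console, expressed as a CloudFormation template: the EFS security group that allows NFS (TCP 2049) only from the instances' security group, the encrypted file system with a 30-day Infrequent Access lifecycle policy, the mount target in the public subnet, and the mount-helper commands (with TLS and an /etc/fstab entry for boot-time mounting). The parameter names, the My_EFS tag and the assumption that the instances run Amazon Linux (so the mount helper is installed with yum) are mine, not the course's.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: EFS file system, mount target and NFS security group (added example)
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id          # VPC must have DNS hostnames enabled for the mount helper
  SubnetId:
    Type: AWS::EC2::Subnet::Id       # the public subnet holding the two instances
  InstanceSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id  # the SSH security group already attached to the instances
Resources:
  EfsSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: EFS security group
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        # NFS only from the instances' security group; a CIDR source would also work
        # but a security-group reference keeps access tied to the instances themselves
        - IpProtocol: tcp
          FromPort: 2049
          ToPort: 2049
          SourceSecurityGroupId: !Ref InstanceSecurityGroupId
  FileSystem:
    Type: AWS::EFS::FileSystem
    Properties:
      Encrypted: true                  # at rest; no KmsKeyId means the default EFS KMS key
      PerformanceMode: generalPurpose
      ThroughputMode: bursting
      LifecyclePolicies:
        - TransitionToIA: AFTER_30_DAYS               # move to Infrequent Access after 30 days
        - TransitionToPrimaryStorageClass: AFTER_1_ACCESS  # back to Standard on next access
      FileSystemTags:
        - Key: Name
          Value: My_EFS
  MountTarget:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref FileSystem
      SubnetId: !Ref SubnetId
      SecurityGroups:
        - !Ref EfsSecurityGroup      # the rule above is enforced on this network interface
Outputs:
  MountCommands:
    Description: Run on each Amazon Linux instance (assumption); tls adds encryption in transit
    Value: !Sub |
      sudo yum install -y amazon-efs-utils && sudo mkdir -p /efs
      echo "${FileSystem}:/ /efs efs _netdev,tls 0 0" | sudo tee -a /etc/fstab
      sudo mount -a && df -h /efs
```

After `mount -a`, creating a file under /efs on one instance and listing /efs on the other reproduces the stu.txt check from the demonstration.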
Danny has over 20 years of IT experience as a software developer, cloud engineer, and technical trainer. After attending a conference on cloud computing in 2009, he knew he wanted to build his career around what was still a very new, emerging technology at the time — and share this transformational knowledge with others. He has spoken to IT professional audiences at local, regional, and national user groups and conferences. He has delivered in-person classroom and virtual training, interactive webinars, and authored video training courses covering many different technologies, including Amazon Web Services. He currently has six active AWS certifications, including certifications at the Professional and Specialty level.