In this blog post, we are going to talk about another AWS Storage service – Elastic File System. This blog post is part of a series of blog posts called the AWS Storage Series. In the previous two posts, we discussed AWS S3 (Object Storage) and AWS Glacier (Archival). Amazon Elastic File System (EFS) provides simple and scalable file storage that can be used by other AWS services like EC2. Amazon EFS provides a web services infrastructure that allows you to create and configure file systems quickly. EFS is also a managed service, so you don’t have to worry about maintaining, scaling and patching the file systems that you create. It allows you to create your own file system, mount it on EC2 instances and then start doing read and write operations. Keep in mind that, as of this blog post, EFS doesn’t support Amazon EC2 Windows instances. EFS supports the NFS version 4.0 and 4.1 (NFSv4) protocols, which can be tricky, as everyone is used to using NFSv3.
Amazon EFS is designed to be highly available and durable. Each Amazon EFS file system object (i.e. directory, file, and link) is redundantly stored across multiple Availability Zones. Amazon EFS allows you to mount the same file system on multiple instances, so if you need to access the same data from multiple instances at the same time, you can do that using EFS. Users were not able to do this using Amazon Elastic Block Store. You can have instances running in multiple Availability Zones (AZs) access the same file system, but all the AZs must belong to the same region. Also keep in mind that your instances need to be in a single VPC to be able to access the newly created file system.
Another thing that you need to keep in mind is mount targets. To access the EFS file system, you need to create one or more mount targets. A mount target provides an IP address at which you can mount the file system. AWS recommends having one mount target per AZ, and if you have multiple subnets in that AZ, one mount target per subnet. All the instances in one AZ share the mount target to access the file system. Mount targets are natively highly available, so you don’t have to create two mount targets in the same AZ.
You can access the EFS file system from Amazon EC2 instances running in the same region, or from your on-prem datacenters if you are using AWS Direct Connect. The only requirement when using on-prem datacenters is that you must be able to reach the mount targets, and you must add a security group rule that allows incoming traffic to NFS port 2049 from your on-prem servers.
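The security group on a mount target is the only network control in front of the file system, so it is worth checking that it allows nothing but TCP 2049 from the VPC and the on-prem ranges you expect. The following is an added example, not code from the original post or from AWS: the rule dictionaries are constructed samples whose shape is assumed to mirror the `IpPermissions` entries returned by `aws ec2 describe-security-groups`, and the CIDR ranges are made up.

```python
import ipaddress

NFS_PORT = 2049

# Constructed sample inbound rules for a mount target's security group
# (assumption: same shape as IpPermissions from describe-security-groups).
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},
]


def check_mount_target_rules(rules, allowed_cidrs):
    """Return a list of findings for the inbound rules of a mount target SG.

    allowed_cidrs: the VPC CIDR plus any on-prem ranges reached over
    Direct Connect. A rule whose source is another security group
    (UserIdGroupPairs) is accepted as long as it targets tcp/2049,
    since such sources are never the public Internet.
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for rule in rules:
        proto = rule["IpProtocol"]
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        # "-1" means all protocols/ports and carries no FromPort/ToPort.
        if proto != "tcp" or lo != NFS_PORT or hi != NFS_PORT:
            findings.append(f"non-NFS rule: {proto} {lo}-{hi} "
                            f"(a mount target needs only tcp/{NFS_PORT})")
            continue
        for entry in rule.get("IpRanges", []):
            net = ipaddress.ip_network(entry["CidrIp"])
            if not any(a.version == net.version and net.subnet_of(a)
                       for a in allowed):
                findings.append(f"tcp/{NFS_PORT} open to {net}, "
                                f"which is outside the allowed ranges")
    return findings


if __name__ == "__main__":
    for finding in check_mount_target_rules(SAMPLE_RULES,
                                            ["10.0.0.0/16", "192.168.0.0/16"]):
        print(finding)
```

Running it against the sample flags the world-open 2049 rule and the stray SSH rule, while the VPC-scoped rule passes.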
The following images show how you can access the EFS file system from EC2 instances and On-prem servers respectively:
Authentication and Access Control: AWS locks down access to EFS file systems, so to access one you need to have valid credentials. In addition to the credentials being valid, they also need to carry the correct set of permissions. You can use the AWS root account credentials, or you can create a new IAM user for every user who wants to access the file system. You can also use IAM federation to allow users to access the file system using their existing Facebook or Gmail accounts. If you don’t want to use user credentials to access the file system from EC2 instances, you can instead create IAM roles and assign those roles to the EC2 instances. This way you don’t have to store user credentials on the EC2 instance. Having valid credentials is only half the battle; next you also need to make sure that those users have the appropriate permissions to access the file system. You can use IAM policies to grant specific users or roles access to specific operations on the file system. Use the following link for specific examples and templates that you can use in your IAM policies:
Encryption: With AWS EFS, you can create either an encrypted or an unencrypted file system. But keep in mind that you have to decide this at the time of file system creation. An unencrypted file system cannot be converted into an encrypted file system at a later stage; in that case you will have to create a new file system and then copy the data over to it. In an encrypted file system, all data and metadata are encrypted before being written to the file system and decrypted before being read by your application. These encryption and decryption operations are handled by EFS, so you don’t have to modify your applications in order to take advantage of this feature. Note: AWS EFS uses the AES-256 algorithm to encrypt your data and metadata.
Pricing: With AWS EFS, you only pay for what you use. There is no commitment like there is with Amazon EBS, and there isn’t any setup fee either. You pay per GB of data that you store in EFS per month. The following is a table of the cost per GB per month for each region:
All done!! Now you have enough knowledge to start having discussions about using AWS EFS for your instances.