efs
Amazon Elastic File System (EFS) is a scalable, cloud-native NFS file system for use with AWS Cloud services and on‑premises resources. This document provides a hands-on EFS training structure and a detailed Ubuntu 22.04 LTS demo guide suitable for workshops.
EFS Practical Session — Structure
Introduction to Amazon EFS
Explain what EFS is, its features, and core use cases.
Compare EFS with other AWS storage solutions (EBS, S3).
Setting Up EFS: Demo overview
Prerequisites:
An AWS account with appropriate permissions
At least two Amazon EC2 instances in the same VPC
High-level demo steps:
Create a file system
Configure mount targets (one per AZ)
Install NFS utilities on EC2 instances
Mount the EFS file system
Test file sharing
(Optional) Basic performance testing
Best Practices and Security
Manage permissions with AWS IAM and POSIX.
Backup strategies (AWS Backup).
Network security (restrict access, encryption options).
Tips for running the session:
Prepare resources (EC2 instances, IAM roles) in advance.
Use diagrams to illustrate architecture and data flow.
Let participants follow along and perform steps themselves.
Pause for questions frequently and highlight troubleshooting tips.
Provide a quick reference sheet for key CLI commands and console actions.
Scenario-based discussion table (use these to drive discussion):
Scenario: Multiple web servers must serve the same static content
Question: How would you set up EFS so files are accessible and writable by all servers?
Scenario: A user reports high latency from one EC2 instance accessing EFS
Question: What troubleshooting steps would you follow?
Scenario: You need to restrict access to EFS only to certain applications/servers
Question: Which security mechanisms (AWS and OS level) would you use to enforce this?
Scenario: Unexpectedly high storage costs are observed with EFS
Question: What tools/features help monitor and control EFS storage costs?
Scenario: A requirement mandates all file transfers be encrypted in transit
Question: Does EFS support encryption in transit, and how would you enable and verify it?
Scenario: A file system needs backup and recovery support
Question: How can you integrate EFS with AWS native backup and disaster recovery solutions?
Amazon EFS Hands-On Demo Guide (Ubuntu)
This guide walks through a production-grade hands-on demo on Ubuntu 22.04 LTS EC2 instances. It covers networking and security, mounting (including TLS), automount, benchmarking, monitoring, troubleshooting, and cleanup.
Time estimate: 40–60 minutes for the full workflow (including benchmark and cleanup).
Overview / Goals
Build a secure, multi‑AZ architecture where two Ubuntu servers share the same filesystem.
Install and compare the EFS mount helper (amazon-efs-utils) and the native NFS client (nfs-common).
Enable encryption in transit (TLS).
Persist mounts across reboots via /etc/fstab.
Run fio benchmarks.
Collect CloudWatch metrics and set alerts.
Troubleshoot common errors (e.g., mount.nfs4: Connection timed out).
Architecture (logical)
VPC (10.0.0.0/16) with two subnets in different AZs.
EFS file system with one mount target per AZ.
Security groups:
sg-ec2 for EC2 instances (outbound TCP 2049 allowed).
sg-efs for mount targets (inbound TCP 2049 from sg-ec2).
IAM role:
EC2EFSRole with AmazonElasticFileSystemsUtils for mount helper logs and optional CloudWatch publishing.
Step 2 — Create the EFS File System
Open EFS Console ➜ Create file system.
Choose Quick create or Customize:
Performance mode: General Purpose.
Throughput mode: Elastic (default).
Encryption at rest: enabled by default.
Lifecycle management: default.
Click Create. Status shows Creating then Available within ~60 seconds.
Note: Mount targets are auto-provisioned for selected subnets.
Step 4 — Launch Two Ubuntu 22.04 EC2 Instances
EC2 Console ➜ Launch instance.
AMI: Ubuntu Server 22.04 LTS.
Instance type: t3.micro (demo scale).
Network/subnet:
EC2-A → Subnet-A (AZ 1).
EC2-B → Subnet-B (AZ 2).
IAM role: EC2EFSRole.
Security group: attach sg-ec2.
Storage: default 8 GiB gp3.
Launch and note public IPs for SSH.
Step 11 — Monitor with CloudWatch
EFS emits CloudWatch metrics; add to a dashboard.
Important metrics:
BurstCreditBalance — remaining credits (Bursting mode).
PercentIOLimit — I/O utilization (General Purpose).
DataReadIOBytes, DataWriteIOBytes — throughput aggregates.
Typical alert thresholds:
BurstCreditBalance < 20%
PercentIOLimit > 80% for 15 minutes
Consider installing the CloudWatch agent on EC2 to capture per‑instance metrics.
Troubleshooting Checklist
Symptom: mount.nfs4: Connection timed out
Likely cause: Missing NFS 2049 in either security group
Fix: Reverify rules: inbound on sg-efs, outbound on sg-ec2
Symptom: aws: error: EFS mount helper missing
Likely cause: amazon-efs-utils not installed
Fix: sudo apt-get install -y amazon-efs-utils
Symptom: Access denied by server
Likely cause: POSIX UID/GID mismatch when using Access Points
Fix: Align UID/GID or use EFS Access Point with appropriate config
Symptom: Slow writes, high latency
Likely cause: Exceeded PercentIOLimit (General Purpose)
Fix: Switch to Elastic/Provisioned throughput or Max I/O
Symptom: Reboot loses mount
Likely cause: fstab entry missing _netdev or wrong FS type
Fix: Use efs type with _netdev,tls
Scenario-Based Quiz
New compliance rule mandates TLS for all data in transit — Which single mount option enforces this and how do you verify it?
Answer:
Mount option: -o tls (with the EFS mount helper, or in /etc/fstab as efs ... _netdev,tls).
Verify: check that the mount is using the EFS mount helper (mount output) and inspect logs at /var/log/amazon/efs/mount.log; network traffic is proxied through local stunnel (ports 20049–21049).
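The two checks the workshop asks for (the "Reboot loses mount" row of the troubleshooting checklist and the TLS verification in the answer above) can be scripted. The following is an added example written for this guide, not code from the workshop or from amazon-efs-utils. It assumes the efs-utils behaviour the answer describes: a TLS mount points the NFS client at a local stunnel listener on 127.0.0.1 with a port in the 20049–21049 range, which is what /proc/mounts then shows. The file system ID, region and mount point are placeholders, and the fstab and mount lines are constructed samples.

```shell
#!/usr/bin/env bash
# Added example (not part of the workshop page). Placeholders: fs-0123456789abcdef0,
# us-east-1, /mnt/efs. Sample lines below are constructed, not captured from a host.

# Build the /etc/fstab line the guide recommends: efs type, _netdev and tls.
efs_fstab_line() {
    local fs_id="$1" mnt="$2"
    printf '%s:/ %s efs _netdev,tls 0 0\n' "$fs_id" "$mnt"
}

# Return 0 if an fstab line will come back after a reboot with TLS:
# third field must be "efs", options must contain _netdev and tls.
# Prints the first problem found and returns 1 otherwise.
check_fstab_line() {
    local line="$1" fstype opts
    fstype=$(printf '%s\n' "$line" | awk '{print $3}')
    opts=$(printf '%s\n' "$line" | awk '{print $4}')
    if [ "$fstype" != "efs" ]; then
        echo "wrong fs type: $fstype (expected efs)"; return 1
    fi
    case ",$opts," in *,_netdev,*) ;; *) echo "missing _netdev"; return 1 ;; esac
    case ",$opts," in *,tls,*) ;; *) echo "missing tls"; return 1 ;; esac
    return 0
}

# Return 0 if a /proc/mounts line is an EFS TLS mount: the mount helper rewrites
# the source to 127.0.0.1 and sets port= to the local stunnel listener (20049-21049).
# A mount whose source is the EFS DNS name on port 2049 is plain NFS, not TLS.
check_tls_mount() {
    local line="$1" src opts port
    src=$(printf '%s\n' "$line" | awk '{print $1}')
    opts=$(printf '%s\n' "$line" | awk '{print $4}')
    case "$src" in
        127.0.0.1:*) ;;
        *) echo "mount source $src is not the local stunnel proxy"; return 1 ;;
    esac
    port=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^port=//p')
    if [ -z "$port" ] || [ "$port" -lt 20049 ] || [ "$port" -gt 21049 ]; then
        echo "port '$port' is outside the stunnel range 20049-21049"; return 1
    fi
    return 0
}

# Walk every nfs4 mount on a live host and report which ones go through stunnel.
check_live_tls_mounts() {
    local rc=0 line
    while IFS= read -r line; do
        case "$line" in *" nfs4 "*) ;; *) continue ;; esac
        if check_tls_mount "$line" >/dev/null; then
            echo "TLS OK : $line"
        else
            echo "NOT TLS: $line"; rc=1
        fi
    done < /proc/mounts
    return $rc
}

# Constructed sample input (labelled as such; not real host output).
SAMPLE_FSTAB_OK="fs-0123456789abcdef0:/ /mnt/efs efs _netdev,tls 0 0"
SAMPLE_FSTAB_BAD="fs-0123456789abcdef0.efs.us-east-1.amazonaws.com:/ /mnt/efs nfs4 nfsvers=4.1,rsize=1048576 0 0"
SAMPLE_MOUNT_TLS="127.0.0.1:/ /mnt/efs nfs4 rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,port=20049,addr=127.0.0.1 0 0"
SAMPLE_MOUNT_PLAIN="fs-0123456789abcdef0.efs.us-east-1.amazonaws.com:/ /mnt/efs nfs4 rw,relatime,vers=4.1,port=2049,addr=10.0.1.23 0 0"

# Usage: run with --live on an EC2 instance to audit its current mounts.
if [ "${1:-}" = "--live" ]; then
    check_live_tls_mounts
fi
```

Run it with `--live` on each workshop instance after mounting; a mount that still shows the fs-id DNS name on port 2049 was made with nfs-common rather than the mount helper and is not encrypted in transit, which is exactly the case the compliance scenario is meant to catch.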
Your workload spikes to 250 MiB/s for 10 minutes every hour — Which throughput mode minimizes cost without throttling?
Answer:
Consider Provisioned throughput if sustained throughput is required and predictable.
If bursts are short and your stored data size accrues enough baseline throughput, Elastic or Bursting may suffice. Choose based on cost vs predictable sustained throughput needs.
Server team reports intermittent `stale file handle` errors — List investigation steps specific to EFS NFSv4.1 semantics.
Answer:
Check network stability between the client and mount target.
Verify mount options and NFS version; remount with correct options.
Examine server-side lifecycle events (file system or mount target changes).
Check for client-side caching, stale mounts, or re-created inodes (e.g., deleted and re-created files).
You must restrict write access to a single application user while letting others read — Which combination of POSIX permissions, EFS Access Point, and IAM would you choose and why?
Answer:
Use an EFS Access Point configured with the required POSIX UID/GID and root directory permissions, ensuring the application connects via that access point.
POSIX permissions on files/directories restrict write access.
IAM can control who can create/delete access points or manage EFS resources, but POSIX+Access Point enforce runtime access.
After moving to Max I/O mode, latency doubled — Explain why and propose remediation.
Answer:
Max I/O optimizes throughput and metadata scaling but can increase latency due to higher parallelism and distributed metadata.
Remediation: revert to General Purpose for latency-sensitive workloads, or tune the application for higher concurrency and avoid small synchronous writes.
Appendix — Latency & Storage Class Table
Storage class            Read latency    Write latency   Typical workloads
EFS Standard             250 µs          2.7 ms          CMS, CI/CD, home directories
EFS Infrequent Access    ~10–50 ms       ~10–50 ms       Archive, disaster recovery
EFS Archive              ~tens of ms     ~tens of ms     Regulatory cold storage
