https://github.com/rbilleci/aws-endpoint-service-efs
This AWS CloudFormation template shows how to make EFS accessible to another account using VPC Endpoint Services.
- Host: GitHub
- URL: https://github.com/rbilleci/aws-endpoint-service-efs
- Owner: rbilleci
- Created: 2021-10-19T10:06:01.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2021-10-25T06:26:00.000Z (over 4 years ago)
- Last Synced: 2024-09-06T15:27:08.952Z (almost 2 years ago)
- Topics: aws, cloudformation, efs, privatelink, vpc-endpoint, vpc-endpoints
- Homepage:
- Size: 46.9 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# AWS VPC Endpoint Service for EFS
`NOTICE: This project is an example and not intended for production deployments.`
This AWS CloudFormation template shows how to make an EFS file system owned by one account accessible to another account through a VPC Endpoint Service (AWS PrivateLink): an internal Network Load Balancer in the owning account fronts the EFS mount targets and is published as the endpoint service.

### Instructions
1. Deploy the template in the AWS account that owns the EFS file system (the service provider). You will need to provide the following
as inputs:
- Account number of the AWS account that will use the file system (the consumer). It is used to allow that account to request a connection to the endpoint service.
- VPC ID where the file system, its mount targets and the NLB will be deployed.
- VPC subnets for the EFS mount targets.
- VPC CIDR range, used to restrict access to the mount targets. The NLB nodes, not the remote clients, are the source of every NFS connection that reaches the mount targets, so the mount target security group only needs to admit the provider VPC's own CIDR.
2. When the stack has been created, the AWS CloudFormation Outputs show the `service name` of the VPC Endpoint Service.
Provide this service name to the consumer account.
3. In the consumer account, create a new interface VPC Endpoint for that `service name` in the VPC where the NFS clients run.
Attach a Security Group to the endpoint that allows ingress on TCP port 2049 from the NFS clients (from the clients' own security group rather than a broad CIDR, where possible).
The endpoint stays in the `pendingAcceptance` state until the provider accepts it.
4. In the service account, accept the connection request. It may take a few minutes for the consumer to see
the acceptance.
5. In the consumer account, the VPC Endpoint connection is now `available`.
The VPC Endpoint has a DNS name that clients use as the NFS server when mounting the file system.
Mount into an existing directory (`efs` below) with a command like:
`sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport VPC_ENDPOINT_DNS_NAME:/ efs`
Make sure to replace `VPC_ENDPOINT_DNS_NAME` with the endpoint's DNS name.
Note that this is a plain NFSv4.1 mount without the `amazon-efs-utils` helper: the traffic is not encrypted in transit and the client presents no IAM identity, so access is governed by the endpoint service's allowed principals and acceptance, the two security groups, and any EFS file system policy. A file system policy that denies requests with `aws:SecureTransport` false would reject this mount.
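The provider-side resources that enforce steps 1 to 4, written out as an added illustrative template. This is my own example, not the repository's template, and it assumes two subnets, a single consumer account, source-IP stickiness on the target group and at-rest encryption on the file system; all parameter and logical resource names are mine.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Illustrative provider-side stack (not the repository's own): one EFS file
  system behind an internal NLB, published as a VPC Endpoint Service that a
  single consumer account may connect to after explicit acceptance.

Parameters:
  ConsumerAccountId:
    Type: String
    AllowedPattern: "^[0-9]{12}$"
    Description: The only AWS account allowed to request a connection
  VpcId:
    Type: AWS::EC2::VPC::Id
  VpcCidr:
    Type: String
    Description: CIDR of VpcId; the NLB nodes are the only NFS clients the mount targets see
  SubnetA:
    Type: AWS::EC2::Subnet::Id
  SubnetB:
    Type: AWS::EC2::Subnet::Id

Resources:
  FileSystem:
    Type: AWS::EFS::FileSystem
    Properties:
      Encrypted: true   # at rest only; NFS through the NLB is plaintext, so a
                        # FileSystemPolicy denying aws:SecureTransport=false
                        # would reject the consumer's plain nfs4 mount

  MountTargetSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: NFS from the NLB nodes only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 2049
          ToPort: 2049
          CidrIp: !Ref VpcCidr   # consumer clients never reach the mount targets directly

  MountTargetA:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref FileSystem
      SubnetId: !Ref SubnetA
      SecurityGroups: [!Ref MountTargetSecurityGroup]
  MountTargetB:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref FileSystem
      SubnetId: !Ref SubnetB
      SecurityGroups: [!Ref MountTargetSecurityGroup]

  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network
      Scheme: internal   # never internet-facing; PrivateLink is the only way in
      Subnets: [!Ref SubnetA, !Ref SubnetB]

  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: TCP
      Port: 2049
      TargetType: ip   # targets are the mount target IPs, one per AZ
      Targets:
        - Id: !GetAtt MountTargetA.IpAddress
          Port: 2049
        - Id: !GetAtt MountTargetB.IpAddress
          Port: 2049
      TargetGroupAttributes:
        - Key: stickiness.enabled   # keep one NFS client on one mount target
          Value: "true"
        - Key: stickiness.type
          Value: source_ip

  Listener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancer
      Protocol: TCP
      Port: 2049
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroup

  EndpointService:
    Type: AWS::EC2::VPCEndpointService
    Properties:
      AcceptanceRequired: true   # step 4: the provider approves every endpoint
      NetworkLoadBalancerArns: [!Ref LoadBalancer]

  EndpointServicePermissions:
    Type: AWS::EC2::VPCEndpointServicePermissions
    Properties:
      ServiceId: !Ref EndpointService
      AllowedPrincipals:   # with no entry here, no account can even see the service
        - !Sub "arn:aws:iam::${ConsumerAccountId}:root"

Outputs:
  ServiceName:
    Description: Hand this to the consumer account (step 2)
    Value: !Sub "com.amazonaws.vpce.${AWS::Region}.${EndpointService}"
```

The consumer side is one API call against the `ServiceName` output: `aws ec2 create-vpc-endpoint --vpc-endpoint-type Interface --service-name <ServiceName> --vpc-id <consumer VPC> --subnet-ids <client subnets> --security-group-ids <SG allowing TCP 2049 from the clients>`. The provider then lists the pending request with `aws ec2 describe-vpc-endpoint-connections --filters Name=service-id,Values=<service id>` and approves it with `aws ec2 accept-vpc-endpoint-connections --service-id <service id> --vpc-endpoint-ids <endpoint id>`. Two separate gates, the `AllowedPrincipals` list and `AcceptanceRequired`, are what stop any other account from mounting the file system; the NFS layer itself cannot tell consumers apart, because every connection arrives from an NLB node IP.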
### Optimizations
- **Availability** - this example deploys the EFS mount targets and the NLB to two Availability Zones.
For production, you may want to deploy to three or more Availability Zones.
- **EFS Performance** - the file system uses the default settings. You may need to adjust the throughput mode and performance mode
for your use case.
- **Network Load Balancer / Cross Zone Load Balancing** - review this setting and adapt it: with cross-zone load balancing disabled (the NLB default), each load balancer node only forwards to the mount target in its own Availability Zone.
- **Network Load Balancer / Sticky Sessions** - you may want or need to enable stickiness based on source IP address, so that a given NFS client keeps being forwarded to the same mount target instead of being spread across mount targets.