2

I am trying to create a Fargate container with a mounted EFS volume via an access point, all being created through CloudFormation. I see the EFS created in the portal; however, the ECS task is failing with:

Failed to resolve "fs-XXX.efs.eu-west-2.amazonaws.com" - check that your file system ID is correct

Before adding the access point the mounting worked. I need the access point since the container is using a non-root user.

The VPC has DNS and hostname lookup enabled.

Here is the CloudFormation template: https://pastebin.com/CgtvV17B

itaysk

2 Answers

3

The problem was a missing EFS Mount Target: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-mounttarget.html

itaysk
  • 1
    One thing can be useful. When we have more than one subnet (e.g. for multi zones), it's required to add "mount target" for each subnet. – Jacek Labuda Jan 22 '22 at 15:20
2

I think the Fargate tasks can't reach the EFS system. Check that the EFS subnets are reachable from Fargate (deployed in the same subnets at least), that the route tables are well configured, and that the security groups of the ECS and EFS are well configured (check if your EFS authorizes TCP 2049).

Also check the version of Fargate; I think it's working with EFS just for versions > 1.4.

Try to deploy an EC2 instance with the same configuration (same VPC and subnet properties) and check if it can reach the EFS.

Hatim
  • "check that the EFS is in the same VPC" - is EFS in VPC? I don't see any VPC related config in https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-filesystem.html – itaysk Dec 23 '21 at 17:52
  • "route tables are well configured" - there is only the default route table that includes: `10.0.0.0/16 > local` and `0.0.0.0/0 > internet gateway`. I don't think this is a problem, right? – itaysk Dec 23 '21 at 17:56
  • "check if your EFS authorize the TCP 2049" - the EFS has just the default created security groups, which allows: `NFS/TCP/2049` – itaysk Dec 23 '21 at 18:02
  • "Try to deploy an instance EC2 with the same configuration" - I did create an instance and mounted it to the EFS and it worked. BUT there was no way to specify an EFS access point, which is probably the culprit in my case – itaysk Dec 23 '21 at 18:09
  • @itaysk EFS mount targets are in the VPC: https://docs.aws.amazon.com/efs/latest/ug/accessing-fs.html – Mark B Dec 23 '21 at 18:45
  • @itaysk, I edited my answer to be more clear. When you create an EFS, you choose the subnets related to your multi-AZ configuration. Then you may check that the Fargate subnets can reach the EFS or are deployed in the same subnet. And I think the version must be > 1.4 – Hatim Dec 24 '21 at 08:57
  • In my case the ingress rule for the NFS(2049) port was missing – Niko Jun 08 '23 at 10:55
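
The points raised in this thread (a mount target for each subnet the tasks use, an NFS ingress rule on TCP 2049, and an access point for the non-root user), put together as an added example. It is not the asker's template; the parameter names, logical IDs, the UID/GID 1000 and the `/data` path are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:  # assumed inputs; all names in this template are illustrative
  VpcId: {Type: "AWS::EC2::VPC::Id"}
  SubnetA: {Type: "AWS::EC2::Subnet::Id"}
  SubnetB: {Type: "AWS::EC2::Subnet::Id"}  # assumed to be in a different AZ than SubnetA
  TaskSecurityGroup: {Type: "AWS::EC2::SecurityGroup::Id"}  # SG attached to the Fargate tasks
Resources:
  FileSystem:
    Type: AWS::EFS::FileSystem
    Properties: {Encrypted: true}
  # Allow NFS only from the tasks' security group, not from a CIDR range.
  EfsSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: NFS from the Fargate tasks only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 2049
          ToPort: 2049
          SourceSecurityGroupId: !Ref TaskSecurityGroup
  # The file system resource alone has no network presence in the VPC.
  # Each subnet (AZ) the tasks run in needs its own mount target.
  MountTargetA:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref FileSystem
      SubnetId: !Ref SubnetA
      SecurityGroups: [!Ref EfsSecurityGroup]
  MountTargetB:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref FileSystem
      SubnetId: !Ref SubnetB
      SecurityGroups: [!Ref EfsSecurityGroup]
  # Access point that maps every client to a fixed non-root identity
  # and confines it to one directory, created with restrictive permissions.
  AccessPoint:
    Type: AWS::EFS::AccessPoint
    Properties:
      FileSystemId: !Ref FileSystem
      PosixUser: {Uid: "1000", Gid: "1000"}  # constructed non-root IDs
      RootDirectory:
        Path: /data
        CreationInfo: {OwnerUid: "1000", OwnerGid: "1000", Permissions: "0750"}
```

The task definition is not shown; it would reference `FileSystem` and `AccessPoint` in its `EFSVolumeConfiguration`. Because nothing in a task definition or service references the mount targets, an ECS service in the same stack should name them in `DependsOn` so tasks do not start before the mount targets exist.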