
My issue is basically what is said in this question, except it's about EFS, rather than EC2, and I can't solve my problem with Route 53, as it's suggested.


I have an EFS instance and I try to mount it locally on my Windows machine (over WSL running Ubuntu 22.04.1 LTS) like so:

sudo mount -t efs -o tls,accesspoint=fsap-08fa969084c23b344 fs-003f3467bf1e15b13:/ efs

This results in the following:

Failed to resolve "fs-003f3467bf1e15b13.efs.us-east-1.amazonaws.com" - check that your file system ID is correct, and ensure that the VPC has an EFS mount target for this file system ID.
See https://docs.aws.amazon.com/console/efs/mount-dns-name for more detail.
Attempting to lookup mount target ip address using botocore. Failed to import necessary dependency botocore, please install botocore first.

It seems that the issue arises from the fact that I'm not trying to access EFS from an EC2 instance in my VPC, but from the public internet, where the DNS fs-003f3467bf1e15b13.efs.us-east-1.amazonaws.com and the private IP 172.31.43.109 obviously can't be resolved.

Therefore, I want to assign a static Elastic IP to the network interface of EFS, so I can access it publicly, but I get the following error:

Failed to associate address with eni-0fa8cf69d68b7bb01: You do not have permission to access the specified resource.

AWS EC2 admin console showing the error

I don't think that I "do not have permission" because I'm the owner of the account and I have the AdministratorAccess IAM policy.

Is there a way to make EFS publicly accessible or mount it in any other way on my own machine?

dodov

1 Answer

> Therefore, I want to assign a static Elastic IP to the network interface of EFS, so I can access it publicly, but I get the following error:

That's not a supported configuration on AWS. You can't assign a public IP to EFS. You need to look into SSH tunneling, or a VPN connection into the VPC, in order to mount an EFS volume from outside the VPC.

> My guess is that AWS doesn't allow me to make EFS publicly available because that might make their AWS Transfer Family product obsolete, since it seems to solve the same problem - using EFS outside the cloud.

That's a very cynical take on things. In actuality Amazon simply designed EFS to be a service that complemented their compute services (EC2, ECS, EKS, Fargate, and Lambda). They did not design it to be a global, public NFS mountable file system.

Mark B
  • 1. What would an SSH tunneling approach consist of? I don't have *any* access to EFS, including SSH. Do you mean using something like a jump server? 2. I understand that EFS was designed for totally different use cases, but it appears odd that I can't simply map one IP to another. That's a networking thing, not an EFS thing. It looks like a business decision, rather than a technical limitation. But since I haven't worked on EFS myself, I can't talk about what's what. Perhaps there's a lot more complexity going on than I can imagine. – dodov Dec 05 '22 at 15:43
  • 1. Yes, a jump server. 2. I imagine there are technical limitations to exposing an NFS service over a NATed Internet IP address. – Mark B Dec 05 '22 at 16:21
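The SSH-tunnel route the answer points to, as an added example that is not code from the original thread: it assumes a jump host inside the VPC that you can already reach over SSH (the `user@host` value is a placeholder), the mount target's private IP (172.31.43.109 from the question), and a security group on the mount target that allows TCP 2049 from the jump host. It mounts the file system root with the plain NFSv4.1 client through the tunnel, so the access point from the question is not involved.

```shell
#!/usr/bin/env bash
# Reach an EFS mount target from outside its VPC by forwarding NFS (TCP 2049)
# through an SSH jump host inside the VPC. Added example; placeholders:
# BASTION (user@host of the jump host), MOUNT_TARGET_IP (private IP of the
# EFS mount target), LOCAL_PORT and MOUNT_POINT.
set -eu

# ssh -N opens no shell; -L forwards a local port to the mount target's NFS
# port inside the encrypted SSH session, so NFS never crosses the internet
# in the clear and the mount target needs no public IP.
build_tunnel_cmd() {
  local bastion="$1" target_ip="$2" local_port="${3:-2049}"
  printf 'ssh -f -N -o ExitOnForwardFailure=yes -L %s:%s:2049 %s' \
    "$local_port" "$target_ip" "$bastion"
}

# The forwarded port is reached as localhost, so the file system is mounted
# with the stock NFSv4.1 client instead of the efs mount helper (which expects
# the fs-id DNS name and handles tls/accesspoint itself). The option set is
# the one AWS documents for EFS; 'port=' points the client at the tunnel.
build_mount_cmd() {
  local local_port="${1:-2049}" mount_point="$2"
  printf 'sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport,port=%s localhost:/ %s' \
    "$local_port" "$mount_point"
}

# Opens the tunnel, then mounts. With DRY_RUN=1 it only prints both commands.
efs_tunnel_mount() {
  local bastion="$1" target_ip="$2" mount_point="$3" local_port="${4:-2049}"
  local tunnel mount
  tunnel=$(build_tunnel_cmd "$bastion" "$target_ip" "$local_port")
  mount=$(build_mount_cmd "$local_port" "$mount_point")
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n%s\n' "$tunnel" "$mount"
    return 0
  fi
  mkdir -p "$mount_point"
  eval "$tunnel"
  eval "$mount"
}

# Example invocation (placeholders): set DRY_RUN=1 first to inspect the
# commands, then run without it to open the tunnel and mount.
# efs_tunnel_mount "ec2-user@bastion.example" "172.31.43.109" /mnt/efs
```

Unmount with `sudo umount /mnt/efs` and stop the background ssh process when done; the tunnel carries only this one TCP port, so nothing else in the VPC becomes reachable through it.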