
I would like to create an EFS in AWS, and the documentation says that I can attach it only to instances which have the same security group as my VPC.

How do I find out the security group of my VPC?

Suppose it is the default one and my instances have different security groups, created at different times by different wizards. How can it be that an instance belongs to a VPC but has a different security group than that VPC?

Dims
  • Where exactly in docs is it said that "you can attach it only to instances, which have the same security group as your VPC"? – Dusan Bajic Aug 04 '17 at 14:01

1 Answer


Amazon Elastic File System (EFS) is a regional service. If you create an EFS in a particular region (e.g. us-east-1), then you can create multiple EC2 instances in different availability zones in the same us-east-1 region to access the EFS to read and write data.

All the EC2 instances in a particular region (e.g. us-east-1) must belong to a VPC and a subnet (unless you use EC2-Classic). A VPC maps to a region and a subnet maps to an availability zone. You can set up mount targets in the availability zones of your VPC, so that EC2 instances can connect to EFS via a mount target and share the same file system.

Have a look at the following image from AWS Documentation.


Now, how can we make sure that our EFS can only be accessed by a certain set of EC2 instances and not by all the instances from all the subnets?

This is where security groups come in handy. We can assign security groups to the EFS mount points such that only EC2 instances to which the given security group is attached can access EFS via the mount target. Any other EC2 instances that are in a different security group cannot access the EFS. This is the way we restrict access to EFS.


So, when you are mounting the EFS to an EC2 instance, you have to add the same security group as the EFS to the EC2 instance.

Both an Amazon EC2 instance and a mount target have associated security groups. These security groups act as a virtual firewall that controls the traffic between them. If you don't provide a security group when creating a mount target, Amazon EFS associates the default security group of the VPC with it.

Regardless, to enable traffic between an EC2 instance and a mount target (and thus the file system), you must configure the following rules in these security groups:

  • The security groups you associate with a mount target must allow inbound access for the TCP protocol on the NFS port from all EC2 instances on which you want to mount the file system.

  • Each EC2 instance that mounts the file system must have a security group that allows outbound access to the mount target on the NFS port.

Read more about EFS security groups here.

Hope this helps.

Manoj
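As an added example (not from the answer above or from AWS), a small Python check that applies the two rules quoted from the docs to security groups in the shape returned by boto3's `describe_security_groups`. The group IDs and rules are constructed; the first case in the `__main__` block is the situation from the question: a mount target left on the VPC default security group (which only admits traffic from members of itself) while the instance sits in a different, wizard-created group.

```python
NFS_PORT = 2049  # EFS mount targets serve NFSv4 over TCP 2049

def _rule_scope(rule, port, peer_group_ids):
    """Classify one IpPermission entry (describe_security_groups shape).
    Returns "group" if it covers TCP <port> via a reference to one of
    peer_group_ids, "any" if it covers the port from 0.0.0.0/0, else None."""
    proto = rule.get("IpProtocol")
    if proto not in ("tcp", "-1"):       # "-1" means all protocols, no port fields
        return None
    if proto == "tcp" and not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
        return None
    if any(p.get("GroupId") in peer_group_ids for p in rule.get("UserIdGroupPairs", [])):
        return "group"
    if any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", [])):
        return "any"
    return None

def nfs_path_open(instance_sgs, mount_target_sgs):
    """Rule 1: the mount target's SGs must allow inbound NFS from the instance's SGs.
    Rule 2: the instance's SGs must allow outbound NFS to the mount target's SGs.
    Returns (allowed, reason)."""
    inst_ids = {g["GroupId"] for g in instance_sgs}
    mt_ids = {g["GroupId"] for g in mount_target_sgs}
    inbound = {_rule_scope(r, NFS_PORT, inst_ids)
               for g in mount_target_sgs for r in g.get("IpPermissions", [])} - {None}
    if not inbound:
        return False, "mount target SG has no inbound TCP 2049 rule from the instance's SGs"
    outbound = {_rule_scope(r, NFS_PORT, mt_ids)
                for g in instance_sgs for r in g.get("IpPermissionsEgress", [])} - {None}
    if not outbound:
        return False, "instance SG has no outbound TCP 2049 rule to the mount target's SGs"
    if "group" not in inbound:
        return True, "allowed, but mount target accepts NFS from 0.0.0.0/0: tighten to an SG reference"
    return True, "allowed via security-group reference"

# Constructed sample groups (not from the page), in describe_security_groups shape.
ANY_EGRESS = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
DEFAULT_SG = {"GroupId": "sg-default0", "IpPermissionsEgress": ANY_EGRESS,
              "IpPermissions": [{"IpProtocol": "-1",  # VPC default SG: inbound only from itself
                                 "UserIdGroupPairs": [{"GroupId": "sg-default0"}]}]}
WEB_SG = {"GroupId": "sg-web00001", "IpPermissionsEgress": ANY_EGRESS,
          "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
EFS_SG = {"GroupId": "sg-efs000001", "IpPermissionsEgress": [],  # dedicated EFS SG from the answer
          "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
                             "UserIdGroupPairs": [{"GroupId": "sg-web00001"}]}]}

if __name__ == "__main__":
    print(nfs_path_open([WEB_SG], [DEFAULT_SG]))  # asker's case: blocked
    print(nfs_path_open([WEB_SG], [EFS_SG]))      # answer's fix: allowed
```

To run it against a live account, replace the constructed dicts with the `SecurityGroups` entries returned by `describe_security_groups` for the instance's groups and for the mount target's groups (from `describe_mount_target_security_groups`).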