aws efs 挂载时连接超时

Question

I am following this tutorial to mount efs on AWS EC2 instance but when Iam executing the mount command

sudo mount -t nfs4 -o vers=4.1 $(curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone).[EFS-ID].efs.[region].amazonaws.com:/ efs

I am getting connection time out every time.

mount.nfs4: Connection timed out

What may be the problem here?

Thanks in advance!

Answer 1

I found the accepted answer here to be incorrect & insecure, and Bao's answer above is very close - except you don't need NFS Inbound on your EC2 (mount target) security group. You just need a security group assigned to your EC2 (even with no rules) so that your EFS Security group can be limited to that security group... you know, for security! Here's what I found works:

• Create a new security group for your EC2 instance. Name it EFS Target , and leave all the rules blank
• Create a new security group for your EFS Mount. Name it EFS Mount , and in this one add the inbound rule for NFS. Set the SOURCE for this rule to the EFS Target security group you created above. This limits EFS to only being able to connect to EC2 instances that have the EFS Mount security group assigned (See below). If you're not worried about that, you can select "Any" from the Source dropdown and it'll work just the same, without the added level of security
• Go to the EC2 console, and add the EFS Target group to your EC2 instance, assuming you're adding the extra security
• Go to the EFS Console, select your EFS and choose Manage File System Access
  • For each EFS Mount Target (availability zone), you need to add the EFS Mount security group and remove the VPC Default group (if you haven't already)
• The mount command in the AWS documentation should work now

I don't like how they mixed vernacular here in terms of EC2 being a mount-target, but also EFS has individual mount-targets for each availability zone. Makes their documentation very confusing, but following the steps above allowed me to mount an EFS securely on an Ubuntu server.

Answer 2

Add type with NFS and port 2049 to the Inbound of your security group that your EC2 instances and EFS running on. It works for me.

Bao

Answer 3

A different answer here, as I faced a very similar error and none of the answers fit.

I was trying to mount a NFS like below (in my case EKS was doing that on my behalf, but I tested the very same command manually in the worker node with the same result):

[root@host ~]# mount -t nfs fs-abc1234.efs.us-east-1.amazonaws.com:/persistentvolumes /mnt/test

Output was: mount.nfs: Connection timed out

When I simply tried the same command, but using / as the path:

[root@host ~]# mount -t nfs fs-abc1234.efs.us-east-1.amazonaws.com:/ /mnt/test

It worked like a charm!

I really do not understand how a possible wrong or missing path can lead to a time out kind of error, but that was the only thing that could fix the problem for me, all the network configuration remained the same.

As I was using EKS/Kubernetes, I dedcided to mount / , which works, and then use subPath to change the volume mounting point in the container configuration.

Answer 4

I had the same problem and following the Amazon AWS guides it worked for one server of mine but another one didn't want to mount the EFS volume. Analyzing the local server messages log I've found that the outgoing TCP traffic was BLOCKED even if the associated Security Group was set to allow any outgoing traffic (on any port, any external address etc.). Setting a rule on the Security Group to allow TCP connections from EC2 host to EFS service on port 2049 didn't get any effect while instead setting a specific rule on the local iptable firewall got the job and resolved the issue. I can't figure out why there was this discrepancy but it worked for me. As far as I know the local iptables fw should not be touched and it should obtain the rules directly from the SG from AWS console.

Answer 5

Same issue here. After a while I noticed it picks 3 randoms subnets for the mount-points, one per AZ.

I was unlucky one of these subnets didn't had the correct NACL. After assigning the correct subnet/SG per mount point it worked immediately fine using DNS and IP.

Answer 6

I got the Answer. This is happening when the subnet is blocking the flow. Go to subnets (which you have selected while creating the EFS) and allow the traffic to particular target systems.

1. checkthe EFS file systems subnet.
2. go to subnet
3. add a rule
4. allow all-traffic ( you can give specific to your target systems)

This worked in my case

Answer 7

Step 1 - Create a security group allowing NFS traffic inbound. Step 2 - The EC2 which will be used for mounting - note down the respective region. Step 3 - Go to EFS - select FileSystem - Network - Edit the security group corresponding to the EC2 region (Step 2) - add security group from Step1

Answer 8

For me it was simply that the an EC2 disk was full .

I've cleaned it, reboot the instance and it worked.

To check your disk use: df -h or du -h --max-depth=1 /

Answer 9

The Connection timed out on EFS happens due to not adding the Security group with Port 2049 open to security group of the EC2 instance to the EC2 instance on which you are mounting the EFS. Adding that sec grp will make the issue go.

Edit:

Along with opening the port 2049 you need to add VPC's default security group for efs to connect to ec2 instance. As mentioned in the tutorial

This ensures that the instance is a member of the security group that the Amazon EFS file system mount target will authorize for connection in Step 2: Create Your Amazon EFS File System.

PS: I forgot to add default security group to the instance thats why I was getting connection timeout error.