aws efs connection timeout at mount
A different answer here, as I faced a very similar error and none of the answers fit.
I was trying to mount a NFS like below (in my case EKS was doing that on my behalf, but I tested the very same command manually in the worker node with the same result):
[root@host ~]# mount -t nfs fs-abc1234.efs.us-east-1.amazonaws.com:/persistentvolumes /mnt/test
Output was: mount.nfs: Connection timed out
When I simply tried the same command, but using /
as the path:
[root@host ~]# mount -t nfs fs-abc1234.efs.us-east-1.amazonaws.com:/ /mnt/test
It worked like a charm!
I really do not understand how a possible wrong or missing path can lead to a time out
kind of error, but that was the only thing that could fix the problem for me, all the network configuration remained the same.
As I was using EKS/Kubernetes, I dedcided to mount /
, which works, and then use subPath to change the volume mounting point in the container configuration.
I found the accepted answer here to be incorrect & insecure, and Bao's answer above is very close - except you don't need NFS Inbound on your EC2 (mount target) security group. You just need a security group assigned to your EC2 (even with no rules) so that your EFS Security group can be limited to that security group... you know, for security! Here's what I found works:
- Create a new security group for your EC2 instance. Name it
EFS Target
, and leave all the rules blank - Create a new security group for your EFS Mount. Name it
EFS Mount
, and in this one add theinbound
rule for NFS. Set the SOURCE for this rule to theEFS Target
security group you created above. This limits EFS to only being able to connect to EC2 instances that have theEFS Mount
security group assigned (See below). If you're not worried about that, you can select "Any" from the Source dropdown and it'll work just the same, without the added level of security - Go to the EC2 console, and add the
EFS Target
group to your EC2 instance, assuming you're adding the extra security - Go to the EFS Console, select your EFS and choose Manage File System Access
- For each EFS Mount Target (availability zone), you need to add the
EFS Mount
security group and remove the VPC Default group (if you haven't already)
- For each EFS Mount Target (availability zone), you need to add the
- The mount command in the AWS documentation should work now
I don't like how they mixed vernacular here in terms of EC2 being a mount-target, but also EFS has individual mount-targets for each availability zone. Makes their documentation very confusing, but following the steps above allowed me to mount an EFS securely on an Ubuntu server.
Add type with NFS and port 2049 to the Inbound of your security group that your EC2 instances and EFS running on. It works for me.
Bao