Follow these steps to create a secure filesystem and mount points that can be attached to your EC2 instances:
- Open your favorite text editor and start a new CloudFormation template by defining AWSTemplateFormatVersion and Description:
AWSTemplateFormatVersion: "2010-09-09"
Description: Create an EFS file system and endpoints.
- Create a top-level Parameters section and define the required parameters, VpcId and SubnetIds, inside it:
VpcId:
Description: VPC ID that contains the subnets that will
access the file system
Type: AWS::EC2::VPC::Id
SubnetIds:
Description: Subnet IDs allowed to access the EFS file system
Type: List<AWS::EC2::Subnet::Id>
- Create a top-level Resources property, which will contain all the resources we've defined.
- Under the Resources property, add the EFS FileSystem resource:
FileSystem:
Type: AWS::EFS::FileSystem
Properties:
FileSystemTags:
- Key: Name
Value:
Fn::Sub: "${AWS::StackName} EFS File System"
PerformanceMode: generalPurpose
- Add some mount target resources so that they can connect to the filesystem you just created:
MountTargetA:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId:
Ref: FileSystem
SecurityGroups:
- Fn::GetAtt: MountTargetSecurityGroup.GroupId
SubnetId:
Fn::Select: [ 0, Ref: SubnetIds ]
MountTargetB:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId:
Ref: FileSystem
SecurityGroups:
- Fn::GetAtt: MountTargetSecurityGroup.GroupId
SubnetId:
Fn::Select: [ 1, Ref: SubnetIds ]
- Create a security group to control access to the mount targets:
MountTargetSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: EFS endpoint security group
Tags:
- Key: Name
Value: MountTargetSecurityGroup
VpcId:
Ref: VpcId
- Create a security group to access the mount target security group you created in the previous step:
MountTargetAccessSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: EFS endpoint access security group
Tags:
- Key: Name
Value: MountTargetAccessSecurityGroup
VpcId:
Ref: VpcId
- Define the ingress and egress rules for the mount target security group:
MountTargetIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
FromPort: 2049
GroupId:
Fn::GetAtt: MountTargetSecurityGroup.GroupId
IpProtocol: tcp
SourceSecurityGroupId:
Fn::GetAtt: MountTargetAccessSecurityGroup.GroupId
ToPort: 2049
MountTargetEgress:
Type: AWS::EC2::SecurityGroupEgress
Properties:
DestinationSecurityGroupId:
Fn::GetAtt: MountTargetAccessSecurityGroup.GroupId
FromPort: 2049
GroupId:
Fn::GetAtt: MountTargetSecurityGroup.GroupId
IpProtocol: tcp
ToPort: 2049
- Define the ingress and egress rules for the mount target access security group:
MountTargetAccessIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
FromPort: 22
GroupId:
Fn::GetAtt: MountTargetAccessSecurityGroup.GroupId
IpProtocol: tcp
CidrIp: 0.0.0.0/0
ToPort: 22
MountTargetAccessEgress:
Type: AWS::EC2::SecurityGroupEgress
Properties:
DestinationSecurityGroupId:
Fn::GetAtt: MountTargetSecurityGroup.GroupId
FromPort: 2049
GroupId:
Fn::GetAtt: MountTargetAccessSecurityGroup.GroupId
IpProtocol: tcp
ToPort: 2049
- Save your template with the name 03-03-NetworkStorage.yml.
- Launch the CloudFormation stack with the following AWS CLI command, substituting your own VpcId and SubnetIds:
aws cloudformation create-stack
--stack-name wwns1
--template-body file://03-03-NetworkStorage.yml
--parameters
ParameterKey=VpcId,ParameterValue=<your-vpc-id>
ParameterKey=SubnetIds,ParameterValue="<subnet-id-1>,
<subnet-id-2>"