12. [SAA/DVA] EFS Hands On
So let’s go and create our first EFS network file system. So let’s type EFS, and we are in the EFS console. So let’s create a file system, and as we can see, we have a very simple dialog, and you can click on “Create,” and it will just go ahead and create it.
But we want to go through the options. So we’ll click on “Customize” to look at all the options for our elastic file system. The name is optional, so we’ll leave it empty. We can enable automated backups to just have a backup of our network file system, which is nice. And we have a lifecycle management tab. So here we can use something called the EFS Infrequent Access storage class, and the idea is to say, “Okay, if a file has not been accessed in 30 days, it looks like it’s a file that is infrequently accessed, therefore move it to the EFS Infrequent Access storage class in order to save some cost,” and that makes sense. So you can say seven days, 14 days, 30 days, 60 days, or 90 days. Okay, so we’ll just leave it as a default of 30 days. Then we get different performance modes. So we have either General Purpose or Max IO.
And General Purpose, as the name indicates, is ideal for latency-sensitive use cases such as web serving environments and content management systems. So if you have a WordPress site, for example, this would be a great use case. And Max IO scales to higher levels of aggregate throughput and operations per second with a bit more latency. This is better for a big data or file processing type of use case. So we’ll just leave it at General Purpose for now. Then there is the throughput mode, which you can set to provisioned, perhaps because you are aware that you have a small EFS file system but require high throughput. Then you can provision how many megabytes per second you want, up to 1024 megabytes per second. We’ll just leave it at that as well. We can enable encryption at rest for our EFS file system and scroll down. Now let’s click on “Next.” Very important now are the network access settings. So we are operating in our VPC, and the file system can be mounted across multiple different availability zones. So EFS is a network file system, and we can have it across different AZs, as I’ll demonstrate to you in a second. And so for each AZ, you should define a security group. And so right now, I’m going to go ahead and create the security group we need.
So let’s go into the EC2 console, and I will go into the Security Groups tab on the left-hand side, create a security group, and I’ll call this one my-efs-demo. And for now, there are no inbound rules, so I will go ahead and create the security group. Okay, so the security group for EFS is created. So now we’ll use my-efs-demo in this dialog. So I will remove all these security groups and I will choose my-efs-demo, for which I probably have to refresh this page. So let me do this right now. I’ll refresh this page, very quickly scroll down, and click on “Next.” And here we go. So I will now choose my-efs-demo right here to be the security group for each different attachment point. So, okay, and the last one is my-efs-demo. So, in a second, we’ll see how that security group affects things. Then I will click on “Next.” File system policy is optional, and this is out of scope. So I will just go ahead and skip this. And finally, we can review everything, so we can review and create. So everything looks good here.
We have encryption, we are in our VPC, we have IA enabled, we have three availability zones that are going to work with our EFS file system, and they all have the same security group that we just created. And I will just go ahead and click on “Create.” So now my file system is being created, and while that is happening, I can go ahead and create two EC2 instances that will access that EFS file system. So as we can see, the file system is created. And if we look at the size, we can see that we are using 6 KB. We only pay in EFS for what we’re using. So we’re using 6 KB, and this is what we’re going to pay for. And we can also get some information about the size in EFS Infrequent Access, so how many files have been moved into that much lower-priced tier in EFS. Okay, so everything looks good right here. Now let’s go ahead and create our EC2 instances. So I’ll click on “Launch.” I will choose the Amazon Linux 2 AMI and t2.micro to remain within the free tier.
And then I will choose one instance and launch it in eu-west-2b, for example, as my first AZ. If you scroll down, you can see that there’s a file system option, and you could add your EFS file system here, but we’ll not do that. I want to show you how it’s mounted. So don’t click here; we’ll click on “Add Storage.” We can leave the storage as is. Add tags. This is fine. I’ll go ahead and create a new security group for my instance, and I’ll call it ec2-to-efs because this is my EC2 instance that’s going to access my EFS network file system. We’re going to allow SSH, then review and launch, and launch. And yes, I have this key pair to launch my instance. So now this instance is launching, and I’m going to launch a similar one, but in a different availability zone. So I right-click the instance and launch another one like it. Then, in my case, I will edit the instance details, and I will set it in eu-west-2a to be in a different availability zone. Then review and launch, launch, and launch again. So here we go. Now we have two instances that have been launched in two different availability zones, this one and that one. And we want them to be able to access our EFS network file system. So I’m going to SSH into each of these instances. So this first one is right here.
I’m going to run my SSH command, so with my .pem key file and ec2-user at my IP, I’m able to connect. I’m in my first host, and I’m going to take the IP from my second EC2 instance and launch a similar command. So here we go, ec2-user at the IP. Okay, so I’ve done SSH into both instances, and they’re in two different availability zones. Next, I need to install EFS on these instances. So the easiest way is to go back to the EFS console, and on the top right, there is “Attach.” And this gives you some information about how you can attach EFS to your instances. So, as you can see, we can mount via DNS or mount via IP. We’ll use mount via DNS, and we’ll use the EFS mount helper. So to use this thing, we have to go into the user guide in the documentation and install a small package onto our EC2 instances called the Amazon EFS utilities package.
So we select Amazon Linux 2 and install the amazon-efs-utils package. And as we can see, we can scroll down and do this sudo yum install command. So let’s go ahead and do this yum install command on both my instances. And this is going to install the necessary packages to use this EFS mount helper. Okay, so this was very quick. Now we need to do something else: we need to create the efs directory. Doing so is extremely simple. We’re going to do mkdir efs on both instances. So now, if we look into both of our instances, they both have an efs folder. Next, I’m going to run this command right here to mount the EFS drive using TLS. So there will be in-flight encryption, and I will mount it into this efs directory. So let me copy this command right here and paste it. Press Enter. And as you can see, there is a timeout because we need to modify the security group settings. So let’s stop this command. And I’m going to go into my EC2 console, and we need to modify one security group. So if we remember, we have attached a security group to our EFS network file system, which was this one, my-efs-demo, and currently my-efs-demo, in terms of inbound rules, does not allow anything.
What needs to happen is that my EFS security group needs to allow inbound traffic from EC2 to EFS. So very simply, let’s edit the inbound rules, add a rule, and we’ll look for NFS, and the source of it is going to be the ec2-to-efs security group. And so we allow EC2 instances into EFS, we save this rule, and now that this rule has been added, we should be able to go back to our instances, try this command again, and then it should succeed. And it has succeeded. I can apply the very same command in here on the right-hand side, and it has succeeded as well. Okay, good. So what did happen? Well, let’s go into the efs directory. So I just changed directories into the efs directory, and currently we can see there are no files. But what if I create a hello-world.txt file in here? Well, I don’t have enough permission, so I will do a sudo touch hello-world.txt. That should do it. Now, if I look into the files, I have a hello-world.txt file here.
And if I look now on the right-hand side and list the files in efs, we can see the same hello-world.txt file has been created. So, if I use sudo nano hello-world.txt to simply edit and say hello world from the first instance, and then save the file, and we look at the content of this file, hello-world.txt, we can see that it says hello world from the first instance. And if we look into the content of the very same file on the right-hand side instance, we also see hello world from the first instance. So this file system mounted on the left and right sides is the same. It is a shared network file system. And that is the whole power of EFS. And that’s it. It’s very simple. So when you’re done with this, you can go ahead and delete the EFS file system, obviously. And you could go ahead and terminate these two EC2 instances if you needed to. So you click on these two instances, “Actions,” and then “Terminate,” and you’ll be good to go. So that’s it for me. I hope you liked it.
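The mount timeout and its fix in this hands-on come down to which sources the mount targets' security group accepts on the NFS port (TCP 2049). The check below is an added example, not part of the lecture: it runs offline over constructed data shaped like `aws ec2 describe-security-groups` output, and the group IDs and function names are assumptions.

```python
# Added example (not from the lecture): audit the security group attached
# to EFS mount targets. Dicts mirror `aws ec2 describe-security-groups`
# output; every group ID below is a constructed placeholder.
NFS_PORT = 2049  # EFS mount targets accept NFS on TCP 2049


def covers_nfs(perm):
    """True if one ingress permission covers TCP 2049."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "all traffic" rules carry no port fields
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= NFS_PORT <= perm.get("ToPort", 65535)


def audit_efs_sg(efs_sg, client_sg_ids):
    """Return findings for the mount-target security group."""
    findings, reachable, cidr_seen = [], False, False
    for perm in efs_sg.get("IpPermissions", []):
        if not covers_nfs(perm):
            continue
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] in client_sg_ids:
                reachable = True  # the rule added in the lecture
            else:
                findings.append(f"NFS open to unexpected group {pair['GroupId']}")
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            cidr_seen = True
            findings.append(f"NFS open to CIDR {cidr}, not a security group")
    if not reachable and not cidr_seen:
        findings.append("no NFS ingress from client group: mount will time out")
    return findings


CLIENT_SG = "sg-EXAMPLE-ec2-to-efs"   # constructed
EFS_SG_ID = "sg-EXAMPLE-my-efs-demo"  # constructed

# State 1: group created with no inbound rules (the mount timed out).
SG_EMPTY = {"GroupId": EFS_SG_ID, "IpPermissions": []}
# State 2: NFS allowed from the instances' security group only.
SG_FIXED = {"GroupId": EFS_SG_ID, "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
     "UserIdGroupPairs": [{"GroupId": CLIENT_SG}]}]}
# State 3 (constructed contrast): all traffic allowed from anywhere.
SG_WIDE = {"GroupId": EFS_SG_ID, "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

if __name__ == "__main__":
    for name, sg in [("empty", SG_EMPTY), ("fixed", SG_FIXED), ("wide", SG_WIDE)]:
        print(name, audit_efs_sg(sg, {CLIENT_SG}) or "ok")
```

Referencing the instances' security group as the source, as the lecture does, keeps the rule correct when instances are replaced or get new IPs.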
13. [SAA/DVA] EFS vs EBS
So now let’s discuss EBS versus EFS. So EBS volumes can be attached to only one instance at a time, and they are locked into a specific availability zone. So here’s an example: We have our EC2 instance in the first AZ, and the EBS volume, as we can see, really is within that AZ, and it’s only attached to one EC2 instance at a time. So we see that we have different types of EBS volumes. Some important ones are gp2, where the IO will increase as the disk size increases, and io1, where we can increase the IO independently of the volume size. And this is great if you’re running a critical database. If you want to migrate an EBS volume across different availability zones, then you first need to take a snapshot. And then, once you have the snapshot, you’re going to restore it into another AZ, and that will create a new EBS volume in that AZ.
And so while you take these EBS snapshots and backups, that will use a lot of IO on your EBS volumes. So they should be run only when your instance is not actively using your EBS volumes. Otherwise, you may have performance issues. Finally, the root EBS volumes of your instances will get terminated by default when your EC2 instance gets terminated. But this is a behaviour that you can disable if you want to. So this should be something you master right now. This is very easy. This is EBS, and this is all you need to know. And now you should know that EFS is very, very different. So EFS is your elastic file system, and this one can be mounted to hundreds of thousands of instances across multiple availability zones. So these instances are running Linux. And as we can see, the EFS in this case is outside of our AZ because it is multi-AZ. So you can use EFS mount targets that are going to be in a specific AZ to mount from your EC2 instances all the way to your EFS drive. As a result, we can use EFS to share website files like WordPress. And as I said, it is only for Linux instances because it is a POSIX file system. So it does not work for Windows.
EFS is going to be more expensive than EBS, about three times more expensive. However, if you wanted to save money, you could use EFS Infrequent Access as a storage tier and a lifecycle policy to achieve these increased cost savings. And again, what you need to remember is that for EFS, you get billed only for what you use on your EFS. In contrast, you must provision in advance for EBS, assuming you know the size of your EBS drive, and you pay for the provisioned capacity rather than the actual used capacity. So now you should remember that EFS is really for a network file system to be mounted across multiple instances. EBS is used for a network file system volume that only needs to be mounted on one instance and is locked to an AZ, whereas instance store is used to get the most IO onto your EC2 instance. But it is something you lose if you lose that instance. So it is an ephemeral drive. Okay, well, that’s it. I hope you liked it, and I will see you in the next lecture.
14. EFS Access Points
Now let’s talk about a feature called EFS Access Points, which is a feature to easily manage your application’s access to your NFS environment. You can require a POSIX user and group to use this access point when accessing the file system. And the idea is that you’ll be able to restrict access to a specific directory within the file system by using this access point. And also, you can optionally specify a different root directory, which could be quite handy. And access from the NFS clients to the access points can be controlled using IAM policies. So here’s an example: We have an EFS file system, which is going to be shared across your entire company but has different folders. Under the root, there are the data folder, the secret folder, and the config folder. And we want different users to access different parts of your EFS file system. So if you create an EFS access point, one with a UID of 1001 and a GID of 1001, and the default path to be /config, then by setting up the correct permissions, you can ensure that your developers, users, or group can only access your config subdirectory within your EFS file system and make it their root folder. And so the idea is that, thanks to this access point, they will only be able to access that part of your EFS file system.
You can do it as well for a second group, for example, the analytics group. And again, you would set up a different UID, a different GID, and maybe a different path for the root of their access. And again, this will all be regulated by IAM permissions. And so the idea is that your EFS file system can be used by many different groups, each with their own restrictions and permissions. So this is the whole idea behind EFS access points. Okay, so let’s see how we can create an access point. So let’s go into Access Points on the left-hand side and create one. So here we have to choose a file system to attach to this access point. So I’ll choose the one that I’ve created, and then we can name this access point. So we’ll call it a demo access point, and then we’ll be able to specify a root directory path, which is pretty cool. So for example, I can say /data is the directory that is going to be accessed as the new root for this specific access point, because I just want my users to access the data directory in my EFS.
We could optionally specify a POSIX user to be identified on this access point, but I will not specify it. You could also have root directory creation permissions specified right here, but I will not do that, as well as some tags for this access point. So once the access point is created, you can see it in this window. Now let me click on it. And so this access point has a specific access point ARN, as you can see here. And if you wanted to be able to mount this access point onto your EC2 instances, then you can use this EFS mount helper in here and mount this EFS access point directly onto your EC2 instances to regulate how they are accessing it. And if you want more information, you can see the user guide. This is out of scope. I just want to show you all the steps. And I’m good to go, so that’s it. To finish, please delete your access point, and you’re ready to go. That’s it. I will see you at the next lecture.
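An access point only restricts anything if it enforces a POSIX user and a root directory below "/". The review below is an added example, not part of the lecture: it works offline on constructed records shaped like `aws efs describe-access-points` output. The developers values (1001, 1001, /config) come from the lecture; the IDs, the analytics values and the function names are assumptions.

```python
# Added example (not from the lecture): review EFS access point definitions.
# Records mirror `aws efs describe-access-points`; IDs are constructed.

def settings(ap):
    """Return (uid, gid, root path) as configured on the access point."""
    user = ap.get("PosixUser") or {}
    path = ap.get("RootDirectory", {}).get("Path", "/")  # "/" when unset
    return (user.get("Uid"), user.get("Gid"), path)


def review_access_point(ap):
    """Findings that mean the access point restricts less than intended."""
    uid, _gid, path = settings(ap)
    findings = []
    if uid is None:
        findings.append("no POSIX user enforced: the client's own UID/GID is used")
    elif uid == 0:
        findings.append("enforced POSIX user is root (UID 0)")
    if path == "/":
        findings.append("root directory is '/': whole file system is exposed")
    return findings


def check_layout(access_points, expected):
    """Review every access point and compare it with the intended layout."""
    report = {}
    for ap in access_points:
        name = ap.get("Name", ap["AccessPointId"])
        findings = review_access_point(ap)
        want, got = expected.get(name), settings(ap)
        if want is not None and got != want:
            findings.append(f"expected {want}, found {got}")
        report[name] = findings
    return report


ACCESS_POINTS = [  # constructed sample records
    {"AccessPointId": "fsap-EXAMPLE1", "Name": "developers",
     "PosixUser": {"Uid": 1001, "Gid": 1001},
     "RootDirectory": {"Path": "/config"}},
    {"AccessPointId": "fsap-EXAMPLE2", "Name": "analytics",
     "PosixUser": {"Uid": 1002, "Gid": 1002},
     "RootDirectory": {"Path": "/"}},          # path was never narrowed
    {"AccessPointId": "fsap-EXAMPLE3", "Name": "demo",
     "RootDirectory": {"Path": "/data"}},      # as in the demo: no POSIX user
]
EXPECTED = {"developers": (1001, 1001, "/config"),
            "analytics": (1002, 1002, "/data")}

if __name__ == "__main__":
    for name, findings in check_layout(ACCESS_POINTS, EXPECTED).items():
        print(name, findings or "ok")
```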
15. EFS – Operations
Okay, so now let’s talk about the operations you can do on your EFS file system. So some operations can be done in place, such as enabling a lifecycle policy to transition into the IA tier or changing your IA settings. You can also change your throughput mode and provisioned throughput numbers. And you can create EFS access points, as we’ve just seen. But some operations require a full migration of your EFS file system using DataSync, because DataSync will replicate all file attributes and metadata. So if you wanted to migrate to an encrypted EFS or a different encryption key, then you would need to use DataSync. Or if you wanted to change the performance mode, for example to Max IO, then you would need to use DataSync again because you would need to create a new separate EFS file system. So let’s have an example. This is your source EFS file system, and this is your destination EFS file system, which is encrypted.
And so migrating between the two using the DataSync service can be done very easily. And then you can migrate your instances from the first file system to the second file system. So, as we saw before, access points can be created. But if I click on this file system itself, we can edit a few things. So as you can see, we can enable the lifecycle management directly from this UI, and we can change the throughput mode directly from bursting to provisioned. And if provisioned, we can change the provisioned throughput over time. Okay? We can also enable and disable automatic backups. But if you wanted to encrypt it or change the encryption, then we would need to use DataSync. So let me give you an example. I’ll create another file system, so I’ll just call it unencrypted EFS, and then I will choose the customizable one. And in here, what I’m going to do is just disable the encryption of data at rest. Click on “Next,” and then everything looks good. We don’t really care; I just want to show you the idea behind it. So now I have two EFS. Let’s say that the unencrypted EFS is the one I’m currently using, and then I want to move my data to an encrypted EFS.
Okay? So what I’m going to do then is use the DataSync service. And this is why the DataSync service is available here on the left-hand side. So by clicking on DataSync, I’m going to be able to synchronise my data between my two EFS and then make sure I can transition from one to the other. So using DataSync, we want to create a data transfer task between AWS storage services. So I’ll create a new location, and then the first location is an EFS file system, which is my unencrypted EFS, and you can specify a mount path if you want to. Okay? And next, I can create a target location, a destination. So again, an EFS file system, and this time it is going to be my encrypted EFS. After you click “Next,” you can obviously configure your task. So the name will be “Demo Task” and so on. And then you could obviously run DataSync with specific settings. Okay, but the idea is that when the task is created, you would need to create a DataSync CloudWatch log group. Let’s go next. You would verify everything and then click on “Create Task,” which would synchronise your two EFS file systems, and you would be good to go for your migration. But I won’t create it because it wouldn’t show you anything specific. And then I will just delete my unencrypted EFS by typing the file system ID in here to confirm. Okay, so that’s it. You’ve seen EFS migration operations. I hope you liked it, and I will see you in the next lecture.
16. EFS – CloudWatch Metrics
Hey. So, to clean up this section, if you have any instances, make sure you terminate them because it will release any EBS volumes attached to them. Okay, so delete your instances. Then you can delete your volumes under Volumes as well. So first, you need to delete the snapshots. So take any snapshots and then delete the snapshots themselves. Then you can take a look at the volumes and do “Actions,” “Delete volume,” so you can do them one by one. So for this one, I can delete the volume. And this one right here, I need to wait a little bit until it is detached. And then, after it has been detached, you can delete it. So I need to probably refresh this page. Here we go, and then delete my volume. This is perfect. And this one actually doesn’t exist because it’s been deleted automatically. And for EFS file systems, you can just take this one and delete it by entering the file system ID. So that’s it for this lecture. I hope you liked it, and I will see you in the next section.