This guide demonstrates how to create an Amazon Elastic File System (EFS), configure mount targets and security groups, and mount the same EFS file system on two EC2 instances (server1 and server2) located in different Availability Zones (AZs). The result is shared, concurrent read/write access from multiple instances. Environment: a simple VPC with two subnets across two AZs and two EC2 instances (server1 and server2), each in a separate AZ.
A screenshot of the AWS EC2 Instances console showing two running t2.micro instances (server1 and server2), each with 2/2 status checks passed and public IPv4 addresses listed.
Overview
  • Create an EFS file system and configure options (storage class, encryption, lifecycle, throughput, performance).
  • Add mount targets in the VPC subnets for all AZs used by your EC2 clients.
  • Configure security groups to permit NFS (TCP/2049) traffic from EC2 instances to EFS mount targets.
  • Install amazon-efs-utils on each EC2 instance and mount the file system.
  • Verify shared file visibility and make mounts persistent across reboots.
Creating the EFS file system (step-by-step)
  1. Open the Amazon EFS console and choose Create file system. Use Quick create for defaults or Customize to set options manually.
  2. Provide a name (for example: efsdemo).
  3. Choose a storage class:
    • Regional: redundant across AZs (recommended for HA)
    • One Zone: lower cost, single AZ
  4. Optionally enable automatic backups and configure lifecycle management to transition older files to Infrequent Access (IA) to save cost.
  5. Choose encryption options (at-rest via AWS KMS) if required.
  6. Choose throughput and performance modes to match your workload (bursting vs provisioned throughput; General Purpose vs Max I/O).
A screenshot of the Amazon Web Services console showing “Performance settings” for a file system, with throughput mode options like Enhanced, Bursting, Elastic (Recommended), and Provisioned. The page also displays encryption and transition-to-Infrequent-Access settings.
EFS options summary
| Setting | Purpose | Considerations |
| --- | --- | --- |
| Storage class | Regional or One Zone | Regional gives AZ redundancy; One Zone lowers cost |
| Lifecycle management | Transition to IA | Save cost for infrequently accessed files |
| Encryption | At-rest via KMS | Required for compliance or security needs |
| Throughput mode | Bursting / Provisioned | Choose based on predictable throughput requirements |
| Performance mode | General Purpose / Max I/O | Use Max I/O for highly parallel workloads |
Mount targets and security groups
  • Select the VPC where your EC2 instances run. Create mount targets in each AZ/subnet where clients will mount the file system for redundancy and low-latency access.
  • Assign a security group to the mount targets that permits NFS traffic (TCP port 2049) from your EC2 instances. A recommended pattern is:
    • Create an EFS security group (efs-sg)
    • Allow inbound TCP/2049 from the EC2 instances security group
Example security group setup: an EFS security group (efs-sg) that allows inbound NFS from the EC2 instances security group.
Screenshot of the AWS EC2 Security Groups console showing a selected security group named "efs-sg." The group (sg-0a985...) has one inbound rule allowing all traffic from another security group (ec2-instances).
When configuring mount targets, the console displays the created entries (Availability Zone, Subnet ID, IP, Security groups). Verify that the mount target security group permits incoming TCP/2049 from the EC2 instances’ SG.
A screenshot of the Amazon Web Services console on the "Network access" step for creating an Amazon EFS file system, showing VPC selection and mount target configuration. It lists availability zones, subnet IDs, IP address settings, and security groups (efs-sg) for mount targets.
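The recommended pattern above is inbound TCP/2049 from the EC2 instances security group only, while the efs-sg rule in the screenshot allows all traffic from that group. The following added example (not part of the original guide) audits a mount-target security group against that pattern; the input is constructed in the shape of `aws ec2 describe-security-groups` output, and the group IDs and function names are placeholders chosen for illustration.

```python
NFS_PORT = 2049

def audit_efs_sg(describe_output, client_sgs):
    """Check mount-target SG inbound rules against 'TCP/2049 from client SGs only'."""
    findings, reachable = [], False
    for sg in describe_output["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            proto = rule.get("IpProtocol")
            lo, hi = rule.get("FromPort"), rule.get("ToPort")  # absent when proto is "-1"
            where = f"{sg['GroupId']} proto={proto} ports={lo}-{hi}"
            sources = {p.get("GroupId") for p in rule.get("UserIdGroupPairs", [])}
            covers_nfs = proto == "-1" or (proto == "tcp" and lo <= NFS_PORT <= hi)
            if covers_nfs and sources & client_sgs:
                reachable = True
            if proto == "-1":
                findings.append(f"{where}: allows every protocol and port, not only NFS")
            elif proto != "tcp" or (lo, hi) != (NFS_PORT, NFS_PORT):
                findings.append(f"{where}: not limited to TCP/{NFS_PORT}")
            for key in ("IpRanges", "Ipv6Ranges", "PrefixListIds"):
                if rule.get(key):
                    findings.append(f"{where}: {key} source instead of a security group")
            for extra in sorted(sources - client_sgs):
                findings.append(f"{where}: unexpected source group {extra}")
    if not reachable:
        findings.append(f"no rule lets the client groups reach TCP/{NFS_PORT}; mounts will fail")
    return findings

# Constructed inputs shaped like `aws ec2 describe-security-groups` output; IDs are placeholders.
def sg_doc(rule):
    return {"SecurityGroups": [{"GroupId": "sg-efs-example", "GroupName": "efs-sg",
                                "IpPermissions": [rule]}]}

CLIENTS = {"sg-ec2-example"}
FROM_EC2 = [{"GroupId": "sg-ec2-example"}]
ALL_TRAFFIC = sg_doc({"IpProtocol": "-1", "IpRanges": [], "UserIdGroupPairs": FROM_EC2})
NFS_ONLY = sg_doc({"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
                   "IpRanges": [], "UserIdGroupPairs": FROM_EC2})
VPC_CIDR = sg_doc({"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
                   "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []})

if __name__ == "__main__":
    for name, doc in [("all traffic", ALL_TRAFFIC), ("nfs only", NFS_ONLY), ("vpc cidr", VPC_CIDR)]:
        print(name, "->", audit_efs_sg(doc, CLIENTS) or "OK")
```

The all-traffic rule still lets mounts succeed, which is why it is reported as over-broad rather than as a connectivity failure.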
Create the file system and wait for state = Available. Note the File system ID (for example: fs-08de7b8e04f984697) — you will use this when mounting.
A screenshot of the Amazon Elastic File System (EFS) console showing details for a file system named "efsdemo" (fs-08de7b8e04f984697). The General panel shows General Purpose performance, Elastic throughput, automatic backups enabled, state "Available," and a metered size of 6.00 KiB.
Prepare EC2 instances and install amazon-efs-utils
On each EC2 instance (server1 and server2), create the mount directory and install amazon-efs-utils (provides the mount helper and utilities). Run the commands below with sudo privileges; pick the package manager appropriate for your distribution.
Example commands (run on each instance):
sudo mkdir -p /efsdemo

# On Amazon Linux 2 / RHEL
sudo yum -y install amazon-efs-utils

# On newer distributions that use dnf:
sudo dnf -y install amazon-efs-utils

# On Debian/Ubuntu you may need to add the AWS package repo first, then:
sudo apt-get update
sudo apt-get -y install amazon-efs-utils
Mount the EFS file system
Use the amazon-efs-utils mount helper for simplified mounting. You can also use the kernel mount type “efs”. Optionally enable TLS for encrypted in-transit traffic.
Examples using a sample file system ID (fs-08de7b8e04f984697):
# Using the mount helper (recommended)
sudo mount.efs fs-08de7b8e04f984697:/ /efsdemo

# Or explicitly with type and TLS
sudo mount -t efs -o tls fs-08de7b8e04f984697:/ /efsdemo
Verify the mount (df -k shows the EFS mount point):
df -k | grep efs
fs-08de7b8e04f984697.efs.us-east-1.amazonaws.com:/ 90071992547439968 0 90071992547439968 0% /efsdemo
Share files between instances
Files written on one instance are immediately visible to other instances mounting the same EFS file system.
On server1:
echo "I made this on server1" | sudo tee /efsdemo/file1
ls -l /efsdemo
# file1 should be listed
On server2:
ls -l /efsdemo
# shows file1
cat /efsdemo/file1
# output: I made this on server1
Create a file on server2:
echo "I made this on server2" | sudo tee /efsdemo/file2
Back on server1:
ls -l /efsdemo
# file1  file2
cat /efsdemo/file2
# output: I made this on server2
Persisting mounts across reboots
The above mount is temporary and will not survive instance reboots. To persist the EFS mount, add an entry to /etc/fstab on each instance. Use the recommended options for your environment (include _netdev so the system waits for networking). For TLS or using the mount helper, consult the official mounting documentation.
Example /etc/fstab line (adjust for your FS ID and mount point):
fs-08de7b8e04f984697:/ /efsdemo efs defaults,_netdev 0 0
To persist mounts across reboots, add an appropriate entry in /etc/fstab (or configure boot scripts). See the official AWS EFS mounting instructions for recommended options and examples: https://docs.aws.amazon.com/efs/latest/ug/mounting-fs.html
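The guide's example /etc/fstab entry persists the mount without the tls option that the interactive `mount -t efs -o tls` command used, so a rebooted instance would remount without in-transit encryption. The following added example (not part of the original guide) audits fstab content for EFS entries missing `tls` or `_netdev`; the sample fstab is constructed, reusing the guide's sample file system ID, and the function name is an illustrative choice.

```python
def audit_fstab(text):
    """Return (mount_point, problem) pairs for EFS entries in /etc/fstab content."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue  # blank line, comment, or malformed entry
        device, mount_point, fstype = fields[0], fields[1], fields[2]
        opts = set(fields[3].split(","))
        host = device.split(":", 1)[0]
        if fstype == "efs":
            # Entries handled by the amazon-efs-utils mount helper.
            if "tls" not in opts:
                findings.append((mount_point,
                                 "no 'tls': NFS traffic to the mount target is not encrypted"))
            if "_netdev" not in opts:
                findings.append((mount_point,
                                 "no '_netdev': mount can run before networking is up"))
        elif fstype in ("nfs", "nfs4") and ".efs." in host and host.endswith(".amazonaws.com"):
            # EFS DNS name mounted with the generic NFS client instead of the helper.
            findings.append((mount_point,
                             "plain NFS mount of an EFS endpoint: no mount helper, so no 'tls'"))
    return findings

# Constructed sample /etc/fstab; the second entry is the guide's example line.
SAMPLE_FSTAB = """\
# /etc/fstab (constructed sample)
UUID=1111-2222 / xfs defaults,noatime 1 1
fs-08de7b8e04f984697:/ /efsdemo efs defaults,_netdev 0 0
fs-08de7b8e04f984697:/ /efs-tls efs _netdev,noresvport,tls 0 0
fs-08de7b8e04f984697.efs.us-east-1.amazonaws.com:/ /efs-nfs nfs4 nfsvers=4.1,_netdev 0 0
"""

if __name__ == "__main__":
    for mount_point, problem in audit_fstab(SAMPLE_FSTAB):
        print(f"{mount_point}: {problem}")
```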
Checklist and troubleshooting tips
  • Ensure mount targets exist in every AZ used by your EC2 clients.
  • Verify mount target security group allows inbound TCP/2049 from EC2 instances.
  • Confirm amazon-efs-utils is installed on each client instance.
  • If mounts fail, check:
    • VPC route tables and network ACLs between instances and mount targets
    • Security group rules for both EC2 instances and EFS mount targets
    • DNS resolution (EFS uses regional endpoint names that resolve to mount target IPs)
    • System logs (/var/log/messages or journalctl) for mount helper errors
Summary
  • Create an EFS file system, place mount targets in each AZ used by clients, and attach a security group that permits TCP/2049 from your EC2 instances.
  • Install amazon-efs-utils on each EC2 instance and mount with mount.efs or mount -t efs (optional: use -o tls for encrypted in-transit traffic).
  • Files created by any instance are immediately visible to all instances mounting the same EFS file system.
  • To persist mounts across reboots, add a proper /etc/fstab entry following AWS documentation.