EFS network access is configured through Mount Targets and Security Groups. A Mount Target is an NFS endpoint created in each Availability Zone of your VPC that provides network access to the EFS file system. Each Mount Target gets a private IP address and must be associated with a Security Group that permits NFS traffic on port 2049.
Unlike EBS, which attaches directly to an EC2 instance, EFS is accessed over the network via the NFS protocol. To make an EFS file system accessible within a VPC, you create Mount Targets — one per Availability Zone. Each Mount Target is an ENI (Elastic Network Interface) with a private IP address in a subnet you specify. EC2 instances connect to the file system by reaching the Mount Target in their AZ using the standard NFS protocol on TCP port 2049.
One Mount Target per AZ — you should create one Mount Target in each AZ where your EC2 instances run, for lowest latency and highest availability
Each Mount Target lives in a specific subnet — choose the subnet where your EC2 instances reside
Each Mount Target gets a private IP address from the subnet's CIDR range
Each Mount Target is associated with one or more Security Groups
For Multi-AZ EFS (Standard storage class): create a Mount Target in each AZ — if one AZ fails, instances in other AZs still have access through their own Mount Targets
For One Zone EFS: only one Mount Target exists in the single AZ
DNS name — EFS provides a DNS name that automatically resolves to the Mount Target in the same AZ as the connecting instance (e.g., fs-0abc.efs.us-east-1.amazonaws.com)
Mount Target Security Group — must have an inbound rule: Type=NFS, Protocol=TCP, Port=2049, Source=EC2 Security Group
EC2 Instance Security Group — must have an outbound rule: Type=NFS, Protocol=TCP, Port=2049, Destination=Mount Target Security Group
Best practice: create a dedicated EFS Security Group (e.g., 'efs-sg') and attach it to all Mount Targets
Reference the EC2 security group as the source in the EFS security group's inbound rule — do not use CIDR ranges, as they are less precise
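As an added check (not part of these notes), the following Python helper audits an EFS Security Group's inbound rules against the guidance above: it confirms the TCP 2049 rule referencing the EC2 Security Group is present and flags any CIDR-based or wide-open NFS sources. The input dict mimics the shape of `aws ec2 describe-security-groups` output; the group ids and CIDR are constructed sample values.

```python
# Added audit helper (not from the notes): checks an EFS mount-target security
# group's inbound rules against the guidance above. Input mimics the shape of
# `aws ec2 describe-security-groups` output; ids and CIDRs are constructed.
NFS_PORT = 2049


def rule_covers_nfs(rule):
    """True if an IpPermissions entry allows TCP 2049 (or all traffic)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    return proto == "tcp" and rule.get("FromPort", -1) <= NFS_PORT <= rule.get("ToPort", -1)


def audit_efs_sg(efs_sg, ec2_sg_id):
    """Return findings: ok (TCP 2049 from ec2_sg_id present), cidr_src (CIDR
    sources, which the notes advise against), wide_open (0.0.0.0/0 or ::/0),
    extra_sgs (other SGs that can also reach NFS)."""
    f = {"ok": False, "cidr_src": [], "wide_open": False, "extra_sgs": []}
    for rule in efs_sg.get("IpPermissions", []):
        if not rule_covers_nfs(rule):
            continue  # rule does not expose NFS, skip it
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == ec2_sg_id:
                f["ok"] = True
            else:
                f["extra_sgs"].append(pair.get("GroupId"))
        for rng in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            f["cidr_src"].append(cidr)
            if cidr in ("0.0.0.0/0", "::/0"):
                f["wide_open"] = True
    return f


# Constructed sample: the correct SG-referenced rule plus a legacy CIDR rule.
SAMPLE_EFS_SG = {
    "GroupId": "sg-0efs0000example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
         "UserIdGroupPairs": [{"GroupId": "sg-0ec20000example"}], "IpRanges": []},
        {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
         "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}

if __name__ == "__main__":
    print(audit_efs_sg(SAMPLE_EFS_SG, "sg-0ec20000example"))
```

Run it against the real output of `aws ec2 describe-security-groups --group-ids <efs-sg-id>` (one element of `SecurityGroups`) to see whether a CIDR rule should be replaced by an SG reference.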
For on-premises access via Direct Connect or VPN: the on-premises NFS client must be able to reach the Mount Target's IP on port 2049
The VPC must have DNS Resolution enabled (enableDnsSupport = true)
The VPC must have DNS Hostnames enabled (enableDnsHostnames = true)
These settings allow EC2 instances to resolve the EFS DNS name to the correct Mount Target IP in their AZ
Without DNS settings enabled, you would need to hard-code Mount Target IP addresses in mount commands, which is error-prone