AWS Solutions Architect Exam: Troubleshooting VPC Peering and EFS Mounting Issues

Question

You have two VPCs in different Regions (VPC A and VPC B) peered with each other.

You have created an EFS for VPC A.

When you try to mount the EFS on EC2 instances in VPC B, you get a "connection timed out" error.

What can cause this? (Select TWO)

Answers

A. AWS EFS takes up to an hour after creation to make mount targets available.
B. Security group is improperly configured for the EFS mount target.
C. Security group on mount targets does not have inbound NFS port open to VPC B's EC2 instances.
D. EFS cannot be mounted through VPC peering.

Explanations

Correct Answer: B and C.

You can connect to Amazon EFS file systems from EC2 instances in other AWS regions using an inter-region VPC peering connection, and from on-premises servers using an AWS VPN connection.

Option A is incorrect. EFS file systems and their mount targets usually get created within a few moments.

Option B is CORRECT because both an Amazon EC2 instance and a mount target have associated security groups.

These security groups can act as a virtual firewall that controls the traffic between them.

Option C is CORRECT because the security groups you associate with a mount target must allow inbound access for the TCP protocol on the NFS port from all EC2 instances on which you want to mount the file system.

Option D is incorrect because mounting EFS over VPC peering is supported: within a single AWS Region when using certain Amazon EC2 instance types, and over inter-region VPC peering for all instance types.

Reference:

https://docs.aws.amazon.com/efs/latest/ug/limits.html
https://aws.amazon.com/about-aws/whats-new/2018/10/amazon-efs-now-supports-aws-vpn-and-inter-region-vpc-peering/

The correct answers are B and C:

B. Security group is improperly configured for the EFS mount target.
C. Security group on mount targets does not have inbound NFS port open to VPC B's EC2 instances.

Explanation:

When VPCs are peered, they are connected via a private network and can communicate with each other. However, there are some considerations when accessing resources across VPCs. In this case, the issue is related to the EFS mount target in VPC A not being accessible from EC2 instances in VPC B.

The most likely causes of the connection timeout error are:

B. Security group is improperly configured for the EFS mount target: When you create an EFS file system, mount targets are created in each of the subnets that you specify. Each mount target has a security group associated with it. If that security group is not configured to allow inbound traffic from the EC2 instances in VPC B, the connection will time out. Make sure that the security group for the mount target allows inbound traffic on port 2049 (NFS).

C. Security group on mount targets does not have inbound NFS port open to VPC B's EC2 instances: In addition to the security group for the mount target, the security group for the EC2 instances in VPC B must also allow inbound traffic from the mount target on port 2049 (NFS). If this port is not open, the connection will time out.

A. AWS EFS takes up to an hour after creation to make mount targets available: This is not a likely cause of the connection timeout error, because the error indicates that the EC2 instances in VPC B can reach the mount target but the connection is timing out. If the mount target were not yet available, the error message would be different.

D. EFS cannot be mounted through VPC peering: This is not true. EFS can be mounted through VPC peering. In fact, this is one of the benefits of using VPC peering, as it allows you to access resources across VPCs.
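Both explanations above (options B and C in each) come down to one check: does the security group attached to the EFS mount target in VPC A have an inbound rule for TCP 2049 whose source covers the EC2 instances in VPC B? The following is an added example, not code from the original page or from AWS, that runs that check offline over rule records shaped like the `IpPermissions` entries returned by `aws ec2 describe-security-groups`. All security-group IDs and CIDR ranges are constructed placeholders. It also covers the inter-region case from the question: a rule whose source is a security-group reference is only usable within one Region, so with inter-region peering the rule must name VPC B's CIDR instead.

```python
"""Check whether an EFS mount target's security group admits NFS (TCP 2049)
from the EC2 instances in a peered VPC.

Added example (not from the original page or from AWS). Rule records follow the
IpPermissions shape returned by `aws ec2 describe-security-groups`; every ID and
CIDR below is constructed for illustration.
"""
import ipaddress

NFS_PORT = 2049  # EFS is mounted over NFSv4, TCP port 2049


def rule_covers_port(rule, port=NFS_PORT, protocol="tcp"):
    """True if one IpPermissions entry includes `port` for `protocol`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "all traffic" rule
        return True
    if proto != protocol:
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def rule_admits_client(rule, client_cidr, client_sg_id=None, cross_region=False):
    """True if the rule's sources cover the client CIDR or reference the client's
    security group. A security-group reference to a peer VPC only works when both
    VPCs are in the same Region, so such references are ignored for
    inter-region peering."""
    client_net = ipaddress.ip_network(client_cidr)
    for ip_range in rule.get("IpRanges", []):
        if client_net.subnet_of(ipaddress.ip_network(ip_range["CidrIp"])):
            return True
    if client_sg_id and not cross_region:
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == client_sg_id:
                return True
    return False


def nfs_inbound_allowed(mount_target_sg, client_cidr, client_sg_id=None, cross_region=False):
    """Does any inbound rule on the mount target's SG allow NFS from the clients?"""
    return any(
        rule_covers_port(rule) and rule_admits_client(rule, client_cidr, client_sg_id, cross_region)
        for rule in mount_target_sg.get("IpPermissions", [])
    )


def diagnose(mount_target_sg, client_cidr, client_sg_id=None, cross_region=False):
    """Return findings that explain a 'connection timed out' on mount; empty if OK."""
    findings = []
    if not nfs_inbound_allowed(mount_target_sg, client_cidr, client_sg_id, cross_region):
        findings.append(
            f"{mount_target_sg['GroupId']}: no inbound rule allows TCP {NFS_PORT} from {client_cidr}"
        )
        has_group_refs = any(r.get("UserIdGroupPairs") for r in mount_target_sg.get("IpPermissions", []))
        if cross_region and has_group_refs:
            findings.append(
                "inter-region peering: security-group references do not cross Regions; "
                f"allow TCP {NFS_PORT} from the peer VPC's CIDR instead"
            )
    return findings


# Constructed sample: VPC A is 10.0.0.0/16, VPC B (the clients) is 10.1.0.0/16.
VPC_B_CIDR = "10.1.0.0/16"
VPC_B_CLIENT_SG = "sg-0bbbbbbbbbbbbbbbb"  # placeholder ID for the EC2 instances' SG
MOUNT_TARGET_SG_ID = "sg-0aaaaaaaaaaaaaaaa"  # placeholder ID for the mount target's SG

# NFS allowed only from VPC A's own range: VPC B clients time out (option B/C).
MOUNT_TARGET_SG_BROKEN = {
    "GroupId": MOUNT_TARGET_SG_ID,
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
    ],
}

# Corrected: VPC B's CIDR added as a source for TCP 2049.
MOUNT_TARGET_SG_FIXED = {
    "GroupId": MOUNT_TARGET_SG_ID,
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}, {"CidrIp": VPC_B_CIDR}],
         "UserIdGroupPairs": []},
    ],
}

# Same intent written as a security-group reference: fine for same-Region peering,
# silently ineffective for the inter-region peering in the question.
MOUNT_TARGET_SG_GROUP_REF = {
    "GroupId": MOUNT_TARGET_SG_ID,
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": VPC_B_CLIENT_SG}]},
    ],
}

if __name__ == "__main__":
    for name, sg in [("broken", MOUNT_TARGET_SG_BROKEN), ("fixed", MOUNT_TARGET_SG_FIXED),
                     ("group-ref", MOUNT_TARGET_SG_GROUP_REF)]:
        print(name, diagnose(sg, VPC_B_CIDR, VPC_B_CLIENT_SG, cross_region=True) or ["ok"])
```

To run this against a real account, feed `diagnose()` the `SecurityGroups[0]` object from `aws ec2 describe-security-groups --group-ids <mount-target-sg>` (the mount target's SG IDs come from `aws efs describe-mount-target-security-groups`) together with VPC B's CIDR; a non-empty findings list points at the rule to add before retrying the mount.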