This chapter covers Amazon EFS (Elastic File System) with Multi-AZ mount targets, a critical pattern for building highly available, fault-tolerant file storage on AWS. For the SAA-C03 exam, understanding EFS Multi-AZ architecture is essential for designing resilient architectures that survive Availability Zone failures. Approximately 5-10% of exam questions touch on EFS, and a significant subset focuses on Multi-AZ configurations, mount target placement, and performance implications. This chapter will give you the precise technical detail needed to answer those questions correctly.
Jump to a section
Imagine a company with three branch offices in different cities, each needing access to the same set of shared documents. They install a special file server that has three identical cabinets, one in each office. Each cabinet contains a complete copy of every document. When an employee in any office opens a document, they read from their local cabinet. When they save changes, the system instantly replicates the update to the other two cabinets using a high-speed private network. If one office loses power, employees can seamlessly walk to either of the other offices and pick up exactly where they left off — the document they were editing is already there because replication happened in near real-time. The key is that all three cabinets are kept in sync automatically, and the system ensures that no matter which office you are in, you always see the latest version. This mirrors how Amazon EFS with Multi-AZ mount targets works: each Availability Zone (AZ) has its own mount target pointing to the same file system, and data is replicated synchronously across AZs. If one AZ fails, applications in other AZs continue accessing the file system through their local mount target with no interruption.
What is Amazon EFS and Why Multi-AZ Mount Targets?
Amazon EFS is a fully managed, scalable, and elastic NFS file system for use with AWS EC2 instances and on-premises servers via AWS Direct Connect or VPN. It is designed to provide shared file storage that can be accessed concurrently by thousands of EC2 instances. By default, when you create an EFS file system, you specify a set of Availability Zones (AZs) where mount targets will be created. A mount target is an NFS endpoint in a specific subnet within an AZ. For high availability, you should create mount targets in multiple AZs. This ensures that if an AZ becomes unavailable, instances in other AZs can still access the file system through their local mount target. The EFS file system itself is replicated across all AZs in the region automatically — this is not something you configure; it is inherent to EFS. The data is stored redundantly across multiple AZs, providing 99.999999999% (11 nines) durability and 99.99% availability for Standard storage classes.
How It Works Internally
When you create an EFS file system, you choose a region. AWS automatically replicates the data across multiple AZs within that region. You then create mount targets in specific subnets. Each mount target is an elastic network interface (ENI) in that subnet with a private IP address. EC2 instances in the same VPC can mount the EFS file system by connecting to any mount target. The NFS protocol (version 4.1 or 4.0) is used. When an instance reads or writes data, the request goes to the mount target, which then communicates with the EFS backend. The backend ensures that all writes are synchronously replicated across all AZs before acknowledging the write. This synchronous replication provides strong consistency: after a write is acknowledged, any subsequent read from any mount target will see the updated data. The replication happens at the storage layer, transparent to the client.
Key Components, Values, Defaults, and Timers
Mount Target: An NFS endpoint in a subnet. Each mount target has a private IP address and a DNS name. The DNS name resolves to the IP addresses of all mount targets in the region, enabling client-side load balancing and failover.
EFS File System ID: A unique identifier (e.g., fs-12345678).
Performance Modes: General Purpose (default) for latency-sensitive workloads, Max I/O for throughput-intensive workloads.
Throughput Modes: Bursting (default) – throughput scales with storage size; Provisioned – you specify throughput independent of storage.
Storage Classes: Standard (for frequently accessed data) and Infrequent Access (IA) with lower storage cost but retrieval fee.
Lifecycle Management: Automatically move files to IA after N days (default 30, configurable from 7 to 365 days).
Encryption: At rest using AWS KMS (optional), in transit using TLS (optional).
Security: Use security groups to control inbound NFS traffic (port 2049) to mount targets.
Limits: Default mount targets per file system: 1 per AZ, up to 12 per region (soft limit, can be increased).
DNS: The EFS mount target DNS name follows the pattern: fs-12345678.efs.<region>.amazonaws.com. This DNS name resolves to the IP addresses of all mount targets in the region. To force a specific AZ, you can use the AZ-specific DNS name: fs-12345678.efs.<region>.amazonaws.com with a mount target per AZ, but the standard DNS provides automatic distribution.
Configuration and Verification Commands
To create an EFS file system with Multi-AZ mount targets using AWS CLI:
# Create file system
aws efs create-file-system --creation-token my-efs --region us-east-1
# Create mount targets in different AZs
aws efs create-mount-target --file-system-id fs-12345678 --subnet-id subnet-abc123 --security-group sg-xyz789
aws efs create-mount-target --file-system-id fs-12345678 --subnet-id subnet-def456 --security-group sg-xyz789
aws efs create-mount-target --file-system-id fs-12345678 --subnet-id subnet-ghi789 --security-group sg-xyz789
# Verify mount targets
aws efs describe-mount-targets --file-system-id fs-12345678Output example:
{
"MountTargets": [
{
"OwnerId": "123456789012",
"MountTargetId": "fsmt-abc123",
"FileSystemId": "fs-12345678",
"SubnetId": "subnet-abc123",
"LifeCycleState": "available",
"IpAddress": "10.0.1.12",
"NetworkInterfaceId": "eni-abc123",
"AvailabilityZoneId": "use1-az2",
"AvailabilityZoneName": "us-east-1a",
"VpcId": "vpc-12345"
},
{
"OwnerId": "123456789012",
"MountTargetId": "fsmt-def456",
"FileSystemId": "fs-12345678",
"SubnetId": "subnet-def456",
"LifeCycleState": "available",
"IpAddress": "10.0.2.12",
"NetworkInterfaceId": "eni-def456",
"AvailabilityZoneId": "use1-az4",
"AvailabilityZoneName": "us-east-1b",
"VpcId": "vpc-12345"
}
]
}To mount on an EC2 instance:
sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport fs-12345678.efs.us-east-1.amazonaws.com:/ /mnt/efsHow It Interacts with Related Technologies
EC2 Auto Scaling: When using Auto Scaling groups across multiple AZs, each new instance should mount EFS using the general DNS name. This ensures that instances in different AZs can access the file system via their local mount target.
AWS Backup: EFS supports automated backups via AWS Backup, which can be integrated with lifecycle policies.
AWS DataSync: Used for migrating large datasets to/from EFS.
VPC Peering and Transit Gateway: EFS mount targets are accessible only within the same VPC by default. To access from peered VPCs or on-premises, you need to use AWS PrivateLink or VPN/Direct Connect with appropriate routing.
AWS Lambda: Lambda functions can access EFS when configured with a VPC and mount target in the same subnet.
AWS Fargate: Containers can mount EFS volumes for persistent shared storage.
Performance Considerations
Throughput: For General Purpose mode, baseline throughput is 50 MB/s per TB of storage, burstable to 100 MB/s per TB. For Max I/O, throughput scales with file system size but with higher latency.
Latency: Multi-AZ mount targets add negligible latency because the mount target is in the same AZ as the client. Cross-AZ access adds latency but is still functional.
Client Mount Options: Using hard mount (default) ensures that if the mount target fails, the client retries indefinitely until the operation succeeds. soft mount returns an error after a timeout, which can cause data corruption. The exam recommends hard mount for critical workloads.
NFS Version: EFS supports NFSv4.1 and NFSv4.0. NFSv4.1 is preferred for better performance and features like pNFS.
High Availability and Failover
When you create mount targets in multiple AZs, the EFS file system is already replicated across AZs. If one AZ fails, the mount targets in that AZ become unreachable. However, because the data is replicated, instances in other AZs can still access the file system through their local mount target. The DNS name resolves to the IP addresses of all available mount targets. If a mount target becomes unhealthy, DNS may automatically remove its IP from the resolution (this is not instantaneous but typically within a few minutes). Therefore, it is best practice to mount using the general DNS name rather than a specific AZ DNS name. Additionally, you can use an Application Load Balancer (ALB) in front of EFS for advanced routing, but that is not common.
Security Groups
Each mount target must have a security group that allows inbound NFS traffic (TCP port 2049) from the CIDR of the VPC (or specific instance security groups). For Multi-AZ, ensure that the security group allows traffic from all relevant subnets.
Cost Considerations
EFS costs are based on storage used (per GB-month) and throughput (for Provisioned mode). There is no charge for mount targets themselves. However, data transfer between AZs is not charged for EFS traffic (it stays within AWS network). This is an advantage over solutions like EBS snapshots or S3 cross-region replication.
Exam Pitfall: Single-AZ Mount Target
A common mistake is to create only one mount target in a single AZ. While the file system is still replicated across AZs, if that AZ fails, instances cannot mount the file system because the mount target is unavailable. Even though data is safe, access is lost. The exam will test that you need mount targets in each AZ where you have instances. Also, you cannot have more than one mount target per subnet (but you can have one per AZ subnet).
Create EFS file system
Use the AWS Management Console, CLI, or SDK to create an EFS file system. Specify the region. AWS automatically replicates the file system across all AZs in that region. The file system is created with a unique ID (e.g., fs-12345678). You can choose performance mode (General Purpose or Max I/O) and throughput mode (Bursting or Provisioned). At this point, no mount targets exist, so no instances can access the file system.
Create mount targets in multiple AZs
For each AZ where you have EC2 instances, create a mount target in a subnet within that AZ. Each mount target is an elastic network interface (ENI) with a private IP address. You must specify a security group that allows inbound NFS (port 2049). The mount target becomes 'available' after a few seconds. You can create up to one mount target per subnet. The exam expects you to create mount targets in at least two AZs for high availability.
Mount file system on EC2 instances
On each EC2 instance, install the NFS client (e.g., `amazon-efs-utils` package). Use the `mount` command with the EFS DNS name (e.g., `fs-12345678.efs.us-east-1.amazonaws.com:/`). The DNS name resolves to the IP addresses of all mount targets in the region. The NFS client will connect to one of them, typically the one in the same AZ (due to DNS latency-based routing). The mount point must be an existing directory (e.g., /mnt/efs). Use options like `nfsvers=4.1,hard,timeo=600,retrans=2`.
Verify connectivity and performance
After mounting, test by creating a file and reading it. Use `df -h` to confirm the mount. Check that the mount target is in the same AZ for optimal performance. You can use `nfsstat` or `mountstats` to monitor NFS operations. If you have instances in multiple AZs, verify that they can all access the same file system. The EFS file system is strongly consistent, so a write from one AZ is immediately visible from another.
Simulate AZ failure for testing
To test high availability, you can temporarily remove the mount target in one AZ by modifying its security group to block traffic. Instances in that AZ will lose access, but instances in other AZs will continue to work. The DNS name will eventually remove the failed mount target's IP (this may take a few minutes). If you mount using the general DNS, clients will automatically connect to a healthy mount target. This validates that your Multi-AZ setup is resilient.
Enterprise Scenario 1: Web Application with Shared Content
A large e-commerce platform runs a web application across multiple EC2 instances in an Auto Scaling group spanning three AZs. The application serves product images and static assets from a shared EFS file system. The team creates mount targets in each AZ's public subnet. They use the general DNS name in the mount command. During a major AZ outage in us-east-1a, the instances in that AZ fail, but the Auto Scaling group launches new instances in the remaining AZs. These new instances mount EFS using the DNS name and connect to the healthy mount targets. The application continues serving content without interruption. The key lesson: always mount using the general DNS, not an AZ-specific endpoint.
Enterprise Scenario 2: Media Processing Pipeline
A media company uses a pipeline of EC2 instances and AWS Batch jobs to transcode video files. The input and output files are stored on EFS. The pipeline spans three AZs. They create mount targets in each AZ and use provisioned throughput to handle the high I/O. During a partial AZ failure affecting the mount target's network, the jobs in that AZ fail to mount. However, the job scheduler retries the jobs in other AZs, where mount targets are healthy. The pipeline recovers automatically. The team also uses lifecycle policies to move older files to Infrequent Access to reduce costs. A common mistake was initially using a single mount target; after an AZ failure, all jobs failed. They redesigned to Multi-AZ mount targets.
Scenario 3: Shared Home Directories for Enterprise Users
A company provides virtual desktops using Amazon WorkSpaces or EC2 instances with Linux. User home directories are stored on EFS. With Multi-AZ mount targets, if a user's WorkSpace in one AZ fails, they can be redirected to a WorkSpace in another AZ and still access their home directory. This requires that the EFS file system is mounted using the general DNS. The IT team also sets up a security group that allows NFS traffic only from the WorkSpaces security group. They use encryption at rest and in transit for compliance. A misconfiguration occurred when they accidentally created mount targets in subnets with no route to the internet (for a private workload) but forgot to add a VPC endpoint for EFS; they fixed it by using AWS PrivateLink.
What SAA-C03 Tests on This Topic
The SAA-C03 exam objective 2.1 (Resilient Architectures) includes designing for high availability and fault tolerance. Specific to EFS, the exam tests:
The need for Multi-AZ mount targets to achieve high availability.
The difference between file system replication (automatic across AZs) and mount target availability (must be created in each AZ).
Mount options: hard vs. soft, and why hard is recommended.
Performance modes: General Purpose vs. Max I/O; when to choose each.
Throughput modes: Bursting vs. Provisioned.
Security: security groups for mount targets, encryption.
Integration with Auto Scaling, Lambda, Fargate.
Common Wrong Answers and Why Candidates Choose Them
"EFS is only available in one AZ" – Candidates confuse EBS (single-AZ) with EFS (multi-AZ by default). EFS automatically replicates across AZs; you just need to create mount targets.
"You need to configure replication manually" – Some think EFS requires setting up cross-AZ replication, but it is built-in.
"Mount targets are not needed if using the DNS name" – The DNS name resolves to mount targets, but if no mount target exists in the AZ, the instance cannot mount. You must create mount targets.
"Soft mount is better for high availability" – Candidates think soft mount allows failover, but hard mount is correct because it retries indefinitely. Soft mount can cause data loss.
"You can have multiple mount targets per subnet" – Only one mount target per subnet is allowed.
Specific Numbers, Values, and Terms
Durability: 99.999999999% (11 nines)
Availability: 99.99% (Standard)
Default throughput: 50 MB/s per TB baseline, burst to 100 MB/s per TB
NFS port: 2049
Mount option: hard (default), timeo=600 (600 deciseconds = 60 seconds timeout)
File system ID pattern: fs-<hex>
Mount target ID pattern: fsmt-<hex>
DNS name: fs-<id>.efs.<region>.amazonaws.com
Edge Cases and Exceptions
Cross-AZ access: While EFS supports cross-AZ access, it adds latency. The exam may ask about performance impact.
Unmounting: If an instance is terminated while mounted, the mount target may have stale connections; EFS handles this gracefully.
Limits: Maximum of 12 mount targets per file system (soft limit).
EFS One Zone: There is also EFS One Zone storage class (for lower cost), which stores data in a single AZ. This is not Multi-AZ and does not survive AZ failures. The exam distinguishes between Standard (multi-AZ) and One Zone.
How to Eliminate Wrong Answers
If an answer says "EFS provides high availability by replicating data across AZs", it is correct but incomplete: you also need mount targets.
If an answer says "Use EFS One Zone for high availability", it is wrong because One Zone is not resilient.
If an answer says "Mount using the AZ-specific DNS for failover", it is wrong because the general DNS provides failover.
If an answer says "Use soft mount to handle failover", it is wrong because hard mount is recommended.
If an answer says "EFS requires manual replication", it is wrong because replication is automatic.
EFS is a regional service that automatically replicates data across multiple AZs for durability and availability.
To access EFS from an AZ, you must create a mount target in a subnet within that AZ.
Mount targets are NFS endpoints (ENIs) in a subnet; you can have one per subnet, up to 12 per file system.
Always mount using the general DNS name (fs-<id>.efs.<region>.amazonaws.com) to enable automatic failover.
Use the 'hard' mount option for critical workloads to ensure operations retry on failure.
EFS provides strong consistency: writes are synchronously replicated across AZs before acknowledgment.
For high availability, create mount targets in at least two AZs.
Security groups must allow inbound NFS (TCP 2049) from client subnets.
EFS Standard storage class provides 99.999999999% durability and 99.99% availability.
EFS One Zone is a lower-cost option but does not survive AZ failures.
These come up on the exam all the time. Here's how to tell them apart.
EFS with Multi-AZ Mount Targets
High availability: survives AZ failure
Mount targets in multiple AZs allow access from any AZ
Automatic failover via DNS
Recommended for production workloads
Slightly more complex to set up
EFS with Single-AZ Mount Target
Not highly available: if the AZ fails, access is lost
Only instances in that AZ can mount
No automatic failover
Suitable for development/test or single-AZ deployments
Simpler configuration
Mistake
EFS is a single-AZ service like EBS.
Correct
EFS is a regional service that automatically replicates data across multiple AZs. You only need to create mount targets in the AZs you want to access it from.
Mistake
You must configure cross-AZ replication for EFS.
Correct
EFS replication across AZs is automatic and synchronous. No additional configuration is needed.
Mistake
If you create mount targets in multiple AZs, you must mount using the AZ-specific DNS name for each instance.
Correct
You should use the general DNS name (fs-<id>.efs.<region>.amazonaws.com) which resolves to all mount targets. The client will automatically connect to the nearest one.
Mistake
Soft mount is recommended for high availability because it fails fast.
Correct
Hard mount is recommended because it retries indefinitely until the operation succeeds. Soft mount can return errors and cause data loss or corruption.
Mistake
You can only have one mount target per file system.
Correct
You can have up to one mount target per subnet, and up to 12 per file system (soft limit). For high availability, create mount targets in each AZ where you have instances.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
EFS Standard (Multi-AZ) automatically replicates data across multiple Availability Zones within a region, providing 99.999999999% durability and 99.99% availability. EFS One Zone stores data in a single AZ, offering lower cost (about 47% less) but with 99.999999999% durability within that AZ only. If the AZ fails, data is lost. For high availability, use Standard. For non-critical or easily reproducible data, One Zone may be acceptable.
You can create up to one mount target per subnet, and up to 12 mount targets per file system (this is a soft limit that can be increased by requesting a limit increase). For high availability, you typically create one mount target per AZ where you have instances.
By default, EFS mount targets are only accessible from within the same VPC. To access from a different VPC, you can use VPC Peering, AWS Transit Gateway, or AWS PrivateLink (VPC Endpoint for EFS). For on-premises access, use AWS Direct Connect or VPN.
If a mount target becomes unavailable (e.g., due to AZ failure), instances using that mount target will lose connectivity. However, if you mounted using the general DNS name, the client will attempt to reconnect to another mount target. The DNS record updates to remove the failed IP (within minutes). Using the 'hard' mount option ensures the client retries indefinitely until it reconnects.
Amazon EFS supports NFSv4.1 and NFSv4.0. NFSv4.1 is recommended because it offers better performance, supports pNFS for parallel data access, and includes features like sessions for improved resilience. Use the mount option 'nfsvers=4.1'.
Yes, EFS supports encryption at rest using AWS KMS (customer master keys or AWS managed keys) and encryption in transit using TLS. Encryption at rest is enabled when creating the file system. Encryption in transit is configured on the client side by using the 'mount -o tls' option with the amazon-efs-utils package.
Yes, AWS Lambda functions can access EFS file systems when the function is configured to run in a VPC. You must create a mount target in the same subnet as the Lambda function. The Lambda function can then mount the EFS file system using the EFS access point or the file system ID.
You've just covered EFS Multi-AZ Mount Targets — now see how well it sticks with free SAA-C03 practice questions. Full explanations included, no account needed.
Done with this chapter?