Working with interface VPC endpoints in Amazon EFS - Amazon Elastic File System
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).


To establish a private connection between your virtual private cloud (VPC) and the Amazon EFS API, you can create an interface VPC endpoint. The endpoint provides secure connectivity to the Amazon EFS API without requiring an internet gateway, NAT instance, or virtual private network (VPN) connection. The endpoint carries only Amazon EFS API traffic (for example, creating and describing file systems, mount targets, and access points); NFS traffic between your clients and a file system goes through the file system's mount targets in your VPC and does not use the interface endpoint. For more information, see Interface VPC Endpoints in the Amazon VPC User Guide.

Interface VPC endpoints are powered by Amazon PrivateLink, a feature that enables private communication between Amazon services using private IP addresses. To use Amazon PrivateLink, create an interface VPC endpoint for Amazon EFS in your VPC using the Amazon VPC console, API, or CLI. Doing this creates an elastic network interface in your subnet with a private IP address that serves Amazon EFS API requests. You can also access a VPC endpoint from on-premises environments or from other VPCs using Amazon VPN, Amazon Direct Connect, or VPC peering. To learn more, see Accessing Services Through Amazon PrivateLink in the Amazon VPC User Guide.

Creating an interface endpoint for Amazon EFS

To create an interface VPC endpoint for Amazon EFS, choose the Amazon EFS service name for your Region when you create the endpoint. For a complete list of Amazon EFS endpoints, see Amazon Elastic File System in the Amazon Web Services General Reference.

The endpoint's network interface is reached over HTTPS (TCP port 443), so the security group that you associate with the endpoint must allow inbound traffic on that port from the clients that will use it. If you enable private DNS for the endpoint, the Region's default Amazon EFS API hostname resolves to the endpoint's private IP addresses, so existing SDK and CLI configurations use the private path without changes.

For more information about how to create an interface endpoint, see Creating an interface endpoint in the Amazon VPC User Guide.

Creating a VPC endpoint policy for Amazon EFS

To control access to the Amazon EFS API through the endpoint, you can attach an endpoint policy (an IAM resource policy) to your VPC endpoint. If you don't attach one, the default policy allows full access through the endpoint. An endpoint policy does not grant permissions on its own: a request must also be allowed by the caller's IAM identity-based policy. The policy specifies the following:

  • The principal that can perform actions.

  • The actions that can be performed.

  • The resources on which actions can be performed.

For more information, see Controlling Access to Services with VPC Endpoints in the Amazon VPC User Guide.

The following example shows a VPC endpoint policy that denies everyone permission to create an EFS file system through the endpoint while allowing all other actions. Because both statements use "Principal": "*", the Allow applies to any IAM principal whose request reaches the endpoint, including principals from other accounts; scope it with a condition such as aws:PrincipalAccount or aws:PrincipalOrgID if that is not intended. The explicit Deny takes precedence over the Allow for elasticfilesystem:CreateFileSystem. The Deny applies only to requests that traverse this endpoint; a request sent to the public Amazon EFS API endpoint is not affected by the endpoint policy.

    {
        "Statement": [
            {
                "Action": "*",
                "Effect": "Allow",
                "Resource": "*",
                "Principal": "*"
            },
            {
                "Action": "elasticfilesystem:CreateFileSystem",
                "Effect": "Deny",
                "Resource": "*",
                "Principal": "*"
            }
        ]
    }

For more information, see Using VPC Endpoint Policies in the Amazon VPC User Guide.
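The following is an added example, not code from the Amazon EFS documentation: a minimal evaluator for VPC endpoint policy statements that shows what the page's example policy decides for a few requests, and contrasts it with a variant whose Allow is scoped to a single account with the aws:PrincipalAccount global condition key. The hardened policy, the account IDs, the role names, and the China-partition ARNs are assumptions made for the example; the evaluator implements only the IAM rules needed here (explicit Deny wins, everything not allowed is implicitly denied, wildcard matching for Action, Resource, and Principal, and one condition key).

```python
# Added example (not part of the Amazon EFS documentation): a minimal
# evaluator for VPC endpoint policy statements, used to show what the page's
# example policy decides for a few requests and to contrast it with a variant
# scoped to a single account. Account IDs, role names and ARNs are hypothetical.
import fnmatch
import json

# The page's example policy, verbatim.
EXAMPLE_POLICY = json.loads("""
{ "Statement": [
    { "Action": "*", "Effect": "Allow", "Resource": "*", "Principal": "*" },
    { "Action": "elasticfilesystem:CreateFileSystem", "Effect": "Deny",
      "Resource": "*", "Principal": "*" }
] }""")

# Hardened variant (an assumption, not from the page): the Allow is limited to
# principals in one hypothetical account via the aws:PrincipalAccount global
# condition key, so another account's credentials get nothing through the
# endpoint even if their own IAM policy would allow the call.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "elasticfilesystem:*",
         "Resource": "*",
         "Condition": {"StringEquals": {"aws:PrincipalAccount": "111122223333"}}},
        {"Effect": "Deny", "Principal": "*",
         "Action": "elasticfilesystem:CreateFileSystem", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal, request):
    if principal == "*":
        return True
    if isinstance(principal, dict):  # e.g. {"AWS": "arn:aws-cn:iam::111122223333:root"}
        return any(_matches(arns, request["principal_arn"])
                   for key, arns in principal.items() if key == "AWS")
    return False


def _conditions_hold(condition, request):
    # Only StringEquals on aws:PrincipalAccount is implemented here; any other
    # operator or key is treated as unsatisfied so the statement fails closed.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            if key != "aws:PrincipalAccount":
                return False
            if request["principal_account"] not in _as_list(expected):
                return False
    return True


def evaluate(policy, request):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.

    Mirrors the core IAM rule: an explicit Deny wins over any Allow, and a
    request that no statement allows is implicitly denied. NotAction,
    NotPrincipal, NotResource and other condition operators are not handled.
    """
    outcome = "ImplicitDeny"
    for statement in policy["Statement"]:
        if not (_matches(statement["Action"], request["action"])
                and _matches(statement["Resource"], request["resource"])
                and _principal_matches(statement["Principal"], request)
                and _conditions_hold(statement.get("Condition", {}), request)):
            continue
        if statement["Effect"] == "Deny":
            return "ExplicitDeny"
        outcome = "Allow"
    return outcome


def make_request(action, account="111122223333", role="app-role"):
    """Constructed request context (hypothetical China-partition ARNs)."""
    return {
        "action": action,
        "resource": "arn:aws-cn:elasticfilesystem:cn-north-1:%s:file-system/fs-0123456789abcdef0" % account,
        "principal_account": account,
        "principal_arn": "arn:aws-cn:iam::%s:role/%s" % (account, role),
    }


if __name__ == "__main__":
    for name, policy in (("page example", EXAMPLE_POLICY), ("hardened", HARDENED_POLICY)):
        for action, account in (("elasticfilesystem:CreateFileSystem", "111122223333"),
                                ("elasticfilesystem:DescribeFileSystems", "111122223333"),
                                ("elasticfilesystem:DescribeFileSystems", "999999999999")):
            print(name, account, action, "->", evaluate(policy, make_request(action, account)))
```

Running the block shows that the page's policy returns ExplicitDeny for CreateFileSystem and Allow for everything else regardless of the caller's account, while the hardened variant returns ImplicitDeny for the foreign account's DescribeFileSystems and still denies CreateFileSystem for everyone. Remember that the endpoint policy is only one of the policies evaluated for a request: the caller's identity-based policy (and any resource policy on the file system) must also allow the action, and the evaluator above ignores the NotAction, NotPrincipal and NotResource elements and every condition operator other than the one it implements.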