Want to list EC2 instances connected to EFS? We can help you.

As a part of our AWS Support Services, we often receive similar requests from our AWS customers.

Today, let’s see the steps followed by our Support Techs to help our customers.

How to list EC2 instances connected to EFS?

Traffic on the elastic network interface of each Amazon EFS mount target is tracked using the VPC flow logs.

The flow logs can push to Amazon CloudWatch logs.

Using CloudWatch logs insights, the traffic flow on the mount target’s elastic network interface will filter to provide the list of Amazon EC2 instances that have mount an Amazon EFS in a specific timestamp.

Today, let us see the steps followed by our Support Techs to perform the task.

After completing the steps, each time you want to list the IP addresses of the clients mounting the Amazon EFS, run a query to create a current list.

Create a log group

1. Open the CloudWatch console, and then select Logs.
2. Select the Actions menu, and then select Create Log Group.
3. Enter a Log Group Name, and then select Create Log Group.

Create an Identity and Access Management (IAM) role with permission for publishing flow logs to CloudWatch Logs

1. Open the IAM console, and then create a new IAM role.
2. The IAM policy that’s attached to your IAM role must include the permissions to publish the VPC flow logs to CloudWatch and must have a trust relationship that allows the flow logs service to assume the role.

Get the list of elastic network interfaces used by the mount target of your Amazon EFS

1. Firstly, open the Amazon EFS console.
2. Then, select the specific Amazon EFS and note the Network Interface ID for each mount target.

Create the flow logs

1. Open the Amazon EC2 console, and then select Network Interfaces.
2. Then, select all the elastic network interfaces that you noted in step 3 that are being used by the mount target.
3. Select the Actions menu, and then select Create flow log.

Use the following values when creating the flow log:

Filter: Select All
Destination: Select Send to CloudWatch Logs
Destination log group: Choose the log group created in Step 1.
IAM role: Choose the IAM Role created in Step 2.

4. Then, select Create.
5. Monitor the flow log status by selecting the specific elastic network interface that you created a flow log for.

At the bottom of the screen, select Flow Logs. Verify that the Status is Active.
6. The first flow log should be pushed to CloudWatch Logs in about 10 minutes.

Verify that the flow logs are in CloudWatch Logs

1. Open the CloudWatch console, and then select Logs.
2. Next, select the Log Group created in step 1.
3. Finally, verify that all the log streams created in step 4 appear.

Each elastic network interface has a different log stream.

Run a query

To run a query in CloudWatch Logs Insights:

1. In the CloudWatch console, select Insights.
2. Then, select the log groups created in step 1 from the drop-down menu.
3. Next, select the duration that you want to review the flow logs for (Last 15 min, 30 min, 1 hr).
4. Enter the following query:

filter dstPort="2049" | stats count(*) as FlowLogEntries by srcAddr | sort FlowLogEntries desc

5. Select Run Query. The output contains the list of private IPs of all the Amazon EC2 instances where you mounted Amazon EFS.

To run a query from the AWS Command Line Interface (AWS CLI):

1. After the VPC flow log is set up, you can use an AWS CLI command to run the query.

2. Then, verify that the AWS CLI is updated to the latest version:

$ pip install --upgrade awscli

3. Verify that jq is installed:

yum install -y jq

4. Use the following AWS CLI query using these query parameters:

log-group-name: Enter the log group name you created in step 1.

start-time / end-time: These values are in Unix/Epoch time.

Use the converter found at epochconverter.com to convert human-readable timestamps to Unix/Epoch time.

test.json: You can optionally change the json file name each time you run this command.

Changing the name makes sure that the previous output isn’t merged with the new output.

sleep: This value (in seconds) is used as delay while the CloudWatch Logs Insights query is executed.

The value entered depends on how long you want to review the flow logs. If you want to review the logs for a longer duration, such as weeks, then increase the sleep time.

pre>aws logs start-query --log-group-name EFS-ENI-logs --start-time 1549002413 --end-time 1553063276 --query-string "filter dstPort="2049" | stats count(*) as FlowLogEntries by srcAddr | sort FlowLogEntries desc" >> test.json && sleep 10 && jq .queryId test.json | xargs aws logs get-query-results --query-id

[Need help with more AWS queries? We’d be happy to assist]
 

Conclusion

 
To conclude, today we discussed the steps followed by our Support Engineers to List EC2 instances connected to EFS.