EBS vs EFS for Multiple EC2 Instances: Shared Storage Explained

When you need to share a folder across five EC2 instances simultaneously, the storage choice you make determines whether your architecture works at all — not just how well it performs. Understanding the fundamental difference between EBS and EFS for multiple instances is one of the most common architectural decisions engineers face when moving workloads to AWS.

TL;DR: EBS vs EFS for Multiple Instances

Dimension EBS (Elastic Block Store) EFS (Elastic File System)
Simultaneous multi-instance access Not supported in standard mode; EBS Multi-Attach is limited Fully supported — many instances, concurrently
Protocol Block storage (attached as a disk device) NFS v4.1 / v4.0 (mounted as a network filesystem)
Scope Single Availability Zone Regional (spans multiple AZs via mount targets)
Use case fit Single-instance databases, boot volumes, high-IOPS workloads Shared content, home directories, CMS media, CI/CD artifacts
Pricing model Provisioned capacity Pay-per-use (consumed GB); pricing varies — check AWS docs

Concept Foundation: How EBS and EFS Actually Work

Before deciding, you need a clear mental model of what each service is at the protocol level — not just the marketing description.

EBS: Block Storage Attached to One Instance

EBS presents a raw block device to an EC2 instance. The operating system formats it with a filesystem (ext4, xfs, NTFS) and mounts it like a local disk. The attachment is a direct, low-latency channel between the hypervisor and the storage backend — which is exactly why it cannot be shared freely.

The filesystem layer (ext4, xfs) maintains its own journal and inode table. If two instances mount the same block device simultaneously without a cluster-aware filesystem, they will corrupt each other's metadata. Standard Linux filesystems are not designed for concurrent writers from separate OS instances.

EBS Multi-Attach: The Exception With Hard Constraints

EBS does offer a feature called Multi-Attach, but it is not a general-purpose shared filesystem solution. Multi-Attach is available only for io1 and io2 volume types, is restricted to instances within a single Availability Zone, and supports a maximum of 16 instances per volume. Critically, AWS explicitly states that you must use a cluster-aware filesystem (such as GFS2 or OCFS2) to manage concurrent writes — standard filesystems will cause data corruption. For a typical "share a folder" use case, this is the wrong tool.

EFS: A Managed NFS Service

EFS is a fully managed Network File System. Instances mount it over NFS v4.1, and the service handles consistency, locking, and concurrent access natively. There is no volume size to provision — capacity scales automatically as you write data. Mount targets are created per Availability Zone, so instances across your entire VPC (and across AZs) can reach the same filesystem simultaneously.

Think of EBS as a dedicated hard drive bolted to one server. EFS is a NAS appliance on the network — any server with the right credentials and network path can mount it at the same time.
graph TD subgraph EBS_Model["EBS: Single-Instance Block Storage"] EBS1["EBS Volume"] EC2A["EC2 Instance A
(attached)"] EC2B["EC2 Instance B
(no access)"] EC2C["EC2 Instance C
(no access)"] EBS1 -->|"block device"| EC2A EBS1 -.-|"X"| EC2B EBS1 -.-|"X"| EC2C end subgraph EFS_Model["EFS: Shared Network Filesystem"] EFS1["EFS Filesystem"] MT1["Mount Target AZ-1"] MT2["Mount Target AZ-2"] I1["Instance 1"] I2["Instance 2"] I3["Instance 3"] I4["Instance 4"] I5["Instance 5"] EFS1 --- MT1 EFS1 --- MT2 MT1 -->|"NFS TCP 2049"| I1 MT1 -->|"NFS TCP 2049"| I2 MT1 -->|"NFS TCP 2049"| I3 MT2 -->|"NFS TCP 2049"| I4 MT2 -->|"NFS TCP 2049"| I5 end
  1. EBS volume attaches to a single EC2 instance via a dedicated block channel. Other instances have no path to it.
  2. EFS filesystem exposes mount targets in each AZ. All five EC2 instances mount the same NFS endpoint concurrently — reads and writes are coordinated by the EFS service.
  3. The Security Group on the mount target must allow NFS traffic (TCP port 2049) from the EC2 instances' Security Group.

EBS vs EFS for Multiple Instances: The Decision Flow

flowchart TD Start(["Do multiple instances need
the same data simultaneously?"]) Start -->|"No — one instance at a time"| EBS_OK["Use EBS
Simpler, lower cost"] Start -->|"Yes — concurrent access needed"| ClusterApp{"Is this a cluster-aware
application with its own
filesystem (GFS2/OCFS2)?"} ClusterApp -->|"Yes, same AZ, io1/io2 only"| MultiAttach["EBS Multi-Attach
(narrow use case)"] ClusterApp -->|"No — general shared folder"| EFS_OK["Use EFS
Managed NFS, multi-AZ"] EBS_OK --> Done1(["Attach EBS, format,
mount on one instance"]) EFS_OK --> Done2(["Create EFS, mount targets,
mount on all instances"]) MultiAttach --> Done3(["Verify cluster filesystem
before mounting"])
  1. If only one instance needs the volume at a time, EBS is simpler and cheaper.
  2. If multiple instances need concurrent access, EFS is the correct path for general-purpose shared filesystems.
  3. EBS Multi-Attach is a narrow exception for cluster-aware applications on io1/io2 within one AZ — not a general shared folder solution.

Implementing Shared Storage with EFS Across Five EC2 Instances

Step 1: Create the EFS Filesystem

aws efs create-file-system \
  --performance-mode generalPurpose \
  --throughput-mode bursting \
  --encrypted \
  --region us-east-1 \
  --tags Key=Name,Value=shared-app-fs

Operator Rationale: generalPurpose performance mode covers the vast majority of workloads. bursting throughput mode scales with filesystem size — appropriate unless you have consistently high throughput requirements. Encryption at rest is enabled as a baseline security practice.

Step 2: Create Mount Targets in Each Availability Zone

You need one mount target per AZ where your EC2 instances reside. Replace the subnet IDs and security group ID with your actual values.

aws efs create-mount-target \
  --file-system-id fs-0123456789abcdef0 \
  --subnet-id subnet-0a1b2c3d4e5f60001 \
  --security-groups sg-0a1b2c3d4e5f60002 \
  --region us-east-1

Operator Rationale: Each mount target gets an IP address within the subnet. Instances in that AZ resolve the EFS DNS name to the local mount target IP, keeping NFS traffic within the AZ and avoiding cross-AZ data transfer charges.

Step 3: Configure Security Groups

The mount target's Security Group must allow inbound NFS (TCP 2049) from the EC2 instances. The cleanest approach references the EC2 Security Group as the source rather than a CIDR range.

aws ec2 authorize-security-group-ingress \
  --group-id sg-0a1b2c3d4e5f60002 \
  --protocol tcp \
  --port 2049 \
  --source-group sg-0ec2instancesgroupid \
  --region us-east-1

Operator Rationale: Using a Security Group reference instead of a CIDR block means the rule automatically applies to any new instance added to the EC2 Security Group — no manual rule updates as you scale.

Step 4: Mount EFS on Each EC2 Instance

AWS recommends using the EFS mount helper (amazon-efs-utils), which handles TLS encryption in transit and automatic retry logic.

# Install the mount helper (Amazon Linux 2 / AL2023)
sudo yum install -y amazon-efs-utils

# Create the mount point
sudo mkdir -p /mnt/shared

# Mount using the EFS DNS name
sudo mount -t efs -o tls fs-0123456789abcdef0:/ /mnt/shared

Operator Rationale: The -o tls option encrypts data in transit using TLS. Without it, NFS traffic traverses the VPC unencrypted. The EFS DNS name (fs-xxxxxxxx.efs.us-east-1.amazonaws.com) resolves to the mount target IP in the instance's AZ automatically.

Step 5: Persist the Mount Across Reboots

Add the following line to /etc/fstab on each instance:

fs-0123456789abcdef0:/ /mnt/shared efs _netdev,tls 0 0

Operator Rationale: The _netdev option tells the OS to wait for network availability before attempting the mount during boot. Without it, the mount can fail on startup because the NFS network path is not yet available when /etc/fstab is processed.

Required IAM Policy for EFS Access

If you use EFS access points or IAM authorization, the EC2 instance role needs the following permissions. For basic NFS mounting without IAM authorization, network-level access (Security Group) is sufficient — but enabling IAM authorization is a security best practice.

🔽 Click to expand — IAM policy for EFS mount with IAM authorization 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:ClientMount",
        "elasticfilesystem:ClientWrite",
        "elasticfilesystem:DescribeMountTargets"
      ],
      "Resource": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-0123456789abcdef0"
    }
  ]
}

Experience Signal: The Silent Corruption Trap

A common failure pattern: an engineer creates an EBS volume, attaches it to one instance, and then — under deadline pressure — attaches the same volume to a second instance to "just copy some files." The second attachment succeeds. The mount succeeds. Files appear readable. Then, hours later, the primary instance starts logging filesystem errors, or worse, silently writes corrupted data.

The misdiagnosis is usually "EBS flakiness" or "network issue." The actual cause is two OS instances writing to the same ext4 journal concurrently — a scenario ext4 was never designed to handle. The fix is not a retry or a reboot. It requires unmounting from both instances, running fsck to repair the filesystem, and migrating to EFS if concurrent access is genuinely needed.

The observable signal is EXT4-fs error entries in /var/log/messages or dmesg on the primary instance, often appearing minutes after the second mount — not immediately.

Depth Signal: EFS Consistency Model and What It Means for Your Application

EFS provides read-after-write consistency for data operations from a single client. For operations across multiple clients (your five instances), EFS provides open-to-close consistency — meaning that once a client closes a file, subsequent opens by any other client will see the latest data. However, if two instances have the same file open simultaneously and are writing concurrently, the application is responsible for coordination (file locking via NFS lock manager, or application-level locking).

This is not a limitation unique to EFS — it is standard NFS semantics. The practical implication: if your application assumes POSIX strict consistency for concurrent writers (as some databases do), EFS is not the right backend. For shared content directories, log aggregation targets, or deployment artifact stores, open-to-close consistency is entirely sufficient.

Verifying Your EFS Setup

After mounting on all five instances, verify the shared filesystem is working correctly:

# On Instance 1 — write a test file
echo "hello from instance-1" > /mnt/shared/test.txt

# On Instance 2 — verify the file is visible
cat /mnt/shared/test.txt

# Check mount target health
aws efs describe-mount-targets \
  --file-system-id fs-0123456789abcdef0 \
  --region us-east-1

Operator Rationale: The cross-instance read test confirms both network connectivity and NFS mount correctness. The describe-mount-targets call confirms mount target lifecycle state — a mount target must be in available state before instances can connect.

When EBS Is Still the Right Answer

EFS is not universally superior. EBS remains the correct choice when:

  • You are running a relational database (RDS uses EBS internally; self-managed databases on EC2 require block storage for IOPS predictability and filesystem semantics databases expect).
  • You need a boot volume — EC2 root volumes are always EBS.
  • Your workload requires very high IOPS with sub-millisecond latency that a network filesystem cannot provide.
  • Only one instance ever needs the data at a time, and cost optimization matters.

Wrap-Up: EBS vs EFS for Multiple Instances — Next Steps

For sharing a folder across five EC2 instances, EFS is the correct service. EBS is a block device designed for single-instance attachment; its Multi-Attach feature exists for specialized cluster applications, not general shared directories. EFS provides a fully managed NFS filesystem that handles concurrent access, scales automatically, and spans Availability Zones without operational overhead.

Your next steps:

  • Review the Amazon EFS User Guide for performance mode and throughput mode selection guidance.
  • Evaluate EFS Access Points if you need per-application directory isolation with enforced POSIX user/group identity.
  • Consider EFS Lifecycle Management to automatically tier infrequently accessed files to a lower-cost storage class.
  • If your workload is Windows-based, evaluate Amazon FSx for Windows File Server instead — EFS is Linux/NFS only.

Glossary

Term Definition
EBS (Elastic Block Store) AWS block storage service that presents a raw disk device to a single EC2 instance. Formatted with a local filesystem by the OS.
EFS (Elastic File System) AWS managed NFS service that allows concurrent filesystem access from multiple EC2 instances across one or more Availability Zones.
Mount Target An EFS network endpoint created in a specific subnet/AZ. EC2 instances in that AZ connect to EFS through this endpoint via NFS.
EBS Multi-Attach An EBS feature allowing a single io1/io2 volume to attach to up to 16 instances in the same AZ. Requires a cluster-aware filesystem; not a general shared folder solution.
Open-to-close consistency An NFS consistency model where data written by one client is guaranteed visible to other clients after the writing client closes the file.

Related Posts

Comments

Post a Comment

Popular posts from this blog

EC2 No Internet Access in Custom VPC: Fix Internet Gateway and Route Table

EC2 no internet access in a custom VPC is one of the most common launch-day failures — the instance is running, but outbound connectivity is completely silent. TL;DR: EC2 No Internet Access — Fix Checklist Step What to Do Why It Matters Complexity 1 Create and attach an Internet Gateway to the VPC Without an IGW, the VPC has no path to the public internet Low 2 Add a default route (0.0.0.0/0) pointing to the IGW in the subnet's route table The IGW exists but traffic has no route to reach it Low 3 Assign a public IP or Elastic IP to the instance Private IPs are not routable on the public internet Low 4 Verify Security Group allows outbound traffic A restrictive outbound rule silently drops all egress Low 5 Verify Network ...
Read more

EC2 SSH Connection Timeout: Which Security Group Rules to Check

An EC2 SSH connection timeout is one of the most common blockers when launching a new instance — the fix is almost always a missing or misconfigured inbound rule in your Security Group. TL;DR — Diagnostic Steps at a Glance Step What to Check Common Fix 1 Security Group inbound rules Add SSH (TCP 22) from your IP 2 Subnet route table Ensure 0.0.0.0/0 routes to an Internet Gateway 3 Network ACL rules Allow inbound TCP 22 and ephemeral return ports 4 Instance public IP / Elastic IP Confirm a public IP is assigned 5 Key pair and SSH username Use correct private key and AMI-specific username Why SSH Times Out Instead of Refusing A connection refused error means the TCP handshake reached the host but nothing is listening. A connection timed out error means packets never arrived — or replies never returned. On EC2, that silence is almost always a network-layer block, not an OS-level problem. The Se...
Read more

Difference Between IAM User and IAM Role: Which One Should Your EC2 Use?

Understanding the difference between IAM User and IAM Role is critical — choosing wrong means either hardcoded credentials in your app or a silent security exposure you won't catch until an audit. TL;DR: IAM User vs IAM Role at a Glance Dimension IAM User IAM Role Identity type Permanent, named human or service identity Assumable identity with temporary credentials Credential type Long-lived access keys or password Short-lived STS tokens (auto-rotated) Attached to EC2? No native attachment — keys must be embedded Yes — via Instance Profile, injected automatically Rotation required? Manual — your responsibility Automatic — AWS STS handles it Recommended for EC2 → S3? No Yes — always Cross-account access Requires separate user per account Native — assume role across accounts Audit trail Tied to user identity Tied to role + session name in CloudTrail What IAM User and IAM Role Actual...
Read more