How do I mount Amazon EFS using FQDN on a Linux Machine that is joined with AWS Managed Microsoft AD?

Last updated: 2021-03-12

I am using the AWS Directory Service for Microsoft Active Directory. I joined my Amazon Elastic Compute Cloud (Amazon EC2) Linux instances into the Active Directory Domain. I am unable to mount the Amazon Elastic File System (Amazon EFS) using the fully qualified domain name (FQDN) from my EC2 Linux instance. How can I resolve this issue?

Short description

To join your Linux machine with AWS Managed Microsoft AD, configure your instance to use the DNS servers for your Active Directory. This configuration means that all DNS requests from your EC2 Linux instances are routed to the Active Directory DNS servers.

When you use Microsoft AD, all DNS requests are forwarded to the IP address of the Amazon provided DNS servers for your VPC. These DNS servers resolve names that are configured in your Amazon Route 53 (Route 53) private hosted zones. If no private hosted zone exists for your AWS services, then DNS requests are forwarded to public DNS servers, which can resolve AWS service FQDNs only to public IP addresses. For more information, see Configure DNS.

The Amazon EFS FQDN, however, resolves only to private IP addresses (the mount targets in your VPC). Because the Microsoft AD DNS servers can't return those private addresses, you can't mount EFS using the FQDN.

Example of issue

This example uses the AWS Managed Microsoft AD. The DNS servers provided are 10.20.32.80 and 10.20.34.122. The EFS file system was created in the same VPC with mount target 10.20.0.178.

1. Using netcat, confirm that the EC2 instance can establish a connection with the EFS mount target 10.20.0.178:

nc -vz 10.20.0.178 2049
Connection to 10.20.0.178 2049 port [tcp/nfs] succeeded!

2. On the EC2 Linux server, integrate Microsoft AD, and then configure the Active Directory DNS servers:

echo 'supersede domain-name-servers 10.20.32.80, 10.20.34.122;' | sudo tee --append /etc/dhcp/dhclient.conf
echo 'supersede domain-search "nikkisDNS.com";' | sudo tee --append /etc/dhcp/dhclient.conf
sudo dhclient -r
sudo dhclient

3. Confirm that the DNS servers are configured by checking the resolv.conf file:

cat /etc/resolv.conf
options timeout:2 attempts:5
; generated by /sbin/dhclient-script
search nikkisDNS.com.
nameserver 10.20.32.80
nameserver 10.20.34.122

4. Run dig on the file system to see that the mount target private IP isn't returned:

dig fs-ca591a02.efs.eu-west-1.amazonaws.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.64.amzn1 <<>> fs-ca591a02.efs.eu-west-1.amazonaws.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33320
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;fs-ca591a02.efs.eu-west-1.amazonaws.com. IN A

;; AUTHORITY SECTION:
eu-west-1.amazonaws.com. 299	IN	SOA	dns-external-master.amazon.com. hostmaster.amazon.com. 1312 180 60 2592000 7229

Note: The DNS request doesn't resolve to any A record, and the status shows NXDOMAIN.

If you query the Amazon provided name server for the VPC directly, the same name resolves successfully:

dig @10.20.0.2 fs-ca591a02.efs.eu-west-1.amazonaws.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.64.amzn1 <<>> fs-ca591a02.efs.eu-west-1.amazonaws.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29705
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;fs-ca591a02.efs.eu-west-1.amazonaws.com. IN A

;; ANSWER SECTION:
fs-ca591a02.efs.eu-west-1.amazonaws.com. 60 IN A 10.20.0.178

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Configure conditional forwarders for your Microsoft AD to forward requests to the Amazon VPC-provided DNS. This method also works for resolving the FQDNs of other AWS services to their private IP addresses when you use the Active Directory provided DNS.

To do this, configure a conditional forwarder rule. This forwards all sub-domains of a domain to a specific DNS server IP. For example, you can forward all DNS requests for sub-domains of amazonaws.com to the private IP of the Amazon VPC provided DNS.

Note: The Amazon VPC provided DNS IP is the reserved IP address at the base of the VPC IPv4 network range plus two.

To create the conditional forwarder rule, run the AWS CLI command create-conditional-forwarder:

aws ds create-conditional-forwarder --directory-id d-93673d4d5a --remote-domain-name amazonaws.com --dns-ip-addrs 10.20.0.2 --region eu-west-1

Use the following parameters:

  • directory-id - Enter the AD directory ID.
  • remote-domain-name - You can specify any domain. This rule is applied to all FQDNs matching this domain or its sub-domains.
  • dns-ip-addrs - Enter the Amazon VPC provided DNS IP.

This allows DNS resolution of the EFS FQDN through the Active Directory DNS servers, after which you can mount the EFS file system using the FQDN:

dig fs-ca591a02.efs.eu-west-1.amazonaws.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.64.amzn1 <<>> fs-ca591a02.efs.eu-west-1.amazonaws.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29705
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;fs-ca591a02.efs.eu-west-1.amazonaws.com. IN A

;; ANSWER SECTION:
fs-ca591a02.efs.eu-west-1.amazonaws.com. 60 IN A 10.20.0.178
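The following POSIX shell script is an added example, not code from the AWS article. It turns two checks from this page into reusable functions: it computes the Amazon VPC-provided DNS address from a VPC CIDR using the base-plus-two rule in the Resolution section, and it parses dig output of the shape shown above so a script can tell an NXDOMAIN answer (the symptom) from an answer that returns the private mount-target address (the fixed state). The VPC CIDR 10.20.0.0/16, the sample dig text and all function names are constructed for this example; the EFS FQDN and the address 10.20.0.178 are the page's. The CIDR helper is general and works for any prefix length, not only /16.

```shell
#!/bin/sh
# Added example for this article; not AWS code. Constructed values: the VPC
# CIDR 10.20.0.0/16 and the sample dig output below (modelled on the page).

# VPC-provided DNS resolver = base of the VPC IPv4 range + 2 (the rule stated
# in the Resolution section). Accepts any prefix length from /0 to /32.
vpc_dns_ip() {
  cidr="$1"
  ip="${cidr%/*}"
  prefix="${cidr#*/}"
  [ "$prefix" -ge 0 ] && [ "$prefix" -le 32 ] || return 1
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
  r=$(( (n & mask) + 2 ))
  printf '%d.%d.%d.%d\n' \
    $(( (r >> 24) & 255 )) $(( (r >> 16) & 255 )) $(( (r >> 8) & 255 )) $(( r & 255 ))
}

# Read dig output on stdin and print the status field (NOERROR, NXDOMAIN, ...).
dig_status() {
  sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Read dig output on stdin and print every A record address in the answer.
# Question-section lines start with ';' and have no fourth field, so they are
# skipped; SOA lines in the authority section fail the $4 == "A" test.
dig_a_records() {
  awk '$3 == "IN" && $4 == "A" { print $5 }'
}

# True when stdin holds at least one address and all of them are RFC 1918
# space, i.e. mount-target addresses rather than public IPs.
all_private() {
  count=0; ok=1
  while read -r a; do
    count=$((count + 1))
    case "$a" in
      10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
      *) ok=0 ;;
    esac
  done
  [ "$count" -gt 0 ] && [ "$ok" -eq 1 ]
}

# Live check (needs network and dig): query SERVER for FQDN and report whether
# the answer is a private mount-target address. Run it once against an AD DNS
# server and once against the VPC resolver to see whether the forwarder works.
check_efs_resolution() {
  server="$1"; fqdn="$2"
  out=$(dig "@$server" "$fqdn")
  st=$(printf '%s\n' "$out" | dig_status)
  if [ "$st" != "NOERROR" ]; then
    echo "$server: $fqdn -> $st (no A record; conditional forwarder missing?)" >&2
    return 1
  fi
  printf '%s\n' "$out" | dig_a_records | all_private || {
    echo "$server: $fqdn resolved, but not to a private address" >&2
    return 1
  }
  echo "$server: $fqdn -> $(printf '%s\n' "$out" | dig_a_records | head -n 1)"
}

# Constructed sample answers, shaped like the two dig runs on the page.
SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33320
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;fs-ca591a02.efs.eu-west-1.amazonaws.com. IN A
;; AUTHORITY SECTION:
eu-west-1.amazonaws.com. 299 IN SOA dns-external-master.amazon.com. hostmaster.amazon.com. 1312 180 60 2592000 7229'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29705
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;fs-ca591a02.efs.eu-west-1.amazonaws.com. IN A
;; ANSWER SECTION:
fs-ca591a02.efs.eu-west-1.amazonaws.com. 60 IN A 10.20.0.178'

# Offline demonstration on the constructed samples:
printf '%s\n' "$SAMPLE_NXDOMAIN" | dig_status   # NXDOMAIN
printf '%s\n' "$SAMPLE_OK" | dig_a_records      # 10.20.0.178
vpc_dns_ip 10.20.0.0/16                         # 10.20.0.2
```

On a joined instance, `check_efs_resolution 10.20.32.80 fs-ca591a02.efs.eu-west-1.amazonaws.com` should fail with NXDOMAIN before the conditional forwarder exists and succeed afterwards, while `check_efs_resolution "$(vpc_dns_ip 10.20.0.0/16)" ...` succeeds in both cases; that pairing isolates the AD forwarding path from the VPC resolver itself. The `all_private` test matters because a public answer for an EFS name would point at a misdirected query rather than a working mount target.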