Skip to content
S3 Files Workloads

Mount Targets

Progress checklist

Overview

Section titled “Overview”

A MOUNT-TARGET
Mount Target — a network endpoint that provides NFS access to an S3 file system within a single Availability Zone. One mount target per AZ is recommended. gives compute resources a network path to the file system within a single AZ
Availability Zone — an isolated data-centre location within an AWS region. Mount targets are created per AZ for high availability. . Create one per AZ where your Lambda functions run — you can have at most one per AZ.

  1. Confirm base exports. Required

    Re-run these in your current shell so all required variables are set:

    Terminal window
    export AWS_REGION=ap-southeast-6
    export ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
    export BUCKET=my-s3-files-bucket        # ← replace with your real bucket name
    export BUCKET_ARN=arn:aws:s3:::${BUCKET}
    export FS_ID=$(aws s3files list-file-systems \
      --region $AWS_REGION \
      --bucket $BUCKET_ARN \
      --query 'fileSystems[0].fileSystemId' \
      --output text)
    echo "Region: $AWS_REGION  Account: $ACCOUNT_ID  FS: $FS_ID"

    If FS_ID is empty or None, complete File System first.

  2. List your VPC subnets and identify one per AZ.

    Terminal window
    export VPC_ID=vpc-0123456789abcdef0   # replace with your VPC ID
    

    aws ec2 describe-subnets \
      --filters "Name=vpc-id,Values=$VPC_ID" \
      --query 'Subnets[*].{AZ:AvailabilityZone,SubnetId:SubnetId,CIDR:CidrBlock}' \
      --output table \
      --region $AWS_REGION

    Note a subnet ID for each AZ you need. Pick the private subnets where your Lambda functions will run.

  3. Create a security group for mount targets. Required

    Terminal window
    export MT_SG_ID=$(aws ec2 create-security-group \
      --group-name s3files-mount-target-sg \
      --description "S3 Files mount target - NFS inbound" \
      --vpc-id $VPC_ID \
      --region $AWS_REGION \
      --query GroupId \
      --output text)
    echo "Mount target SG: $MT_SG_ID"

  4. Create a mount target in each AZ. Required

    From the step 2 table, copy one subnet ID per Availability Zone where you need NFS. Assign each to a shell variable before calling create-mount-target.

    First AZ (required): set a real subnet ID:

    Terminal window
    export SUBNET_ID_AZA=subnet-0123456789abcdef0   # replace — e.g. private subnet in ap-southeast-6a

    Second AZ (required if your VPC has a second AZ and you want HA):

    Terminal window
    export SUBNET_ID_AZB=subnet-0fedcba9876543210   # replace — e.g. private subnet in ap-southeast-6b

    Add another export SUBNET_ID_AZC=subnet-… for each extra AZ — do not run create-mount-target with placeholder subnet IDs.

    Create one mount target per export (at most one mount target per AZ):

    Terminal window
    aws s3files create-mount-target \
      --region $AWS_REGION \
      --file-system-id $FS_ID \
      --subnet-id $SUBNET_ID_AZA \
      --security-groups $MT_SG_ID
    

    aws s3files create-mount-target \
      --region $AWS_REGION \
      --file-system-id $FS_ID \
      --subnet-id $SUBNET_ID_AZB \
      --security-groups $MT_SG_ID

    If you only use one AZ, keep the first export and the first create-mount-target only; skip SUBNET_ID_AZB and the second API call.

    Mount target creation takes up to 5 minutes per target.

  5. Wait until all mount targets are available.

    Terminal window
    aws s3files list-mount-targets \
      --region $AWS_REGION \
      --file-system-id $FS_ID \
      --query 'mountTargets[*].{AZ:availabilityZoneId,State:status,IP:ipv4Address}' \
      --output table

    Re-run until all entries show available in the State column.

Next step

Section titled “Next step”

Continue to IAM to create the Lambda execution role.