
Prerequisites for Amazon EFS data protection

Updated today

Important

The availability of this feature may be limited based on the license type, region, and other criteria. To access this feature, contact Support.


Ensure you have set up the following before you configure your Amazon Elastic File Systems for discovery, backup and restore:

Amazon EFS Mount Target configuration

To ensure successful backups, the Amazon Elastic File System must have at least one active mount target created in the Virtual Private Cloud (VPC) to allow for data access.

Active Mount Target: The EFS file system must have at least one active mount target within a VPC subnet. Druva automatically identifies an available active mount target and selects it to facilitate the backup process.

The Subnet and Security Group associated with that specific mount target provide the network blueprint, and are used to provision the Druva Quantum Bridge.

Note: Druva does not use EFS Access Points. Instead, it mounts the file system directly to ensure the entire directory structure remains accessible for a full backup.

Steps to verify and/or configure EFS Mount Target

  1. Log into your AWS EFS Console and select your file system.

  2. Navigate to Network > Manage and select Add Mount Target.

  3. Define the mount target settings:

    • Choose Subnets: Select the specific subnet for each Availability Zone where your instances reside.

    • Assign IP Addresses: You can leave this as "Automatic" (recommended) or assign a specific private IP.

    • Select Security Groups: Remove the "default" group and add the specific EFS security group you created.

  4. Click Save.

For more information, refer to the AWS documentation.

Network connectivity prerequisites

To ensure successful EFS backups via Druva, the following network and configuration requirements must be met within your AWS environment.

Security Group Configuration

Once your Amazon Elastic File Systems are discovered, verify that your EFS mount targets are accessible from the Druva Quantum Bridge provisioned for backup.

Verify each mount target has a security group that allows:

  • Inbound and outbound traffic on port 2049 (NFS)

  • Outbound traffic on port 443 to the Druva endpoint

If not configured, proceed with the following steps:

Steps to verify and configure Security Group Rules

  1. Log into your AWS EC2 Console and select Security Groups.

  2. Locate the Security Group attached to your EFS Mount Target.

  3. Click Edit inbound rules and Add: Type: NFS, Port: 2049 and specify a custom Source: Subnet CIDR or the same Security Group ID.

  4. Click Edit outbound rules and add:

    • Type: NFS | Port: 2049 | Destination: Custom (Same as above).

    • Type: HTTPS | Port: 443 | Destination: 0.0.0.0/0 (to reach Druva endpoints).
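The rule set above can also be checked offline against an exported security group. The following is an added example, not Druva or AWS code: it reads one group in the shape returned by `aws ec2 describe-security-groups` and reports which required rules are missing. The group IDs and CIDRs are constructed, and the "open to any source" finding is an extra check based on the step that asks for a custom source.

```python
# Added example: audit one security group, in the shape returned by
# `aws ec2 describe-security-groups`, against the rules listed above.

def _covers(rule, port):
    """True if an IpPermission entry covers TCP `port`."""
    if rule.get("IpProtocol") == "-1":      # "-1" = all protocols, all ports
        return True
    return (rule.get("IpProtocol") == "tcp"
            and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535))

def _peers(rule):
    """CIDRs, prefix lists and security-group IDs the rule applies to."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            + [p["PrefixListId"] for p in rule.get("PrefixListIds", [])]
            + [g["GroupId"] for g in rule.get("UserIdGroupPairs", [])])

def check_mount_target_sg(sg):
    """Return a list of findings; an empty list means all checks passed."""
    ingress = sg.get("IpPermissions", [])
    egress = sg.get("IpPermissionsEgress", [])
    findings = []
    nfs_sources = [p for r in ingress if _covers(r, 2049) for p in _peers(r)]
    if not nfs_sources:
        findings.append("missing inbound NFS (2049)")
    if any(p in ("0.0.0.0/0", "::/0") for p in nfs_sources):
        findings.append("inbound NFS (2049) open to any source")
    for port, name in ((2049, "NFS"), (443, "HTTPS")):
        if not any(_covers(r, port) and _peers(r) for r in egress):
            findings.append(f"missing outbound {name} ({port})")
    return findings

# Constructed sample data (hypothetical IDs and CIDRs).
GOOD_SG = {"GroupId": "sg-0example1", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}],
  "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
BAD_SG = {"GroupId": "sg-0example2", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
  "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
```
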

VPC and Subnet Settings

The VPC and the specific subnet housing the Mount Target must support DNS resolution and outbound routing.

Steps to verify and configure VPC Settings

  1. Log into your AWS management console and navigate to VPC > Your VPCs.

  2. Click Actions, select Edit VPC settings, and enable the following DNS attributes:

    1. DNS Hostnames must be Enabled.

    2. DNS Resolution must be Enabled.

Create S3 Gateway Endpoint (Recommended)

Optimize costs by deploying an S3 Gateway Endpoint that allows backup data to stay within the AWS private backbone, eliminating standard data egress charges associated with the public internet.

Steps to configure S3 Gateway Endpoint

  1. On your AWS VPC Console, navigate to Endpoints > Create endpoint and select AWS services.

  2. Under Services, select Gateway, and specify com.amazonaws.region.s3 (for your selected AWS Region).

  3. Route Tables: Select your EFS VPC, and select the route table used by the subnet where your EFS Mount Target resides.

Druva Quantum Bridge deployment

Ensure your AWS environment is configured to support the worker instance lifecycle required to deploy the Druva Quantum Bridge.

Default Instances: Druva prefers c6a.xlarge, c6i.xlarge, or c7a.xlarge.

If the default instance types are unavailable in your specific Availability Zone (AZ), the backup job fails unless an alternative is configured via EFS tags.

Tag Compliance

If your AWS account has Service Control Policies (SCPs) that block untagged instance launches or require specific tags (e.g., CostCenter:123), these tags must be passed via EFS tags. If using alternative instance types, select ones with 4 vCPUs and 8 GB RAM (e.g., c5.xlarge or m6i.xlarge).

Steps to apply custom tags

To override default settings and ensure policy compliance, apply custom tags to the EFS file systems to be protected.

  1. Log into your AWS EFS Console and select the File system ID of the EFS you are backing up.

  2. On the file system details page, select Tags and click Edit.

Purpose | Tag Key should contain | Recommended Value
Alternative Instance Types | <druva-instance-types-tag-key> | Comma-separated list (e.g. c6i.xlarge,m5.xlarge)
Mandatory EC2 Tags | <druva-ec2-tags-tag-key> | env:prod,team:storage
Specify Mount Target | <druva-mount-target-tag-key> | The Mount Target ID (e.g. fsmt-0a1b2c3d4e5f)

EFS File System Policy Configuration

To enable successful discovery and access of the Amazon EFS, the file system policy must include the designated IAM role.

An Amazon EFS file system can include an optional resource-based policy, which serves as a secondary security layer. If the file system policy is empty, no action is required to proceed with backups.

If a File System Policy is configured

If a policy is active, it must be configured to permit Druva’s operations. Below is a breakdown of common constraints and the required actions:

  • Identity: If you restrict access to specific IAM roles, ensure the Druva IAM role is included in the Allow list.

  • Permissions: Ensure there are no explicit Deny statements targeting ClientRootAccess, as this blocks capture of the full file system state.

Steps to update the EFS File System Policy

  1. Log into your AWS EFS Console, select your file system, and navigate to the File system policy tab.

  2. Click Edit to modify the JSON statement.

    1. Principal: The ARN of the Druva IAM Role.

    2. Action: Ensure elasticfilesystem:ClientMount, elasticfilesystem:ClientWrite, and elasticfilesystem:ClientRootAccess are allowed.

Warning: Verify the policy does not include explicit Deny statements. Deny statements for any of the above permissions will override Allow statements and cause backup failures.
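The policy requirements above can be checked before a backup is attempted. The following is an added example, not Druva or AWS code: it inspects a file system policy document for the three required actions and for explicit Deny statements that would override an Allow. The role ARN and policy are constructed, and the check is a simplification that reads only the resource policy, does not evaluate `Condition` blocks (a conditional Deny is reported for manual review), and ignores `NotAction` and `NotPrincipal`.

```python
# Added example: static check of an EFS file system policy document.
from fnmatch import fnmatchcase

REQUIRED = ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite",
            "elasticfilesystem:ClientRootAccess"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _applies(stmt, action, role_arn):
    """True if the statement names this action (wildcards allowed) and this role."""
    patterns = _as_list(stmt.get("Action", []))
    if not any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
        return False
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    arns = _as_list(principal.get("AWS", []))
    return "*" in arns or role_arn in arns

def check_efs_policy(policy, role_arn):
    """Return problems for the backup role; an empty list means none found."""
    if not policy or not policy.get("Statement"):
        return []          # empty policy: no action required, per the page
    stmts = _as_list(policy["Statement"])
    problems = []
    for action in REQUIRED:
        hits = [s for s in stmts if _applies(s, action, role_arn)]
        denies = [s for s in hits if s.get("Effect") == "Deny"]
        if denies:
            cond = all("Condition" in s for s in denies)
            problems.append(f"explicit Deny on {action}"
                            + (" (conditional, review manually)" if cond else ""))
        elif not any(s.get("Effect") == "Allow" for s in hits):
            problems.append(f"no Allow for {action}")
    return problems

# Constructed sample: hypothetical role ARN and policy.
ROLE = "arn:aws:iam::111122223333:role/ExampleDruvaRole"
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE},
     "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"]},
    {"Effect": "Deny", "Principal": {"AWS": "*"},
     "Action": "elasticfilesystem:ClientRootAccess"}]}
```
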
