Amazon FSx for Windows File Server provides a fully managed native Microsoft Windows file system. Amazon FSx provides NTFS file systems that can be accessed from up to thousands of compute instances using the SMB protocol (SMB 2.0 to 3.1.1).  You can access your Amazon FSx file system from Amazon EC2, VMware Cloud on AWS, Amazon WorkSpaces, and Amazon AppStream 2.0 instances. 

 The service works with Microsoft Active Directory (AD) to integrate your file system with your existing Windows environments. Amazon FSx uses Distributed File System (DFS) Replication to support multi-AZ deployments. To ensure compatibility with your applications, Amazon FSx supports all Windows versions starting from Windows Server 2008 and Windows 7, and also current versions of Linux. 

AWS FSx can be used for various application workloads like home directories, web serving & content management, enterprise applications, analytics, and media & entertainment. All Amazon FSx file system data is automatically encrypted at rest and in transit.  

1.0 FSx for Windows file system 

Prerequisites – Currently AWS FSx only work with AWS Managed AD [AWS MAD], AWS support AWS Directory Service’s AD sharing feature, AWS plan to support AD Connector and Self-managed Microsoft Active Directory.  

These are the Directory Types options AWS have –  

a)       AWS Managed Microsoft AD 

b)      Simple AD 

c)       AD Connector 

d)      Cloud Directory

e)      Amazon Cognito Your User Pools 

No need to select any option from above. Self-managed Microsoft Active Directory is something we need to use for our use cases. Other options are little complicated and has some overhead to it to maintain as explained below.

a)        Create AWS Managed Active Directory  

We need to  create AD (eg: xyz.storage.com). During AWS Managed Directory service creation, you will be asked for – Directory Type; Edition; Directory DNS name; Directory NetBIOS name; VPC; Subnet; AZ. 

Limitation:

 Here we need to maintain AD in respective account. So, this AD need a continues sync for latest AD objects.

Details explained here for the filesystem creation for this method

b)      Simple AD 

Simple AD is a standalone managed directory that is powered by a Linux-Samba Active Directory–compatible server. Not recommended as it needs to create a directory and object limitation

b)      AD Connector 

Need to create a trust relationship between source (app account ) and destination account (AD account).

–> Need to create AWS Managed AD directory ID

Limitation:

1)      Overhead for this process and every account using this will need to have this trust relation.

2)      Cost for active directory service created.

d) Cloud Directory : Similar to RDS cloud directory, Cloud Directory is a high-performance, serverless, hierarchical data store still same limitations as above mentioned for Simple AD.

e) Amazon Cognito Your User Pools : Directs to Cognito service for directory creation. No use

Self-managed Microsoft Active Directory: this is recommended to use

1)      Select FSx for windows file server

Use cases for both 

	Amazon FSx for Lustre	Amazon FSx for Windows File Server
Performance	Compute Intensive	Simple fileshare
Lifecycle	Yes	No lifecycle
Storage	Minimum 1.2 TB	Minimum 32 gig
AD authentecation	NO	Yes
Price	$0.14 GB-month / 30 / 24 = $0.000194/GB-hour 3600 GB x $0.000194/GB-hour x 72 hours = $50.40 Total FSx for Lustre charge for 72 hours = $50.40	Storage: 1,024 GB-months x $0.130 GB-month= $133/mo Throughput: 8 MBPS-months x $2.200/MBps-month= $18/mo Backup: 500 GB-months x $0.050/GB-month = $25/mo Total monthly charge: $176 ($0.172/GB-mo)

2)      Then for filesystem creation mention below options

File System Name – This will not be used to access the file share or File System. 

Storage Capacity – Minimum 32 GiB; Maximum 65,536 GiB 

Throughput capacity – Recommended is 8MB/s and max can go up to 2048MB/s .

3)      Network info

Please remember the fs is AZ specific but accessible in all Az’s of a region. Need to DFS for redundancy as explained below in doc.

Network & Security – Select your VPC; Availability zone; Subnet; VPC Security Group 

4)      Select the Window authentication method

Select Self-managed AD (SMAD), if selected AWS MAD-id  then create directory services mentioned above methods.

Mention all the requested info :- FDQN, Service account (use ’id” : “serviceaccount”,
   “domain_user”)

Use  Route53 revolvers route the traffice to DNS

5)      Other options

OU :- Please don’t leave default blank or else all the hardening rules will be applied to this , not sure on what impact it might have

OU=Storage and Backup,OU=Appliance,OU=Computers,OU=Objects,DC=ads,DC=xyz,DC=com

Encryption – Default [AWS Key Management Service (KMS) encryption key that protects your file system data at rest] 

6)      Review summary and click “create filesystem”

7) Filesystem will be created

Check via using DNS name

\\amznfsxieasvi5.ads.xyz.com

Share folder will comes by default and cannot be deleted.

2.0 Automatic Daily Backups 

 Amazon FSx automatically takes backups of your file systems once a day. These daily backups are taken during the daily backup window that was established when you created the file system. At some point during the daily backup window, storage I/O might be suspended briefly while the backup process initializes (typically under a few seconds). When you choose your daily backup window, we recommend that you choose a convenient time of the day outside of the normal operating hours for the applications that will use the file system. Backups are kept for a certain period of time, known as a retention period. By default, backups are retained for 7 days. However, you can change the retention period to anywhere in a range of 0–35 days. 

We can perform backup creation and restoration from FSx Management Console, the AWS CLI, or one of the AWS SDKs 

3.0 Multi-AZ File System Deployments 

For workloads that require multi-AZ redundancy to tolerate temporary AZ unavailability, We can create multiple file systems in separate AZs, keep them in sync, and configure failover between them. Amazon FSx fully supports the use of the Microsoft Distributed File System (DFS) for file system deployments across multiple AZs to get Multi-AZ availability and durability. Using DFS Replication, you can automatically replicate data between two file systems. Using DFS Namespaces, you can configure one file system as your primary and the other as your standby, with automatic failover to the standby in the event that the primary becomes unresponsive. MS DFS support both async and sync replication. 

      AWS FSx provides high availability and failover support across multiple AZs which can be used for shared storage and also as mapped drive instead of EBS volumes as EBS cannot span Multi-AZ. 

4.0 Benefits and Cons of FSx

Benefits:

·      AWS FSx is fully managed. It relies on SSD storage and performs with high levels of IOPS and throughput, as well as consistent sub-millisecond latencies for a well-designed infra.

·      AWS FSx is secure. All of the file systems are a part of the Virtual Private Cloud (VPC); all data is encrypted both in transit and at rest, and all activities are logged to CloudTrail

Cons:

·      AWS FSx for windows File server supports custo DNS only Single-AZ filesystems, not for Multi-AZ as if yet

·      Cost is not accurate enough currently

AWS Documentation