Configuring transfers with Amazon FSx for NetApp ONTAP
To transfer data to or from your Amazon FSx for NetApp ONTAP file system, you must create an AWS DataSync transfer location. DataSync can use this location as a source or destination for transferring data.
Providing DataSync access to FSx for ONTAP file systems
To access an FSx for ONTAP file system, DataSync mounts a storage virtual machine (SVM) on your file system using network interfaces in your virtual private cloud (VPC). DataSync creates these network interfaces in your file system’s preferred subnet only when you create a task that includes your FSx for ONTAP location.
Note
VPCs that you use with DataSync must have default tenancy. VPCs with dedicated tenancy aren't supported.
DataSync can connect to an FSx for ONTAP file system's SVM and copy data by using the Network File System (NFS) or Server Message Block (SMB) protocol.
Topics
Using the NFS protocol
With the NFS protocol, DataSync uses the AUTH_SYS
security mechanism
with a user ID (UID) and group ID (GID) of 0
to authenticate with
your
SVM.
Note
DataSync currently only supports NFS version 3 with FSx for ONTAP locations.
Using the SMB protocol
With the SMB protocol, DataSync uses credentials that you provide to authenticate with your SVM.
- Supported SMB versions
-
By default, DataSync automatically chooses a version of the SMB protocol based on negotiation with your SMB file server. You also can configure DataSync to use a specific version, but we recommend doing this only if DataSync has trouble negotiating with the SMB file server automatically.
See the following table for a list of options in the DataSync console and API for configuring an SMB version with your FSx for ONTAP location:
Console option API option Description Automatic AUTOMATIC
DataSync and the SMB file server negotiate the highest version of SMB that they mutually support between 2.1 and 3.1.1.
This is the default and recommended option. If you instead choose a specific version that your file server doesn't support, you may get an
Operation Not Supported
error.SMB 3.0.2
SMB3
Restricts the protocol negotiation to only SMB version 3.0.2.
SMB 2.1 SMB2
Restricts the protocol negotiation to only SMB version 2.1. SMB 2.0 SMB2_0
Restricts the protocol negotiation to only SMB version 2.0. - Required permissions
-
You must provide DataSync a local user in your SVM or a domain user in your Microsoft Active Directory with the necessary rights to mount and access your files, folders, and file metadata.
If you provide a user in your Active Directory, note the following:
-
If you're using AWS Directory Service for Microsoft Active Directory, the user must be a member of the AWS Delegated FSx Administrators group.
-
If you're using a self-managed Active Directory, the user must be a member of one of two groups:
-
The Domain Admins group, which is the default delegated administrators group.
-
A custom delegated administrators group with user rights that allow DataSync to copy object ownership permissions and Windows access control lists (ACLs).
Important
You can't change the delegated administrators group after the file system has been deployed. You must either redeploy the file system or restore it from a backup to use the custom delegated administrator group with the following user rights that DataSync needs to copy metadata.
User right Description Act as part of the operating system (
SE_TCB_NAME
)Allows DataSync to copy object ownership, permissions, file metadata, and NTFS discretionary access lists (DACLs).
This user right is usually granted to members of the Domain Admins and Backup Operators groups (both of which are default Active Directory groups).
Manage auditing and security log (
SE_SECURITY_NAME
)Allows DataSync to copy NTFS system access control lists (SACLs).
This user right is usually granted to members of the Domain Admins group.
-
-
If you want to copy Windows ACLs and are transferring between FSx for ONTAP file systems using SMB (or other types of file systems using SMB), the users that you provide DataSync must belong to the same Active Directory domain or have an Active Directory trust relationship between their domains.
-
- Required authentication protocols
-
For DataSync to access your SMB share, your file system must use NTLM authentication. DataSync can't access the file system if it uses Kerberos authentication.
- DFS Namespaces
DataSync doesn't support Microsoft Distributed File System (DFS) Namespaces. We recommend specifying an underlying file server or share instead when creating your DataSync location.
Unsupported protocols
DataSync can't access FSx for ONTAP file systems using the iSCSI (Internet Small Computer Systems Interface) protocol.
Choosing the right protocol
To preserve file metadata in FSx for ONTAP migrations, configure your DataSync source and destination locations to use the same protocol. Between the supported protocols, SMB preserves metadata with the highest fidelity (see Understanding how DataSync handles file and object metadata for details).
When migrating from a Unix (Linux) server or network-attached storage (NAS) share that serves users through NFS, do the following:
-
Create an NFS location for the Unix (Linux) server or NAS share. (This will be your source location.)
-
Configure the FSx for ONTAP volume you’re transferring data to with the Unix security style.
-
Create a location for your FSx for ONTAP file system that’s configured for NFS. (This will be your destination location.)
When migrating from a Windows server or NAS share that serves users through SMB, do the following:
-
Create an SMB location for the Windows server or NAS share. (This will be your source location.)
-
Configure the FSx for ONTAP volume you’re transferring data to with the NTFS security style.
-
Create a location for your FSx for ONTAP file system that’s configured for SMB. (This will be your destination location.)
If your FSx for ONTAP environment uses multiple protocols, we recommend working with
an AWS storage specialist. To learn about best practices for multiprotocol access,
see Enabling multiprotocol workloads with Amazon FSx for NetApp
ONTAP
Accessing SnapLock volumes
If you're transferring data to a SnapLock volume on an FSx for ONTAP file system, make sure the SnapLock settings Autocommit and Volume append mode are disabled on the volume during your transfer. You can re-enable these settings when you're done transferring data.
Creating your FSx for ONTAP transfer location
To create the location, you need an existing FSx for ONTAP file system. If you don't have one, see Getting started with Amazon FSx for NetApp ONTAP in the Amazon FSx for NetApp ONTAP User Guide.
Open the AWS DataSync console at https://console.aws.amazon.com/datasync/
. -
In the left navigation pane, expand Data transfer, then choose Locations and Create location.
-
For Location type, choose Amazon FSx.
You configure this location as a source or destination later.
-
For FSx file system, choose the FSx for ONTAP file system that you want to use as a location.
-
For Storage virtual machine, choose a storage virtual machine (SVM) in your file system where you want to copy data to or from.
-
For Mount path, specify a path to the file share in that SVM where you'll copy your data.
You can specify a junction path (also known as a mount point), qtree path (for NFS file shares), or share name (for SMB file shares). For example, your mount path might be
/vol1
,/vol1/tree1
, or/share1
.Tip
Don't specify a path in the SVM's root volume. For more information, see Managing FSx for ONTAP storage virtual machines in the Amazon FSx for NetApp ONTAP User Guide.
-
For Security groups, choose up to five Amazon EC2 security groups that provide access to your file system's preferred subnet.
The security groups must allow outbound traffic on the following ports (depending on the protocol you use):
-
NFS – TCP ports 111, 635, and 2049
-
SMB – TCP port 445
Your file system's security groups must also allow inbound traffic on the same ports.
-
-
For Protocol, choose the data transfer protocol that DataSync uses to access your file system's SVM.
For more information, see Choosing the right protocol.
-
(Optional) Enter values for the Key and Value fields to tag the FSx for ONTAP file system.
Tags help you manage, filter, and search for your AWS resources. We recommend creating at least a name tag for your location.
-
Choose Create location.
To create an FSx for ONTAP location by using the AWS CLI
-
Copy the following
create-location-fsx-ontap
command:aws datasync create-location-fsx-ontap \ --storage-virtual-machine-arn arn:aws:fsx:
region
:account-id
:storage-virtual-machine/fs-file-system-id
\ --security-group-arns arn:aws:ec2:region
:account-id
:security-group/group-id
\ --protocoldata-transfer-protocol
={} -
Specify the following required options in the command:
-
For
storage-virtual-machine-arn
, specify the fully qualified Amazon Resource Name (ARN) of a storage virtual machine (SVM) in your file system where you want to copy data to or from.This ARN includes the AWS Region where your file system resides, your AWS account, and the file system and SVM IDs.
-
For
security-group-arns
, specify the ARNs of the Amazon EC2 security groups that provide access to the network interfaces of your file system's preferred subnet.This includes the AWS Region where your Amazon EC2 instance resides, your AWS account, and your security group IDs. You can specify up to five security group ARNs.
For more information about security groups, see File System Access Control with Amazon VPC in the Amazon FSx for NetApp ONTAP User Guide.
-
For
protocol
, configure the protocol that DataSync uses to access your file system's SVM.-
For NFS, you can use the default configuration:
--protocol NFS={}
-
For SMB, you must specify a user name and password that can access the SVM:
--protocol SMB={User=
smb-user
,Password=smb-password
}
-
-
-
Run the command.
You get a response that shows the location that you just created.
{ "LocationArn": "arn:aws:datasync:us-west-2:123456789012:location/loc-abcdef01234567890" }