Configuring AWS DataSync transfers with Amazon FSx for NetApp ONTAP - AWS DataSync
Accessing FSx for ONTAP file systemsCreating your FSx for ONTAP transfer location

Beginning December 7, 2023, we will discontinue version 1 DataSync agents. Check the Agents page on the DataSync console to see if you have affected agents. If you do, replace those agents before then to avoid data transfer or storage discovery disruptions. If you need more help, contact AWS Support.

Configuring AWS DataSync transfers with Amazon FSx for NetApp ONTAP

To transfer data to or from your Amazon FSx for NetApp ONTAP file system, you must create an AWS DataSync transfer location. DataSync can use this location as a source or destination for transferring data.

Accessing FSx for ONTAP file systems

To access an FSx for ONTAP file system, DataSync mounts a storage virtual machine (SVM) on your file system using network interfaces in your virtual private cloud (VPC). DataSync creates these network interfaces in your file system’s preferred subnet only when you create a task that includes your FSx for ONTAP location.

Note

VPCs that you use with DataSync must have default tenancy. VPCs with dedicated tenancy are not supported. For more information, see Work with VPCs.

Supported protocols

DataSync can connect to an FSx for ONTAP file system's SVM and copy data using the following protocols:

  • Network File System (NFS) – With the NFS protocol, DataSync uses the AUTH_SYS security mechanism with a user ID (UID) and group ID (GID) of 0 to authenticate with your SVM.

    Note

    DataSync currently only supports NFS version 3 with FSx for ONTAP locations.

  • Server Message Block (SMB) – With the SMB protocol, DataSync uses credentials you provide to authenticate with your SVM. When creating your location, you can specify a local user in your SVM or domain user in your Microsoft Active Directory.

    To copy between FSx for ONTAP file systems using SMB (or other types of file systems using SMB), your source and destination locations must belong to the same Active Directory domain or have an Active Directory trust relationship between their domains.

    By default, DataSync automatically chooses a version of the SMB protocol based on negotiation with your SMB file server. You also can configure DataSync to use a specific version, but we recommend doing this only if DataSync has trouble negotiating with the SMB file server automatically.

    See the following table for a list of options in the DataSync console and API for configuring an SMB version with your FSx for ONTAP location:

    Console option API option Description
    Automatic

    AUTOMATIC

    DataSync and the SMB file server negotiate the highest version of SMB that they mutually support between 2.1 and 3.1.1.

    This is the default and recommended option. If you instead choose a specific version that your file server doesn't support, you may get an Operation Not Supported error.

    SMB 3.0.2

    SMB3

    Restricts the protocol negotiation to only SMB version 3.0.2.
    SMB 2.1

    SMB2

    		 Restricts the protocol negotiation to only SMB version 2.1.
    SMB 2.0

    SMB2_0

    		 Restricts the protocol negotiation to only SMB version 2.0.

    For DataSync to access your SMB file server, your server must use NTLM authentication. DataSync can't access the server if it uses Kerberos authentication.

Unsupported protocols

DataSync can't access FSx for ONTAP file systems using the iSCSI (Internet Small Computer Systems Interface) protocol.

Choosing the right protocol

To preserve file metadata in FSx for ONTAP migrations, configure your DataSync source and destination locations to use the same protocol. Between the supported protocols, SMB preserves metadata with the highest fidelity (see How AWS DataSync handles metadata and special files for details).

When migrating from a Unix (Linux) server or network-attached storage (NAS) share that serves users through NFS, do the following:

  1. Create an NFS location for the Unix (Linux) server or NAS share. (This will be your source location.)

  2. Configure the FSx for ONTAP volume you’re transferring data to with the Unix security style.

  3. Create a location for your FSx for ONTAP file system that’s configured for NFS. (This will be your destination location.)

When migrating from a Windows server or NAS share that serves users through SMB, do the following:

  1. Create an SMB location for the Windows server or NAS share. (This will be your source location.)

  2. Configure the FSx for ONTAP volume you’re transferring data to with the NTFS security style.

  3. Create a location for your FSx for ONTAP file system that’s configured for SMB. (This will be your destination location.)

If your FSx for ONTAP environment uses multiple protocols, we recommend working with an AWS storage specialist. To learn about best practices for multiprotocol access, see Enabling multiprotocol workloads with Amazon FSx for NetApp ONTAP.

Creating your FSx for ONTAP transfer location

To create the location, you need an existing FSx for ONTAP file system. If you don't have one, see Getting started with Amazon FSx for NetApp ONTAP in the Amazon FSx for NetApp ONTAP User Guide.

To specify an FSx for ONTAP file system by using the DataSync console

  1. Open the AWS DataSync console at https://console.aws.amazon.com/datasync/.

  2. In the left navigation pane, expand Data transfer, then choose Locations and Create location.

  3. For Location type, choose Amazon FSx.

    You configure this location as a source or destination later.

  4. For FSx file system, choose the FSx for ONTAP file system that you want to use as a location.

  5. For Storage virtual machine, choose a storage virtual machine (SVM) in your file system where you want to copy data to or from.

  6. For Mount path, specify a path to the file share in that SVM where you'll copy your data.

    You can specify a junction path (also known as a mount point), qtree path (for NFS file shares), or share name (for SMB file shares). For example, your mount path might be /vol1, /vol1/tree1, or /share1.

    Tip

    Don't specify a path in the SVM's root volume. For more information, see Managing FSx for ONTAP storage virtual machines in the Amazon FSx for NetApp ONTAP User Guide.

  7. For Security groups, choose up to five Amazon EC2 security groups that provide access to your file system's preferred subnet.

    The security groups must allow outbound traffic on the following ports (depending on the protocol you use):

    • NFS – TCP ports 111, 635, and 2049

    • SMB – TCP port 445

    Your file system's security groups must also allow inbound traffic on the same ports.

  8. For Protocol, choose the data transfer protocol that DataSync uses to access your file system's SVM.

    For more information, see Choosing the right protocol.

    NFS

    DataSync uses NFS version 3.

    SMB

    Configure an SMB version, user name, password, and Active Directory domain name (if needed) to access the SVM.

    • (Optional) Expand Additional settings and choose an SMB version for DataSync to use when accessing your SVM.

      By default, DataSync automatically chooses a version based on negotiation with the SMB file server. For more information, see Supported protocols.

    • For User, enter a user name that can mount the location and access the files, folders, and metadata that you need in the SVM.

      If you provide a user in your Active Directory, note the following:

      • If you're using AWS Directory Service for Microsoft Active Directory, the user must be a member of the AWS Delegated FSx Administrators group.

      • If you're using a self-managed Active Directory, the user must be a member of either the Domain Admins group or a custom group that you specified for file system administration when you created your file system.

      Make sure that the user has the permissions it needs to copy the data you want:

      • SE_TCB_NAME – Required to set object ownership and file metadata. With this privilege, you also can copy NTFS discretionary access lists (DACLs).

      • SE_SECURITY_NAME – May be needed to copy NTFS system access control lists (SACLs). This operation specifically requires the Windows privilege, which is granted to members of the Domain Admins group. If you configure your task to copy SACLs, make sure that the user has the required privileges. For information about copying SACLs, see Managing how AWS DataSync transfers files, objects, and metadata.

    • For Password, enter the password of the user that you specified who can access the SVM.

    • (Optional) For Active Directory domain name, enter the fully qualified domain name (FQDN) of the Active Directory that your SVM belongs to.

  9. (Optional) Enter values for the Key and Value fields to tag the FSx for ONTAP file system.

    Tags help you manage, filter, and search for your AWS resources. We recommend creating at least a name tag for your location.

  10. Choose Create location.