Getting started with Amazon FSx for Windows File Server

This section shows how to get started using FSx for Windows File Server. The getting started exercise includes the following steps.

  1. Sign up for an AWS account and create an administrative user in the account.

  2. Create an AWS Managed Microsoft AD Active Directory using the AWS Directory Service. You will join your file system and compute instance to the Active Directory.

  3. Create an Amazon Elastic Compute Cloud compute instance running Microsoft Windows Server. You will use this instance to access your file system.

  4. Create an Amazon FSx for Windows File Server file system using the Amazon FSx console.

  5. Map your file system to your EC2 instance.

  6. Write data to your file system.

  7. Back up your file system.

  8. Clean up the resources you created.

Setting up your AWS account

Before you use Amazon FSx for the first time, complete the following tasks:

Sign up for an AWS account

If you do not have an AWS account, complete the following steps to create one.

To sign up for an AWS account
  1. Open https://portal.aws.amazon.com/billing/signup.

  2. Follow the online instructions.

    Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.

    When you sign up for an AWS account, an AWS account root user is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform tasks that require root user access.

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to https://aws.amazon.com/ and choosing My Account.

Create a user with administrative access

After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

Secure your AWS account root user
  1. Sign in to the AWS Management Console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.

    For help signing in by using root user, see Signing in as the root user in the AWS Sign-In User Guide.

  2. Turn on multi-factor authentication (MFA) for your root user.

    For instructions, see Enable a virtual MFA device for your AWS account root user (console) in the IAM User Guide.

Create a user with administrative access
  1. Enable IAM Identity Center.

    For instructions, see Enabling AWS IAM Identity Center in the AWS IAM Identity Center User Guide.

  2. In IAM Identity Center, grant administrative access to a user.

    For a tutorial about using the IAM Identity Center directory as your identity source, see Configure user access with the default IAM Identity Center directory in the AWS IAM Identity Center User Guide.

Sign in as the user with administrative access
  • To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

    For help signing in using an IAM Identity Center user, see Signing in to the AWS access portal in the AWS Sign-In User Guide.

Assign access to additional users
  1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

    For instructions, see Create a permission set in the AWS IAM Identity Center User Guide.

  2. Assign users to a group, and then assign single sign-on access to the group.

    For instructions, see Add groups in the AWS IAM Identity Center User Guide.

Step 1. Create your file system

To create your Amazon FSx file system, you must create your Windows Amazon Elastic Compute Cloud (Amazon EC2) instance and the AWS Directory Service directory. If you don't have that set up already, see Prerequisites for getting started.

To create your file system (console)
  1. Open the Amazon FSx console at https://console.aws.amazon.com/fsx/.

  2. On the dashboard, choose Create file system to start the file system creation wizard.

  3. On the Select file system type page, choose FSx for Windows File Server, and then choose Next. The Create file system page appears.

  4. For Creation method choose Standard create.

File system details
  1. In the File system details section, provide a name for your file system. It's easier to find and manage your file systems when you name them. You can use a maximum of 256 Unicode letters, white space, and numbers, plus the special characters + - = . _ : /

  2. For Deployment type choose Multi-AZ or Single-AZ.

    • Choose Multi-AZ to deploy a file system that is tolerant to Availability Zone unavailability. This option supports SSD and HDD storage.

    • Choose Single-AZ to deploy a file system in a single Availability Zone. Single-AZ 2 is the latest generation of single Availability Zone file systems, and it supports SSD and HDD storage.

    For more information, see Availability and durability: Single-AZ and Multi-AZ file systems.

  3. For Storage type, you can choose either SSD or HDD.

    FSx for Windows File Server offers solid state drive (SSD) and hard disk drive (HDD) storage types. SSD storage is designed for the highest-performance and most latency-sensitive workloads, including databases, media processing workloads, and data analytics applications. HDD storage is designed for a broad spectrum of workloads, including home directories, user and departmental file shares, and content management systems. For more information, see About storage types.

  4. For Provisioned SSD IOPS, you can choose either Automatic or User-provisioned mode.

    If you choose Automatic mode, FSx for Windows File Server automatically scales your SSD IOPS to maintain 3 SSD IOPS per GiB of storage capacity. If you choose User-provisioned mode, enter any whole number in the range of 96–400,000. Scaling SSD IOPS above 80,000 is available in US East (N. Virginia), US West (Oregon), US East (Ohio), Europe (Ireland), Asia Pacific (Tokyo), and Asia Pacific (Singapore). For more information, see Managing SSD IOPS.

  5. For Storage capacity, enter the storage capacity of your file system, in GiB. If you're using SSD storage, enter any whole number in the range of 32–65,536. If you're using HDD storage, enter any whole number in the range of 2,000–65,536. You can increase the amount of storage capacity as needed at any time after you create the file system. For more information, see Managing storage capacity.

  6. Keep Throughput capacity at its default setting. Throughput capacity is the sustained speed at which the file server that hosts your file system can serve data. The Recommended throughput capacity setting is based on the amount of storage capacity you choose. If you need more than the recommended throughput capacity, choose Specify throughput capacity, and then choose a value. For more information, see FSx for Windows File Server performance.

    Note

    If you are going to enable file access auditing, you must choose a throughput capacity of 32 MB/s or greater. For more information, see Logging end user access with file access auditing.

    You can modify the throughput capacity as needed at any time after you create the file system. For more information, see Managing throughput capacity on FSx for Windows File Server file systems.

Network & security
  1. In the Network & security section, choose the Amazon VPC that you want to associate with your file system. For this getting started exercise, choose the same Amazon VPC that you chose for your AWS Directory Service directory and your Amazon EC2 instance.

  2. For VPC Security Groups, the default security group for your default Amazon VPC is already added to your file system in the console. If you're not using the default security group, make sure that the security group you choose is in the same AWS Region as your file system. To ensure that you can connect an EC2 instance with your file system, you will need to add the following rules to your chosen security group:

    1. Add the following inbound and outbound rules to allow the following ports.

      Rules    Ports
      UDP      53, 88, 123, 389, 464
      TCP      53, 88, 135, 389, 445, 464, 636, 3268, 3269, 5985, 9389, 49152-65535

      As the source and destination of these rules, add the IP addresses or security group IDs associated with the client compute instances that you want to access your file system from.

    2. Add outbound rules to allow all traffic to the Active Directory that you're joining your file system to. To do this, do one of the following:

      • Allow outbound traffic to the security group ID associated with your AWS Managed AD directory.

      • Allow outbound traffic to the IP addresses associated with your self-managed Active Directory domain controllers.

    Note

    In some cases, you might have modified the rules of your AWS Managed Microsoft AD security group from the default settings. If so, make sure that this security group has the required inbound rules to allow traffic from your Amazon FSx file system. For more information about the required inbound rules, see AWS Managed Microsoft AD Prerequisites in the AWS Directory Service Administration Guide.

    For more information, see File System Access Control with Amazon VPC.

  3. Multi-AZ file systems have a primary and a standby file server, each in its own Availability Zone and subnet. If you are creating a Multi-AZ file system (see step 5), choose a Preferred subnet value for the primary file server and a Standby subnet value for the standby file server.

    If you are creating a Single-AZ file system, choose the Subnet for your file system.
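An added example (not part of the original guide or AWS code) that audits a security group against the port table in step 2 and flags rules open to any address. The group below is constructed sample data in the shape returned by the EC2 DescribeSecurityGroups operation, and the function names are hypothetical.

```python
# Required ports from the table in step 2, as inclusive (low, high) ranges.
REQUIRED = {
    "udp": [(p, p) for p in (53, 88, 123, 389, 464)],
    "tcp": [(p, p) for p in (53, 88, 135, 389, 445, 464, 636, 3268, 3269,
                             5985, 9389)] + [(49152, 65535)],
}


def allowed_ranges(permissions, protocol):
    """Merge the port ranges that the rules open for one protocol.

    Simplification: rules are merged regardless of which peer they allow.
    """
    spans = []
    for rule in permissions:
        if rule["IpProtocol"] == "-1":           # all protocols, all ports
            spans.append((0, 65535))
        elif rule["IpProtocol"] == protocol:
            spans.append((rule["FromPort"], rule["ToPort"]))
    merged = []
    for lo, hi in sorted(spans):
        if merged and lo <= merged[-1][1] + 1:   # overlapping or adjacent
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def missing_ports(permissions):
    """Return {protocol: [required ranges that are not fully covered]}."""
    gaps = {}
    for protocol, needed in REQUIRED.items():
        merged = allowed_ranges(permissions, protocol)
        absent = [(lo, hi) for lo, hi in needed
                  if not any(a <= lo and hi <= b for a, b in merged)]
        if absent:
            gaps[protocol] = absent
    return gaps


def world_open_rules(permissions):
    """Rules whose peer is any address rather than the client instances."""
    return [rule for rule in permissions
            if any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
            or any(r.get("CidrIpv6") == "::/0" for r in rule.get("Ipv6Ranges", []))]


CLIENTS = [{"GroupId": "sg-0aaaaaaaaaaaaaaaa"}]   # constructed client group ID
SAMPLE_GROUP = {                                  # constructed sample data
    "GroupId": "sg-0bbbbbbbbbbbbbbbb",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 49152, "ToPort": 57343,
         "IpRanges": [], "UserIdGroupPairs": CLIENTS},
        {"IpProtocol": "tcp", "FromPort": 57344, "ToPort": 65535,
         "IpRanges": [], "UserIdGroupPairs": CLIENTS},
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 123,
         "IpRanges": [], "UserIdGroupPairs": CLIENTS},
    ],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "UserIdGroupPairs": [],
                             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

if __name__ == "__main__":
    print("inbound gaps:", missing_ports(SAMPLE_GROUP["IpPermissions"]))
    print("open to any address:", world_open_rules(SAMPLE_GROUP["IpPermissions"]))
```

Run the same functions over `IpPermissionsEgress` to check the outbound side of the table.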

Windows authentication
  • For Windows authentication, you have the following options:

    Choose AWS Managed Microsoft Active Directory if you want to join your file system to a Microsoft Active Directory domain that is managed by AWS, and then choose your AWS Directory Service directory from the list. For more information, see Working with Microsoft Active Directory.

    Choose Self-managed Microsoft Active Directory if you want to join your file system to a self-managed Microsoft Active Directory domain, and provide the following details for your Active Directory. For more information, see Using a self-managed Microsoft Active Directory.

    • The fully qualified domain name of your Active Directory.

      Important

      For Single-AZ 2 and all Multi-AZ file systems, the Active Directory domain name cannot exceed 47 characters. This limitation applies to both AWS Directory Service and self-managed Active Directory domain names.

      Amazon FSx requires a direct connection for internal traffic to your DNS IP address. Connection via an internet gateway is not supported. Instead, use AWS Virtual Private Network, VPC peering, AWS Direct Connect, or AWS Transit Gateway association.

    • DNS server IP addresses—the IPv4 addresses of the DNS servers for your domain.

      Note

      Your DNS server must have EDNS (Extension Mechanisms for DNS) enabled. If EDNS is disabled, your file system might fail to create.

    • Service account username—the user name of the service account in your existing Active Directory. Do not include a domain prefix or suffix.

    • Service account password—the password for the service account.

    • (Optional) Organizational Unit (OU)—the distinguished path name of the organizational unit in which you want to join your file system.

    • (Optional) Delegated file system administrators group—the name of the group in your Active Directory that can administer your file system. The default group is 'Domain Admins'. For more information, see Amazon FSx service account.

Encryption, Auditing, and Access (DNS aliases)
  1. For Encryption, choose the AWS KMS encryption key used to encrypt the data on your file system at rest. You can choose the default aws/fsx (default) that is managed by AWS KMS, an existing key, or a customer managed key by specifying the ARN for the key. For more information, see Encryption at Rest.

  2. For Auditing - optional, file access auditing is disabled by default. For information about enabling and configuring file access auditing, see Logging end user access with file access auditing.

  3. For Access - optional, enter any DNS aliases that you want to associate with the file system. Each alias name must be formatted as a fully qualified domain name (FQDN). For more information, see Managing DNS aliases.

Backup and maintenance

For more information about automatic daily backups and the settings in this section, see Protecting your data with backups.

  1. Daily automatic backup is enabled by default. You can disable this setting if you do not want Amazon FSx to take backups of your file system automatically on a daily basis.

  2. If automatic backups are enabled, they occur within a time period known as the backup window. You can use the default window, or choose an Automatic backup window start time that is best for your workflow.

  3. For Automatic backup retention period, you can use the default setting of 30 days, or set the number of days, between 1 and 90, that Amazon FSx retains automatic daily backups of your file system. This setting does not apply to user-initiated backups or to backups taken by AWS Backup.

  4. For Tags - optional, enter a key and value to add tags to your file system. A tag is a case-sensitive key-value pair that helps you manage, filter, and search for your file system. For more information, see Tagging your Amazon FSx resources.

    Choose Next.

Review your configuration and create
  1. Review the file system configuration shown on the Create file system page. For your reference, you can see which file system settings you can and can't modify after the file system is created. Choose Create file system.

  2. After Amazon FSx creates the file system, choose the file system ID from the list in the File Systems dashboard to view the details. Choose Attach, and note the DNS name for your file system on the Network & security tab. You will need it in the following procedure to map a share to an EC2 instance.
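An added example (not part of the original guide or AWS code) that checks a planned configuration against the limits stated in Step 1 before it is submitted. The dictionary follows the parameter names of the CreateFileSystem API request; the function name, the file system name, and the sample values are constructed for illustration.

```python
import re

# Up to 256 Unicode letters, white space, digits, and + - = . _ : /
NAME_RE = re.compile(r"[\w\s+\-=.:/]{1,256}")
CAPACITY_GIB = {"SSD": (32, 65536), "HDD": (2000, 65536)}
AUDIT_ON = {"SUCCESS_ONLY", "FAILURE_ONLY", "SUCCESS_AND_FAILURE"}


def preflight(name, request):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    win = request.get("WindowsConfiguration", {})
    if not NAME_RE.fullmatch(name):
        findings.append("name: too long or contains a disallowed character")

    storage_type = request.get("StorageType", "SSD")
    low, high = CAPACITY_GIB[storage_type]
    if not low <= request["StorageCapacity"] <= high:
        findings.append(f"StorageCapacity: {storage_type} needs {low}-{high} GiB")

    iops = win.get("DiskIopsConfiguration", {})
    if iops.get("Mode") == "USER_PROVISIONED" and not 96 <= iops.get("Iops", 0) <= 400000:
        findings.append("Iops: user-provisioned value must be 96-400000")

    # File access auditing requires at least 32 MB/s of throughput capacity.
    audit = win.get("AuditLogConfiguration", {})
    levels = {audit.get("FileAccessAuditLogLevel"),
              audit.get("FileShareAccessAuditLogLevel")}
    if levels & AUDIT_ON and win.get("ThroughputCapacity", 0) < 32:
        findings.append("ThroughputCapacity: auditing needs 32 MB/s or greater")

    # Only a self-managed directory carries its domain name in the request.
    ad = win.get("SelfManagedActiveDirectoryConfiguration")
    if ad:
        limited = win.get("DeploymentType") in ("SINGLE_AZ_2", "MULTI_AZ_1")
        if limited and len(ad["DomainName"]) > 47:
            findings.append("DomainName: longer than 47 characters")
        if "\\" in ad["UserName"] or "@" in ad["UserName"]:
            findings.append("UserName: remove the domain prefix or suffix")
    return findings


SAMPLE_REQUEST = {                       # constructed sample values
    "StorageType": "HDD",
    "StorageCapacity": 1024,
    "WindowsConfiguration": {
        "DeploymentType": "MULTI_AZ_1",
        "ThroughputCapacity": 16,
        "AuditLogConfiguration": {
            "FileAccessAuditLogLevel": "SUCCESS_AND_FAILURE",
            "FileShareAccessAuditLogLevel": "DISABLED"},
        "SelfManagedActiveDirectoryConfiguration": {
            "DomainName": "corp.example.com",
            "UserName": "CORP\\fsx-svc"},
    },
}

if __name__ == "__main__":
    for finding in preflight("team share #1", SAMPLE_REQUEST):
        print(finding)
```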

Step 2. Map your file share to an EC2 instance running Windows Server

You can now mount your Amazon FSx file system to your Microsoft Windows–based Amazon EC2 instance joined to your AWS Directory Service directory. The name of your file share is not the same as the name of your file system.

To map a file share on an Amazon EC2 Windows instance using the GUI
  1. Before you can mount a file share on a Windows instance, you must launch the EC2 instance and join it to the AWS Directory Service for Microsoft Active Directory that your file system has joined. To perform this action, choose one of the following procedures from the AWS Directory Service Administration Guide:

  2. Connect to your instance. For more information, see Connecting to Your Windows Instance in the Amazon EC2 User Guide.

  3. When you're connected, open File Explorer.

  4. From the navigation pane, open the context (right-click) menu for Network and choose Map Network Drive.

  5. Choose a drive letter of your choice for Drive.

  6. You can map your file system using either its default DNS name assigned by Amazon FSx, or using a DNS alias of your choosing. This procedure describes mapping a file share using the default DNS name. If you want to map a file share using a DNS alias, see Accessing data using DNS aliases.

    For Folder, enter the file system DNS name and the share name. The default Amazon FSx share is called \share. You can find the DNS name in the Amazon FSx console, https://console.aws.amazon.com/fsx/, in the Windows File Server > Network & Security section, or in the response of the CreateFileSystem or DescribeFileSystems API operation.

    • For a Single-AZ file system joined to an AWS Managed Microsoft Active Directory, the DNS name looks like the following.

      fs-0123456789abcdef0.ad-domain.com

    • For a Single-AZ file system joined to a self-managed Active Directory, and any Multi-AZ file system, the DNS name looks like the following.

      amznfsxaa11bb22.ad-domain.com

    For example, enter \\fs-0123456789abcdef0.ad-domain.com\share.

  7. Choose whether the file share should Reconnect at sign-in, and then choose Finish.

Step 3. Write data to your file share

Now that you've mapped your file share to your instance, you can use your file share like any other directory in your Windows environment.

To write data to your file share
  1. Open the Notepad text editor.

  2. Write some content in the text editor. For example: Hello, World!

  3. Save the file to your file share's drive letter.

  4. Using File Explorer, navigate to your file share and find the text file that you just saved.

Step 4. Back up your file system

Now that you've had a chance to use your Amazon FSx file system and its file shares, you can back it up. By default, daily backups are created automatically during your file system's 30-minute backup window. However, you can create a user-initiated backup at any time. Backups have additional costs associated with them. For more information on backup pricing, see Pricing.

To create a backup of your file system from the console
  1. Open the Amazon FSx console at https://console.aws.amazon.com/fsx/.

  2. From the console dashboard, choose the name of the file system you created for this exercise.

  3. From the Overview tab for your file system, choose Create backup.

  4. In the Create backup dialog box that opens, provide a name for your backup. This name can contain a maximum of 256 Unicode letters and include white space, numbers, and the following special characters: + - = . _ : /

  5. Choose Create backup.

  6. To view all your backups in a list, so you can restore your file system or delete the backup, choose Backups.

When you create a new backup, its status is set to CREATING while it is being created. This can take a few minutes. When the backup is available for use, its status changes to AVAILABLE.

Step 5. Clean up resources

After you have finished this exercise, you should follow these steps to clean up your resources and protect your AWS account.

To clean up resources
  1. On the Amazon EC2 console, terminate your instance. For more information, see Terminate Your Instance in the Amazon EC2 User Guide.

  2. On the Amazon FSx console, delete your file system. All automatic backups are deleted automatically. However, you still need to delete the manually created backups. The following steps outline this process:

    1. Open the Amazon FSx console at https://console.aws.amazon.com/fsx/.

    2. From the console dashboard, choose the name of the file system you created for this exercise.

    3. For Actions, choose Delete file system.

    4. In the Delete file system dialog box that opens, decide whether you want to create a final backup. If you do, provide a name for the final backup. Any automatically created backups are also deleted.

      Important

      New file systems can be created from backups. We recommend that you create a final backup as a best practice. If you find you don't need it after a certain period of time, you can delete this and other manually created backups.

    5. Enter the ID of the file system that you want to delete in the File system ID box.

    6. Choose Delete file system.

    7. The file system is now being deleted, and its status in the dashboard changes to DELETING. When the file system has been deleted, it no longer appears in the dashboard.

    8. Now you can delete any manually created backups for your file system. From the left-side navigation, choose Backups.

    9. From the dashboard, choose any backups that have the same File system ID as the file system that you deleted, and choose Delete backup.

    10. The Delete backups dialog box opens. Leave the check box checked for the ID of the backup you selected, and choose Delete backups.

    Your Amazon FSx file system and related automatic backups are now deleted.

  3. If you created an AWS Directory Service directory for this exercise in Prerequisites for getting started, you can delete it now. For more information, see Delete your directory in the AWS Directory Service Administration Guide.