Architecture for deploying FSx for ONTAP in an enterprise environment - AWS Prescriptive Guidance

Amazon FSx for NetApp ONTAP is a managed storage service that helps you launch and run fully managed NetApp ONTAP file systems in the AWS Cloud. FSx for ONTAP supports Windows or Linux operating systems (OSs), and it is accessible through industry-standard protocols, such as Network File System (NFS), Server Message Block (SMB), and Internet Small Computer System Interface (iSCSI). In addition, this file system supports compression and deduplication, which can reduce storage costs.

This guide focuses on deployment for a Windows workload. For example, you can use FSx for ONTAP as shared storage for an HPC third-party solution that is composed of hundreds of Windows nodes. These nodes have extremely high write and read throughput requirements and are connected to a grid scheduler.

The following diagram depicts a typical example of an enterprise HPC workload and FSx for ONTAP deployment in a hybrid-cloud environment. This architecture is referenced throughout the guide.

FSx for ONTAP integrated with an HPC workload in the AWS Cloud and Active Directory on premises

The following are the features of this architecture:

  1. The on-premises data center and cloud environments are connected by using AWS Direct Connect.

  2. The HPC workload, running Windows, is deployed in the AWS Cloud.

  3. Active Directory is deployed in the on-premises environment.

  4. The access layer systems, which are running on Windows, are deployed in the on-premises environment.

Customer access layer

Through the customer access layer, end users reach the workload in the AWS Cloud. Amazon WorkSpaces or Citrix are commonly used to access the applications and to reach the data in Amazon FSx through an SMB mount.

Active Directory

Typically, Microsoft Active Directory is installed and managed on premises. Many organizations want to join their FSx for ONTAP SVMs to their Active Directory domain in order to provide user authentication and access control at the file and folder level. SMB clients can then use their existing user identities in Active Directory to authenticate themselves and access SVM volumes. For more information, see Working with Microsoft Active Directory in FSx for ONTAP. You must establish proper networking rules to make sure that the SVMs can reach the Active Directory domain.

To allow the Amazon FSx file system to create, edit and delete files on the managed volumes, you need to create a service account for the Active Directory domain. For more information, see Delegating permissions to your Amazon FSx service account. Active Directory is a core component in many enterprise organizations, and the deployment of a new account—even with limited privileges—might require considerable time.

Amazon FSx resources

The following are the primary types of resources in FSx for ONTAP:

  • A file system is the primary FSx for ONTAP resource, analogous to an on-premises NetApp ONTAP cluster. For troubleshooting, you can use NetApp CLI commands to establish an SSH connection with a file share endpoint. More information about troubleshooting commands is provided later in this guide.

  • A storage virtual machine (SVM) is an isolated virtual file server with its own administrative and data access endpoints. The integration between FSx for ONTAP and an Active Directory domain is managed at the SVM level. Therefore, if you get an error regarding Active Directory, the SVM is a good starting point for troubleshooting.

  • Volumes are virtual resources that you use to organize and group your data. These are logical containers, and data stored in them consumes physical capacity on your file system. Volumes are hosted on SVMs. You can configure each volume with different tiering policies. Tiering policies are powerful tools that help you manage performance and cost by defining whether data is stored in the performance-optimized SSD layer or in the cost-optimized capacity layer.

The following diagram shows the resource structure of an FSx for ONTAP file system. Amazon FSx fully manages all of these components.

Amazon FSx for NetApp ONTAP resources, including the file system, SVMs, and volumes within the SVMs.

You can join multiple volumes into a single logical namespace by using junction paths (NetApp documentation). To the client, a junction appears to be an ordinary directory. Junction paths provide the benefits of using multiple volumes (such as fine-grained control over snapshot and migration options) with the convenience of accessing data in multiple volumes through a single access point.

Windows HPC cluster on Amazon EC2

For the purposes of this guide, Amazon FSx acts as the storage layer for a critical, high-throughput Windows HPC cluster composed of Amazon Elastic Compute Cloud (Amazon EC2) instances. There are multiple approaches for setting up an HPC cluster on Amazon EC2. For an example approach, see Tutorial: Set up a Windows HPC cluster on Amazon EC2 in the Amazon EC2 documentation. The HPC cluster compute nodes, also known as worker nodes, interact with the Amazon FSx file system through SMB shares. You can create the SMB shares on the compute nodes automatically or manually.

AWS Secrets Manager

Enterprise architectures are usually deployed by using infrastructure as code (IaC) tools, such as HashiCorp Terraform. It is a security best practice not to include any sensitive information in IaC scripts. AWS Secrets Manager is commonly used to store sensitive information, such as passwords for Active Directory service accounts.
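The following Terraform configuration is an added example (not from this guide or from AWS) that ties together the Active Directory service-account delegation described above and the Secrets Manager practice in this section: it joins an FSx for ONTAP SVM to a self-managed domain while the service-account password is read from Secrets Manager at apply time instead of being written into the IaC source. The secret name, domain name, DNS addresses, OU and file system ID are assumed placeholder values.

```hcl
# Added example, not from the guide. All names and addresses are placeholders.

# Weak pattern to avoid: the AD service-account password sits in the IaC
# source, so it ends up in every clone of the repository.
#   variable "ad_password" { default = "password-committed-to-git" }

# Preferred pattern: the password exists only in Secrets Manager. The secret
# is created out of band (console or CLI), so its value never appears in code.
data "aws_secretsmanager_secret_version" "fsx_ad" {
  secret_id = "hpc/fsx/ad-service-account"   # assumed secret name
}

locals {
  # Assumed secret layout: {"username": "...", "password": "..."}
  fsx_ad = jsondecode(data.aws_secretsmanager_secret_version.fsx_ad.secret_string)
}

variable "fsx_file_system_id" {
  type        = string
  description = "Assumed: ID of an existing FSx for ONTAP file system"
}

resource "aws_fsx_ontap_storage_virtual_machine" "hpc" {
  file_system_id = var.fsx_file_system_id
  name           = "hpc-svm"

  active_directory_configuration {
    netbios_name = "HPCSVM"   # NetBIOS names are limited to 15 characters

    self_managed_active_directory_configuration {
      domain_name = "corp.example.com"            # assumed on-premises AD domain
      dns_ips     = ["10.0.0.10", "10.0.0.11"]    # assumed on-premises DNS servers,
                                                  # reachable over Direct Connect
      # Least privilege: join into a dedicated OU in which the service account
      # holds only the delegated permissions the guide links to, not Domain Admins.
      organizational_unit_distinguished_name = "OU=FSx,DC=corp,DC=example,DC=com"
      username = local.fsx_ad.username
      password = local.fsx_ad.password   # sensitive attribute; redacted in plan output
    }
  }
}
```

The password still lands in Terraform state, so the state backend must be encrypted and access to it restricted as tightly as access to the secret itself.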