Amazon FSx for Windows File Server is an excellent example of quick and easy native AWS service integration with VMware Cloud on AWS. Hosting a Windows file share is a common setup in on-premises data centres; it might be on Windows Servers or on dedicated file-based storage presenting Server Message Block (SMB) / Common Internet File System (CIFS) shares over the network. When migrating Virtual Machines to VMware Cloud on AWS, an alternative solution may be needed if the data is large enough to impact capacity planning of VMware Cloud hosts, or if it already resides on a dedicated storage array.
AWS FSx
FSx is Amazon’s fully managed file storage offering and comes in two flavours: FSx for Windows File Server and FSx for Lustre (high-performance workloads). This post will focus on FSx for Windows File Server, which provides a managed file share capable of handling thousands of concurrent connections from Windows, Linux, and macOS clients that support the industry-standard SMB protocol.
FSx is built on Windows Server, with AWS managing all the underlying file system infrastructure, and can be consumed by users and compute services such as VMware Cloud on AWS VMs, Amazon WorkSpaces, or Elastic Compute Cloud (EC2). File-based backups are automated and use Simple Storage Service (S3) with configurable lifecycle policies for archiving data. FSx integrates with Microsoft Active Directory, enabling standardised user permissions and migration of existing Access Control Lists (ACLs) from on-premises using tools like Robocopy. As you would expect, file systems can be spun up and down on demand, with a consumption-based pricing model and different performance tiers of disk. You can read more about the FSx service and additional features such as user quotas and data deduplication in the AWS FSx FAQs.
Example Setup
In the example above, FSx is deployed to the same Availability Zones as VMware Cloud on AWS for continuous availability. Disk writes are synchronously replicated across Availability Zones to a standby file server. In the event of a service disruption, FSx automatically fails over to the standby server. Data is encrypted in transit and at rest, and traffic uses the 25 Gbps Elastic Network Interface (ENI) between VMware Cloud and the AWS backbone network. There are no data egress charges for using the ENI connection, but there may be cross-AZ charges from AWS in multi-AZ configurations. For more information on the connected VPC and services see AWS Native Services Integration With VMware Cloud on AWS.
A reference architecture for Integrating Amazon FSx for Windows Servers with VMware Cloud on AWS is available from VMware, along with a write-up by Adrian Roberts here. AWS FSx allows single-AZ or multi-AZ deployments, with single-AZ file systems supporting Microsoft Distributed File System Replication (DFSR) compatible with your own namespace servers, which is the model used in the VMware reference architecture. At the time of writing, custom DNS names are still roadmapped for multi-AZ. You can see the full table of feature support by deployment type in the Amazon FSx for Windows File Server User Guide.
FSx Setup
To provide user-based authentication, access control, and DNS resolution for FSx file shares, you can use your existing Active Directory domain or deploy AWS Managed Microsoft AD using AWS Directory Services. You will need your Active Directory details ready before starting the FSx deployment, along with the Virtual Private Cloud (VPC) and subnet information to use.
Log into the AWS console and locate FSx under Storage from the Services drop-down. In the FSx splash-screen click Create file system. On this occasion, we are creating a Windows file system.
Enter the file system details, starting with the file system name, deployment type, storage type, and capacity.
A throughput capacity value is recommended and can be customised based on the data requirements. Select the VPC, Security Group, and subnets to use. In this example, I have selected the subnets connected to VMware Cloud on AWS as defined in the ENI setup.
Enter the Active Directory details, including service accounts and DNS servers. If desired, you can make changes to the encryption keys, daily backup window, maintenance window, and add any required resource tags. Review the summary page and click Create file system.
The file system is created and will show a status of Available once complete.
If you’re not using the default Security Group with FSx, then the following ports will need to be defined in rules for inbound and outbound traffic: TCP/UDP 445 (SMB), TCP 135 (RPC endpoint mapper), TCP/UDP 1024-65535 (RPC ephemeral port range). There may be additional Active Directory ports required for the domain the file system is being joined to.
Further to the FSx Security Group, the ENI Security Group also needs the SMB and RPC port ranges added as inbound and outbound rules to allow communication between VMware Cloud on AWS and the FSx service in the connected VPC. In any case, when configuring Security Group or firewall rules, the source or destination should be limited to the clients accessing the file system or, if applicable, any other file servers participating in DFS Replication. AWS Security Groups are accessible in the console under VPC. You can either create a dedicated Security Group or modify an existing ruleset. The Security Group in use by the VMware Cloud ENI can be found under EC2 > ENI.
With the SMB ports open for the FSx and ENI Security Groups, remember that the traffic will also hit the VMware Cloud on AWS Compute Gateway. In the VMware Cloud Services Portal add the same rules to the Compute Gateway, and to the Distributed Firewall if you’re using micro-segmentation. The Compute Gateway Firewall is accessible from the Networking & Security tab of the SDDC.
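As an added example (not from the original post or from AWS), the following script audits a Security Group's rules against the SMB and RPC ports listed above and flags any rule whose source is wider than the client network, which is the least-privilege check the paragraph recommends. The rule dicts use the IpPermissions shape boto3's describe_security_groups() returns, but the data here is constructed and the script runs offline; the 10.10.0.0/16 client CIDR is an assumed placeholder for the VMware Cloud on AWS compute segment, and only IPv4 sources are checked.

```python
import ipaddress

# Ports from the post: SMB, RPC endpoint mapper, RPC ephemeral range
REQUIRED_PORTS = [("tcp", 445, 445), ("udp", 445, 445), ("tcp", 135, 135),
                  ("tcp", 1024, 65535), ("udp", 1024, 65535)]


def _covers(perm, proto, lo, hi):
    """True if one IpPermission entry allows the whole proto/lo-hi range."""
    if perm.get("IpProtocol") == "-1":  # an "all traffic" rule covers everything
        return True
    return (perm.get("IpProtocol") == proto
            and perm.get("FromPort", 0) <= lo and perm.get("ToPort", 0) >= hi)


def audit_rules(permissions, client_cidr):
    """Findings: required ranges nobody covers, plus any IPv4 source wider than
    the client CIDR (e.g. 0.0.0.0/0) on any rule in the group."""
    allowed = ipaddress.ip_network(client_cidr)
    findings = [f"missing {proto}/{lo}-{hi}" for proto, lo, hi in REQUIRED_PORTS
                if not any(_covers(p, proto, lo, hi) for p in permissions)]
    for p in permissions:
        for rng in p.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"])
            if not src.subnet_of(allowed):
                findings.append(f"over-broad source {src} on {p['IpProtocol']} "
                                f"{p.get('FromPort')}-{p.get('ToPort')}")
    return findings


def minimal_rules(client_cidr):
    """Least-privilege IpPermissions for REQUIRED_PORTS, scoped to client_cidr."""
    return [{"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
             "IpRanges": [{"CidrIp": client_cidr}]} for proto, lo, hi in REQUIRED_PORTS]


# Constructed sample group: UDP 445 is missing and TCP 135 is open to the world
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445, "IpRanges": [{"CidrIp": "10.10.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 135, "ToPort": 135, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535, "IpRanges": [{"CidrIp": "10.10.0.0/16"}]},
    {"IpProtocol": "udp", "FromPort": 1024, "ToPort": 65535, "IpRanges": [{"CidrIp": "10.10.0.0/16"}]},
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_PERMISSIONS, "10.10.0.0/16"):
        print(finding)
```

The same audit applies to the ENI Security Group and, conceptually, to the Compute Gateway rules, since all three must allow the same ranges from the same client networks.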
Virtual Machines in VMware Cloud on AWS will now be able to access the FSx file shares across the ENI using the DNS name for the share or UNC path.
The FSx service in the AWS console provides some options for managing file systems. Storage capacity, throughput, and IOPS can be viewed quickly and added to a CloudWatch dashboard. CloudWatch Logs can also be ingested by vRealize Log Insight Cloud from the VMware Cloud Services Portal.