AWS FSx for Windows

AWS FSx for Windows File Server

  • Amazon FSx for Windows File Server provides fully managed, highly reliable, and scalable file storage that is accessible over the industry-standard Server Message Block (SMB) protocol.
  • FSx for Windows is built on Windows Server, delivering a wide range of administrative features such as user quotas, end-user file restore, File Server Resource Manager (FSRM), ACLs, and Microsoft Active Directory (AD) integration.
  • FSx for Windows provides high levels of throughput and IOPS and consistent sub-millisecond latencies.
  • FSx for Windows supports up to 12 GBps throughput capacity and up to 400,000 IOPS.
  • FSx for Windows offers single-AZ and multi-AZ deployment options, fully managed backups, and encryption of data at rest and in transit.
  • FSx for Windows File Server backups are file-system-consistent, highly durable, and incremental.
  • Amazon FSx is accessible from Windows, Linux, and macOS compute instances and devices.
  • Amazon FSx provides concurrent access to the file system to thousands of compute instances and devices.
  • Amazon FSx can connect the file system to EC2, VMware Cloud on AWS, Amazon WorkSpaces, Amazon AppStream 2.0, and Amazon ECS instances.
  • Integrated with CloudWatch to monitor storage capacity and file system activity.
  • Integrated with CloudTrail to monitor all Amazon FSx API calls.
  • Amazon FSx was designed for use cases that require Windows shared file storage, such as CRM, ERP, custom or .NET applications, home directories, data analytics, media and entertainment workflows, web serving and content management, software build environments, and Microsoft SQL Server.
  • An FSx file system is accessible from the on-premises environment using an AWS Direct Connect or AWS VPN connection.
  • FSx is accessible from multiple VPCs, AWS accounts, and AWS Regions using VPC Peering connections or AWS Transit Gateway.
  • FSx provides consistent sub-millisecond latencies with SSD storage and single-digit millisecond latencies with HDD storage.
  • FSx supports Microsoft’s Distributed File System (DFS) to organize shares into a single folder structure up to hundreds of PB in size.
  • FSx supports DNS aliases to access file systems using custom DNS names (up to 50 aliases per file system), enabling seamless migration from on-premises file servers.
  • FSx supports two network type options: IPv4-only and dual-stack (for both IPv4 and IPv6), allowing access from IPv6 clients without complex address translation.

FSx for Windows Performance

  • FSx for Windows supports up to 12 GBps of throughput capacity per file system.
  • Maximum IOPS levels up to 400,000 for file systems with 12 GBps throughput capacity.
  • SSD IOPS can be provisioned independently of storage capacity, up to 400,000 IOPS.
  • Throughput capacity and storage capacity can be increased or decreased independently at any time.
  • Storage type can be updated from HDD to SSD without creating a new file system.
  • Each file system can be provisioned up to 64 TB in size.
  • Data deduplication helps reduce storage consumption by identifying and removing duplicate data.

FSx for Windows Security

  • FSx works with Microsoft Active Directory (AD) to integrate with existing Windows environments, which can either be an AWS Managed Microsoft AD or self-managed Microsoft AD.
  • FSx integrates with AWS Secrets Manager for enhanced management of Active Directory credentials for domain join operations.
  • FSx provides standard Windows permissions (full support for Windows access control lists, ACLs) for files and folders.
  • FSx for Windows File Server supports encryption at rest for the file system and backups using KMS managed keys.
  • FSx encrypts data-in-transit using SMB Kerberos session keys when accessing the file system from clients that support SMB 3.0.
  • FSx supports file-level or folder-level restores to previous versions by supporting Windows shadow copies, which are point-in-time snapshots of the file system.
  • Windows shadow copies let end users undo file changes and compare file versions by restoring files to previous versions, while backups cover backup retention and compliance needs.
  • FSx complies with ISO, PCI-DSS, and SOC certifications, and is HIPAA eligible.
  • FSx supports AWS PrivateLink interface VPC endpoints (including dual-stack endpoints) to access the FSx API from within a VPC without sending traffic over the internet.

FSx for Windows File Access Auditing

  • FSx supports file access auditing to log end-user accesses on files, folders, and file shares.
  • File access auditing helps meet security and compliance requirements by tracking who accessed, modified, or changed permissions on files.
  • Audit event logs can be sent to Amazon CloudWatch Logs or streamed to Amazon Kinesis Data Firehose.
  • Supports configuring audit levels independently for file/folder accesses and file share accesses.
  • Audit log levels include: SUCCESS_ONLY, FAILURE_ONLY, SUCCESS_AND_FAILURE, and DISABLED.
  • File access auditing is supported on file systems with a throughput capacity of 32 MBps or greater.
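
An added example (not part of the original notes) that checks the audit settings listed above against a file system inventory. The field names follow the response shape of boto3's `describe_file_systems`; the file system IDs, account ID, and ARNs are constructed sample data, and `make_fs`, `audit_findings`, and `report` are hypothetical helper names.

```python
# Added example: audit-posture check over constructed describe-file-systems output.
MIN_AUDIT_MBPS = 32  # from the notes: auditing needs >= 32 MBps throughput capacity
LEVEL_KEYS = ("FileAccessAuditLogLevel", "FileShareAccessAuditLogLevel")
GAPS = {  # what each level short of SUCCESS_AND_FAILURE leaves unrecorded
    "DISABLED": "no events recorded",
    "SUCCESS_ONLY": "denied attempts are not recorded",
    "FAILURE_ONLY": "successful reads, writes and ACL changes are not recorded",
}

def make_fs(fsid, mbps, access=None, share=None, dest=""):
    """Build one constructed file-system record (sample data, not real output)."""
    win = {"ThroughputCapacity": mbps}
    if access:
        win["AuditLogConfiguration"] = {LEVEL_KEYS[0]: access, LEVEL_KEYS[1]: share,
                                        "AuditLogDestination": dest}
    return {"FileSystemId": fsid, "WindowsConfiguration": win}

SAMPLE = [
    make_fs("fs-0example0000000a", 64, "SUCCESS_AND_FAILURE", "SUCCESS_AND_FAILURE",
            "arn:aws:logs:us-east-1:111122223333:log-group:/aws/fsx/windows"),
    make_fs("fs-0example0000000b", 32, "FAILURE_ONLY", "DISABLED",
            "arn:aws:firehose:us-east-1:111122223333:deliverystream/aws-fsx-audit"),
    make_fs("fs-0example0000000c", 16),  # no audit configuration at all
]

def audit_findings(fs):
    """Return a list of audit-coverage gaps for one file-system record."""
    win = fs.get("WindowsConfiguration", {})
    cfg = win.get("AuditLogConfiguration") or {}
    findings = []
    if win.get("ThroughputCapacity", 0) < MIN_AUDIT_MBPS:
        findings.append("throughput capacity below 32 MBps: auditing not supported")
    levels = [cfg.get(k, "DISABLED") for k in LEVEL_KEYS]
    for key, level in zip(LEVEL_KEYS, levels):
        if level in GAPS:
            findings.append(f"{key}={level}: {GAPS[level]}")
    if any(level != "DISABLED" for level in levels):
        # The ARN service segment tells CloudWatch Logs and Firehose apart.
        parts = cfg.get("AuditLogDestination", "").split(":")
        service = parts[2] if len(parts) > 2 else ""
        if service not in ("logs", "firehose"):
            findings.append("destination is not a CloudWatch Logs or Firehose ARN")
    return findings

def report(file_systems):
    """Map each FileSystemId to its list of findings (empty list means complete)."""
    return {fs["FileSystemId"]: audit_findings(fs) for fs in file_systems}

if __name__ == "__main__":
    for fsid, items in report(SAMPLE).items():
        print(fsid, "OK" if not items else items)
```

Against a live account, the same functions can be fed the `FileSystems` list returned by the FSx API instead of `SAMPLE`.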

FSx for Windows File Server Resource Manager (FSRM)

  • Amazon FSx supports File Server Resource Manager (FSRM), a Windows Server feature that provides capabilities to manage, govern, and monitor file data.
  • FSRM enables:
    • File Classification – Automatically classify and identify sensitive data (e.g., PII).
    • File Screening – Block unauthorized file types from being saved to business folders.
    • Folder-level Quotas – Set storage limits to prevent users from consuming excessive storage.
    • Storage Reports – Generate detailed reports about storage usage patterns.
    • Retention Policies – Create data retention and lifecycle policies.
  • FSRM events can be published to Amazon CloudWatch Logs or Amazon Kinesis Data Firehose for monitoring and automation.
  • FSRM events can trigger AWS Lambda functions to take reactive actions based on file events.
  • FSRM is supported on file systems with SSD storage and a throughput capacity of 128 MB/s or greater.

FSx for Windows Availability and Durability

  • FSx for Windows automatically replicates the data within an Availability Zone (AZ) to protect it from component failure.
  • FSx continuously monitors for hardware failures and automatically replaces infrastructure components in the event of a failure.
  • FSx supports Multi-AZ deployment, which:
    • automatically provisions and maintains a standby file server in a different Availability Zone.
    • any changes written to disk in the file system are synchronously replicated across AZs to standby.
    • helps enhance availability during planned system maintenance.
    • helps protect the data against instance failure and AZ disruption.
    • In the event of planned file system maintenance or unplanned service disruption, FSx automatically fails over to the secondary file server, allowing data accessibility without manual intervention.
  • Multi-AZ file systems automatically fail over from the preferred file server to the standby file server if:
    • An Availability Zone outage occurs.
    • Preferred file server becomes unavailable.
    • Preferred file server undergoes planned maintenance.
  • FSx supports automatic daily backups of the file systems, which incrementally store only the changes after the most recent backup.
  • FSx stores backups in S3.
  • FSx supports copying backups cross-region (to another AWS Region) and in-region for disaster recovery and compliance.
  • FSx is integrated with AWS Backup for centralized backup management, cross-account backup, and cross-region backup copy.

FSx for Windows and FSx File Gateway

  • Note: Amazon FSx File Gateway is no longer available to new customers as of October 28, 2024. Existing customers can continue using the service.
  • FSx File Gateway previously provided low-latency, on-premises access to fully managed file shares in the cloud by caching frequently accessed data locally.
  • For on-premises access, AWS now recommends accessing FSx for Windows File Server directly using AWS Direct Connect or AWS VPN connections.

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated.
  • Open to further feedback, discussion and correction.
  1. A data processing facility wants to move a group of Microsoft Windows servers to the AWS Cloud. These servers require access to a shared file system that can integrate with the facility’s existing Active Directory (AD) infrastructure for file and folder permissions. The solution needs to provide seamless support for shared files with AWS and on-premises servers and allow the environment to be highly available. The chosen solution should provide added security by supporting encryption at rest and in transit. The solution should also be cost-effective to implement and manage. Which storage solution would meet these requirements?
    1. An AWS Storage Gateway file gateway joined to the existing AD domain
    2. An Amazon FSx for Windows File Server file system joined to the existing AD domain
    3. An Amazon Elastic File System (Amazon EFS) file system joined to an AWS managed AD domain
    4. An Amazon S3 bucket mounted on Amazon EC2 instances in multiple Availability Zones running Windows Server and joined to an AWS managed AD domain.
  2. A company needs to audit file access patterns on its Amazon FSx for Windows File Server file system to meet compliance requirements. The security team needs to track who accessed, modified, or changed permissions on files and folders. Which feature should the solutions architect configure?
    1. Enable CloudTrail logging for FSx API calls
    2. Enable file access auditing with audit logs sent to CloudWatch Logs
    3. Configure Windows Event Viewer on the file server
    4. Enable VPC Flow Logs on the FSx file system’s network interfaces
  3. A solutions architect needs to manage storage costs for Amazon FSx for Windows File Server. The organization requires the ability to classify sensitive data, block unauthorized file types, set storage limits per department folder, and generate storage usage reports. Which feature should the architect use?
    1. Configure data deduplication on the file system
    2. Use Amazon Macie to classify data on FSx
    3. Enable File Server Resource Manager (FSRM) on the file system
    4. Use AWS Config rules to monitor storage usage
  4. A company is deploying Amazon FSx for Windows File Server and requires the file system to be accessible from both IPv4 and IPv6 clients within their VPC and on-premises network. Which configuration should the solutions architect choose?
    1. Create a file system with IPv4-only network type and use a NAT64 gateway
    2. Create a file system with dual-stack network type
    3. Create two file systems, one for IPv4 and one for IPv6 clients
    4. Deploy an Application Load Balancer with dualstack in front of the file system
  5. A company is migrating from on-premises Windows file servers to Amazon FSx for Windows File Server. They want to ensure end users can continue accessing file shares using the same DNS names without any client-side configuration changes. Which approach should the solutions architect recommend?
    1. Update the on-premises DNS to point to the FSx file system’s default DNS name
    2. Associate DNS aliases with the FSx file system matching the existing on-premises file server DNS names
    3. Create a Route 53 private hosted zone with CNAME records
    4. Configure AWS Global Accelerator with the FSx file system as an endpoint
