AWS Storage Blog

Accessing SMB file shares remotely with Amazon FSx for Windows File Server

With remote work becoming the norm, customers often need a central repository for files that can be accessed from anywhere to enable collaboration and provide highly durable storage. For ease of use and increased productivity, customers are looking for shared file access that can be mounted as a network drive using built-in Windows, macOS, Linux, and iOS tools. They also want a repository that is searchable and follows a standard file system architecture. Common use cases include home directories, user and departmental shares, and even media workloads where high throughput and low latency are a requirement.

Amazon FSx for Windows File Server (Amazon FSx) is a fully managed, highly available, and scalable file storage solution built on Windows Server that uses the Server Message Block (SMB) protocol. It allows for Microsoft Active Directory integration, data deduplication, and fully managed backups, among other critical enterprise features.

In this blog, I walk through creating a highly available, fully managed file share accessible from personal devices using a virtual private network (VPN).

Overview of solution

For the solution in this blog post, I create an AWS Managed Microsoft AD using AWS Directory Service to allow for authentication and authorization to access my file shares, an Amazon FSx file system to host the file shares, and an AWS Client VPN endpoint and gateway to enable remote access. To ensure high availability, each component is spread over two AWS Availability Zones. Amazon FSx also supports creating file systems linked to an existing, on-premises Active Directory directly without the need to migrate identities over to an AWS Managed Microsoft AD.

The preceding architecture diagram depicts the solution outlined in this tutorial, with each service involved spread across two Availability Zones to ensure a highly available file share that can be accessed at any time.

Tutorial

In this blog, I do the following:

  • Configure an Amazon Virtual Private Cloud (Amazon VPC) – this provides an isolated network for your Amazon FSx deployment.
  • Create an AWS Managed Microsoft AD using AWS Directory Service. An Active Directory is required for Amazon FSx to allow access to the file share, and is used to connect to the VPN.
  • Create an Amazon FSx for Windows File Server file system – this creates the file system that acts as a central repository.
  • Create an AWS Client VPN endpoint – this enables VPN access to the Amazon VPC.
  • Connect to the VPN from a personal device (macOS, Microsoft Windows, or iOS).
  • Mount a file share (macOS, Microsoft Windows, or iOS).

Prerequisites

For this tutorial, you should have the following prerequisites:

Configure Amazon VPC for AWS Managed Microsoft AD and Amazon FSx

First, I create a new Amazon VPC for my Amazon FSx deployment.

Create a new Amazon VPC

  1. Log in to the Amazon VPC console.
  2. Select Your VPCs in the sidebar, then Create VPC.
  3. Name your Amazon VPC and enter an IPv4 CIDR block of 10.0.0.0/16. Then choose Create.

Add subnets

To create a solution across multiple Availability Zones, and to logically separate each aspect of my architecture, I create six subnets – two for AWS Managed Microsoft AD, two for Amazon FSx for Windows File Server, and two for Client VPN endpoints.

  1. Select Subnets in the sidebar, then Create Subnet.
  2. As shown in the following screenshot, for Name tag, enter Microsoft AD 1. Select the Amazon VPC you just created, and select an Availability Zone. Set a CIDR block of 10.0.1.0/24.
  3. As shown in the following screenshot, repeat the preceding step, with subnets named Microsoft AD 2, FSx 1, FSx 2, VPN 1, and VPN 2, using different CIDR blocks for each. Microsoft AD 2, VPN 2, and FSx 2 should be in a different Availability Zone than Microsoft AD 1, VPN 1, and FSx 1. In my case, Microsoft AD 1, VPN 1, and FSx 1 are in us-west-2a, while Microsoft AD 2, VPN 2, and FSx 2 are in us-west-2b.

6 created subnets

Create AWS Managed Microsoft AD

In this step, I create a new AWS Managed Microsoft AD. To use a self-managed Active Directory, you can follow the instructions here.

Create new directory

  1. Log in to the Directory Service console.
  2. Select Set up directory. Select a directory type of Microsoft AD, then Next.
  3. As shown in the following screenshot, choose your Active Directory Edition. For this tutorial, I use the Standard Edition. Next, define a Directory DNS name (for example, example.com). If you’d like, add a Directory NetBIOS name. Next, add an Admin password, and make a note of it.
  4. Under VPC, select your new Amazon VPC, and under Subnets, choose the subnets you created for the AWS Managed Microsoft AD.
  5. Click Next, review your directory, then click Create directory. This can take 20–45 minutes. In the directory details, note the DNS addresses and save them for later.

Create Client VPN endpoint

To access the file share, you must set up a VPN connection. This consists of three parts: creating a server certificate, creating a Client VPN endpoint, and creating a DHCP option set.

Create the server certificate

  1. Follow the instructions here to create a server certificate using the OpenVPN easy-rsa tool.
  2. Once you have created the certificate, navigate to the AWS Certificate Manager (ACM) console.
  3. If this is your first time using ACM, click Get started underneath Provision Certificate, then Import a certificate. If you have used ACM before, you should have the option to import a certificate on the dashboard.
  4. First, import the server certificate. Open the ca.crt, server.crt, and server.key that you made with easy-rsa in a text editor. Copy and paste the contents of server.crt into the certificate body field, the contents of server.key into the certificate private key field, and the contents of ca.crt into the certificate chain field. Click Next.
  5. Optionally, add tags. Click Review and import, then Import.

Create Client VPN endpoint

  1. Navigate back to the Amazon VPC console. In the sidebar, select Client VPN Endpoints. Choose Create Client VPN Endpoint and give the endpoint a name of VPN Endpoint. Afterward, enter a CIDR range of 10.254.0.0/16.
  2. Under Server certificate ARN, select the server certificate that was imported.
  3. For authentication options, select Use user-based authentication, then Active Directory authentication. Choose the Active Directory made in the last section.
  4. Select if you want to log connection details. Check Enable DNS Servers and enter the DNS addresses from the AWS Managed Microsoft AD. Enable split-tunnel, choose the Amazon VPC, and select the VPN security group. Click Create Client VPN Endpoint.
  5. Select the endpoint, then choose Download Client Configuration.

Attach Client VPN endpoint to Amazon VPC Subnets

  1. Select Subnets in the sidebar. Find and note the subnet IDs for VPN 1 and VPN 2.
  2. Go back to Client VPN Endpoints, select the endpoint that was just created, and open the Associations tab. Click Create. Select the subnets that Amazon FSx was deployed to, and the subnet ID for VPN 1.
  3. Repeat the association process with the subnet ID for VPN 2.
  4. To allow ingress from the VPN connections, go to Authorizations, select Allow Ingress and enter the Amazon VPC CIDR as the destination network. Click Add authorization rule.
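The endpoint, association and ingress-rule steps above, as an added example using the AWS CLI (this is not code from the original post). The script layout, its main function and the cidrs_overlap helper are mine; the certificate ARN, directory ID, VPC, security group and VPN subnet IDs and the two directory DNS addresses are placeholders passed as arguments, and the CIDR blocks are the ones used in this post.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: AWS CLI equivalent of the "Create Client VPN
# endpoint" and "Attach Client VPN endpoint" steps. Usage (all eight values are placeholders
# for IDs from your own account):
#   ./vpn-endpoint.sh <cert_arn> <directory_id> <vpc_id> <sg_id> <vpn1_subnet> <vpn2_subnet> <dns1> <dns2>
set -eu
: "${AWS:=aws}"              # CLI command; overridable (e.g. AWS="echo aws" for a dry run)
VPC_CIDR="10.0.0.0/16"       # VPC CIDR used in the post
CLIENT_CIDR="10.254.0.0/16"  # client CIDR used in the post; must not overlap VPC_CIDR

ip2int() { local IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }

# Exit status 0 when two CIDR blocks share addresses (Client VPN rejects an overlapping client CIDR).
cidrs_overlap() {
  local a=${1%/*} ap=${1#*/} b=${2%/*} bp=${2#*/}
  local p=$(( ap < bp ? ap : bp ))                     # compare at the shorter prefix
  local mask=$(( p == 0 ? 0 : (4294967295 << (32 - p)) & 4294967295 ))
  [ $(( $(ip2int "$a") & mask )) -eq $(( $(ip2int "$b") & mask )) ]
}

# Args: cert_arn directory_id vpc_id sg_id dns1 dns2. Prints the new endpoint ID.
create_vpn_endpoint() {
  $AWS ec2 create-client-vpn-endpoint \
    --client-cidr-block "$CLIENT_CIDR" --server-certificate-arn "$1" \
    --authentication-options "Type=directory-service-authentication,ActiveDirectory={DirectoryId=$2}" \
    --connection-log-options Enabled=false \
    --dns-servers "$5" "$6" --split-tunnel \
    --vpc-id "$3" --security-group-ids "$4" \
    --query ClientVpnEndpointId --output text
}

main() {
  if cidrs_overlap "$CLIENT_CIDR" "$VPC_CIDR"; then
    echo "client CIDR $CLIENT_CIDR overlaps VPC CIDR $VPC_CIDR" >&2; return 1
  fi
  local ep; ep=$(create_vpn_endpoint "$1" "$2" "$3" "$4" "$7" "$8")
  for subnet in "$5" "$6"; do                          # one association per Availability Zone
    $AWS ec2 associate-client-vpn-target-network --client-vpn-endpoint-id "$ep" --subnet-id "$subnet"
  done
  # As in the post, every directory user may reach the whole VPC CIDR. Replacing
  # --authorize-all-groups with --access-group-id <AD group SID> limits access to one AD group.
  $AWS ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id "$ep" \
    --target-network-cidr "$VPC_CIDR" --authorize-all-groups
  $AWS ec2 export-client-vpn-client-configuration --client-vpn-endpoint-id "$ep" \
    --output text > client.ovpn                        # the "Download Client Configuration" step
}

if [ "$#" -eq 8 ]; then main "$@"; fi
```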

Create DHCP options set

The steps in this section enable devices not tied to an Active Directory to connect to the Amazon FSx file system using its DNS name. If the devices connecting already use Active Directory for DNS resolution, you can skip this step.

  1. Click on DHCP options sets in the sidebar. Click create, then name the options set Active Directory DHCP. For domain name, enter your Active Directory domain, and add the DNS addresses from the AWS Managed Microsoft AD.
  2. Click Create.
  3. Navigate to the Amazon VPC details, and click Actions, then Edit DHCP options set.
  4. Select Active Directory DHCP, and click Save.

Creating Amazon FSx for Windows File Server file share

In this section, we create the Amazon FSx for Windows File Server file system and file share that will host our files inside the Amazon VPC.

  1. Navigate to the Amazon FSx console.
  2. Select Create File System, and select Amazon FSx for Windows File Server.
  3. Name your file system, choose your storage type, and your storage capacity. Leave the throughput capacity at the recommended setting.
  4. Choose the Amazon VPC that was created in the “Configure an Amazon VPC” section, and leave the security group as default.
  5. Choose FSx 1 as the preferred subnet, and FSx 2 as the standby subnet.
  6. Choose the AWS Managed Microsoft AD created in the “Create AWS Managed Microsoft AD” section. Click Next and review your settings, then select Create file system.
  7. Once the file system is finished creating, access the details and note the DNS name.

Mounting Amazon FSx file share

In this section, I cover connecting your device to your VPC via your AWS Client VPN endpoint, then I go through mounting your Amazon FSx file share. AWS Client VPN supports any OpenVPN-supported VPN client, but I use the AWS client.

Connecting to AWS Client VPN

To access the Amazon FSx share, we need to connect our device to our Amazon VPC through the AWS Client VPN endpoint.

macOS/Microsoft Windows

  1. Download and install the AWS Client VPN for your operating system.
  2. Once installed, create a profile by clicking on File, then Manage Profiles, then Add Profile.
  3. Choose a display name, and select the VPN configuration file downloaded from the AWS VPN console. Click Add Profile.
  4. Click Connect. When prompted for a user name and password, enter admin and the password that was entered when creating the Active Directory.

iOS

  1. Download the OpenVPN Connect application from the App Store.
  2. Before transferring the configuration file to an iOS device, you must edit it. Open the configuration file in a text editor, and find the line that includes remote <Endpoint URL>. Before the URL, add *. so that the line reads remote *.<Endpoint URL>.
  3. Save the configuration file, and transfer it to your iOS device using either iTunes sync or saving the file to a cloud storage service and importing it via the share menu. Note: You may need to find OpenVPN in the More menu.
  4. Enter your user name, and click Add. When prompted by iOS, allow OpenVPN to add VPN configurations.
  5. In the Profiles menu, select the OpenVPN profile that was imported. Enter your user name and password, and click OK to connect.

Mounting Amazon FSx file share

The following steps show you how to mount your Amazon FSx file share on macOS, Microsoft Windows, and iOS.

macOS

  1. Open a new Finder window. In the status bar, click on Go, then Connect to server.
  2. In the connection window, enter <Amazon FSx DNS URL>/share. When prompted, enter your administrator credentials.

Microsoft Windows

  1. In a new File Explorer window, click on Network, then Map Network Drive.
  2. Select a drive letter, and enter \\<Amazon FSx DNS URL>\share as the folder.
  3. Check Connect using different credentials, then click Finish.
  4. When prompted, enter your administrator credentials as admin@<Active Directory domain>.

iOS

  1. Open the Files app, and tap on the three dots in the top-right corner.
  2. When prompted, tap Connect to Server.
  3. Enter smb://<Amazon FSx DNS URL>/share, then tap Connect. When prompted, enter your administrator credentials.

Cleaning up

To avoid incurring future charges, delete all resources created:

Amazon FSx File System

From the Amazon FSx console, select the file system that was created in the “Creating Amazon FSx for Windows File Server file share” section. Click on the Actions menu, then Delete file system. Choose not to create a final backup, and type the file system ID to confirm deletion. Finally, click Delete file system again to confirm.

AWS Managed Microsoft AD

From the Directory Service console, select the radio button next to the directory that was created in the “Create AWS Managed Microsoft AD” section. Under Actions, click Delete directory. Type in the name of the directory (e.g. corp.fsxvpc.com), then click Delete.

Amazon VPC

From the Amazon VPC console, select the VPC created in the “Configure Amazon VPC for AWS Managed Microsoft AD and Amazon FSx” section. Click Actions, Delete VPC, then Delete VPC again. This removes all subnets, gateways, endpoints, network interfaces, security groups, and route tables created inside this Amazon VPC.

Conclusion

In this blog, I outlined the process involved in creating a highly available file share accessible from personal devices using AWS Client VPN and Amazon FSx for Windows File Server. By completing this walkthrough, you created a file share accessible from home, the office, or on the go. This enables a central repository with flexible bandwidth and capacity for everything from documents to high-resolution video files. From here, you can add users and groups to your Active Directory, migrate files to your new share using AWS DataSync, or create additional VPN endpoints in different Regions for lower latency via VPC Peering.

Thanks for reading this blog post on creating a remotely accessible file share using Amazon FSx for Windows File Server. If you have any comments or questions, please don’t hesitate to leave them in the comments section.

Nick Gatti

Nick is an Associate Solutions Architect on the Demand Generation team at AWS. He is passionate about cloud technology and the ways that it can solve problems around the world. In his free time, he can be found at a record store, concert, or the climbing gym.