Simplifying File Storage with FSx for Windows File Server

Are you tired of the hassle of managing file storage for your Windows-based applications? Look no further than FSx for Windows File Server.

Published Apr 12, 2024
During my journey through the Skill Builder course to attain the File Storage Badge, I delved into the topic of FSx for Windows File Server. Today, I'm excited to share the insights I've gained from the course, along with some additional information. First of all a one-liner about what FSx for Windows File Server is:
FsX for Windows file server is Amazon's native fully managed Microsoft Windows file server service.
Managing file storage for Windows-based applications can be a headache for many companies. While on-premises network attached storage (NAS) might work well for smaller data volumes, it quickly becomes cumbersome as data grows. Let’s break down some of the main challenges:

Infrastructure Costs:

Maintaining on-premises infrastructure data centers can be prohibitively expensive and complex. The overhead costs associated with hardware procurement, maintenance, upgrades, and facility management contribute to significant financial and operational burdens for organizations.

Storage Capacity Limits:

Traditional on-premises storage solutions are constrained by immediate capacity limitations. As data volumes grow, organizations must continually expand their infrastructure to accommodate additional data storage needs. This scalability process often involves substantial investments in hardware upgrades and expansions, further increasing operational costs and complexity.

FSx for Windows File Server:

FSx for Windows File Server offers a compelling solution to address these challenges. As Amazon's native fully managed Microsoft Windows file server service, FSx provides a scalable, reliable, and cost-effective platform for Windows shared file storage needs. Organizations can leverage FSx to overcome the limitations of on-premises infrastructure, benefiting from the flexibility, scalability, and operational efficiencies of cloud-based file storage solutions. Whether for traditional file sharing, application data storage, or backup and recovery, FSx for Windows File Server is well-suited for a wide range of use cases requiring Windows-shared file storage.


File System:

In FSx for Windows File Server, the central resource is the file system, which facilitates storage and access to files and folders for users. Accessed via its DNS name, the file system serves as the foundation for data management within FSx. Users can store, retrieve, and manage files and directories within the file system.
Storage Volumes:
Storage volumes host the data within the file system, providing the underlying storage infrastructure. FSx offers a choice between HDD and SSD storage volumes, each suitable for different workloads. HDD storage is well-suited for general-purpose workloads like home directories and content management systems, while SSD storage excels in high-performance and latency-sensitive applications.
Throughput Capacity:
Each file system is associated with a provisioned throughput capacity, determining the baseline and burst network speeds at which data can be served from the file system. This capacity ensures consistent performance and responsiveness for accessing files and folders.

File Share:

A file share represents a specific folder and its subfolders within the file system. Accessible to compute instances via the SMB (Server Message Block) protocol, file shares enable users to collaborate and access shared data. FSx allows the creation of multiple file shares, with a default Windows file share named "share."

Elastic Network Interface (ENI):

An Elastic Network Interface is a resource that enables client compute instances to connect to the file system. The DNS name of the file system maps to the private IP address of the file system's ENI within the Virtual Private Cloud (VPC), facilitating secure and efficient data access within the network environment.

Network Connectivity

Accessing File System from Compute Instances in the Same VPC: Users can access the file system from compute instances residing within the same Virtual Private Cloud (VPC) as the file system. This direct connectivity simplifies data access and ensures efficient communication within the VPC environment.
Accessing File System from On-Premises: File systems hosted in FSx for Windows File Server can also be accessed from on-premises environments. This connectivity is facilitated through either a Direct Connect (DX) or Client VPN connection, providing secure and reliable access to file data stored in the cloud.
Accessing File System from Another VPC, Account, or Region: FSx for Windows File Server allows access to file systems from compute instances located in different VPCs, AWS accounts, and regions. This cross-environment connectivity can be established using VPC peering connections or Transit Gateway (TGW). These networking solutions enable seamless access to file data across diverse network boundaries, enhancing collaboration and data-sharing capabilities across distributed environments.

Deployment types

FSx for Windows File Server offers two deployment types: Single AZ and Multi-AZ, each with distinct levels of availability and durability.

Single AZ:

In Single AZ deployments, FSx automatically replicates data within the same Availability Zone (AZ) where the file system resides. This replication ensures data durability. Additionally, FSx takes highly durable daily backups of the file system, storing them in Amazon S3 for added protection against data loss.

Multi AZ:

Multi-AZ deployments encompass all the availability and durability features of Single AZ deployments. Additionally, they provide continuous availability even if an AZ becomes unavailable. In a Multi-AZ setup, FSx creates an active and standby file server in separate AZs. Changes written to the active file server are synchronously replicated across AZs. During planned maintenance or in the event of active server unavailability, FSx seamlessly fails over to the standby server to ensure uninterrupted access to data.
For optimal access within AWS, it's advisable to launch clients in the same AZ as the file system. This not only reduces costs but also minimizes latency, ensuring efficient data access and operations.

FSx Security Features

Data Encryption:

FSx for Windows File Server offers robust data security through automatic encryption at rest and in transit. For encryption at rest, FSx utilizes keys managed via Key Management Service (KMS), ensuring that our data remains protected even when stored. In transit, client access through SMB (Server Message Block) is encrypted by default, although this can be overridden to allow unencrypted connections. To enforce encryption consistently, it's essential to enforce encryption in transit.

Identity-Based Authentication:

FSx for Windows File Server supports identity-based authentication via integration with Microsoft Active Directory (AD). This authentication method verifies users based on their unique identity attributes such as username or email address. Leveraging Microsoft AD provides centralized security management, enabling precise control over user authentication.

File and Folder Level Access Control:

FSx for Windows File Server offers fine-grained access control at both the file and folder levels using Windows Access Control Lists (ACLs). This functionality, made possible by integration with AD, extends beyond authentication to authorization, allowing administrators to define and enforce access permissions based on user identities. With this capability, organizations can ensure that users only access the files and folders they are authorized to view or modify, enhancing data security and compliance.

Network traffic access control

By leveraging Security Groups (SG) within our Virtual Private Cloud (VPC), we can effectively manage access to our file systems. With SGs, we have granular control over which resources within our VPC are permitted access to our file systems.
When associating a security group with our file system, it's crucial to configure specific rules to allow clients and other file systems to establish connectivity and outbound access to Active Directories (ADs). These rules should be carefully crafted to ensure secure communication while facilitating necessary interactions between resources.
By implementing and fine-tuning SG rules, we can enforce robust access controls, safeguarding our file systems from unauthorized access and ensuring seamless connectivity for legitimate users and services within our VPC environment.


With FSx, backups are designed to be file-system consistent, highly durable, and incremental. In FSx for Windows File Server, achieving file system consistency is ensured through the utilization of the Volume Shadow Copy Service (VSS) in Microsoft Windows. To guarantee high durability, FSx stores backups in Amazon S3.
One notable feature of FSx backups is their incremental nature. Whether generated automatically daily or initiated by the user, these backups only capture changes made to the file system since the last backup. This approach minimizes the time required to create backups and reduces storage costs by avoiding the duplication of data.
By default, FSx performs daily backups of the file system within the designated daily backup window. This automated process ensures that data remains protected without requiring manual intervention, providing peace of mind for users and administrators alike.

Performance and Scale of FSx for Windows File Server

FSx for Windows File Server offers a range of file systems tailored to diverse performance requirements. Leveraging SSD storage, it delivers submillisecond latencies, while HDD storage ensures single-digit millisecond latencies for file operations.
Each file system is associated with specific storage and throughput capacities. The selected throughput capacity determines the baseline and burst network speeds at which the Windows file server hosting our file system can serve data. File systems accumulate credits when network bandwidth usage remains below baseline limits.

Scaling Storage and Throughput Capacity:

We have the flexibility to increase the storage capacity assigned to our file system as required. However, once assigned, storage capacity cannot be decreased. Similarly, we can adjust the throughput capacity, either increasing or decreasing it as needed. Modifying throughput capacity may result in a brief availability loss for single Availability Zone (AZ) configurations.

Monitoring and Adjustment:

FSx for Windows File Server seamlessly integrates with CloudWatch for ongoing monitoring of throughput and storage utilization. By analyzing these metrics, we can accurately gauge when our file system requires additional capacity or when adjustments are needed to optimize performance and cost efficiency. This proactive approach ensures that our file system operates smoothly and efficiently, meeting the evolving needs of our workload.

Grouping multiple file systems using DFS Namespaces

DFS (Distributed File System) empowers us to establish a DFS hierarchy, also known as a namespace, and seamlessly integrate FSx for Windows file server file systems into this structure. Through DFS, we can create a unified namespace that abstracts the underlying DNS names of individual file systems.
The essence of DFS lies in its ability to logically group diverse file systems under a central DFS namespace name. This functionality streamlines file access for users by providing a unified and consistent path to access files across various file systems. By utilizing DFS, organizations can enhance the manageability and accessibility of their file storage infrastructure, simplifying file management and improving user experience.


To implement this architecture in practice, we need to deploy namespace servers, typically Windows servers, within our infrastructure. For redundancy and high availability, it's common to deploy two namespace servers in many architectures. These servers host the DFS namespace, providing a unified path for accessing files.
Underneath the DFS namespace, we organize our file shares, with each file share mapping to the DNS name of an FSx File System. This setup allows for seamless integration of FSx file systems into the DFS architecture.
There are two primary use cases for utilizing DFS. Firstly, it enables us to scale out storage beyond what a single file system can support. Secondly, DFS Namespaces can be used to scale out performance by dividing file data into smaller datasets, or shards, and distributing them across multiple file systems. This approach helps optimize performance by distributing workload across different storage resources.

Data deduplication

One effective method to cut costs is by implementing data deduplication. Large datasets often contain redundant data, which in turn increases storage expenses. For instance, in user file shares, multiple users might store numerous copies or versions of the same file. To mitigate this, we can activate data deduplication.
Data deduplication works by identifying and eliminating redundant data, and storing duplicated portions of the dataset only once. This significantly reduces storage costs.
The process of data deduplication occurs in the background and operates on a schedule. It scans for duplicate data blocks across files. When identical data is identified, data deduplication stores only one copy of that data and links all relevant files to it. This results in substantial storage space savings.
Enabling data deduplication can be achieved using the Command-Line Interface (CLI) in PowerShell. By leveraging this feature, organizations can optimize storage usage and drive cost efficiencies effectively.

Shadow Copies

Imagine a scenario where a user accidentally deletes a crucial file stored on the server, or they make changes to a file but then decide they want to revert to a previous version. Typically, the user would need to contact the helpdesk to restore the file from backup. However, a more efficient solution is to empower users to restore files themselves through the user interface (UI).
To facilitate this capability, we can enable Shadow Copies for an FSx file system. This involves executing PowerShell commands from a client computer that has access to the file system. Shadow Copies essentially act as backups generated on a scheduled basis.
By enabling Shadow Copies and providing users with the ability to restore files through the UI, we not only streamline the restoration process but also empower users to manage their files effectively without relying on IT support for every issue.

Storage Quotas

In our file system configuration, we can establish thresholds for end users. Specifically, we can implement two types of thresholds for quota settings: warning thresholds and limit thresholds.
Warning Thresholds: These thresholds are designed to monitor the usage of end users or groups and provide a proactive alert when they are approaching their quota limit. This allows users to take preemptive action before reaching the limit.
Limit Thresholds: In addition to warning thresholds, we can set up limit thresholds to enforce strict limits on storage capacity. When a user exceeds their quota, these thresholds deny further storage space, ensuring adherence to allocated quotas and efficient resource management.