Create a secure chatbot using Amazon Q with Amazon FSx for NetApp ONTAP

Build a Secure GenAI chatbot on your Enterprise data stored on Amazon FSx for NetApp ONTAP, while keeping Active Directory access permissions, using Amazon Q for Business and Amazon Kendra.

Published Sep 23, 2024
The ability to choose across an ever-evolving catalog of advanced artificial intelligence (AI) frameworks, models, and solutions is an indisputable benefit of the high-speed pace of AI innovation. For organizations looking to develop agile AI applications with minimal complexity, ready-to-use solutions that meet specific business and technical needs are increasingly within reach.
For AWS users, one of the most notable AI releases in 2024 is Amazon Q, a fully managed, highly advanced generative AI (GenAI) assistant.
This guide explores how to connect Amazon Q Business with your proprietary data hosted on Amazon FSx for NetApp ONTAP (FSx for ONTAP) for fully managed, context-aware GenAI chatbot creation.

What can you achieve with Amazon Q with FSx for ONTAP?

Here’s what you get with the FSx for ONTAP extended integration with AWS AI services, including Amazon Q.
With FSx for ONTAP, you can bring your data from both on-premises NetApp® ONTAP® systems and cloud sources to unlock its full potential (with AI and beyond).
FSx for ONTAP offers simple, secure, efficient, and continuous access to your hybrid data for your end-users and end-user applications. Among these applications, internal GenAI assistants stand out for their ability to boost team productivity by accelerating software development, analyzing data trends, and retrieving up-to-date business context.
The Amazon Q suite of advanced GenAI assistants is the simplest path to develop retrieval-augmented generation (RAG)-based GenAI assistants. These tools can be configured by non-AI experts in just minutes, and are securely accessed via URL in a customizable web interface.
By using your selected FSx for ONTAP data volumes, which can be secured with access control lists (ACLs), as the source for your preferred Amazon Q solution, you can quickly run a proof of concept and then deploy your context-aware GenAI assistant applications without any development, all while maintaining safety, efficiency, and scalability.

Overview of the tech stack

The no-code AI assistance experience we are building in this guide relies only on three AWS services, each offering unique capabilities:
  • FSx for ONTAP: A fully managed shared storage solution built on the popular NetApp ONTAP technology, which offers advanced data management capabilities on AWS. For your on-premises data hosted in ONTAP systems, you can easily use FSx for ONTAP to securely migrate that data to AWS using NetApp SnapMirror® or FlexCache® technologies.
  • Amazon Q Business: An assistant powered by GenAI meant to provide high quality performance for enterprise systems. As a specialized solution in the Amazon Q suite, Amazon Q Business allows you to create AI assistants as no-code solutions, connect them to your proprietary data from various sources, and access them via a managed but customizable web interface. Amazon Q Business empowers you to leverage your internal data for enhanced productivity via a seamless GenAI assistant experience.
  • Amazon Kendra: Kendra is a search service that provides specific answers to search questions based on your data through machine learning algorithms and natural language processing. Amazon Kendra can be used to enhance GenAI and semantic search applications by indexing and querying vast amounts of vectorized structured and unstructured data. In this solution design, Amazon Kendra acts as the middleman in connecting the GenAI experience offered by Amazon Q Business with your proprietary data.

Step-by-step guide to setting up a GenAI chatbot with Amazon Q and FSx for ONTAP

This guide showcases how to create an Amazon Q Business chatbot that can access internal data stored in FSx for ONTAP volumes via a Kendra source.
Here is an architecture diagram of the no-code GenAI experience offered by Amazon Q with FSx for ONTAP:
Architecture Diagram
This guide aims to showcase how simple it is to develop the solution via UI, but the same set-up can be replicated using the AWS APIs for each service.

Part 1: Create the FSx for ONTAP data storage

To set up your FSx for ONTAP data storage, you can follow the official AWS instructions to create and configure the file system to suit your storage needs. The only requirements are to make sure to:
  • Have a virtual private cloud (VPC) configured for your storage.
  • Apply read and mounting permissions to the storage volume.
After you’ve completed the creation steps, you can access the FSx for ONTAP file system (named kendrafsx in our demo) from the File systems tab of the Amazon FSx console.
Take note of the file system ID and storage virtual machine ID as they will be needed in the Kendra setup.
Since Amazon Kendra can support the ONTAP ACL for user authentication and file-/folder-level access control, we complete the setup of the FSx for ONTAP storage by joining the storage virtual machines (SVMs) to an Active Directory (AD) domain.
  1. On the Storage virtual machines tab of the FSx for ONTAP file system, click on the SVM of interest, named kendrasvm in our demo.
  2. Click on the Actions dropdown menu, select Join/Update Active Directory, and connect to your self-managed Microsoft AD. Take note of the user name, password, and DNS domain name for the Active Directory, as they will be needed in the Kendra setup.
  3. Lastly, make sure to add at least one ONTAP volume to the FSx for ONTAP storage. For this demo, we created a FlexVol volume named kendra with a size of 1 GiB and the NTFS security style. Here you can see the volumes mounted in the demo FSx for ONTAP system:
  4. The volume should contain some relevant documents for the chatbot to access. For this demo, we used some AWS official documentation on best practices, databases, and machine learning.

Setup Demo Lab using Terraform

You can use the following sample code to create the basic FSx and AD resources required for this demo:

Part 2: Connect and index FSx for ONTAP data with Amazon Kendra

The Amazon Kendra connector for FSx for ONTAP allows you to connect and index your FSx for ONTAP data sources with the fully managed Amazon Kendra intelligent search service.

Prerequisites

We do not provide detailed instructions for prerequisites here, but you can find more information in:
  • The FSx for ONTAP source is set up within your chosen VPC and with read and mounting permissions (see instructions in Part 1 above).
  • Set up an AWS Secrets Manager secret to store the FSx for ONTAP authentication credentials.
    Note that the credentials are expected in the format:

Step-by-step set-up

Now we can show how to connect and index FSx for ONTAP data with Amazon Kendra. You can find more details and instructions in the official AWS documentation.
  1. Create an Amazon Kendra index - In the Amazon Kendra console, click on the “Create index” button in the Indexes section. Then, follow the four UI steps in the widget using the default values, as shown below (Note that you don’t need to use tokens for access control since Active Directory is used at the source for identity and access management).
  2. Once you see the index status defined as ACTIVE, your index is ready to use, as shown here:
  3. Add the FSx for ONTAP data source to the Amazon Kendra index - From the Indexes page of the Amazon Kendra console, click on the “Add data source” button. Then, click on “Add connector” for the FSx for ONTAP connector to set up the connection to the FSx for ONTAP data source.
  4. Now proceed with entering the following details:
    1. Specify data source details for the FSx for ONTAP file system
      • Choose a meaningful name for your application, e.g. for the demo we use kendrafsxn2. You can also provide a description or tags following your organization’s styling conventions.
    2. Define access and security for the Kendra index
      • For access, you specify which FSx for ONTAP file system ID and SVM ID to use as the source, and you choose whether to use the SMB or NFS protocol.
      • For security, you select the secret with your FSx for ONTAP authentication credential, the VPC, and the IAM role we have set up as part of the prerequisites.
      • ACL is enabled by default, and we recommend keeping it enabled so that the same user permissions set on the file system are automatically replicated by Kendra. This means that each user of the chatbot will be provided with information from any data sources that user has access to.
    3. Configure sync settings for the FSx for ONTAP data source
      • Define the scope, mode, and schedule of your data source sync. For example, you could exclude .txt files from the scope, choose to sync only modified content, and sync the data every five minutes through a custom cron expression.
    4. (Optional) Set field mappings
      • Amazon Kendra automatically extracts default and custom fields from your data sources and maps them to index fields, e.g., the default creationTime field is mapped to _created_at and the custom lastAccessTime field is mapped to last_accessed_at. If preferred, you can customize the index field name mapping for any custom field to follow your own naming conventions.
    5. Review and create.
      • Once the creation process is complete, you can access and manage the data source from the Data sources tab of the Amazon Kendra index.
      • Below, you can see the sync history for the demo FSx for ONTAP data source in Amazon Kendra:
Amazon Kendra now indexes all your proprietary data (for this demo, that’s AWS documentation) in your FSx for ONTAP data source, including errors if using Active Directory.
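Because the ACL setting in step 4.2 is what keeps each chatbot user limited to the files they can open on the file system, it is worth checking after the first sync. The following is an added example, not code from the original guide: it queries the index as several identities through the Kendra Query API's UserContext parameter and reports any result under a path that identity should not see. The document URIs, users, groups, and the StubKendra class are constructed placeholders so the check runs offline; compare against the URI layout your own index returns.

```python
# Added example, not from the original guide: probe a Kendra index as several
# identities and flag any result an identity should not be able to retrieve.

def find_acl_leaks(kendra, index_id, probes):
    """Return (user_id, uri) pairs for results that fall under a denied prefix.

    kendra is a boto3 Kendra client, or any object with the same query() method.
    Only the first page (up to 50 results) of each query is inspected.
    """
    leaks = []
    for probe in probes:
        context = {"UserId": probe["user_id"]}
        if probe["groups"]:  # Groups must be non-empty when present, so omit it
            context["Groups"] = probe["groups"]
        resp = kendra.query(IndexId=index_id, QueryText=probe["query"],
                            UserContext=context, PageSize=50)
        for item in resp.get("ResultItems", []):
            uri = item.get("DocumentURI", "")
            if any(uri.startswith(p) for p in probe["denied_prefixes"]):
                leaks.append((probe["user_id"], uri))
    return leaks


class StubKendra:
    """Constructed stand-in for the real client so the check runs offline."""
    def __init__(self, docs, enforce_acl=True):
        self.docs, self.enforce_acl = docs, enforce_acl

    def query(self, IndexId, QueryText, UserContext, PageSize=10):
        who = {UserContext["UserId"], *UserContext.get("Groups", [])}
        hits = [d for d in self.docs if not self.enforce_acl or who & d["allow"]]
        return {"ResultItems": [{"DocumentURI": d["uri"]} for d in hits[:PageSize]]}


# Constructed sample data: URIs, users and groups are placeholders.
DOCS = [
    {"uri": "file://kendra/public/best-practices.pdf", "allow": {"CORP\\Domain Users"}},
    {"uri": "file://kendra/finance/forecast.pdf", "allow": {"CORP\\Finance"}},
]
PROBES = [
    {"user_id": "alice@corp.example.com", "groups": ["CORP\\Domain Users"],
     "query": "forecast", "denied_prefixes": ["file://kendra/finance/"]},
    {"user_id": "bob@corp.example.com", "groups": ["CORP\\Domain Users", "CORP\\Finance"],
     "query": "forecast", "denied_prefixes": []},
]

if __name__ == "__main__":
    print("ACL on: ", find_acl_leaks(StubKendra(DOCS, True), "demo-index", PROBES))
    print("ACL off:", find_acl_leaks(StubKendra(DOCS, False), "demo-index", PROBES))
```

Against a real index, pass `boto3.client("kendra")` and your index ID in place of the stub, with probes built from users whose AD permissions you know.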

Part 3: Build your RAG-based Enterprise chatbot with Amazon Q

Amazon Q is a fully managed GenAI experience where a retriever (Kendra) is used to extract relevant context from your data source (FSx for ONTAP), the Amazon Q assistant (Amazon Q Business) is used for response generation, and the Amazon Q web experience is used to access the chatbot.

Prerequisites

We do not provide detailed instructions for prerequisites here, but you can find more information in the links below:
While you can run these prerequisite actions from the Amazon Q Business console, we recommend setting IAM before the Amazon Q Business setup to ensure you’re defining access control at the source and to allow Amazon Q to automatically detect ACL. The benefits are ease of use, extended management capabilities, and ease of maintenance.

Step-by-step set-up

We will now show you how to build your RAG-based Enterprise chatbot with Amazon Q step by step. You can find more details and instructions in the official AWS documentation.
  1. Create the Amazon Q Business application environment
    • From the Applications tab of the Amazon Q Business console (shown below), click on the “Create Application” button to get started with creating your Amazon Q Business app.
  2. Next, proceed with the following:
    • Create application with automated detection of the IAM Identity Center instance.
      • Specify the application name, e.g. fsxnkendra for the demo, and specify the service access to use the automated AWS service role for Q Business.
      • Also, consider customizing the encryption settings to follow your organization’s requirements for production applications.
      • Note that the UI experience will differ slightly depending on the IAM Identity Center setup.
    • Select retriever with automated detection of the Amazon Kendra connector.
      • Choose “Use existing retriever” to use the Amazon Kendra connector we have previously set up.
    • Connect data sources to the Amazon Kendra retriever.
      • Select the active Amazon Kendra index and service role previously created, i.e. kendra-fsx and AmazonKendra-us-east-1-fsxkendra respectively if you have followed the demo naming selection.
    • Manage access for users and subscriptions to the Amazon Q Business application.
      • Note that at least one user/user group needs to exist for the Amazon Q Business web experience to be made available.
    • Once creation is completed, you can access and manage your Amazon Q Business application environment from the Application Details tab of the Amazon Q Business applications shown here:
  3. (Optional) Customize the web experience (after environment creation).
    • From the Application Details page of your Amazon Q Business application environment in the Amazon Q Business console, click on the Customize web experience button to get started with customizing the web interface.
    • Currently, you can define the title, subtitle, and welcome message for the web interface. Additionally, you can provide a list of sample prompts to be displayed on the user’s conversation start screen.
  4. (Optional) Enable advanced capabilities.
    • Amazon Q Business allows you to enhance your application environment with guardrails, Amazon Q Apps, plugins, document enrichment, and relevance tuning. Find out more about these advanced capabilities.
    • We recommend setting up guardrails for all your applications.
  5. Share access to the Amazon Q Business application via the endpoint URL.
    • Find the URL from the Web experience settings tab of the Application Details page of your Amazon Q Business application environment in the Amazon Q Business console, shown here:
  6. As an admin, your job is now completed. Any authenticated user can now access the Amazon Q Business web experience and start chatting with your available Amazon Q Business applications given the pre-defined user access. Here’s an example chat in the demo Amazon Q Business application web experience:
  7. Users can interact with the chatbot to ask any question based on their context, verify response sources via the citations, and perform enabled advanced actions (such as creating a Jira ticket via a Plugin action).