FSx Windows File System Multi-AZ Configuration

Overview

This check verifies that Amazon FSx for Windows File Server file systems are configured with Multi-AZ deployment. Multi-AZ deployments replicate your data across two Availability Zones, providing automatic failover if one zone becomes unavailable.

Risk

Single-AZ file systems create a single point of failure. If an Availability Zone experiences an outage, server failure, or planned maintenance, your file share becomes unavailable. This can cause extended downtime and may require restoring from backups, increasing recovery time and potentially losing recent data.

With Multi-AZ, your file system automatically fails over to a standby server in another zone, minimizing downtime and maintaining data consistency.

Remediation Steps

Prerequisites

  • AWS account with permissions to create and manage FSx file systems
  • An existing VPC with subnets in at least two Availability Zones
  • An AWS Managed Microsoft Active Directory (or self-managed AD accessible from your VPC)

Important: You cannot convert an existing Single-AZ file system to Multi-AZ. You must create a new Multi-AZ file system and migrate your data.

AWS Console Method

  1. Open the Amazon FSx console in us-east-1
  2. Click Create file system
  3. Select Amazon FSx for Windows File Server and click Next
  4. Under Deployment type, select Multi-AZ
  5. Configure storage:
    • Choose your storage capacity (minimum 32 GiB for SSD)
    • Select your throughput capacity
  6. Under Network & security:
    • Select your VPC
    • Choose a Preferred subnet in one Availability Zone
    • Choose a Standby subnet in a different Availability Zone
    • Attach appropriate security groups
  7. Under Windows authentication, select your Active Directory
  8. Click Next, review your settings, and click Create file system

After creating the new file system:

  1. Migrate data from your old Single-AZ file system to the new Multi-AZ file system
  2. Update your applications to use the new file system DNS name
  3. Delete the old Single-AZ file system once migration is complete

AWS CLI (optional)

List existing FSx Windows file systems

aws fsx describe-file-systems \
  --region us-east-1 \
  --query "FileSystems[?FileSystemType=='WINDOWS'].{Id:FileSystemId,DeploymentType:WindowsConfiguration.DeploymentType,SubnetIds:SubnetIds}" \
  --output table

Create a new Multi-AZ file system

aws fsx create-file-system \
  --region us-east-1 \
  --file-system-type WINDOWS \
  --storage-capacity 32 \
  --storage-type SSD \
  --subnet-ids subnet-xxxxxxxxx subnet-yyyyyyyyy \
  --security-group-ids sg-xxxxxxxxx \
  --windows-configuration '{
    "ActiveDirectoryId": "d-xxxxxxxxxx",
    "DeploymentType": "MULTI_AZ_1",
    "PreferredSubnetId": "subnet-xxxxxxxxx",
    "ThroughputCapacity": 8,
    "AutomaticBackupRetentionDays": 7,
    "CopyTagsToBackups": true
  }' \
  --tags Key=Name,Value=multi-az-fsx-windows

Replace the placeholder values:

  • subnet-xxxxxxxxx and subnet-yyyyyyyyy: Your subnet IDs in different AZs
  • sg-xxxxxxxxx: Your security group ID
  • d-xxxxxxxxxx: Your Active Directory ID
  • PreferredSubnetId: Should match one of your subnet IDs

CloudFormation (optional)

AWSTemplateFormatVersion: '2010-09-09'
Description: FSx Windows File System with Multi-AZ deployment

Parameters:
  PreferredSubnetId:
    Type: AWS::EC2::Subnet::Id
    Description: Subnet ID for the preferred file server (first AZ)
  StandbySubnetId:
    Type: AWS::EC2::Subnet::Id
    Description: Subnet ID for the standby file server (second AZ)
  SecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group for the file system
  ActiveDirectoryId:
    Type: String
    Description: AWS Managed Microsoft AD directory ID
  StorageCapacityGiB:
    Type: Number
    Default: 32
    MinValue: 32
    MaxValue: 65536
    Description: Storage capacity in GiB (32-65536 for SSD)
  ThroughputCapacity:
    Type: Number
    Default: 8
    AllowedValues: [8, 16, 32, 64, 128, 256, 512, 1024, 2048]
    Description: Throughput capacity in MB/s

Resources:
  FSxWindowsFileSystem:
    Type: AWS::FSx::FileSystem
    Properties:
      FileSystemType: WINDOWS
      StorageCapacity: !Ref StorageCapacityGiB
      StorageType: SSD
      SubnetIds:
        - !Ref PreferredSubnetId
        - !Ref StandbySubnetId
      SecurityGroupIds:
        - !Ref SecurityGroupId
      WindowsConfiguration:
        ActiveDirectoryId: !Ref ActiveDirectoryId
        DeploymentType: MULTI_AZ_1
        PreferredSubnetId: !Ref PreferredSubnetId
        ThroughputCapacity: !Ref ThroughputCapacity
        AutomaticBackupRetentionDays: 7
        CopyTagsToBackups: true
      Tags:
        - Key: Name
          Value: multi-az-fsx-windows

Outputs:
  FileSystemId:
    Description: FSx file system ID
    Value: !Ref FSxWindowsFileSystem
  DNSName:
    Description: DNS name for mounting
    Value: !GetAtt FSxWindowsFileSystem.DNSName

Deploy the stack:

aws cloudformation create-stack \
  --stack-name fsx-windows-multi-az \
  --template-body file://template.yaml \
  --parameters \
    ParameterKey=PreferredSubnetId,ParameterValue=subnet-xxxxxxxxx \
    ParameterKey=StandbySubnetId,ParameterValue=subnet-yyyyyyyyy \
    ParameterKey=SecurityGroupId,ParameterValue=sg-xxxxxxxxx \
    ParameterKey=ActiveDirectoryId,ParameterValue=d-xxxxxxxxxx \
  --region us-east-1

Terraform (optional)

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "preferred_subnet_id" {
  description = "Subnet ID for the preferred file server (first AZ)"
  type        = string
}

variable "standby_subnet_id" {
  description = "Subnet ID for the standby file server (second AZ)"
  type        = string
}

variable "security_group_ids" {
  description = "List of security group IDs"
  type        = list(string)
}

variable "active_directory_id" {
  description = "AWS Managed Microsoft AD directory ID"
  type        = string
}

variable "storage_capacity" {
  description = "Storage capacity in GiB (32-65536 for SSD)"
  type        = number
  default     = 32
}

variable "throughput_capacity" {
  description = "Throughput capacity in MB/s"
  type        = number
  default     = 8
}

resource "aws_fsx_windows_file_system" "multi_az" {
  storage_capacity    = var.storage_capacity
  storage_type        = "SSD"
  subnet_ids          = [var.preferred_subnet_id, var.standby_subnet_id]
  preferred_subnet_id = var.preferred_subnet_id
  security_group_ids  = var.security_group_ids

  active_directory_id = var.active_directory_id
  deployment_type     = "MULTI_AZ_1"
  throughput_capacity = var.throughput_capacity

  automatic_backup_retention_days = 7
  copy_tags_to_backups            = true

  tags = {
    Name = "multi-az-fsx-windows"
  }
}

output "file_system_id" {
  description = "FSx file system ID"
  value       = aws_fsx_windows_file_system.multi_az.id
}

output "dns_name" {
  description = "DNS name for mounting"
  value       = aws_fsx_windows_file_system.multi_az.dns_name
}

Apply the configuration:

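terraform init
# Save the plan so that apply uses the same variable values instead of prompting for them
terraform plan -out=tfplan \
  -var="preferred_subnet_id=subnet-xxxxxxxxx" \
  -var="standby_subnet_id=subnet-yyyyyyyyy" \
  -var="security_group_ids=[\"sg-xxxxxxxxx\"]" \
  -var="active_directory_id=d-xxxxxxxxxx"
terraform apply tfplan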

Verification

After creating your Multi-AZ file system, verify it in the AWS Console:

  1. Open the FSx console
  2. Select your file system
  3. On the Summary tab, confirm:
    • Deployment type shows Multi-AZ
    • Availability Zones lists two different zones

CLI verification

aws fsx describe-file-systems \
  --region us-east-1 \
  --file-system-ids fs-xxxxxxxxx \
  --query "FileSystems[0].{DeploymentType:WindowsConfiguration.DeploymentType,SubnetIds:SubnetIds,PreferredSubnetId:WindowsConfiguration.PreferredSubnetId}" \
  --output table

The output should show MULTI_AZ_1 for DeploymentType and two subnet IDs.
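
The same verification applied to every Windows file system in one pass, as an added example that is not part of the original page. It reads the JSON produced by aws fsx describe-file-systems --output json; the function name audit_multi_az and the embedded sample response (with placeholder IDs) are constructed for illustration.

```python
import json
import sys

# Constructed sample of `aws fsx describe-file-systems --output json`
# (IDs are placeholders, not real resources).
SAMPLE = """
{"FileSystems": [
  {"FileSystemId": "fs-aaaaaaaaa", "FileSystemType": "WINDOWS",
   "SubnetIds": ["subnet-xxxxxxxxx", "subnet-yyyyyyyyy"],
   "WindowsConfiguration": {"DeploymentType": "MULTI_AZ_1",
                            "PreferredSubnetId": "subnet-xxxxxxxxx"}},
  {"FileSystemId": "fs-bbbbbbbbb", "FileSystemType": "WINDOWS",
   "SubnetIds": ["subnet-xxxxxxxxx"],
   "WindowsConfiguration": {"DeploymentType": "SINGLE_AZ_2",
                            "PreferredSubnetId": "subnet-xxxxxxxxx"}},
  {"FileSystemId": "fs-ccccccccc", "FileSystemType": "LUSTRE",
   "SubnetIds": ["subnet-xxxxxxxxx"]}
]}
"""


def audit_multi_az(response):
    """Return {FileSystemId: [reasons]} for Windows file systems that fail the check."""
    findings = {}
    for fs in response.get("FileSystems", []):
        if fs.get("FileSystemType") != "WINDOWS":
            continue  # the check only covers FSx for Windows File Server
        win = fs.get("WindowsConfiguration") or {}
        subnets = fs.get("SubnetIds") or []
        reasons = []
        if win.get("DeploymentType") != "MULTI_AZ_1":
            reasons.append(f"DeploymentType is {win.get('DeploymentType')}, expected MULTI_AZ_1")
        if len(set(subnets)) != 2:
            reasons.append(f"{len(set(subnets))} distinct subnet(s), expected 2")
        if win.get("PreferredSubnetId") not in subnets:
            reasons.append("PreferredSubnetId is not one of SubnetIds")
        if reasons:
            findings[fs.get("FileSystemId", "<unknown>")] = reasons
    return findings


if __name__ == "__main__":
    # Pipe real CLI JSON on stdin, or run with no piped input to use the sample.
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    result = audit_multi_az(json.loads(raw))
    for fs_id, reasons in result.items():
        for reason in reasons:
            print(f"FAIL {fs_id}: {reason}")
    sys.exit(1 if result else 0)
```

The script exits non-zero when any Windows file system fails, so it can gate a scheduled job or pipeline step.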

Notes

  • Migration required: Existing Single-AZ file systems cannot be converted to Multi-AZ. You must create a new file system and migrate data.
  • Cost considerations: Multi-AZ deployments cost more than Single-AZ due to the additional infrastructure. Review FSx pricing before deployment.
  • Active Directory: FSx for Windows requires integration with Microsoft Active Directory. Ensure your AD is properly configured before creating the file system.
  • DNS updates: When migrating, update your applications and mount points to use the new file system's DNS name.
  • Security groups: Ensure your security groups allow the required ports (TCP 445 for SMB, TCP 5985 for Windows Remote PowerShell).