- Newest
- Most votes
- Most comments
Greetings,
You can use AWS Storage Gateway to expose your FSx Windows File Server to the physical workstations at the client's site. However, you'll need to ensure proper network connectivity and access permissions.
For the Storage Gateway to work correctly, it should be on the same network as the physical workstations at the client's site. It doesn't necessarily need to be on the client's domain, but being on the same network is crucial.
Here's how you can set up the desired architecture:
Create a VPN connection between your AWS VPC and the client's network, if not already set up. This will allow secure communication between the client's on-premises environment and your AWS resources. More information on AWS VPN can be found here: https://aws.amazon.com/vpn/
Deploy the Storage Gateway as a File Gateway on the client's network. This can be done using a virtual machine or a hardware appliance. Make sure it has proper network access to the client's workstations and the AWS VPN connection. More information on AWS Storage Gateway can be found here: https://aws.amazon.com/storagegateway/
Mount your FSx Windows File Server on the Storage Gateway. The Storage Gateway should be able to communicate with the FSx Windows File Server over the VPN. To accomplish this, you may need to configure appropriate routes and security groups in your AWS VPC and on-premises network.
Configure the Storage Gateway to use your AWS Directory Service for authentication. This way, when physical workstations access the file share, the Storage Gateway will handle the authentication with your AWS Directory Service. More information on joining a Storage Gateway to a domain can be found here: https://docs.aws.amazon.com/storagegateway/latest/userguide/GettingStartedCreateFileShares.html#GettingStartedCreateFileShares-jd
Finally, configure the client's workstations to access the file share exposed by the Storage Gateway. They should be able to access the file share with appropriate credentials, even if they are not on your company's domain.
Keep in mind that this setup may require additional fine-tuning based on the specific requirements of your company's network and the client's network.
Please let me know if I answered your question
Hello Joe,
In addition to Zokir response, please consider below as well, as your use-case involves two different AD domains :
- To attach FSx Window File Server to FSx File Gateway, FSx Windows File Server and FSx File Gateway both should be joined to same AD domain.
- Depending on the access requirements, you may need at minimum one way trust or two way trust (for bidirectional AD user accounts access).
- You may access your file shares from both Amazon FSx File Gateway as well as directly from Amazon FSx in AWS; however, you should ensure that files can only be written from a single location at a time. We don't recommend having multiple writers to the same files from two locations as it would lead to InvalidFileState errors.
Relevant content
- asked 2 years ago
- asked 9 months ago
AWS OFFICIALUpdated 9 months ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
Assuming we have a VPN set up between our client's on-prem network and our company's AWS environment and we have both the on-prem storage gateway and our fsx windows file server on our company's domain, is there a way that the on-prem workstations on the client's domain could access the file share on our domain? Perhaps via a mapped drive with different credentials?
To achieve your use-case, you would need one way forest trust relationship between your company's domain and your client's domain. In this case, your company's domain trusts your client's domain.Your client's domain would take the role of trusted domain and your company's domain would take the role of trusting domain.
Validated authentication requests travel between the domains in only one direction—allowing accounts in your client's domain to authenticate against resources shared in your company's domain. In this case, Amazon FSx interacts only with your company's domain. Your company's domain then passes on the authentication requests to your client's domain.
Above would be needed even when you consider using only FSx Windows File Server as well.
Please refer below : https://docs.aws.amazon.com/fsx/latest/WindowsGuide/fsx-aws-managed-ad.html#using-a-rfim https://aws.amazon.com/blogs/security/everything-you-wanted-to-know-about-trusts-with-aws-managed-microsoft-ad/ (Scenario 1) https://aws.amazon.com/blogs/architecture/field-notes-designing-multi-region-aws-managed-microsoft-active-directory-for-hybrid-environments/
@Surya: To your point 3), how can you achieve this pratically? "you should ensure that files can only be written from a single location at a time"