Shared drive for Windows EC2 instances launched within an autoscaling group

0

I am looking to be able to share a single network storage between my fleet of Windows EC2 instances that are used as application webservers running IIS. These instances need to be able to access the drive either by UNC or a mapped drive letter. The instances are created dynamically through autoscaling, so they need to either be preconfigured to already have the connection in the AMI that they are created from, or be able to connect as part of their startup process (if they are connected as part of startup, the connection must be established quickly so they can serve webpages without much downtime between startup and ready state, 2-3 mins max). Files are created/modified/deleted at runtime and need to be accessible to the other instances in the fleet, so preconfiguring the AMI to have all the files already loaded up will not work.

Things we have used (or attempted to use) so far are:

A separate EC2 instance that serves as a fileserver that our EC2 AMI is preconfigured to connect up to through a Windows file share. While quick and easy, this is not a great solution since it is a single point of failure.

An S3 bucket mounted through RClone to the EC2s (mounted during the startup process of the EC2). It was too slow in its initial connection and in subsequently retrieving files. It also did not appear to follow any Windows file locks set by other EC2s in the fleet (most likely due to VFS caching; my understanding of this is that every server loads up its own local version of the file for use).

Attaching to FSx through an AWS managed Active Directory. Sort of works if AMIs are preconfigured as connected to the directory; however, after 30 days that connection expires, the EC2s lose access, and a new AMI needs to be configured with the connection to spin up new EC2s with, since the previous connection is no longer valid. I understand that this is due to not disconnecting from the AD and sysprepping the instance before AMI creation, meaning the AD connection established is seen as the same computer account on each EC2 that was created from the AMI. However, if EC2s are sysprepped and configured to connect to the AD using a "User Data" script provided in my EC2 launch template, establishing the connection to FSx takes far too long. (Set up like this blog post: https://aws.amazon.com/blogs/compute/managing-domain-membership-of-dynamic-fleet-of-ec2-instances/)

2 Answers
3

Use Amazon Elastic File System (EFS) as shared network storage between your Windows EC2 instances as one possible solution to your problem. EFS is a scalable, highly available, and fully managed file storage service that supports NFSv4 and SMB protocols, making it an excellent choice for your needs.

To use EFS with your Windows EC2 instances, use the SMB protocol to mount the file system, which allows you to access the file system via UNC paths or mapped drive letters. You can mount the file system during the startup process of your instances by using a PowerShell script or an instance startup script.

https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3?tabs=server

# Add the SMB file-sharing support features (SMB1 is a legacy, less secure protocol; see the comments below)
Add-WindowsFeature FS-SMB1,FS-SMB2

# Mount the EFS file system as a persistent mapped drive (E:) using its UNC path
New-PSDrive -Name E -PSProvider FileSystem -Root "\\fs-01234567.efs.us-west-2.amazonaws.com\my-efs" -Persist
EXPERT
answered a year ago
  • Thank you, I will try this out. Just to be clear though, the EFS documentation states it is not supported on Windows EC2s so I assume this is a bit of an "unofficial" solution. Are there any caveats you are aware of that I should know?

  • This would not be the recommended way to do this. It introduces less secure connection protocols for Windows.

0

If you're using Active Directory then doing your original method with FSx (or your own managed file server) would be the right option. To get over the computers not joining the domain correctly you may want to take a look at: https://catalog.us-east-1.prod.workshops.aws/workshops/ace21ec3-c22b-484d-8e0d-4b497eadfc66/en-US/1-managing-microsoft-workloads-at-scale-on-aws/scalingmanagement which can help you step through setting up how to leverage lifecycle hooks of the EC2 instance to take a fresh AMI and join it to the domain for you. This way you don't have to implement less secure protocols to use SMBv2-SMBv2 protocols for EFS, which is not designed to be used on Windows systems.

AWS
EXPERT
Rob_H
answered a year ago
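Building on the lifecycle-hook approach in the answer above, here is an added example (my own, not code from either answer or from the linked workshop) of a boot-time script that waits for the FSx share to become writable, maps it, and only then completes the lifecycle action so the instance can take traffic; if the share is not ready within the budget the question mentions, it abandons the action so the group replaces the instance instead of leaving it serving pages without its files. It assumes the instance has already been domain-joined by that workflow and that the AWS Tools for PowerShell are installed; the share path, group name and hook name are placeholders.

```powershell
# Added example, not code from the answers: gate the ASG lifecycle hook on the share being usable.
# Assumes the machine is already domain-joined and AWS Tools for PowerShell are installed.
param(
    [string]$SharePath   = "\\fs-PLACEHOLDER.corp.example.com\share",  # FSx UNC path (placeholder)
    [string]$DriveLetter = "S",
    [string]$AsgName     = "web-asg-PLACEHOLDER",                       # placeholder
    [string]$HookName    = "mount-share-hook-PLACEHOLDER",              # placeholder
    [int]$TimeoutSeconds = 120                                          # inside the 2-3 minute budget
)

# Instance ID via IMDSv2 (session token required), needed to complete the lifecycle action.
$token = Invoke-RestMethod -Method PUT -Uri "http://169.254.169.254/latest/api/token" `
    -Headers @{ "X-aws-ec2-metadata-token-ttl-seconds" = "300" }
$instanceId = Invoke-RestMethod -Uri "http://169.254.169.254/latest/meta-data/instance-id" `
    -Headers @{ "X-aws-ec2-metadata-token" = $token }

function Test-ShareReady {
    # Prove the share is reachable AND writable with a real round trip, not just a DNS lookup.
    param([string]$Path)
    try {
        $probe = Join-Path $Path ("readiness-" + $env:COMPUTERNAME + ".tmp")
        Set-Content -Path $probe -Value (Get-Date -Format o) -ErrorAction Stop
        Remove-Item -Path $probe -ErrorAction Stop
        return $true
    } catch { return $false }
}

$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
$ready = $false
while ((Get-Date) -lt $deadline) {
    if (Test-ShareReady -Path $SharePath) { $ready = $true; break }
    Start-Sleep -Seconds 5   # the fresh computer account may need a moment before Kerberos auth works
}

if ($ready) {
    # Drive letters are per logon session, so IIS app pools should reference the UNC path directly;
    # the persistent mapping here is a convenience for interactive administrators.
    New-SmbMapping -LocalPath "$($DriveLetter):" -RemotePath $SharePath -Persistent $true -ErrorAction Stop
    $result = "CONTINUE"   # instance may now be put into service
} else {
    $result = "ABANDON"    # terminate and replace rather than serve requests without the shared files
}

Complete-ASLifecycleAction -AutoScalingGroupName $AsgName -LifecycleHookName $HookName `
    -InstanceId $instanceId -LifecycleActionResult $result
```

Run it from the launch template's user data (or an EC2Launch task) after the domain join, with the instance role allowed to call autoscaling:CompleteLifecycleAction.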
