Securely Access Amazon FSx for Windows File Server using AWS Verified Access
Introduction
In this post, I describe how to use Amazon Web Services (AWS) Verified Access (AVA) to securely access an Amazon FSx for Windows File Server file share. You will learn how to configure and deploy AVA endpoints, and connect to your FSx file share from your remote computer using the AVA Connectivity client. This approach has benefits over a VPN, such as eliminating VPN infrastructure, enforcing granular access control, and improving user experience.
AVA is an AWS service that provides secure, scalable authentication and authorization for users and devices accessing your AWS resources. It eliminates the need for a traditional VPN by using modern authentication protocols to verify identities and grant access to your AWS resources. AVA allows you to securely connect to your FSx for Windows File Server file shares without the overhead and complexity of managing a VPN solution.
Prerequisites
Before proceeding, you should read the following to get an overview of AVA and FSx for Windows File Server:
- What is AWS Verified Access and How Verified Access works
- What is Amazon FSx for Windows File Server
Also, I describe the steps using the AWS Management Console. Make sure that you have access to the management console.
Solution architecture
Figure 1 shows the architecture of a remote user accessing an FSx file share through AVA.

Figure 1: AVA and FSx diagram
The sequence of steps a user goes through when accessing their FSx file share through AVA is as follows:
- The user accesses the AVA endpoint that protects FSx.
- AVA authenticates the user against the configured identity provider, in this case AWS Identity and Access Management (IAM) Identity Center. AVA also supports external identity providers compatible with OIDC.
- After successful authentication, AVA checks the authorization policies for FSx and verifies the user has permission to access the FSx file share.
- Then, the user authenticates against the FSx Active Directory and upon successful authentication accesses the file share.
Implementation steps
The following steps guide you through this implementation.
1. Deploy FSx and collect networking information
As of this post, AVA only supports the Single-AZ 1 deployment of FSx.
Deploy a Single-AZ 1 FSx Windows Server with a Managed Active Directory Server as described here. Make sure that Single-AZ 1 is chosen as the deployment type. Deploying the EC2 Windows server is optional. In this post, I focus on deploying the Active Directory server and the FSx File Server.
1.1 FSx File Server networking information
After creating the FSx File Server, navigate to FSx -> File systems, and choose the file server you created. Choose the Network & security tab to view the FSx File Server networking information. Note the (1) IP Address, (2) Subnet, and (3) Network Interface information. To view the CIDR range of the subnet, choose the link under the Subnet section (2), which takes you to the VPC console, where you find the CIDR range details (4). Refer to the following two figures (Figure 2 and Figure 3) for examples.

Figure 2: FSx network information

Figure 3: Subnet CIDR
2. Deploy AVA instance, trust provider, and group
Make sure that you have the proper permissions to create and configure a Verified Access instance. Follow the Get started tutorial to create the AVA instance, trust provider, and group. Attach an access policy to the group. You can use one of the access policy examples for the policy.
3. Deploy AVA endpoints
The next step is to create an AVA endpoint to the FSx File Server. You can configure access to FSx over SMB by configuring the endpoint to use the TCP protocol. You then choose either the network CIDR range of the subnet to which the FSx File Server is deployed or the network interface of the deployed FSx File Server. The CIDR range configuration provides a fast way to provide access to all resources with an IP address within the CIDR range. The network interface configuration provides access to individual resources associated with the network interface. In the following sections, I describe both configurations.
For both, use the default SMB port 445 for the port range using the notation 445-445, and specify the group that you previously created as the Verified Access group.
3.1 Create and configure the Network CIDR endpoint type
To create the Network CIDR endpoint type, navigate to the VPC Console, and choose Verified Access endpoints -> Create Verified Access endpoint. A page opens where you choose the configuration options for the endpoint. When creating the AVA Network CIDR endpoint type, specify the CIDR range that contains the FSx for Windows File Server in the CIDR section. You can specify the CIDR of the entire subnet in which FSx is deployed, or narrow it down further to scope down access to only the file server.
Figure 4 is an example of the AVA CIDR endpoint type that shows (5) the Endpoint protocol and (6) the Network CIDR type.

Figure 4: AVA Network CIDR endpoint
3.1.1 View the Network CIDR type domain name
After the Network CIDR endpoint is created, you can view the domain name for the FSx File Server. Navigate to the VPC Console, choose Verified Access endpoints, choose the Network CIDR endpoint that you created previously, then choose the Domain names tab. The CIDR type discovers all active IP addresses within the specified CIDR range, thus you must find the domain name that corresponds to the FSx File Server IP address. Figure 5 shows the AVA domain name for the FSx File Server deployed previously (7).

Figure 5: AVA Network CIDR endpoint domain names
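The two decisions in steps 3.1 and 3.1.1, how far to scope down the CIDR and which discovered domain name belongs to FSx, can be checked before you touch the console. The following helpers are an added example, not code from the AWS post; the IP addresses, subnet, and domain names are constructed sample values.

```python
# Added example (not from the AWS post): planning helpers for an AVA TCP
# endpoint in front of an FSx for Windows file share. All values are
# constructed sample data, not real resources.
import ipaddress
from typing import Dict

SMB_PORT = 445  # the only port the post opens (port range 445-445)


def scoped_cidr(fsx_ip: str, subnet_cidr: str, prefix_len: int = 32) -> str:
    """Return a CIDR of `prefix_len` that contains the FSx IP and lies inside
    the FSx subnet. The default /32 gives least privilege: only the file
    server itself is reachable through the endpoint."""
    ip = ipaddress.ip_address(fsx_ip)
    subnet = ipaddress.ip_network(subnet_cidr, strict=False)
    if ip not in subnet:
        raise ValueError(f"{fsx_ip} is not inside {subnet_cidr}")
    if prefix_len < subnet.prefixlen:
        raise ValueError("endpoint CIDR must not be broader than the FSx subnet")
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


def check_port_range(from_port: int, to_port: int) -> bool:
    """True only for the SMB-only range 445-445 used in the post."""
    return from_port == to_port == SMB_PORT


def fsx_domain_name(domain_names: Dict[str, str], fsx_ip: str) -> str:
    """A CIDR endpoint discovers every active IP in the range and publishes
    one AVA domain name per IP; return the one whose IP is the FSx server."""
    matches = [d for d, ip in domain_names.items() if ip == fsx_ip]
    if len(matches) != 1:
        raise LookupError(f"expected one domain for {fsx_ip}, found {matches}")
    return matches[0]


# Constructed stand-in for the console's Domain names tab (domain -> IP).
SAMPLE_DOMAINS = {
    "ip-10-0-1-25.example.verified-access.invalid": "10.0.1.25",
    "ip-10-0-1-40.example.verified-access.invalid": "10.0.1.40",
}

if __name__ == "__main__":
    print(scoped_cidr("10.0.1.40", "10.0.1.0/24"))  # 10.0.1.40/32
    print(check_port_range(445, 445))  # True
    print(fsx_domain_name(SAMPLE_DOMAINS, "10.0.1.40"))
```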
3.2 Create and configure the Network Interface endpoint type
To create the Network Interface endpoint type, navigate to the VPC Console, and choose Verified Access endpoints -> Create Verified Access endpoint. A page opens where you choose the configuration options for the endpoint. When creating the AVA Network Interface endpoint type, specify (3) the ENI of the FSx File System in the Network interface section of the configuration page.
Figure 6 is an example of the AVA Network Interface endpoint type that shows (8) the Endpoint protocol and (9) the Network interface type.

Figure 6: AVA Network interface endpoint
3.2.1 View the Network Interface type domain name
After you create the Network Interface endpoint, you can view the domain name for the FSx File Server. Navigate to the VPC Console and choose Verified Access endpoints, choose the Network Interface endpoint you previously created, then choose the Details tab. The Network Interface type endpoint corresponds to a single resource, thus there is only one domain name available. The following figure shows the AVA domain name for the FSx File Server deployed previously (10).

Figure 7: AVA Network Interface endpoint domain name
4. Deploy AVA Connectivity Client
Download the AVA Connectivity Client and install it on your computer, as described here.
Launch the Connectivity Client, authenticate with your IdP, and wait for the connection to the AVA endpoint to establish.
5. Access the FSx File Server through AVA
When connectivity is established, access the FSx file share using the directions appropriate for your OS. Use the AVA endpoint domain name associated with FSx as the DNS name for the file share (item 7 or 10 in the previous figures).
Figure 8 shows an example of accessing the FSx share on macOS using the Network Interface endpoint type domain name.

Figure 8: macOS server connection
When you choose Connect, FSx challenges you to authenticate with Active Directory (see Figure 9).

Figure 9: FSx Active Directory authentication
After you authenticate, you can access the FSx file share. In Figure 10, I created a folder DemoTest on the file share.

Figure 10: FSx file share
6. Clean up
After you are done exploring AVA and FSx, make sure to delete your AVA resources, your FSx file system, and your Connectivity Client.
Conclusion
In this post, I showed how to securely access an Amazon FSx for Windows File Server using the TCP protocol support of AWS Verified Access (AVA). The key benefits of this architecture include eliminating the need for VPNs, granular access control, improved user experience, and enhanced security through continuous validation. AVA allows organizations to improve security, reduce operational complexity, and deliver a better experience for users accessing Amazon FSx. If you would like to learn more, contact us to speak with an AWS expert.