This chapter covers Amazon FSx for NetApp ONTAP, a fully managed service that brings the rich feature set of NetApp ONTAP storage systems to AWS. For the SAA-C03 exam, this is a niche but important topic, appearing in roughly 2-5% of questions, often as a distractor or a specialized solution for hybrid workloads. Understanding FSx for ONTAP is critical for scenarios requiring high-performance file storage with advanced data management features like snapshots, clones, and multi-protocol access, especially when migrating existing NetApp workloads to AWS.
Jump to a section
Imagine a multinational corporation with a central headquarters (the AWS account) that has a dedicated, high-security file room (the FSx for ONTAP file system). This file room is staffed by expert librarians (ONTAP software) who manage millions of files across many cabinets (volumes and LUNs). The librarians support multiple access methods: they can hand you a physical folder (NFS), a binder (SMB), or even a specialized cartridge (iSCSI). They also take snapshots of the entire room every hour (automatic snapshots) and can instantly reconstruct the room from any snapshot (FlexClone). The file room is connected to the corporate network (VPC) via a dedicated, fast pneumatic tube system (AWS Direct Connect or VPN) that ensures low latency. Remote branch offices (on-premises data centers) can also send requests through the same tube system, and the librarians treat them with the same priority as local requests. However, the file room is only accessible to employees who are inside the corporate building (VPC) or connected via the approved tube system (Direct Connect/VPN). It is not open to the public internet. The librarians can also replicate the entire file room to another building in a different city (cross-region replication) for disaster recovery. This setup provides a high-performance, multi-protocol, highly available file storage service that feels just like an on-premises NetApp filer but is fully managed by AWS.
What is Amazon FSx for NetApp ONTAP?
Amazon FSx for NetApp ONTAP is a fully managed AWS service that launches, runs, and scales NetApp’s ONTAP file system on AWS. It provides a native, high-performance, and feature-rich file storage solution that is compatible with existing NetApp environments. The service is designed for workloads that require the advanced data management capabilities of NetApp ONTAP, such as snapshots, clones, replication, and multi-protocol access, but without the operational overhead of managing the underlying infrastructure.
Why does it exist?
Many enterprises have on-premises NetApp storage systems running critical applications. Migrating these applications to AWS often requires re-architecting storage, which is costly and risky. FSx for ONTAP addresses this by offering a cloud-native version of NetApp ONTAP that integrates seamlessly with AWS. It supports the same APIs and management tools, allowing organizations to lift-and-shift their NetApp workloads to AWS with minimal changes. Additionally, it provides high performance (up to millions of IOPS and multiple GB/s throughput) and low latency (sub-millisecond) for demanding workloads like databases, high-performance computing (HPC), and media processing.
How does it work internally?
FSx for ONTAP deploys a fully managed file server in a customer’s VPC. The file server runs NetApp ONTAP software on AWS Nitro-based instances. Each file system consists of a primary server and a standby server in two different Availability Zones (AZs) in the same AWS Region, providing high availability. The storage is backed by Amazon EBS volumes, and the compute is provided by dedicated EC2 instances. The ONTAP software manages the file system, including volumes, LUNs, snapshots, clones, and replication.
The file system is accessed via standard protocols: NFS (v3, v4.0, v4.1), SMB (v2.0, v3.0), and iSCSI. This allows simultaneous access from Linux, Windows, and virtualized environments. The service also supports the NetApp SnapMirror replication technology for data replication across AWS Regions or to on-premises systems.
Key Components, Values, Defaults, and Timers
File System: The main resource. It has a storage capacity from 1.02 TiB to 192 TiB (increments of 1.02 TiB). The throughput capacity ranges from 128 MB/s to 4,096 MB/s (for SSD storage). For HDD storage, throughput is 16 MB/s per TiB of storage capacity.
Storage Type: SSD (Solid State Drive) for low-latency, high-IOPS workloads; HDD (Hard Disk Drive) for throughput-optimized, cost-sensitive workloads.
Deployment Type: Multi-AZ (default) for high availability; Single-AZ for development/test environments.
Volumes and LUNs: You create volumes (for NFS/SMB) and LUNs (for iSCSI) within the file system. Volumes can be thin-provisioned, with a maximum size of 100 TiB. LUNs support up to 16 TiB each.
Snapshots: Automatic snapshots can be enabled with a schedule (e.g., every hour, daily, weekly). They are stored in the file system and are space-efficient (copy-on-write). Snapshots can be used to create new volumes via FlexClone.
FlexClone: Creates writable, point-in-time copies of volumes or LUNs instantly. Useful for testing, development, and data protection.
SnapMirror: Replicates data from one ONTAP system to another (cross-Region or on-premises). Supports both synchronous and asynchronous replication.
Data Compression and Deduplication: Enabled by default on all volumes. Deduplication is inline and post-process. Compression is also inline.
Throughput: The baseline throughput is determined by the file system’s storage capacity and type. You can also provision additional throughput (up to 4,096 MB/s for SSD).
Latency: Sub-millisecond for SSD-backed file systems.
Pricing: You pay for provisioned storage capacity, throughput capacity (if provisioned), backup storage, and data transfer out. There is no upfront cost.
Configuration and Verification Commands
To create an FSx for ONTAP file system using AWS CLI:
aws fsx create-file-system \
--file-system-type ONTAP \
--storage-capacity 1024 \
--subnet-ids subnet-12345678 \
--preferred-subnet-id subnet-12345678 \
--fsx-admin-password YourAdminPassword \
--tags Key=Name,Value=MyOntapFileSystemTo create a volume:
aws fsx create-volume \
--file-system-id fs-12345678 \
--volume-type ONTAP \
--name MyVolume \
--ontap-configuration JunctionPath=/myvolume,SizeInMegabytes=102400,StorageEfficiencyEnabled=trueTo verify the file system status:
aws fsx describe-file-systems --file-system-ids fs-12345678Interaction with Related Technologies
Amazon EBS: The underlying storage for FSx for ONTAP is EBS. The ONTAP instances use EBS volumes for data and metadata.
Amazon VPC: FSx for ONTAP is deployed within a VPC, using Elastic Network Interfaces (ENIs) for connectivity. It can be accessed from EC2 instances in the same VPC, peered VPCs, or on-premises via Direct Connect or VPN.
AWS Backup: Can be used to back up FSx for ONTAP file systems, but native ONTAP snapshots and SnapMirror are more feature-rich.
AWS KMS: Data at rest is encrypted using KMS keys. You can use a customer-managed key or AWS-managed key.
AWS CloudWatch: Provides metrics like file system usage, IOPS, throughput, and latency. You can also set CloudWatch alarms.
AWS CloudTrail: Logs API calls to FSx for ONTAP.
Active Directory: The file system can be joined to an AWS Managed Microsoft AD or a self-managed AD for SMB authentication.
Performance and Scalability
FSx for ONTAP can scale to 192 TiB of storage and up to 4,096 MB/s of throughput (for SSD). The maximum IOPS is 1 million for SSD. The service is designed for low latency (sub-millisecond) for SSD-backed file systems. You can increase storage capacity and throughput without downtime. However, you cannot decrease them.
Use Cases
Migrating NetApp ONTAP workloads to AWS: Lift-and-shift applications that rely on NetApp features like snapshots, clones, and SnapMirror.
High-performance computing (HPC): Demanding workloads that require low latency and high throughput, such as financial modeling, scientific simulations, and media rendering.
Database storage: Running databases like Oracle, SQL Server, or SAP HANA on iSCSI LUNs.
Home directories and file shares: Centralized file storage for users accessed via SMB.
Disaster recovery: Using SnapMirror to replicate data to another AWS Region.
Limitations
Maximum file system size: 192 TiB.
Maximum volume size: 100 TiB.
Maximum LUN size: 16 TiB.
Protocol support: NFS v3/v4, SMB v2/v3, iSCSI. No support for S3 or EFS.
Not accessible from the internet: Must be accessed from within a VPC or via Direct Connect/VPN.
Cannot be shared across AWS accounts natively: You must use VPC peering or Transit Gateway to share access.
Best Practices
Use SSD for latency-sensitive workloads, HDD for throughput-optimized workloads.
Enable automatic snapshots for data protection.
Use FlexClone to create test/dev environments quickly.
Monitor CloudWatch metrics for performance and capacity planning.
Use AWS KMS for encryption at rest.
For multi-AZ deployments, ensure you have subnets in two AZs.
Exam Tips
FSx for ONTAP is the only AWS managed service that provides iSCSI support.
It supports multi-protocol access (NFS, SMB, iSCSI) simultaneously.
It is ideal for migrating on-premises NetApp workloads.
It offers advanced features like snapshots, FlexClone, and SnapMirror.
Do not confuse with FSx for Windows File Server (SMB only) or FSx for Lustre (high-performance computing, POSIX).
Create the FSx for ONTAP file system
First, you define the file system in the AWS Management Console, CLI, or SDK. You specify the deployment type (Multi-AZ or Single-AZ), storage capacity (1.02 TiB to 192 TiB in 1.02 TiB increments), storage type (SSD or HDD), and throughput capacity (optional, up to 4096 MB/s for SSD). You also select the VPC and subnets (two for Multi-AZ, one for Single-AZ). AWS then provisions the underlying EC2 instances running ONTAP software and attaches EBS volumes for storage. The process takes several minutes.
Configure networking and security
The file system is deployed in your VPC with Elastic Network Interfaces (ENIs) in the selected subnets. It is not publicly accessible. You must ensure that security groups and network ACLs allow traffic on the relevant ports: NFS (2049 TCP), SMB (445 TCP), iSCSI (3260 TCP), and management (SSH 22, HTTPS 443). The file system also needs outbound access to AWS services for monitoring and backups. You can use VPC endpoints for S3 and CloudWatch if needed.
Set up authentication and access
For SMB access, you must join the file system to an Active Directory domain. You can use AWS Managed Microsoft AD or a self-managed AD. For NFS, you control access via export policies that define which clients can mount volumes and with what permissions. For iSCSI, you use CHAP authentication. You also set up the fsx-admin password for CLI/API access to the ONTAP system.
Create volumes and LUNs
After the file system is active, you create volumes (for NFS/SMB) and LUNs (for iSCSI) using the ONTAP CLI, AWS Management Console, or AWS CLI. Each volume has a junction path (e.g., /vol1) and can be thin-provisioned. You can enable storage efficiency (deduplication and compression) per volume. LUNs are created within volumes and have a size up to 16 TiB. You can also create snapshots and clones of volumes.
Mount and use the file system
Clients mount the file system using the DNS name provided by FSx (e.g., svm-12345678-abcde123.fsx.us-east-1.amazonaws.com). For NFS, use the mount command: mount -t nfs -o vers=3 svm-dns-name:/junction-path /local-mount-point. For SMB, use net use or mount.cifs. For iSCSI, you need to configure the iSCSI initiator to connect to the target IQN. The file system is now ready for use with full ONTAP functionality.
Enterprise Scenario 1: Migrating a NetApp-backed Oracle Database to AWS
A financial services company runs Oracle RAC on-premises using NetApp storage with NFS. They want to migrate to AWS without changing their storage stack. They deploy FSx for ONTAP in Multi-AZ mode with SSD storage (10 TiB, 512 MB/s throughput). They create a volume with the same junction path as on-premises and mount it to EC2 instances running Oracle. The migration uses Oracle Data Guard to replicate data to the cloud. FSx for ONTAP’s sub-millisecond latency ensures no performance degradation. They enable automatic snapshots every hour for point-in-time recovery. The migration is completed in weeks instead of months. Common pitfalls: forgetting to set the correct NFS mount options (e.g., hard, intr, noatime) which can cause timeouts; not sizing throughput correctly leads to throttling during peak loads.
Enterprise Scenario 2: Hybrid Cloud with SnapMirror for Disaster Recovery
A media production company uses on-premises NetApp storage for video editing. They want to replicate critical projects to AWS for disaster recovery. They deploy a Single-AZ FSx for ONTAP file system in us-west-2 with HDD storage (50 TiB, 800 MB/s throughput). They establish a VPN connection from their on-premises network to AWS. They configure SnapMirror to replicate volumes from on-premises to the FSx for ONTAP file system. The initial baseline transfer takes a few days, then incremental updates run every 15 minutes. If a disaster strikes, they can promote the FSx for ONTAP volume to primary and spin up EC2 instances to continue editing. They test the failover quarterly. Common issues: insufficient bandwidth for replication causing lag; not using SnapMirror policies correctly leading to failed transfers; forgetting to update DNS records after failover.
Enterprise Scenario 3: Centralized File Shares for a Global Team
A multinational corporation needs a centralized file share for 5,000 employees across offices. They use SMB protocol and require integration with their existing Active Directory. They deploy a Multi-AZ FSx for ONTAP file system with SSD storage (20 TiB, 1 GB/s throughput). They join it to their AWS Managed Microsoft AD. They create departmental volumes with appropriate quotas and security settings. Employees access the share via SMB from their Windows workstations, connecting over Direct Connect from major offices. The system handles peak usage of 10,000 concurrent connections with sub-millisecond latency. They use FlexClone to create sandbox environments for testing new applications. Misconfiguration: not enabling SMB multichannel can limit performance; setting incorrect quota limits causes user complaints; not monitoring CloudWatch metrics leads to unexpected growth and costs.
SAA-C03 Exam Focus: FSx for NetApp ONTAP
This topic is tested under Objective 3.5: "Determine high-performing and/or scalable storage solutions." The exam typically includes 1-2 questions that either directly ask about FSx for ONTAP or present it as a distractor for other storage services. Key areas: understanding its unique features (iSCSI support, SnapMirror, FlexClone), use cases (migration, hybrid cloud), and how it differs from FSx for Windows and FSx for Lustre.
Common Wrong Answers and Why Candidates Choose Them
Choosing FSx for Windows File Server when iSCSI is required. Candidates see "Windows" and think it supports iSCSI, but FSx for Windows only supports SMB. FSx for ONTAP is the only AWS managed file service that supports iSCSI.
Selecting EFS when multi-protocol access (NFS+SMB) is needed. EFS only supports NFS. FSx for ONTAP supports both NFS and SMB simultaneously.
Thinking FSx for ONTAP is only for Linux workloads. It supports SMB for Windows and iSCSI for any OS, making it versatile.
Confusing SnapMirror with AWS Backup. SnapMirror is ONTAP-specific replication; AWS Backup is a broader backup service.
Specific Numbers, Values, and Terms That Appear Verbatim on the Exam
Storage capacity increments: 1.02 TiB minimum, 192 TiB maximum.
Throughput: up to 4,096 MB/s for SSD.
Protocols: NFS v3/v4, SMB v2/v3, iSCSI.
Features: SnapMirror, FlexClone, deduplication, compression.
Deployment: Multi-AZ (default) or Single-AZ.
Edge Cases and Exceptions the Exam Loves to Test
Can FSx for ONTAP be accessed from the internet? No. Only from within a VPC or via Direct Connect/VPN.
Can you share an FSx for ONTAP file system across AWS accounts? Not directly. You must use VPC peering or Transit Gateway.
Does FSx for ONTAP support S3? No. It does not have an S3 interface.
Can you use FSx for ONTAP with on-premises NetApp? Yes, via SnapMirror.
How to Eliminate Wrong Answers Using the Underlying Mechanism
If the scenario requires iSCSI, eliminate all options except FSx for ONTAP.
If the scenario requires SnapMirror or FlexClone, choose FSx for ONTAP.
If the scenario requires simultaneous NFS and SMB access, choose FSx for ONTAP.
If the scenario requires high-performance computing with Lustre, choose FSx for Lustre.
If the scenario requires a simple SMB file share without advanced features, choose FSx for Windows File Server.
If the scenario requires a POSIX-compliant file system for Linux, consider EFS or FSx for Lustre.
By understanding the unique value proposition of FSx for ONTAP—especially its iSCSI support and NetApp ecosystem compatibility—you can quickly identify the correct answer.
FSx for ONTAP is the only AWS managed file service that supports iSCSI protocol.
It supports simultaneous NFS, SMB, and iSCSI access to the same data.
Key features include SnapMirror for replication and FlexClone for instant volume clones.
Minimum storage capacity is 1.02 TiB; maximum is 192 TiB in 1.02 TiB increments.
Throughput can be provisioned up to 4,096 MB/s for SSD storage.
It is deployed in a VPC and is not accessible from the internet.
It integrates with AWS Managed Microsoft AD for SMB authentication.
Use for migrating on-premises NetApp workloads or when advanced data management is needed.
These come up on the exam all the time. Here's how to tell them apart.
FSx for NetApp ONTAP
Supports NFS, SMB, and iSCSI
Offers advanced NetApp features (snapshots, clones, SnapMirror)
Ideal for hybrid cloud with on-premises NetApp
Can be used with Linux, Windows, and virtualized environments
Supports deduplication and compression inline
FSx for Windows File Server
Supports SMB only
Native Windows file server features (e.g., shadow copies, DFS)
Seamless integration with Active Directory
Primarily for Windows workloads
No built-in deduplication (uses Windows Server feature)
FSx for NetApp ONTAP
Supports NFS, SMB, and iSCSI
Sub-millisecond latency for SSD
Designed for general-purpose file storage, databases, and HPC
Features like snapshots and replication for data protection
Can be accessed from on-premises via Direct Connect/VPN
FSx for Lustre
POSIX-compliant (Linux clients only)
Optimized for high-throughput, low-latency HPC workloads
Integrated with S3 for data import/export
No snapshots or replication (uses Lustre features)
Best for large-scale compute-intensive applications
Mistake
FSx for ONTAP supports S3 as a storage tier.
Correct
FSx for ONTAP does not natively integrate with S3. It uses EBS volumes for storage. However, you can use the ONTAP SnapMirror to replicate to S3 via a gateway, but this is not a direct feature.
Mistake
FSx for ONTAP is only for NetApp-specific workloads.
Correct
While it is optimized for NetApp environments, it supports standard NFS, SMB, and iSCSI protocols, making it suitable for any workload that requires these protocols, even without prior NetApp experience.
Mistake
FSx for ONTAP can be accessed from the internet using a public IP.
Correct
FSx for ONTAP is deployed in a VPC and is not assigned a public IP. It can only be accessed from within the VPC, peered VPCs, or via Direct Connect/VPN. There is no internet-facing endpoint.
Mistake
FSx for ONTAP supports the same features as Amazon EFS.
Correct
EFS is a simple, scalable NFS file system. FSx for ONTAP offers advanced features like snapshots, clones, replication, compression, deduplication, and multi-protocol support that EFS does not.
Mistake
You can decrease the storage capacity of an FSx for ONTAP file system.
Correct
Storage capacity can only be increased, not decreased. You must plan carefully to avoid over-provisioning. The same applies to throughput capacity.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
FSx for ONTAP supports NFS versions 3, 4.0, and 4.1; SMB versions 2.0 and 3.0; and iSCSI. This makes it suitable for Linux, Windows, and virtualized environments simultaneously.
Yes. FSx for ONTAP supports NetApp SnapMirror, which can replicate data from an on-premises NetApp system to FSx for ONTAP in AWS. You can also replicate from AWS back to on-premises.
You cannot access FSx for ONTAP directly from the internet. It is deployed in a VPC and is only accessible from within the VPC, via VPC peering, or through AWS Direct Connect or a VPN connection.
FSx for ONTAP supports NFS, SMB, and iSCSI, and includes advanced NetApp features like snapshots, clones, and SnapMirror. FSx for Windows File Server supports only SMB and is built on Windows Server, offering native Windows features like shadow copies and DFS.
Yes. FSx for ONTAP can be mounted as a volume in ECS tasks or as a persistent volume in EKS using the CSI driver. It supports both NFS and iSCSI.
FSx for ONTAP provides inline deduplication and compression, as well as thin provisioning. These features are enabled by default on volumes and can help reduce storage costs.
You can use Amazon CloudWatch metrics such as DataReadBytes, DataWriteBytes, MetadataOps, and others. You can also enable ONTAP-specific monitoring via the ONTAP CLI or API.
You've just covered FSx for NetApp ONTAP — now see how well it sticks with free SAA-C03 practice questions. Full explanations included, no account needed.
Done with this chapter?