Microsoft Workloads on AWS
How to use persistent storage with AWS Elastic Beanstalk Windows deployment.
Introduction
This blog post demonstrates how to use Amazon FSx for Windows File Server (FSxW) as persistent SMB storage for Windows applications running on AWS Elastic Beanstalk. The solution addresses common challenges with configuring persistent storage and enables direct access to SMB shares within AWS Elastic Beanstalk Windows environments while maintaining application performance, flexibility, and security without the need to manage the underlying infrastructure.
AWS Elastic Beanstalk allows developers to deploy, scale, and manage Internet Information Services (IIS)-based web applications on Amazon Web Services. As a managed platform, Elastic Beanstalk eliminates the majority of server management tasks by handling all deployment operations, including capacity provisioning, load balancing, auto-scaling, and health monitoring.
Windows-based distributed applications usually need centralized Windows file shares for data operations. In conventional setups, system administrators map SMB file shares directly to Windows hosts through Global Mappings. However, customers deploying Windows web applications on AWS Elastic Beanstalk face specific challenges implementing persistent storage solutions. AWS Elastic Beanstalk’s ephemeral environment forces applications to use persistent external storage through virtual directory mappings, which requires additional configuration steps that complicate the implementation of persistent shared file storage.
The solution presented in this blog post maps an Amazon FSx for Windows File Server (FSxW) share directly as a drive on each provisioned AWS Elastic Beanstalk EC2 instance in an Amazon EC2 Auto Scaling group, using AWS Elastic Beanstalk’s .ebextensions feature. Configuration files in .ebextensions let developers modify their environments comprehensively without requiring SSH or RDP access to instances. The solution overview details how to implement these configurations using .ebextensions to automate environment setup.
Solution overview

Figure 1 – Elastic beanstalk solution architecture
Figure 1 provides an overview of a customized Amazon Elastic Beanstalk solution, emphasizing security features that provide data confidentiality, integrity, and availability. Security is enforced through a combination of existing user identities, roles, and permissions. This implementation uses Access Control Lists (ACLs) with AD permissions and stores secure credentials in AWS Systems Manager Parameter Store. It leverages Amazon FSx for Windows File Server to provide persistent storage for .NET web application servers using customized Elastic Beanstalk configurations. When instance scaling occurs, the solution automatically maps persistent storage drives to Amazon EC2 instances within the Amazon EC2 Auto Scaling group.
As shown in the Figure 1 workflow, during AWS Elastic Beanstalk deployment a PowerShell script executes the New-SMBGlobalMapping cmdlet to map Amazon FSx for Windows File Server SMB shares to the Amazon EC2 instance. The .ebextensions configuration files in the application source code automate this process. The solution injects Microsoft AD credentials into the Elastic Beanstalk instance at startup, enabling the PowerShell script to authenticate to the domain and map the file share. AWS Systems Manager Parameter Store securely stores the file share path, username, and password. The IAM instance profile role provides the necessary permissions to retrieve these parameters from the Parameter Store.
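The mapping step described above can be sketched as follows. This is an added example, not the script shipped in the post's deployment package; the parameter names under `/eb-app/fsx` and the drive letter `Z:` are hypothetical, and it assumes AWS Tools for PowerShell is installed on the instance with a default region configured.

```powershell
# Added example (not from the original post). Parameter names and the drive
# letter are hypothetical; use the names you created in Parameter Store.
$ErrorActionPreference = 'Stop'
$prefix      = '/eb-app/fsx'   # hypothetical Parameter Store path
$driveLetter = 'Z:'            # hypothetical drive letter

# The instance profile role must allow ssm:GetParameter on these names
# (and kms:Decrypt if the SecureString uses a customer managed KMS key).
$sharePath = (Get-SSMParameter -Name "$prefix/share-path").Value
$userName  = (Get-SSMParameter -Name "$prefix/username").Value

# Decrypt the SecureString parameter and wrap it immediately so the
# plaintext password is never assigned to a variable or written to a log.
$secure = ConvertTo-SecureString -AsPlainText -Force -String `
    (Get-SSMParameter -Name "$prefix/password" -WithDecryption $true).Value
$credential = [System.Management.Automation.PSCredential]::new($userName, $secure)

# Idempotent: deployments rerun this script, so reuse a mapping that already
# points at the right share and replace one that points elsewhere.
$existing = Get-SmbGlobalMapping -LocalPath $driveLetter -ErrorAction SilentlyContinue
if ($existing -and $existing.RemotePath -ne $sharePath) {
    Remove-SmbGlobalMapping -LocalPath $driveLetter -Force
    $existing = $null
}
if (-not $existing) {
    # -RequirePrivacy requests SMB encryption in transit for this mapping.
    New-SmbGlobalMapping -RemotePath $sharePath -LocalPath $driveLetter `
        -Credential $credential -Persistent $true -RequirePrivacy $true | Out-Null
}

# Log the outcome without echoing any secret material.
Write-Output "Mapped $driveLetter to $sharePath as $userName"
```

A script like this would be invoked from a command entry in an .ebextensions configuration file so that it runs on every instance the Auto Scaling group launches.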
Prerequisites
Implementing this solution relies on some prerequisites. You must have an operational file server environment with Active Directory configured and proper permissions set up. Alternatively, download the CloudFormation template to deploy the Amazon FSx for Windows server test environment along with AWS Managed AD.
This template performs the following steps:
- Deploy new AWS networking foundational services such as a VPC, subnets, an internet gateway, and a NAT gateway, together with Amazon FSx for Windows File Server and AWS Managed AD services (e.g., example.com) in a VPC with private subnets.
- Deploy one Amazon Elastic Compute Cloud (EC2) Windows instance (Admin instance) with Remote Server Administration Tools (RSAT). Use this to manage users with AWS Directory Service for Microsoft Active Directory (AWS Managed AD) and Amazon FSx for Windows File Server.
- We are using the default admin account from AWS Managed AD for demonstration purposes (for example, admin@example.com). For production workloads, a dedicated service account is recommended.
- Make sure you have proper IAM permissions in place that allow the Amazon EC2 instances deployed by Elastic Beanstalk to access AWS Systems Manager Parameter Store.
To allow secure access to the file server, create entries in AWS Systems Manager Parameter Store. Parameters should specify the username (e.g., admin@example.com), the password stored as a SecureString, and the file share name (e.g., \\amznfsxkh2drcf0.example.com\Share). Figure 2 provides an example of creating the required entries in the AWS Systems Manager Parameter Store.

Figure 2 – Secure credentials stored in AWS Systems Manager Parameter Store
Finally, create a key pair for the Elastic Beanstalk deployment if you want to log in to the instances deployed by AWS Elastic Beanstalk interactively.
Walkthrough
Now that the prerequisites described in the previous section are in place, let’s deploy AWS Elastic Beanstalk Windows web instances with persistent storage using the customized deployment bundle.
Deploy customized AWS Elastic Beanstalk environment.
To create a sample application using the customized deployment package, follow these steps.
- Open the Elastic Beanstalk console.
- Choose Create application.
Figure 3 – Getting started with Amazon Elastic Beanstalk
- For Application name, enter eb-app and choose Create.
- For domain, provide a value or keep the default to autogenerate a value.
Figure 4 – Amazon Elastic Beanstalk application name and domain configuration
- For Platform, choose .NET on Windows Server.
Figure 5 – Elastic Beanstalk Platform details
- Provide a Version label to identify the application version (for example, v1). Then download the customized deployment package to your computer and upload it as your source bundle using the Choose file option shown in Figure 6.
Figure 6 – Upload Application deployment package
- Select High availability.
- On the Configure service access page, choose Create and use new service role.
- Provide the EC2 key pair and select the EC2 instance profile from the dropdown list. Make sure the IAM instance profile role has proper permissions for the SSM service and AWS Parameter Store as mentioned in the prerequisites.
- Select the appropriate Amazon VPC, choose a subnet in each AZ for the instances that run your application, and select Activate to assign a public IP address to the Amazon EC2 instances in your environment.
- Select the proper networking and security group settings on the page and keep the defaults.
- The Review page displays a summary of all your choices.
- Choose Submit at the bottom of the page.
Once the sample application deployment completes, Elastic Beanstalk creates an Amazon EC2 instance with the Amazon FSx file share mapped as a drive, plus the additional configurations defined by the .ebextensions configuration files listed below.
- .ebextensions/amazon-inspector-install.config – This configuration file installs Amazon Inspector Agents on the Windows instance launched under Elastic Beanstalk.
- .ebextensions/change-iislog-location.config – This configuration file uses appcmd.exe to set the IIS log file directory to a custom folder path.
- .ebextensions/enable-windowsupdate-dotnet.config – This configuration file runs a PowerShell script that modifies the Windows registry to allow Windows Update and configures it to automatically download and schedule updates.
- .ebextensions/web-http-tracing.config – This configuration file installs the Windows feature called Web-http-tracing on the Windows instance launched under AWS Elastic Beanstalk.
- .ebextensions/smbmapping.config – This configuration file maps the FSx shared network drive on Windows instances deployed by the AWS Elastic Beanstalk service.
I have provided sample pre-created config files for your reference. To use a configuration file, you need a folder named .ebextensions in the root of your application source bundle, with the .config file saved in that folder. Check the downloaded deployment package to see the sample config files under the .ebextensions folder, as shown in Figure 7.

Figure 7 – Ebextensions config sample files
Note:
- For blog post purposes, this deployment uses AWS Managed AD with Amazon FSx for Windows File Server, but the design also supports any SMB storage with self-managed AD. Additionally, Amazon EC2 file servers and Amazon FSx for NetApp ONTAP remain viable alternative integration options for your Windows web environment hosted on AWS Elastic Beanstalk.
Verify mapped drive
- To check the mapped drive on a scaled EC2 instance, change the desired count in the Elastic Beanstalk Auto Scaling group to launch more EC2 instances.
- Connect to your deployed Amazon EC2 instances using Fleet manager or connect Amazon EC2 instance using AWS Session manager to check mapped drive.
Troubleshooting
There are multiple components in this solution that can cause the share not to map to the Amazon EC2 instances. For example:
- Network path between the container ENI, the SMB share, and the AD domain controllers is blocked. A tool to use is the AWS VPC Reachability Analyzer.
- Misconfigured Systems Manager Parameter Store parameters: incorrect password, wrong username, etc.
- IAM permissions to look up Parameter Store for credentials and FSx share information.
- Permissions on the SMB share granted to the AD service account that you’re using to map the drive to instances deployed by Amazon Elastic Beanstalk at startup.
- AD service account is locked out, or you need to reset your AD account password.
- Missing .config file or wrong file location. The file must be part of the “.ebextensions” directory at root level within your deployment package.
- Watch your environment’s events while developing and testing configuration files. Elastic Beanstalk ignores a configuration file that contains validation errors, like an invalid key, and doesn’t process any of the other keys in the same file. When this happens, Elastic Beanstalk adds a warning event to the event log.
- Guidance for troubleshooting issues with your Elastic Beanstalk environment.
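The verification and troubleshooting items above can be checked in one pass from a Session Manager or Fleet Manager session on an instance. This is an added example, not part of the original post; the `Test-FsxMapping` function, the `/eb-app/fsx/share-path` parameter name and the `Z:` drive letter are hypothetical, and AWS Tools for PowerShell is assumed to be installed.

```powershell
# Added example (not from the original post). Function name, parameter path
# and drive letter are hypothetical. Run as administrator on the instance.
function Test-FsxMapping {
    param(
        [string]$Prefix      = '/eb-app/fsx',   # hypothetical parameter path
        [string]$DriveLetter = 'Z:'             # hypothetical drive letter
    )
    $r = [ordered]@{}

    # 1. IAM and Parameter Store: can the instance role read the share path?
    try {
        $share = (Get-SSMParameter -Name "$Prefix/share-path" -ErrorAction Stop).Value
        $r.ParameterStore = 'OK'
    } catch {
        $r.ParameterStore = "FAILED: $($_.Exception.Message)"
        return [pscustomobject]$r   # later checks need the share path
    }

    # 2. Network path: is SMB (TCP 445) reachable on the file server?
    $server = $share.TrimStart('\').Split('\')[0]
    $tcp = Test-NetConnection -ComputerName $server -Port 445 -WarningAction SilentlyContinue
    $r.Smb445 = if ($tcp.TcpTestSucceeded) { 'OK' } else { "BLOCKED to $server" }

    # 3. Mapping: does the global mapping exist and point at the right share?
    $map = Get-SmbGlobalMapping -LocalPath $DriveLetter -ErrorAction SilentlyContinue
    $r.Mapping = if (-not $map) { 'MISSING' }
                 elseif ($map.RemotePath -ne $share) { "WRONG TARGET: $($map.RemotePath)" }
                 else { "$($map.Status)" }

    # 4. Share permissions: can the mapped account list the share root?
    $r.ShareAccess = if ($map -and (Test-Path -Path "$DriveLetter\")) { 'OK' } else { 'NO ACCESS' }

    [pscustomobject]$r
}

Test-FsxMapping | Format-List
```

A failure at step 1 points to IAM or parameter naming, step 2 to security groups or routing, and steps 3 and 4 to the credentials or the share ACLs.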
Cleanup
- Configuring AWS services from this blog will provision resources that incur cost. It is a best practice to delete configurations and resources that you are no longer using so that you do not incur unintended charges.
- Delete the Elastic Beanstalk environment and any resources you have deployed for this demonstration, for example the CloudFormation stack, AWS Managed AD, and the Amazon FSx service.
Conclusion
In this blog post, we have presented a custom solution designed to deliver persistent Amazon FSx SMB storage to your Windows EC2 instances operating within the Amazon Elastic Beanstalk environment. This solution is versatile, accommodating any SMB storage type based on your specific workload requirements. Furthermore, the solution details the process of installing custom agents and enabling specific configurations during the deployment of Windows .NET applications. This is achieved through the utilization of Amazon Elastic Beanstalk’s custom deployment features, allowing for tailored application environments that meet precise operational needs.
Additional Resources
Configuring Amazon Elastic beanstalk Windows environment with customizations.
Using the Elastic Beanstalk .NET Windows platform
Elastic beanstalk Tutorials and samples
How to use .ebextensions to customize elastic beanstalk environment