# Administering FSx for ONTAP resources
Administering resources

Using the AWS Management Console, AWS CLI, and ONTAP CLI and API, you can perform the following administrative actions for FSx for ONTAP resources:
+ Creating, listing, updating, and deleting file systems, storage virtual machines (SVMs), volumes, backups, and tags.
+ Managing access, administrative accounts and passwords, password requirements, SMB and iSCSI protocols, network accessibility for the mount targets of existing file systems

**Topics**
+ [

# Managing storage capacity
](managing-storage-capacity.md)
+ [

# Managing FSx for ONTAP file systems
](managing-file-systems.md)
+ [

# Managing FSx for ONTAP storage virtual machines
](managing-svms.md)
+ [

# Managing FSx for ONTAP volumes
](managing-volumes.md)
+ [

# Creating an iSCSI LUN
](create-iscsi-lun.md)
+ [

# Optimizing performance with Amazon FSx maintenance windows
](maintenance-windows.md)
+ [

# Managing throughput capacity
](managing-throughput-capacity.md)
+ [

# Managing SMB shares
](create-smb-shares.md)
+ [

# Managing FSx for ONTAP resources using NetApp applications
](managing-resources-ontap-apps.md)
+ [

# Tagging Amazon FSx resources
](tag-resources.md)

# Managing storage capacity


Amazon FSx for NetApp ONTAP provides a number of storage-related features you can use to manage storage capacity on your file system.

**Topics**
+ [

## FSx for ONTAP storage tiers
](#storage-tiers)
+ [

## Choosing the right amount of file system SSD storage
](#choose-ssd-capacity)
+ [

# File system storage capacity and IOPS
](storage-capacity-and-IOPS.md)
+ [

# Volume storage capacity
](volume-storage-capacity.md)

## FSx for ONTAP storage tiers
Storage tiers

Storage tiers are the physical storage media for an Amazon FSx for NetApp ONTAP file system. FSx for ONTAP offers the following storage tiers:
+ *SSD tier* – The user-provisioned, high-performance solid-state drive (SSD) storage that’s purpose-built for the active portion of your data set.
+ *Capacity pool tier* – Fully elastic storage that automatically scales to petabytes in size, and is cost-optimized for your infrequently accessed data.

An FSx for ONTAP volume is a virtual resource that, similar to folders, doesn't consume storage capacity. The data that you store—and that consumes physical storage—lives inside volumes. When you create a volume, you specify its size—which you can modify after it's created. FSx for ONTAP volumes are thin provisioned, and file system storage is not reserved in advance. Instead, SSD and capacity pool storage are allocated dynamically, as needed. A [tiering policy](volume-storage-capacity.md#data-tiering-policy), which you configure at the volume level, determines if and when data that's stored in the SSD tier transitions to the capacity pool tier.

The following diagram illustrates an example of data laid out across multiple FSx for ONTAP volumes in a file system.

![\[FSx for ONTAP SSD and capacity pool storage tiers logically provisioned across file system volumes.\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/images/fsx-ontap-volume-virtual-resource.png)


The following diagram illustrates how the file system's physical storage capacity is consumed by the data in the four volumes in the previous diagram.

![\[How the SSD, or primary storage tier, and the capacity pool storage tier usage of the file system's physical storage capacity looks across all volumes in a file system.\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/images/fsx-ontap-storage-tiers-physical-resource.png)


You can reduce your storage costs by choosing the tiering policy that best meets the requirements for each volume on your file system. For more information, see [Volume data tiering](volume-storage-capacity.md#volume-data-tiering).

## Choosing the right amount of file system SSD storage
Choosing file system storage capacity

When choosing amount of SSD storage capacity for your FSx for ONTAP file system, you need to keep in mind the following items that impact the amount of SSD storage available for storing your data:
+ Storage capacity reserved for the NetApp ONTAP software overhead.
+ File metadata
+ Recently written data
+ Files that you intend to store on SSD storage, whether it's data that hasn't hit its cooling period, or data that you recently read that was retrieved back to SSD.

### How SSD storage is used


Your file system's SSD storage is used for a combination of NetApp ONTAP software (overhead), file metadata, and your data.

#### NetApp ONTAP software overhead


Like other NetApp ONTAP file systems, up to 16% of a file system's SSD storage capacity is reserved for ONTAP overhead, which means it's not available for storing your files. The ONTAP overhead is allocated as follows:
+ 11% is reserved for NetApp ONTAP software. For file systems with over 30 tebibytes (TiB) of SSD storage capacity, 6% is reserved.
+ 5% is reserved for aggregate snapshots, which are required to synchronize data between both of a file system's file servers.



#### File metadata


File metadata typically consumes 3-7% of the storage capacity that is consumed by the files. This percentage depends on the average file size (a smaller average file size requires more metadata), and the amount of storage efficiency savings achieved on your files. Note that file metadata doesn't benefit from storage efficiency savings. You can use the following guidelines for estimating the amount of SSD storage used for metadata on your file system.


| Average file size | Size of metadata as a percentage of file data | 
| --- | --- | 
|  4 KB  |  7%  | 
|  8 KB  |  3.5%  | 
|  32 KB or greater  |  1-3%  | 

When sizing the amount of SSD storage capacity you need for the metadata of files you plan to store on the capacity pool tier, we recommend using a conservative ratio of 1 GiB of SSD storage for every 10 GiB of data you plan to store on the capacity pool tier.

#### File data stored on your SSD tier


In addition to your active data set and all file metadata, all data written to your file system is initially written to the SSD tier before being tiered-off to capacity pool storage. This is true regardless of the volume's tiering policy, with the exception that data is written directly to capacity pool storage when using SnapMirror on a volume configured with an **All** data tiering policy.

Random reads from the capacity pool tier are cached in the SSD tier, as long as the SSD tier is under 90% utilization. For more information, see [Volume data tiering](volume-storage-capacity.md#volume-data-tiering).

### Recommended SSD capacity utilization


We recommend that you do not exceed 80% utilization of your SSD storage tier on an ongoing basis. For second-generation file systems, we additionally recommend that you don't exceed 80% utilization of any of your file system's aggregates on an ongoing basis. These recommendations is consistent with NetApp's recommendation for ONTAP. Because your file system’s SSD tier is also used for staging writes to, and for random reads from, the capacity pool tier, any sudden changes in access patterns can quickly cause the utilization of your SSD tier to increase.

At 90% SSD utilization, data read from the capacity pool tier is no longer cached on the SSD tier so that the remaining SSD capacity is preserved for any new data that is written to the file system. This causes repeat reads of the same data from the capacity pool tier to be read from capacity pool storage instead of being cached and read from the SSD tier, which can impact the throughput capacity your file system.

All tiering functionality stops when the SSD tier is at or above 98% utilization. For more information, see [Tiering thresholds](volume-storage-capacity.md#storage-tiering-thresholds).

### Storage efficiency
Storage efficiency

NetApp ONTAP offers block-level storage efficiency features at the volume level that include compression, compaction, and deduplication. These features can save you up to 65% in storage capacity for general file shares, without sacrificing performance. You can enable storage efficiency on a per volume basis. These features reduce the amount of storage capacity that your data consumes, allowing you to consume less storage spaces in SSD, capacity pool, and backups storage. You can enable compression and deduplication on each volume for data in SSD storage. Storage savings from compression and deduplication in SSD storage is preserved when data is tiered to capacity pool storage. Storage efficiency is always enabled for backup data, regardless of your file system's storage efficiency configuration.

The following table shows examples of typical storage savings.


|  | Compression only | Deduplication only | Compression & deduplication | 
| --- | --- | --- | --- | 
| General-purpose file shares | 50% | 30% | 65% | 
| Virtual servers and desktops | 55% | 70% | 70% | 
| Databases | 65-70% | 0% | 65-70% | 
| Engineering data | 55% | 30% | 75% | 
| Geoseismic data | 40% | 3% | 40% | 

For most workloads, enabling compression and deduplication will not adversely impact file system performance. For most workloads, compression increases overall performance. To provide fast reads and writes from RAM cache, FSx for ONTAP file servers are equipped with higher levels of network bandwidth on the front-end network interface cards (NICs) than is available between the file servers and storage disks. Since data compression reduces the amount of data sent between file servers and storage disks, for most workloads, you will see an increase in overall file system throughput capacity when using data compression. Increases in throughput capacity related to data compression will be capped once you saturate the front-end NIC of your file system.

Amazon FSx for NetApp ONTAP also supports other ONTAP features that save you space, including snapshots, thin provisioning, and FlexClone volumes.

Storage efficiency features are not enabled by default. You can enable them as follows:
+ On an SVM's root volume when you [create a file system](creating-file-systems.md).
+ When you [create a new volume](creating-volumes.md).
+ When you [modify an existing volume](updating-volumes.md).

To view the amount of storage savings on a file system with storage efficiency enabled, see [Monitoring storage efficiency savings](view-storage-efficiency.md).

#### Calculating storage efficiency savings


You can use the `LogicalDataStored` and `StorageUsed` FSx for ONTAP CloudWatch file system metrics to calculate storage savings from compression, deduplication, compaction, snapshots, and FlexClones. These metrics have a single dimension, `FileSystemId`. For more information, see [File system metrics](file-system-metrics.md).
+ To compute storage-efficiency savings in bytes, take the Average of `StorageUsed` over a given period and subtract it from the Average of `LogicalDataStored` over the same period.
+ To compute storage-efficiency savings as a percentage of total logical data size, take the `Average` of `StorageUsed` over a given period and subtract it from the `Average` of `LogicalDataStored` over the same period. Then divide the difference by the `Average` of `LogicalDataStored` over the same period.

#### SSD sizing example


Assume you want to store 100 TiB of data for an application where 80% of the data is infrequently accessed. In this scenario, 80% (80 TiB) of your data is automatically tiered to the capacity pool tier and the remaining 20% (20 TiB) remains in SSD storage. Based on the typical storage efficiency savings of 65% for general-purpose file sharing workloads, that equates to 7 TiB of data. To maintain an 80% SSD utilization rate, you need 8.75 TiB of SSD storage capacity for the 20 TiB of actively-accessed data. The amount of SSD storage that you provision also needs to account for the ONTAP software storage overhead of 16%, as shown in the following calculation.

```
ssdNeeded = ssdProvisioned * (1 - 0.16)
8.75 TiB / 0.84 = ssdProvisioned
10.42 TiB = ssdProvisioned
```

So in this example, you need to provision at least 10.42 TiB of SSD storage. You will also use 28 TiB of capacity pool storage for the remaining 80 TiB of infrequently accessed data.

# File system storage capacity and IOPS


When you create an FSx for ONTAP file system, you specify the storage capacity of the SSD tier. For second-generation Single-AZ file systems, the storage capacity that you specify is spread evenly among the storage pools of each high-availability (HA) pair; these storage pools are called *aggregates*.

For each GiB of SSD storage that you provision, Amazon FSx automatically provisions 3 SSD input/output operations per second (IOPS) for the file system, up to a maximum of 160,000 SSD IOPS per file system. For second-generation Single-AZ file systems, your SSD IOPS are spread evenly across each of your file system's aggregates. You have the option to specify a level of provisioned SSD IOPS above the automatic 3 SSD IOPS per GiB. For more information about the maximum number of SSD IOPS that you can provision for your FSx for ONTAP file system, see [Impact of throughput capacity on performance](performance.md#impact-throughput-cap-performance).

**Topics**
+ [

## Updating file system SSD storage and IOPS
](#increase-primary-storage)
+ [

## When to increase SSD storage capacity
](#when-to-increase-ssd-capacity)
+ [

## Increasing SSD storage capacity
](#increasing-ssd-capacity)
+ [

## Considerations for increasing SSD storage capacity
](#increasing-considerations)
+ [

## When to decrease SSD storage capacity
](#when-to-decrease-ssd-storage-capacity)
+ [

## Decreasing SSD storage capacity
](#decreasing-ssd-capacity)
+ [

## Considerations for decreasing SSD storage capacity
](#decreasing-considerations)
+ [

## Limitations for decreasing SSD storage capacity
](#decreasing-limitations)
+ [

# Creating a storage capacity utilization alarm for your file system
](alarm-low-primary-storage.md)
+ [

# Updating storage capacity and provisioned IOPS
](increase-storage-capacity.md)
+ [

# Updating storage capacity dynamically
](automate-storage-capacity-increase.md)
+ [

# Monitoring SSD storage utilization
](monitor-fs-storage-console.md)
+ [

# Monitoring storage efficiency savings
](view-storage-efficiency.md)
+ [

# Monitoring storage capacity and IOPS updates
](monitoring-storage-capacity-increase.md)

## Updating file system SSD storage and IOPS
Updating SSD storage and IOPS

When you need additional storage for the active portion of your data set, you can increase the SSD storage capacity of your Amazon FSx for NetApp ONTAP file system. For second-generation file systems, you can even decrease SSD storage capacity to match your workload's changing storage needs. Use the Amazon FSx console, Amazon FSx API, or AWS Command Line Interface (AWS CLI) to increase or decrease the SSD storage capacity. For more information, see [Updating storage capacity and provisioned IOPS](increase-storage-capacity.md).

## When to increase SSD storage capacity


If you're running out of available SSD tier storage, we recommend that you increase the storage capacity of your file system. Running out of storage indicates that your SSD tier is undersized for the active portion of your data set.

To monitor the amount of free storage that's available on the file system, use the file system-level `StorageCapacity` and `StorageUsed` Amazon CloudWatch metrics. You can create a CloudWatch alarm on a metric and be notified when it drops below a specific threshold. For more information, see [Monitoring with Amazon CloudWatch](monitoring-cloudwatch.md).

**Note**  
We recommend that you don't exceed 80% SSD storage capacity utilization to ensure that data tiering, throughput scaling, and other maintenance activities function properly, and that there is capacity available for additional data. For second-generation file systems, this recommendation applies to both the average utilization across all of your file system's aggregates and to each individual aggregate. 

For more information about how a file system's SSD storage is used and how much SSD storage is reserved for file metadata and operating software, see [Choosing the right amount of file system SSD storage](managing-storage-capacity.md#choose-ssd-capacity).

## Increasing SSD storage capacity
Increasing SSD capacity

When you increase the SSD storage capacity of your Amazon FSx file system, the new capacity is typically available for use within minutes. You're billed for the new SSD storage capacity after it becomes available to you. For more information, see [Amazon FSx for NetApp ONTAP Pricing](https://aws.amazon.com/fsx/netapp-ontap/pricing/) and [AWS billing and usage reports for FSx for ONTAP](FSxONTAP-Billing.md).

After you increase your storage capacity, Amazon FSx runs a storage optimization process in the background to rebalance your data. For most file systems, storage optimization takes a few hours with minimal noticeable impact to your workload performance.

You can track the progress of the storage optimization process at any time by using the Amazon FSx console, AWS CLI, and API. For more information, see [Monitoring storage capacity and IOPS updates](monitoring-storage-capacity-increase.md).

## Considerations for increasing SSD storage capacity
Considerations for increasing SSD storage capacity

Here are a few important items to consider when increasing your file system's SSD storage capacity and IOPS:
+ **(First-generation file systems only) Storage capacity increase only** – You can only increase the amount of SSD storage capacity for a file system; you can't decrease the storage capacity.
+ **Storage capacity minimum increase** – Each SSD storage capacity increase must be a minimum of 10% of the file system's current SSD storage capacity, up to the maximum SSD storage capacity for your file system's configuration.
+ **Time between increases** – After increasing SSD storage capacity, provisioned IOPS, or throughput capacity on a file system, you must wait at least six hours before modifying any of these configurations on the same file system again. This is sometimes referred to as a cooldown period.
+ **Provisioned IOPS modes** – For a provisioned IOPS change, you must specify one of the two IOPS modes:
  + **Automatic** mode – Amazon FSx automatically scales your SSD IOPS to maintain 3 provisioned SSD IOPS per GiB of SSD storage capacity, up to the maximum SSD IOPS for your file system configuration.
**Note**  
For more information about the maximum number of SSD IOPS that you can provision for your FSx for ONTAP file system, see [Impact of throughput capacity on performance](performance.md#impact-throughput-cap-performance).
  + **User-provisioned** mode – You specify the number of SSD IOPS, which must be greater than or equal to 3 IOPS per GiB of SSD storage capacity. If you choose to provision a higher level of IOPS, you pay for the average IOPS provisioned above your included rate for the month, which is measured in IOPS-months.

For more information about pricing, see [Amazon FSx for NetApp ONTAP Pricing](https://aws.amazon.com/fsx/netapp-ontap/pricing/).

## When to decrease SSD storage capacity


 You might want to decrease your FSx for ONTAP second-generation file system's SSD storage capacity in scenarios such as the following: 
+  After completing project-based workloads where high-performance storage is no longer needed 
+  After completing large-scale data migrations where temporary extra capacity was used to accelerate data ingestion 

## Decreasing SSD storage capacity


 When you decrease SSD storage capacity of your file system, Amazon FSx attaches a new, smaller set of disks (aggregate) to each of your file system's HA pairs. Amazon FSx then runs a storage optimization process in the background to move data on a per-volume basis from the old disks to the new disks. After data in each volume has been moved, Amazon FSx redirects client access to volumes on the new disks. Amazon FSx then detaches the old disks from your file system. 

 You are billed for the existing and newly requested size of your SSD tier throughout the SSD decrease operation. For example, when you decrease SSD storage capacity from 10 tebibytes (TiB) to 5 TiB, you are billed for 15 TiB during the SSD decrease operation and 5 TiB after the SSD decrease operation is complete. For more information about billing, see [AWS billing and usage reports for FSx for ONTAP](FSxONTAP-Billing.md). 

 Decreasing SSD storage capacity can take between a few hours and a few weeks depending on factors such as the amount of data stored on your file system, the amount of net-new writes driven to your file system during the decrease operation, and the amount of network and disk resources available on the file system. 

 During the decrease operation, your data remains available for reads and writes. Most workloads experience minimal performance impact, though write-heavy workloads might experience temporary performance degradation. Brief I/O pauses (up to 60 seconds) might occur as client access is redirected to the new disks for each volume. 

 To minimize performance impact, you should maintain adequate headroom in your file system by ensuring that ongoing workloads don't consistently consume more than 50% CPU, 50% disk throughput, or 50% SSD IOPS before initiating an SSD decrease operation. You can monitor these utilization metrics in the **Monitoring & performance** tab of your file system in the Amazon FSx console. 

**Note**  
 If your SSD storage tier exceeds 80% utilization during the decrease operation, Amazon FSx pauses the operation and automatically resumes it after utilization falls below 80%. To decrease SSD utilization on the new disks, you can either tier data to capacity pool or delete data from volumes for which client access has been successfully redirected to the new set of disks. 

 If you need additional SSD capacity during a decrease operation, you can submit a request to increase SSD capacity by calling [https://docs.aws.amazon.com/cli/latest/reference/fsx/update-file-system.html](https://docs.aws.amazon.com/cli/latest/reference/fsx/update-file-system.html) in the AWS CLI or the equivalent [UpdateFileSystem](https://docs.aws.amazon.com/fsx/latest/APIReference/API_UpdateFileSystem.html) API operation and providing a new target value. Amazon FSx prioritizes completing the SSD increase request, so that the new SSD capacity is available for use within minutes before resuming the SSD decrease operation. 

## Considerations for decreasing SSD storage capacity


Here are a few important items to consider when decreasing a file system's SSD storage capacity and provisioned IOPS:
+  **Increasing storage capacity during a decrease operation** – You can increase SSD storage capacity of your file system even while a decrease operation is in progress. This flexibility allows you to ensure performance and availability in case any of your aggregates fill up during the decrease operation. If you increase SSD capacity to a size lower than the original capacity, Amazon FSx only adjusts the size of the newly requested (target) aggregate. However, if you increase the SSD capacity to a size greater than the original, Amazon FSx increases the size of both aggregates to match the new target value. For example, if you're decreasing storage capacity from 10,000 GiB to 5,000 GiB, and then request an increase to 7,000 GiB, only the target aggregate is increased to 7,000 GiB, resulting in a final SSD storage capacity of 7,000 GiB for your file system. But if you request an increase to 12,000 GiB, both aggregates are increased to 12,000 GiB. We suggest careful planning to avoid a scenario in which you have to increase SSD capacity to a size equal to or larger than the original SSD capacity. 
+ **Pausing SSD decrease** – Amazon FSx pauses an SSD decrease operation if you exceed 80% utilization on the new aggregate and automatically resumes the decrease operation once utilization falls below 80%.
+ **(Second-generation Single-AZ file systems only) Storage capacity spread** – The new storage capacity or SSD IOPS that you select for your file system is spread evenly across each of your file system's aggregates.
+ **Patching during storage capacity decrease** – Amazon FSx aborts moving data for a volume if your file system is patched during an SSD decrease operation. As a result, you may lose progress on the SSD decrease operation if a patch occurs during the operation. Amazon FSx automatically restarts the `vol move` after the patch operation is complete.
+ **Provisioned IOPS modes** – For a provisioned IOPS change, you must specify one of the two IOPS modes:
  + **Automatic** mode – Amazon FSx automatically scales your SSD IOPS to maintain 3 provisioned SSD IOPS per GiB of SSD storage capacity, up to the maximum SSD IOPS for your file system configuration. When decreasing SSD capacity, your automatic SSD IOPS will scale down proportionally.
**Note**  
For more information about the maximum number of SSD IOPS that you can provision for your FSx for ONTAP file system, see [Impact of throughput capacity on performance](performance.md#impact-throughput-cap-performance).
  +  **User-provisioned** mode – You must provide an IOPS value that is equal to or higher than your currently provisioned IOPS. When decreasing SSD capacity, you can retain additional user-provisioned SSD IOPS as long as they don't exceed the maximum SSD IOPS supported by the smaller aggregate (50 IOPS per GB of requested SSD capacity). If your provisioned IOPS are higher than the maximum supported by the smaller aggregate, reduce IOPS before decreasing SSD capacity. 
+  **Unsupported volume types** – Amazon FSx does not support decreasing storage capacity on file systems with SnapLock volumes, FlexClones, offline volumes, or data protection (DP) volumes that do not contain any snapshots. 
+  **Unsupported Operations During Shrink ** – You cannot offline volumes, move volumes, create FlexClones, create SnapLock volumes, or modify storage efficiency settings of volumes during the decrease operation. 

## Limitations for decreasing SSD storage capacity


The following limitations apply while decreasing SSD storage capacity of your file system:
+ **(Second-generation file systems only) Storage capacity decrease** – You can decrease the storage capacity only on second-generation file systems.
+ **Storage capacity minimum decrease** – Each SSD storage capacity decrease must be a minimum of 9 percent of the file system's current SSD storage capacity. The decrease should also ensure that your file system's resulting SSD capacity does not exceed 80% utilization after the decrease operation. For example, if your file system has 10,000 GiB of storage capacity and 5,000 GiB of storage used, you can decrease storage capacity down to 6,251 GiB such that your SSD utilization remains under 80%. You can decrease SSD storage capacity down to the minimum supported size of 1,024 GiB per HA pair.
+ To decrease SSD storage capacity on file systems that contain one or more volumes with more than 50 TiB of data in the SSD tier, you must provision at least 1,536 MB/s of throughput capacity per HA pair. If any volume contains more than 100 TiB of data in the SSD tier, you must provision at least 3,072 MB/s of throughput capacity per HA pair. For volumes with more than 200 TiB of data in the SSD tier, you must provision 6,144 MB/s of throughput capacity per HA pair.
+ **Time between updates** – After modifying SSD storage capacity, provisioned IOPS, or throughput capacity on a file system, you must wait at least six hours before modifying any of these configurations on the same file system again. This is sometimes referred to as a cooldown period.
+ You can increase but not decrease throughput capacity for your file system
+ You cannot add HA pairs to your file system
+  You cannot revert a volume to a previous state (using `volume snapshot restore`) while data in that volume is being moved to the new aggregate. However, you can run `volume snapshot restore` on other volumes that aren't being moved currently. 

# Creating a storage capacity utilization alarm for your file system
Creating a storage capacity utilization alarm

We recommend that you do not exceed an average SSD storage capacity utilization of 80% on an ongoing basis. Occasional SSD storage utilization spikes above 80% are acceptable. Maintaining an average utilization under 80% provides you with enough capacity to increase your storage without encountering issues. The following procedure shows how to create a CloudWatch alarm that alerts you to when your file system's SSD storage utilization is approaching 80%. 

**To create a file system storage capacity utilization alarm**

You can use the `StorageCapacityUtilization` metric to create an alarm that is triggered when one or more of your FSx for ONTAP file systems have reached a storage utilization threshold. 

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1.  In the left navigation pane, under **Alarms**, choose **All alarms**. Then, choose **Create alarm**. Within the create alarm wizard, choose **Select metric**. 

1. In the **graph explorer**, choose the **Multi source query** tab. 

1. In the **query builder**, choose the following: 
   + For **Namespace**, select **AWS/FSx** > **Detailed File System Metrics**. 
   + For **Metric name**, select **MAX(StorageCapacityUtilization)**.
   + For **Filter by**, you can optionally include or exclude specific file systems by their ID. If you leave **Filter by** empty, your alarm will trigger when any of your file systems exceed your alarm’s storage capacity utilization threshold.
   + Leave the rest of the options empty, and choose **Graph query**. 

1. Choose **Select metric**. Back in the wizard, in the **Metric** section, give your metric a **Label**. We recommend keeping the **Period** to 5 minutes.

1.  Under **Conditions**, choose the **Static threshold type**, whenever your metric is **Greater/Equal to 80**. 

1. Choose **Next** to go to the **Configure actions** page. 

**To configure alarm actions**

You can configure a variety of actions for your alarm to trigger when it reaches the threshold you configure. In this example, we choose a Simple Notification Service (SNS) topic, but you can learn about other actions in [Using Amazon CloudWatch alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html) in the *Amazon CloudWatch User Guide*.

1. In the **Notification** section, choose an SNS topic to notify when your alarm is in the `ALARM` state. You can choose an existing topic or create a new one. You will receive a subscription notification that you need to confirm before you’ll receive alarm notifications to the email address. 

1. Choose **Next**. 

**To finish the alarm**

Follow these instructions to complete the process of creating your CloudWatch alarm. 

1. On the **Add name and description** page, give your alarm a name, and optionally a description, then choose **Next**. 

1. Review everything you’ve configured in the **Preview and create** page, and then choose **Create alarm**. 

# Updating storage capacity and provisioned IOPS
Updating storage capacity and IOPS

You can increase or decrease a file system's SSD-based storage and the amount of provisioned SSD IOPS by using the Amazon FSx console, the AWS CLI, and the API.

## To increase SSD storage capacity or provisioned IOPS for a file system (console)


1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. In the left navigation pane, choose **File systems**. In the **File systems** list, select the FSx for ONTAP file system that you want to update SSD storage capacity and SSD IOPS for.

1. Choose **Actions** > **Update storage capacity**. Or, in the **Summary** section, choose **Update** next to the file system's **SSD storage capacity** value.

1. To increase SSD storage capacity, choose **Modify storage capacity**.

1. For **Input type**, choose one of the following: 
   + To enter the new SSD storage capacity as a percentage change from the current value, choose **Percentage**.
   + To enter the new value in GiB, choose **Absolute**.

1. Depending on the input type, enter a value for **Desired % increase**.
   + For **Percentage**, enter the percentage increase value. This value must be at least 10 percent greater than the current value.
   + For **Absolute**, enter the new value in GiB, up to the maximum allowed value of 196,608 GiB.

1. For **Provisioned SSD IOPS**, you have two options to modify the number of provisioned SSD IOPS for your file system:
   + If you want Amazon FSx to automatically scale your SSD IOPS to maintain 3 provisioned SSD IOPS per GiB of SSD storage capacity (up to a maximum of 160,000), choose **Automatic**.
   + If you want to specify the number of SSD IOPS, choose **User-provisioned**. Enter an absolute number of IOPS that's at least three times the amount of GiB of your SSD storage tier, and less than or equal to 160,000.
**Note**  
For more information about the maximum number of SSD IOPS that you can provision for your FSx for ONTAP file system, see [Impact of throughput capacity on performance](performance.md#impact-throughput-cap-performance).

1. Choose **Update**.
**Note**  
At the bottom of the prompt, a configuration preview is shown for your new SSD storage capacity and SSD IOPS. For second-generation file systems, the per-HA-pair value is also shown. 

## To increase SSD storage capacity and provisioned IOPS for a file system (CLI)


To increase the SSD storage capacity and provisioned IOPS for an FSx for ONTAP file system, use the AWS CLI command [update-file-system](https://docs.aws.amazon.com/cli/latest/reference/fsx/update-file-system.html) or the equivalent [UpdateFileSystem](https://docs.aws.amazon.com/fsx/latest/APIReference/API_UpdateFileSystem.html) API action. Set the following parameters with your values:
+ Set `--file-system-id` to the ID of the file system that you are updating.
+ To increase your SSD storage capacity, set `--storage-capacity` to the target storage capacity value, which must be at least 10 percent greater than the current value.
+ To modify your provisioned SSD IOPS, use the `--ontap-configuration DiskIopsConfiguration` property. This property has two parameters, `Iops` and `Mode`:
  + If you want to specify the number of provisioned IOPS, use `Iops=number_of_IOPS` (up to a maximum of 160,000) and `Mode=USER_PROVISIONED`. The IOPS value must be greater than or equal to three times the requested SSD storage capacity. If you're not increasing the storage capacity, the IOPs value must be greater than or equal to three times the current SSD storage capacity.
  + If you want Amazon FSx to automatically increase your SSD IOPS, use `Mode=AUTOMATIC` and don't use the `Iops` parameter. Amazon FSx will automatically maintain 3 SSD IOPS per GiB of the provisioned SSD storage capacity (up to a maximum of 160,000).
**Note**  
For more information about the maximum number of SSD IOPS that you can provision for your FSx for ONTAP file system, see [Impact of throughput capacity on performance](performance.md#impact-throughput-cap-performance).

The following example increases the file system’s SSD storage to 2000 GiB and sets amount of user provisioned SSD IOPS to 7000.

```
aws fsx update-file-system \
--file-system-id fs-0123456789abcdef0 \
--storage-capacity 2000 \
--ontap-configuration 'DiskIopsConfiguration={Iops=7000,Mode=USER_PROVISIONED}'
```

To monitor the progress of the update, use the [describe-file-systems](https://docs.aws.amazon.com/cli/latest/reference/fsx/describe-file-systems.html) AWS CLI command. Look for the `AdministrativeActions` section in the output.

For more information, see [AdministrativeAction](https://docs.aws.amazon.com/fsx/latest/APIReference/API_AdministrativeAction.html) in the *Amazon FSx for NetApp ONTAP API Reference*.

## To decrease SSD storage capacity for a file system (console)


1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. In the left navigation pane, choose **File systems**. In the **File systems** list, select the FSx for ONTAP file system that you want to update SSD storage capacity and SSD IOPS for.

1. Choose **Actions** > **Update file system** > **Update SSD storage capacity/IOPS**. Or, in the **Summary** section, choose **Update** next to the file system's **SSD storage capacity** value.

1. To decrease SSD storage capacity, for **Action type**, choose **Decrease**.

1. For **Input type**, choose one of the following: 
   + To enter the new SSD storage capacity as a percentage change from the current value, choose **Percentage**.
   + To enter the new value in GiB, choose **Absolute**.

1. Depending on the input type, do one of the following.
   + For **Percentage**, enter the **Desired % decrease** value. This value must be at least 9 percent less than the current value.
   + For **Absolute**, enter the **Desired storage capacity** value in GiB.

1. Choose **Update**.
**Note**  
At the bottom of the prompt, a configuration preview is shown for your new SSD storage capacity and SSD IOPS. For second-generation file systems, the per-HA-pair value is also shown. 

## To decrease SSD storage capacity and provisioned IOPS for a file system (CLI)


To decrease the SSD storage capacity and provisioned IOPS for an FSx for ONTAP file system, use the AWS CLI command [update-file-system](https://docs.aws.amazon.com/cli/latest/reference/fsx/update-file-system.html) or the equivalent [UpdateFileSystem](https://docs.aws.amazon.com/fsx/latest/APIReference/API_UpdateFileSystem.html) API action. Set the following parameters with your values:

1. To decrease SSD capacity, use the following command:

   ```
   aws fsx update-file-system \
   --file-system-id fs-0123456789abcdef0 \
   --storage-capacity 4096
   ```

   If you're using the user-provisioned IOPS mode and want to retain your current IOPS level, include the `DiskIopsConfiguration` parameter:

   ```
   aws fsx update-file-system \
   --file-system-id fs-0123456789abcdef0 \
   --storage-capacity 4096 \
   --ontap-configuration 'DiskIopsConfiguration={Iops=15000,Mode=USER_PROVISIONED}'
   ```

1. To monitor the progress of the decrease operation, use the **describe-file-systems** command:

   ```
   aws fsx describe-file-systems --file-system-id fs-0123456789abcdef0
   ```

   The command returns information about the decrease operation in the `AdministrativeActions` section. For example:

   ```
   {
       "FileSystem": {
           "StorageCapacity": 4096,
           "StorageType": "SSD",
           "AdministrativeActions": [
               {
                   "AdministrativeActionType": "FILE_SYSTEM_UPDATE",
                   "Message": "Moving data for [vol1 vol2]. 2 volume(s) remaining. https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/troubleshooting.html",
                   "ProgressPercent": 4,
                   "RequestTime": 1748981251.591,
                   "Status": "IN_PROGRESS",
                   "TargetFileSystemValues": {
                       "StorageCapacity": 4096
                   }
               }
           ]
       }
   }
   ```

To monitor the progress of the update, use the [https://docs.aws.amazon.com/cli/latest/reference/fsx/describe-file-systems.html](https://docs.aws.amazon.com/cli/latest/reference/fsx/describe-file-systems.html) AWS CLI command. Look for the `AdministrativeActions` section in the output.

For more information, see [https://docs.aws.amazon.com/fsx/latest/APIReference/API_AdministrativeAction.html](https://docs.aws.amazon.com/fsx/latest/APIReference/API_AdministrativeAction.html) in the Amazon FSx for NetApp ONTAP API Reference.

# Updating storage capacity dynamically
Updating storage capacity dynamically

You can use the following solution to dynamically increase the SSD storage capacity of an FSx for ONTAP file system when the amount of used SSD storage capacity exceeds a threshold that you specify. This AWS CloudFormation template automatically deploys all of the components that are required to define the storage capacity threshold, the Amazon CloudWatch alarm based on this threshold, and the AWS Lambda function that increases the file system’s storage capacity.

The solution automatically deploys all of the components needed, and uses the following parameters:
+ Your FSx for ONTAP file system ID.
+ The used SSD storage capacity threshold (numerical value). This is the percentage at which the CloudWatch alarm will be triggered.
+ The percentage by which to increase the storage capacity (%).
+ The email address used to receive scaling notifications.

**Topics**
+ [

## Architecture overview
](#storage-inc-architecture)
+ [

## CloudFormation template
](#storage-capacity-CFN-template)
+ [

## Automated deployment with CloudFormation
](#fsx-dynamic-storage-increase-deployment)

## Architecture overview


Deploying this solution builds the following resources in the AWS Cloud.

![\[Architecture diagram of the solution to automatically increase the storage capacity of an FSx for ONTAP file system.\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/images/dynamic-storage-scaling-architecture.png)


The diagram illustrates the following steps:

1. The CloudFormation template deploys a CloudWatch alarm, an AWS Lambda function, an Amazon Simple Notification Service (Amazon SNS) queue, and all required AWS Identity and Access Management (IAM) roles. The IAM role gives the Lambda function permission to invoke the Amazon FSx API operations.

1. CloudWatch triggers an alarm when the file system’s used storage capacity exceeds the specified threshold, and sends a message to the Amazon SNS queue. An alarm is triggered only when the file system’s used capacity exceeds the threshold continuously for a 5-minute period.

1. The solution then triggers the Lambda function that is subscribed to this Amazon SNS topic.

1. The Lambda function calculates the new file system storage capacity based on the specified percent increase value and sets the new file system storage capacity.

1. The original CloudWatch alarm state and results of the Lambda function operations are sent to the Amazon SNS queue.

To receive notifications about the actions that are performed as a response to the CloudWatch alarm, you must confirm the Amazon SNS topic subscription by following the link provided in the **Subscription Confirmation** email.

## CloudFormation template


This solution uses CloudFormation to automate deploying the components that are used to automatically increase the storage capacity of an FSx for ONTAP file system. To use this solution, download the [FSxOntapDynamicStorageScaling](https://solution-references.s3.amazonaws.com/fsx/DynamicScaling/FSxOntapDynamicStorageScaling.yaml) CloudFormation template.

The template uses the **Parameters** described as follows. Review the template parameters and their default values, and modify them for the needs of your file system.



**FileSystemId**  
No default value. The ID of the file system for which you want to automatically increase the storage capacity.

**LowFreeDataStorageCapacityThreshold**  
No default value. Specifies the used storage capacity threshold at which to trigger an alarm and automatically increase the file system's storage capacity, specified in percentage (%) of the file system's current storage capacity. The file system is considered to have low free storage capacity when the used storage exceeds this threshold.

**EmailAddress**  
No default value. Specifies the email address to use for the SNS subscription and receives the storage capacity threshold alerts.

**PercentIncrease**  
Default is **20%**. Specifies the amount by which to increase the storage capacity, expressed as a percentage of the current storage capacity.  
Storage scaling is attempted once every time the CloudWatch alarm enters the `ALARM` state. If your SSD storage capacity utilization remains above the threshold after a storage scaling operation is attempted, the storage scaling operation isn't attempted again.

**MaxFSxSizeinGiB**  
Default is **196608**. Specifies the maximum supported storage capacity for the SSD storage.

## Automated deployment with CloudFormation


The following procedure configures and deploys an CloudFormation stack to automatically increase the storage capacity of an FSx for ONTAP file system. It takes a few minutes to deploy. For more information about creating a CloudFormation stack, see [Creating a stack on the AWS CloudFormation console](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-create-stack.html) in the *AWS CloudFormation User Guide*.

**Note**  
Implementing this solution incurs billing for the associated AWS services. For more information, see the pricing details pages for those services.

Before you start, you must have the ID of the Amazon FSx file system that's running in the Amazon Virtual Private Cloud (Amazon VPC) in your AWS account. For more information about creating Amazon FSx resources, see [Getting started with Amazon FSx for NetApp ONTAP](getting-started.md).

**To launch the automatic storage capacity increase solution stack**

1. Download the [FSxOntapDynamicStorageScaling](https://solution-references.s3.amazonaws.com/fsx/DynamicScaling/FSxOntapDynamicStorageScaling.yaml) CloudFormation template.
**Note**  
Amazon FSx is currently only available in specific AWS Regions. You must launch this solution in an AWS Region where Amazon FSx is available. For more information, see [Amazon FSx endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/fsxn.html) in the *AWS General Reference*.

1. From the CloudFormation console, choose **Create stack > With new resources**.

1. Choose **Template is ready**. In the **Specify template** section, choose **Upload a template file** and upload the template that you downloaded.

1. In **Specify stack details**, enter the values for your automatic storage capacity increase solution.  
![\[The values entered for the Specify stack details page for the CloudFormation template\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/images/dynamic-storage-capacity-increase-cfn-stack.png)

1. Enter a **Stack name**.

1. For **Parameters**, review the parameters for the template and modify them to meet the needs of your file system. Then choose **Next**.
**Note**  
To receive email notifications when scaling is attempted by this CloudFormation template, confirm the SNS subscription email that you receive after deploying the template.

1. Enter the **Options** settings that you want for your custom solution, and then choose **Next**.

1. For **Review**, review and confirm the solution settings. You must select the check box acknowledging that the template creates IAM resources.

1. Choose **Create** to deploy the stack.

You can view the status of the stack in the CloudFormation console in the **Status** column. You should see a status of **CREATE\$1COMPLETE** in a few minutes.

### Updating the stack


After the stack is created, you can update it by using the same template and providing new values for the parameters. For more information, see [Updating stacks directly](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-direct.html) in the *AWS CloudFormation User Guide*.

# Monitoring SSD storage utilization


You can monitor your file system's SSD storage capacity utilization using a variety of AWS and NetApp tools. Using Amazon CloudWatch you can monitor storage capacity utilization and set alarms to alert you when storage capacity utilization reaches a customizable threshold.

**Note**  
We recommend that you don't exceed 80% storage capacity utilization of your SSD storage tier. This ensures that tiering functions properly, and provides overhead for new data. If your SSD storage tier is consistently above 80% storage capacity utilization, you can increase your SSD storage tier's capacity. For more information, see [Updating file system SSD storage and IOPS](storage-capacity-and-IOPS.md#increase-primary-storage).

You can view a file system's available SSD storage and the overall storage distribution in the Amazon FSx console. The **Available primary storage capacity** graph displays the amount of available SSD-based storage capacity on a file system over time. The **Storage distribution** graph shows how a file system's overall storage capacity is currently distributed over 3 categories:
+ Capacity pool tier
+ SSD tier - available
+ SSD tier - used

You can monitor your file system's SSD storage capacity utilization in the AWS Management Console, using the following procedure.

**To monitor file system available SSD tier storage capacity (console)**

1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. Choose **File systems** in the left-hand navigation column, then choose the ONTAP file system that you want to view storage capacity information for. The file system detail page appears.

1. In the second panel, choose the **Monitoring & performance** tab, then choose **Storage**. The **Available primary storage capacity** and **Storage capacity utilization per aggregate** graphs are displayed.

# Monitoring storage efficiency savings


 When enabled, you can see how much storage capacity you are saving in the Amazon FSx console, the Amazon CloudWatch console, and the ONTAP CLI.

**To view storage efficiency savings (console)**

The storage efficiency savings displayed in the Amazon FSx console for an FSx for ONTAP file system includes the savings from FlexClones and SnapShots.

1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. Choose the FSx for ONTAP file system that you want to view storage efficiency saving for from the list of **File systems**.

1. Choose **Summary** in the **Monitoring & performance** tab on the second panel in the file system details page.

1. The **Storage efficiency savings** chart shows how much space you are saving as a percentage of your logical data size and in physical bytes.<a name="storage-efficient-ontap-cli"></a>

**To view storage efficiency savings (ONTAP CLI)**

You can see storage efficiency savings of just compaction, compression, and deduplication – without the effects of snapshots and FlexClones – by running the `storage aggregate show-efficiency` command using the ONTAP CLI. For more information, see [storage aggregate show-efficiency](https://docs.netapp.com/us-en/ontap-cli-9131/storage-aggregate-show-efficiency.html) in the NetApp ONTAP Documentation Center.

1. To access the ONTAP CLI, establish an SSH session on the management port of the Amazon FSx for NetApp ONTAP file system or SVM by running the following command. Replace `management_endpoint_ip` with the IP address of the file system's management port.

   ```
   [~]$ ssh fsxadmin@management_endpoint_ip
   ```

   For more information, see [Managing file systems with the ONTAP CLI](managing-resources-ontap-apps.md#fsxadmin-ontap-cli). 

1. The **storage aggregate show-efficiency** command displays information about the storage efficiency of all the aggregates. The storage efficiency is displayed at four different levels:
   + Total
   + Aggregate
   + Volume
   + Snapshot and FlexClone volume

   ```
   ::*> aggr show-efficiency
   
   Aggregate: aggr1
        Node: node1
   
   Total Data Reduction Efficiency Ratio:  3.29:1
   Total Storage Efficiency Ratio:         4.29:1
   Aggregate: aggr2
        Node: node1
   
   Total Data Reduction Efficiency Ratio:  4.50:1
   Total Storage Efficiency Ratio:         5.49:1
   
   cluster::*> aggr show-efficiency -details
   
   Aggregate: aggr1
        Node: node1
   
   Total Data Reduction Ratio:                    2.39:1
   Total Storage Efficiency Ratio:                4.29:1
   
   Aggregate level Storage Efficiency
   (Aggregate Deduplication and Data Compaction): 1.00:1
   Volume Deduplication Efficiency:               5.03:1
   Compression Efficiency:                        1.00:1
   
   Snapshot Volume Storage Efficiency:            8.81:1
   FlexClone Volume Storage Efficiency:           1.00:1
   Number of Efficiency Disabled Volumes:         1
   
   Aggregate: aggr2
        Node: node1
   Total Data Reduction Ratio:                    2.39:1
   Total Storage Efficiency Ratio:                4.29:1
   
   Aggregate level Storage Efficiency
   (Aggregate Deduplication and Data Compaction): 1.00:1
   Volume Deduplication Efficiency:               5.03:1
   Compression Efficiency:                        1.00:1
   
   Snapshot Volume Storage Efficiency:            8.81:1
   FlexClone Volume Storage Efficiency:           1.00:1
   Number of Efficiency Disabled Volumes:         1
   ```

# Monitoring storage capacity and IOPS updates


You can monitor the progress of an SSD storage capacity and IOPS update by using the Amazon FSx console, CLI, and API.

## To monitor storage and IOPS updates (console)


In the **Updates** tab on the **File system details** page for your FSx for ONTAP file system, you can view the 10 most recent updates for each update type.

![\[A recent updates list for a file system as it appears in the Console.\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/images/fs-updates-panel.png)


For SSD storage capacity and IOPS updates, you can view the following information:

****Update type****  
Supported types are **Storage capacity**, **Mode**, and **IOPS**. The **Mode** and **IOPS** values are listed for all storage capacity and IOPS scaling requests. 

****Target value****  
The value that you specified to update the file system's SSD storage capacity or IOPS to.

****Status****  
The current status of the update. The possible values are as follows:  
+ **Pending** – Amazon FSx received the update request, but hasn't started processing it.
+ **In progress** – Amazon FSx is processing the update request.
+ **Updated; Optimizing** – Amazon FSx increased the file system's SSD storage capacity. The storage-optimization process is now rebalancing your data in the background.
+ **Completed** – The update finished successfully.
+ **Failed** – The update request failed. Choose the question mark (**?**) to see details.

****Progress %****  
Displays the progress of the storage-optimization process as the percentage complete.

****Request time****  
The time that Amazon FSx received the update action request.

## To monitor storage and IOPS updates (CLI)


You can view and monitor file system SSD storage capacity increase and decrease requests by using the [https://docs.aws.amazon.com/cli/latest/reference/fsx/describe-file-systems.html](https://docs.aws.amazon.com/cli/latest/reference/fsx/describe-file-systems.html) AWS CLI command and the [DescribeFileSystems](https://docs.aws.amazon.com/fsx/latest/APIReference/API_DescribeFileSystems.html) API operation. The `AdministrativeActions` array lists the 10 most recent update actions for each administrative action type. When you increase a file system's SSD storage capacity, two `AdministrativeActions` actions are generated: a `FILE_SYSTEM_UPDATE` and a `STORAGE_OPTIMIZATION` action. When you decrease a file system's SSD storage capacity, only one `AdministrativeActions` action is generated: a `FILE_SYSTEM_UPDATE` action. 

The following example shows an excerpt of the response of a `describe-file-systems` CLI command. The file system has a pending administrative action to increase the SSD storage capacity to 2000 GiB and the provisioned SSD IOPS to 7000.

```
"AdministrativeActions": [
    {
        "AdministrativeActionType": "FILE_SYSTEM_UPDATE",
        "RequestTime": 1586797629.095,
        "Status": "PENDING",
        "TargetFileSystemValues": {
            "StorageCapacity": 2000,
            "OntapConfiguration": {
                "DiskIopsConfiguration": {
                    "Mode": "USER_PROVISIONED",
                    "Iops": 7000
                }
             }
        }
    },
    {
        "AdministrativeActionType": "STORAGE_OPTIMIZATION",
        "RequestTime": 1586797629.095,
        "Status": "PENDING"
    }
]
```

Amazon FSx processes the `FILE_SYSTEM_UPDATE` action first, adding the new larger storage disks to the file system. When the new storage is available to the file system, the `FILE_SYSTEM_UPDATE` status changes to `UPDATED_OPTIMIZING`. The storage capacity shows the new larger value, and Amazon FSx begins processing the `STORAGE_OPTIMIZATION` administrative action. This behavior is shown in the following excerpt of the response of a `describe-file-systems` CLI command. 

The `ProgressPercent` property displays the progress of the storage-optimization process. After the storage-optimization process has completed successfully, the status of the `FILE_SYSTEM_UPDATE` action changes to `COMPLETED`, and the `STORAGE_OPTIMIZATION` action no longer appears.

```
"AdministrativeActions": [
    {
        "AdministrativeActionType": "FILE_SYSTEM_UPDATE",
        "RequestTime": 1586799169.445,
        "Status": "UPDATED_OPTIMIZING",
        "TargetFileSystemValues": {
            "StorageCapacity": 2000,
            "OntapConfiguration": {
                "DiskIopsConfiguration": {
                    "Mode": "USER_PROVISIONED",
                    "Iops": 7000
                }
            }
        }
    },
    {
        "AdministrativeActionType": "STORAGE_OPTIMIZATION",
        "ProgressPercent": 41,
        "RequestTime": 1586799169.445,
        "Status": "IN_PROGRESS"
    }
]
```

When decreasing SSD capacity, the `FILE_SYSTEM_UPDATE` action includes a `Message` property that provides information about which volumes are currently being moved and how many volumes remain. For example:

```
"AdministrativeActions": [
    {
        "AdministrativeActionType": "FILE_SYSTEM_UPDATE",
        "Message": "Moving data for [vol1 vol2]. 2 volume(s) remaining. https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/troubleshooting.html",
        "ProgressPercent": 8,
        "RequestTime": 1748981251.591,
        "Status": "IN_PROGRESS",
        "TargetFileSystemValues": {
            "StorageCapacity": 4096,
            "OntapConfiguration": {
                "DiskIopsConfiguration": {
                    "Mode": "AUTOMATIC",
                    "Iops": 12288
                }
            }
        }
    }
]
```

If the SSD decrease operation is paused because the target aggregate has exceeded 80% utilization, the status will change to `PAUSED` with an appropriate message:

```
"AdministrativeActions": [
    {
        "AdministrativeActionType": "FILE_SYSTEM_UPDATE",
        "Message": "Your file system has insufficient free space in its SSD tier. Please free up space or increase your file system's storage capacity.",
        "ProgressPercent": 8,
        "RequestTime": 1748981251.591,
        "Status": "PAUSED",
        "TargetFileSystemValues": {
            "StorageCapacity": 4096,
            "OntapConfiguration": {
                "DiskIopsConfiguration": {
                    "Mode": "AUTOMATIC",
                    "Iops": 12288
                }
            }
        }
    }
]
```

 If the storage capacity or IOPS update request fails, the status of the `FILE_SYSTEM_UPDATE` action changes to `FAILED`, as shown in the following example. The `FailureDetails` property provides information about the failure.

```
"AdministrativeActions": [
    {
        "AdministrativeActionType": "FILE_SYSTEM_UPDATE",
        "RequestTime": 1586373915.697,
        "Status": "FAILED",
        "TargetFileSystemValues": {
            "StorageCapacity": 2000,
            "OntapConfiguration": {
                "DiskIopsConfiguration": {
                    "Mode": "USER_PROVISIONED",
                    "Iops": 7000
                }
            }
        },
        "FailureDetails": {
            "Message": "failure-message"
        }
    }
]
```

# Volume storage capacity


FSx for ONTAP volumes are virtual resources that you use for grouping data, determining how data is stored, and determining the type of access to your data. Volumes, like folders, don't consume file system storage capacity themselves. Only the data that's stored in a volume consumes SSD storage and, depending on the [volume's tiering policy](#data-tiering-policy), capacity pool storage. You set a volume's size when you create it, and you can change its size later. You can monitor and manage the storage capacity of your FSx for ONTAP volumes using the AWS Management Console, AWS CLI and API, and the ONTAP CLI.

**Topics**
+ [

## Volume data tiering
](#volume-data-tiering)
+ [

## Snapshots and volume storage capacity
](#managing-snapshots)
+ [

## Volume file capacity
](#managing-volume-file-capacity)
+ [

# Managing storage efficiencies
](manage-vol-SE.md)
+ [

# Enabling autosizing
](enable-volume-autosizing.md)
+ [

# Enabling cloud write mode
](cloud-write-mode.md)
+ [

# Updating storage capacity
](manage-volume-capacity.md)
+ [

# Updating a tiering policy
](modify-volume-tiering-policy.md)
+ [

# Updating the minimum cooling days
](set-cooling-days.md)
+ [

# Updating a volume's cloud retrieval policy
](set-cloud-retrieval.md)
+ [

# Updating the maximum number of files on a volume
](increase-volume-max-files.md)
+ [

# Monitoring volume storage capacity
](monitor-volume-storage-console.md)
+ [

# Monitoring a volume's file capacity
](view-volume-file-capacity.md)

## Volume data tiering


An Amazon FSx for NetApp ONTAP file system has two storage tiers: primary storage and capacity pool storage. Primary storage is provisioned, scalable, high-performance SSD storage that’s purpose-built for the active portion of your data set. Capacity pool storage is a fully elastic storage tier that can scale to petabytes in size and is cost-optimized for infrequently accessed data.

The data on each volume is automatically tiered to the capacity pool storage tier based on the volume's tiering policy, cooling period, and threshold settings. The following sections describe ONTAP volume tiering policies and the thresholds used to determine when data is tiered to the capacity pool.

**Note**  
FSx for ONTAP supports tiering data to the capacity pool on all SnapLock volumes, regardless of the SnapLock type. For more information, see [How SnapLock works](how-snaplock-works.md).

### Volume tiering policies


You determine how to use your FSx for ONTAP file system’s storage tiers by choosing the tiering policy for each of volume on the file system. You choose the tiering policy when you create a volume, and you can modify it at any time with the Amazon FSx console, AWS CLI, API, or using [NetApp management tools](managing-resources-ontap-apps.md). You can choose from one of the following policies that determine which data, if any, is tiered to the capacity pool storage.

**Note**  
Tiering can move your file data and snapshot data to the capacity pool tier. However, file metadata always remains on the SSD tier. For more information, see [How SSD storage is used](managing-storage-capacity.md#how-ssd-is-used).
+ **Auto** – This policy moves all cold data—user data and snapshots—to the capacity pool tier. The cooling rate of data is determined by the policy's cooling period, which by default is 31 days, and is configurable to values between 2–183 days. When the underlying cold data blocks are read randomly (as in typical file access), they are made hot and written to the primary storage tier. When cold data blocks are read sequentially (for example, by an antivirus scan), they remain cold and remain on the capacity pool storage tier. This is the default policy when creating a volume using the Amazon FSx console.
+ **Snapshot Only** – This policy moves only snapshot data to the capacity pool storage tier. The rate at which snapshots are tiered to the capacity pool is determined by the policy's cooling period, which by default is set to 2 days, and is configurable to values between 2–183 days. When cold snapshot data are read, they are made hot and written to the primary storage tier. This is the default policy when creating a volume using the AWS CLI, Amazon FSx API, or the NetApp ONTAP CLI.
+ **All** – This policy marks all user data and snapshot data as cold, and stores it in the capacity pool tier. When data blocks are read, they remain cold and are not written to the primary storage tier. When data is written to a volume with the **All** tiering policy, it is still initially written to the SSD storage tier, and is tiered to the capacity pool by a background process. If the **All** policy is applied to a volume that already contains data, the existing data is tiered from SSD to the capacity pool. Note that file metadata always remains on the SSD tier.
+ **None** – This policy keeps all of your volume’s data on the primary storage tier, and prevents it from being moved to capacity pool storage. If you set a volume to this policy after it uses any other policy, existing data (including snapshots) in the volume that was in capacity pool storage is moved to SSD storage by a background process. This data migration only occurs when your SSD utilization is below 90% and the cloud retrieval policy is set to `promote` or `on-read`. This background process can be sped up by intentionally reading data. For more information, see [Cloud retrieval policies](#cloud-retrieval-policies).

For more information about setting or modifying a volume's tiering policy, see [Updating a tiering policy](modify-volume-tiering-policy.md).

 As a best practice, when migrating data that you plan to store long-term in capacity pool storage, we recommend that you use the **Auto** tiering policy on your volume. With **Auto** tiering, data is stored on the SSD storage tier for a minimum of 2 days (based on the volume's cooling period) before it's moved to the capacity pool tier. ONTAP runs post-process deduplication on data stored in the SSD storage tier periodically, automatically adjusting the frequency based on the rate of data change in the volume—higher rates trigger post-process deduplication jobs more frequently. 

By default, post-process compression is disabled in ONTAP due to the performance impact it can have on ongoing workloads on the file system. You should evaluate the impact on your workload's performance before enabling post-process compression. To enable post-process compression, assume the diagnostic privilege level in the ONTAP CLI and run the following command:

```
::> volume efficiency inactive-data-compression modify -vserver svm-name -volume vol-name -is-enabled true
```

ONTAP runs post-process compression for data that is retained on SSD storage for a minimum of 14 days. For workloads where data is unlikely to be accessed after a shorter period, you can modify the post-process compression settings to run post-process compression sooner. For example, to apply post-process compression savings to data that has not been accessed for 5 days, run the following ONTAP CLI command:

```
::> volume efficiency inactive-data-compression modify -vserver svm-name -volume vol-name -threshold-days 5 -threshold-days-min 2 -threshold-days-max 14
```

For more information about the command, see [volume efficiency inactive-data-compression modify](https://docs.netapp.com/us-en/ontap-cli-9141/volume-efficiency-inactive-data-compression-modify.html)

 By retaining data on SSD, you maximize the transfer speeds of volume backups that you create, as data transfer rates are higher for SSD storage.

### Tiering cooling period


A volume's tiering cooling period sets the amount of time that it takes for data in the SSD tier to be marked as cold. The cooling period applies to the `Auto` and `Snapshot-only` tiering policies. You can set the cooling period to a value in the range of 2–183 days. For more information about setting the cooling period, see [Updating the minimum cooling days](set-cooling-days.md).

Data is tiered 24–48 hours after its cooling period expires. Tiering is a background process that consumes network resources, and has a lower priority than client-facing requests. Tiering activities are throttled when there are ongoing client-facing requests.

### Cloud retrieval policies


A volume's cloud retrieval policy sets the conditions that specify when data that's read from the capacity pool tier is allowed to be promoted to the SSD tier. When the cloud retrieval policy is set to anything other than `Default`, this policy overrides the retrieval behavior of your volume’s tiering policy. A volume can have one of the following cloud retrieval policies:
+ **Default** – This policy retrieves tiered data based on the volume's underlying tiering policy. This is the default cloud retrieval policy for all volumes.
+ **Never** – This policy never retrieves tiered data, regardless of whether the reads are sequential or random. This is similar to setting the tiering policy of your volume to **All**, except that you can use it with other policies–**Auto**, **Snapshot-only**–to tier data according to the minimum cooling period instead of immediately.
+ **On-read** – This policy retrieves tiered data for all client-driven data reads. This policy has no effect when using the **All** tiering policy.
+ **Promote** – This policy marks all of a volume’s data that's in the capacity pool for retrieval to the SSD tier. The data is marked the next time the daily background tiering scanner runs. This policy is beneficial for applications that have cyclical workloads that run infrequently, but require SSD tier performance when they do run. This policy has no effect when using the **All** tiering policy.

For information on setting a volume's cloud retrieval policy, see [Updating a volume's cloud retrieval policy](set-cloud-retrieval.md).

### Tiering thresholds


A file system's SSD storage capacity utilization determines how ONTAP manages the tiering behavior for all of your volumes. Based on a file system's SSD storage capacity usage, the following thresholds set the tiering behavior as described. For information about how to monitor the capacity utilization of a volume's SSD storage tier, see [Monitoring volume storage capacity](monitor-volume-storage-console.md). 

**Note**  
We recommend that you don't exceed 80% storage capacity utilization of your SSD storage tier. For second-generation file systems, this recommendation applies to both the total average utilization across all of your file system's aggregates and to the utilization of each individual aggregate. This ensures that tiering functions properly, and provides overhead for new data. If your SSD storage tier is consistently above 80% storage capacity utilization, you can increase your SSD storage tier's capacity. For more information, see [Updating file system SSD storage and IOPS](storage-capacity-and-IOPS.md#increase-primary-storage).

FSx for ONTAP uses the following storage capacity thresholds to manage tiering on volumes:
+ **<=50% SSD storage tier utilization** – At this threshold, the SSD storage tier is considered to be underutilized, and only volumes that are using the **All** tiering policy have data tiered to capacity pool storage. Volumes with **Auto** and **Snapshot-only** policies don't tier data at this threshold.
+ **> 50% SSD storage tier utilization** – Volumes with **Auto** and **Snapshot-only** tiering policies tier data based on the tiering minimum cooling days setting. The default setting is 31 days.
+ **>=90% SSD storage tier utilization** – At this threshold, Amazon FSx prioritizes preserving space in the SSD storage tier. Cold data from the capacity pool tier is no longer moved into the SSD storage tier when read for volumes using **Auto** and **Snapshot-only** policies.
+ **>=98% SSD storage tier utilization** – All tiering functionality stops when the SSD storage tier is at or above 98% utilization. You can continue to read from storage tiers, but you can't write to the tiers.

## Snapshots and volume storage capacity
Snapshots and storage capacity

A *snapshot* is a read-only image of an Amazon FSx for NetApp ONTAP volume at a point in time. Snapshots offer protection against accidental deletion or modification of files in your volumes. With snapshots, your users can easily view and restore individual files or folders from an earlier snapshot.

Snapshots are stored alongside your file system's data, and they consume the file system's storage capacity. However, snapshots consume storage capacity only for the portions of files that changed since the last snapshot. Snapshots are not included in backups of your file system volumes.

Snapshots are enabled by default on your volumes, using the default snapshot policy. Snapshots are stored in the `.snapshot` directory at the root of a volume. You can manage volume storage capacity for snapshots in the following ways:
+ [Snapshot policies](snapshots-ontap.md#snapshot-policies) – Select a built-in snapshot policy or choose a custom policy that you created in the ONTAP CLI or REST API.
+ [Manually delete snapshots](manually-delete-snapshots.md) – Reclaim storage capacity by deleting snapshots manually.
+ [Create a snapshot autodelete policy](snapshot-autodelete-policy.md) – Create a policy that deletes more snapshots than the default snapshot policy.
+ [Turn off automatic snapshots](disable-snapshots.md) – Conserve storage capacity by turning off automatic snapshots.

For more information, see [Protecting your data with snapshots](snapshots-ontap.md).

## Volume file capacity


Amazon FSx for NetApp ONTAP volumes have file pointers that are used to store file metadata such as file name, last accessed time, permissions, size, and to serve as pointers to data blocks. These file pointers are called inodes, and each volume has a finite capacity for the number of inodes, which is called the volume file capacity. When a volume runs low on or exhausts its available files (inodes), you can't write additional data to that volume.

The number of file system objects—files, directories, Snapshot copies—a volume can contain is determined by how many inodes it has. The number of inodes in a volume increases commensurately with the volume's storage capacity (and the number of volume constituents for FlexGroup volumes). By default, FlexVol volumes (or FlexGroup constituents) with a storage capacity of 648 GiB or more all have the same number of inodes: 21,251,126. If you create a volume larger than 648 GiB and you want it to have more than 21,251,126 inodes, you must increase the maximum number of inodes (files) manually. For more information about viewing the maximum number of files for a volume, see [Monitoring a volume's file capacity](view-volume-file-capacity.md).

The default number of inodes on a volume is 1 inode for every 32 KiB of volume storage capacity, up to a volume size of 648 GiB. For a 1 GiB volume:

Volume\$1size\$1in\$1bytes × (1 file ÷ inode\$1size\$1in\$1bytes) = maximum\$1number\$1of\$1files

1,073,741,824 bytes × (1 file ÷ 32,768 bytes) = 32,768 files

You can increase the maximum number of inodes that a volume can contain, up to a maximum of 1 inode for every 4 KiB of storage capacity. For a 1 GiB volume. this increases the maximum number of inodes or files from 32,768 to 262,144:

1,073,741,824 bytes × (1 file ÷ 4096 bytes) = 262,144 files

An FSx for ONTAP volume can have a maximum of 2 billion inodes.

For information about changing the maximum number of files that a volume can store, see [Updating the maximum number of files on a volume](increase-volume-max-files.md).

# Managing storage efficiencies


By enabling storage efficiencies on your FSx for ONTAP volumes, you can optimize storage utilization, reduce storage costs, and improve your file system's performance overall.

**Note**  
We recommend enabling storage efficiencies using the Amazon FSx console, API, or AWS CLI to ensure that the optimal storage efficiency settings are applied to your volumes.

ONTAP organizes files into 4 kibibyte (KiB) data blocks. Storage efficiencies take place at the data block level rather than at the level of individual files. When storage efficiencies are enabled, ONTAP employs a combination of data reduction techniques to eliminate duplicate data, compress the size of data, and reorganize the layout of data for optimal disk usage.

Storage efficiencies are applied in two ways. They are applied to data inline (before data is written to disk, in memory) to provide immediate storage savings. They are also applied to data in the background (after the data is written to disk) in the SSD storage tier through periodic efficiency jobs to optimize storage utilization over time. Background storage efficiencies don't run on data after it's tiered to the capacity pool. However, if the data had any storage savings while it was in SSD, these savings are preserved when the data is tiered to the capacity pool.

**Note**  
ONTAP doesn't support enabling storage efficiencies on data protection (DP) volumes. However, storage savings achieved in the source read-writable (RW) volume are preserved when data is replicated to the destination DP volume.

## Compression of data blocks


Compression groups are logical groupings of data that are managed and compressed together as a single block. ONTAP automatically packs data blocks into compression groups, which reduces the space consumed on disk. To optimize performance and storage utilization, ONTAP provides a balanced approach to managing data by adjusting the degree of compression that's applied to the data based on its access patterns.

By default, data is compressed inline using 8 KB compression groups to ensure optimal performance when writing data to a volume. Optionally, you can apply heavier compression to data by enabling inactive data compression on a volume to further compress data in SSD. Inactive data compression uses 32 KB compression groups on cold data for additional storage savings. For more information, see the [https://docs.netapp.com/us-en/ontap-cli-9131/volume-efficiency-inactive-data-compression-modify.html#description](https://docs.netapp.com/us-en/ontap-cli-9131/volume-efficiency-inactive-data-compression-modify.html#description) command in the NetApp ONTAP Documentation Center.

**Note**  
Inactive data compression consumes additional CPU and disk IOPS and can be a resource-intensive task. We recommend that you evaluate the performance impact of running inactive data compression on your workload before enabling this feature.

The following image illustrates the storage savings that can be achieved by compressing data blocks.

![\[\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/images/fsx-ontap-before-compression.png)


## Deduplication of data blocks


 ONTAP detects and eliminates duplicate data blocks to reduce redundancies in data. The duplicate blocks are replaced with references to shared unique blocks. 

By default, data is deduplicated inline to reduce the storage footprint before data is written to disk. ONTAP also runs a background deduplication scanner at specified intervals to identify and eliminate duplicate data after it's been written to disk. During these scheduled scans, ONTAP processes a change log to identify new or modified data blocks since the last scan that haven't been deduplicated yet. When duplicates are found, ONTAP updates the metadata to point to a single copy of the duplicated blocks and marks the redundant blocks as free space that's ready to be reclaimed.

**Note**  
 ONTAP applies deduplication to 4 KB of incoming writes at a time, so you might see lower deduplication savings when running workloads with writes that are smaller than 4 KB in size.   
   
FSx for ONTAP doesn't support cross-volume deduplication.

The following image illustrates the storage savings that can be achieved with deduplication.

![\[\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/images/fsx-ontap-before-deduplication.png)


## Compaction of data blocks


ONTAP consolidates partially filled data blocks that are less than 4 KB each into a more efficiently utilized 4 KB block.

By default, data is compacted inline to optimize the layout of data as it's written to disk to minimize storage overhead, reduce fragmentation, and improve read performance.

The following image illustrates the storage savings that can be achieved with compaction.

![\[\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/images/fsx-ontap-before-compaction.png)


## Example: storage efficiencies


The following image illustrates how storage efficiencies are applied to data.

![\[\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/images/fsx-ontap-se-example.png)


# Enabling autosizing


Volume autosizing so that the volume will automatically grow to a specified size when it reaches a used space threshold. You can do this for FlexVol volume types (the default volume type for FSx for ONTAP) using the [https://docs.netapp.com/us-en/ontap-cli-9111/volume-autosize.html](https://docs.netapp.com/us-en/ontap-cli-9111/volume-autosize.html) ONTAP CLI command.

**To enable volume autosizing (ONTAP CLI)**

1. To access the ONTAP CLI, establish an SSH session on the management port of the Amazon FSx for NetApp ONTAP file system or SVM by running the following command. Replace `management_endpoint_ip` with the IP address of the file system's management port.

   ```
   [~]$ ssh fsxadmin@management_endpoint_ip
   ```

   For more information, see [Managing file systems with the ONTAP CLI](managing-resources-ontap-apps.md#fsxadmin-ontap-cli). 

1. Use the `volume autosize` command as shown, replacing the following values:
   + Replace *`svm_name`* with the name of the SVM that the volume is created on.
   + Replace *`vol_name`* with name of the volume that you want to resize.
   + Replace *`grow_threshold`* with a used space percentage value (such as `90`) at which the volume will automatically increase in size (up to the *`max_size`* value).
   + Replace *`max_size`* with the maximum size that the volume can grow to. Use the format *`integer`*`[KB|MB|GB|TB|PB]`; for example, `300TB`. The maximum size is 300 TB. The default is 120% of the volume size.
   + Replace *min\$1size* with the minimum size that the volume will shrink to. Use the same format as for *max\$1size*.
   + Replace *shrink\$1threshold* with the used space percentage at which the volume will automatically shrink in size.

   ```
   ::> volume autosize -vserver svm_name -volume vol_name -mode grow_shrink -grow-threshold-percent grow_threshold -maximum-size max_size -shrink-threshold-percent shrink_threshold -minimum-size min_size
   ```

1. To show the current autosize setting, run the following command. Replace *svm\$1name* and *vol\$1name* with your information.

   ```
   ::> volume autosize -vserver svm_name -volume vol_name
   ```

# Enabling cloud write mode
Enabling cloud write mode

Use the `volume modify` ONTAP CLI command to enable or disable cloud write mode for an existing volume. For more information, see [https://docs.netapp.com/us-en/ontap-cli-9131/volume-modify.html](https://docs.netapp.com/us-en/ontap-cli-9131/volume-modify.html) in the NetApp ONTAP Documentation Center.

Prerequisites for setting cloud write mode are:
+ The volume must be an existing volume. You can only enable the feature on an existing volume.
+ The volume must be a read-write (RW) volume.
+ The volume must have the **All** tiering policy. For more information about modifying a volume's tiering policy, see [Updating a tiering policy](modify-volume-tiering-policy.md).

Cloud write mode is helpful for cases like migrations, for example, where large amounts of data are transferred to a file system using the NFS protocol.

**To set a volume's cloud write mode (ONTAP CLI)**

1. To access the ONTAP CLI, establish an SSH session on the management port of the Amazon FSx for NetApp ONTAP file system or SVM by running the following command. Replace `management_endpoint_ip` with the IP address of the file system's management port.

   ```
   [~]$ ssh fsxadmin@management_endpoint_ip
   ```

   For more information, see [Managing file systems with the ONTAP CLI](managing-resources-ontap-apps.md#fsxadmin-ontap-cli). 

1. Enter the ONTAP CLI advanced mode using the following command.

   ```
   FSx::> set -privilege advanced
   Warning: These advanced commands are potentially dangerous; use them only when
        directed to do so by NetApp personnel.
   Do you want to continue? {y|n}: y
   ```

1. Use the following command to set the volume’s cloud write mode, replacing the following values:
   + Replace *`svm_name`* with the name of the SVM that the volume is created on.
   + Replace *`vol_name`* with name of the volume for which you are setting cloud write mode.
   + Replace `vol_cw_mode` with either `true` to enable cloud write mode on the volume or `false` to disable it.

   ```
   FSx::> volume modify -vserver svm_name -volume vol_name -is-cloud-write-enabled vol_cw_mode
   ```

   The system responds as follows for a successful request.

   ```
   Volume modify successful on volume vol_name of Vserver svm_name.
   ```

# Updating storage capacity


You can manage volume storage capacity by manually increasing or decreasing volume size using the AWS Management Console, AWS CLI and API, and the ONTAP CLI. You can also enable volume autosizing so that the volume size automatically grows or shrinks when it reaches certain used storage capacity thresholds. You use the ONTAP CLI to manage volume autosizing.<a name="increase-volume-size"></a>

**To change a volume's storage capacity (console)**
+ You can increase or decrease a volume's storage capacity using the Amazon FSx console, AWS CLI, and API. For more information, see [Updating volumes](updating-volumes.md).

You can also use the ONTAP CLI to modify a volume's storage capacity using the [https://docs.netapp.com/us-en/ontap-cli-9111/volume-modify.html](https://docs.netapp.com/us-en/ontap-cli-9111/volume-modify.html) command.

**To modify a volume's size (ONTAP CLI)**

1. To access the ONTAP CLI, establish an SSH session on the management port of the Amazon FSx for NetApp ONTAP file system or SVM by running the following command. Replace `management_endpoint_ip` with the IP address of the file system's management port.

   ```
   [~]$ ssh fsxadmin@management_endpoint_ip
   ```

   For more information, see [Managing file systems with the ONTAP CLI](managing-resources-ontap-apps.md#fsxadmin-ontap-cli). 

1. Use the **volume modify** ONTAP CLI command to modify a volume's storage capacity. Run the following command, using your data in place of the following values:
   + Replace *`svm_name`* with the name of the storage virtual machine (SVM) that the volume is created on.
   + Replace *`vol_name`* with name of the volume that you want to re-size.
   + Replace *`vol_size`* with the new size of the volume in the format *`integer`*`[KB|MB|GB|TB|PB]`; for example, `100GB` to increase the volume size to 100 gigabytes.

   ```
   ::> volume modify -vserver svm_name -volume vol_name -size vol_size
   ```

# Updating a tiering policy


You can modify a volume's tiering policy using the AWS Management Console, AWS CLI and API, and the ONTAP CLI.

## To modify a volume's data tiering policy (console)


Use the following procedure to modify a volume's data-tiering policy using the AWS Management Console.

1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. Choose **Volumes** in the left navigation pane, then choose the ONTAP volume for which you want to modify the data-tiering policy.

1. Choose **Update volume** from the **Actions** drop down menu. The **Update volume** window appears.

1. For **Capacity pool tiering policy**, choose the new policy for the volume. For more information, see [Volume tiering policies](volume-storage-capacity.md#data-tiering-policy).

1. Choose **Update** to apply the new policy to the volume.

## To set a volume's tiering policy (CLI)

+ Modify a volume's tiering policy using the [update-volume](https://docs.aws.amazon.com/cli/latest/reference/fsx/update-volume.html) CLI command ([UpdateVolume](https://docs.aws.amazon.com/fsx/latest/APIReference/API_UpdateVolume.html) is the equivalent Amazon FSx API action). The following CLI command example sets a volume's data-tiering policy to `SNAPSHOT_ONLY`.

  ```
  aws fsx update-volume \
      --volume-id fsxvol-abcde0123456789f
      --ontap-configuration TieringPolicy={Name=SNAPSHOT_ONLY}
  ```

  For a successful request, the system responds with the volume description.

  ```
  {
      "Volume": {
          "CreationTime": "2021-10-05T14:27:44.332000-04:00",
          "FileSystemId": "fs-abcde0123456789f",
          "Lifecycle": "CREATED",
          "Name": "vol1",
          "OntapConfiguration": {
              "FlexCacheEndpointType": "NONE",
              "JunctionPath": "/vol1",
              "SecurityStyle": "UNIX",
              "SizeInMegabytes": 1048576,
              "StorageEfficiencyEnabled": true,
              "StorageVirtualMachineId": "svm-abc0123de456789f",
              "StorageVirtualMachineRoot": false,
              "TieringPolicy": {
                  "CoolingPeriod": 2,
                  "Name": "SNAPSHOT_ONLY"
              },
              "UUID": "aaaa1111-bb22-cc33-dd44-abcde01234f5",
              "OntapVolumeType": "RW"
          },
          "ResourceARN": "arn:aws:fsx:us-east-2:111122223333:volume/fs-abcde0123456789f/fsvol-abc012def3456789a",
          "VolumeId": "fsvol-abc012def3456789a",
          "VolumeType": "ONTAP"
      }
  }
  ```

## To modify a volume's tiering policy (ONTAP CLI)


You use the `volume modify` ONTAP CLI command to set a volume's tiering policy. For more information, see [https://docs.netapp.com/us-en/ontap-cli-9111/volume-modify.html](https://docs.netapp.com/us-en/ontap-cli-9111/volume-modify.html) in the NetApp ONTAP Documentation Center.

1. To access the ONTAP CLI, establish an SSH session on the management port of the Amazon FSx for NetApp ONTAP file system or SVM by running the following command. Replace `management_endpoint_ip` with the IP address of the file system's management port.

   ```
   [~]$ ssh fsxadmin@management_endpoint_ip
   ```

   For more information, see [Managing file systems with the ONTAP CLI](managing-resources-ontap-apps.md#fsxadmin-ontap-cli). 

1. Enter the ONTAP CLI advanced mode using the following command.

   ```
   FSx::> set adv
   
   Warning: These advanced commands are potentially dangerous; use them only when
        directed to do so by NetApp personnel.
   Do you want to continue? {y|n}: y
   ```

1. Use the following command to modify the volume data-tiering policy, replacing the following values:
   + Replace *`svm_name`* with the name of the SVM that the volume is created on.
   + Replace *`vol_name`* with name of the volume for which you are setting the data-tiering policy.
   + Replace *`tiering_policy`* with the desired policy. Valid values are `snapshot-only`, `auto`, `all`, or `none`. For more information, see [Volume tiering policies](volume-storage-capacity.md#data-tiering-policy).

   ```
   FSx::> volume modify -vserver svm_name -volume vol_name -tiering-policy tiering_policy
   ```

# Updating the minimum cooling days
Updating cooling days

Minimum cooling days for a volume set the threshold that's used to determine which data is warm and which data is cold. You can set a volume's minimum cooling days using AWS CLI and API, and the ONTAP CLI.

## To set a volume's minimum cooling days (CLI)

+ Modify a volume configuration by using the [update-volume](https://docs.aws.amazon.com/cli/latest/reference/fsx/update-volume.html) CLI command ([UpdateVolume](https://docs.aws.amazon.com/fsx/latest/APIReference/API_UpdateVolume.html) is the equivalent Amazon FSx API action). The following CLI command example sets a volume's `CoolingPeriod` to 104 days.

  ```
  aws fsx update-volume \
      --volume-id fsxvol-abcde0123456789f
      --ontap-configuration TieringPolicy={Name=SNAPSHOT_ONLY}
  aws fsx update-volume --volume-id fsvol-006530558c14224ac --ontap-configuration TieringPolicy={CoolingPeriod=104}
  ```

  The system responds with the volume description for a successful request.

  ```
  {
      "Volume": {
          "CreationTime": "2021-10-05T14:27:44.332000-04:00",
          "FileSystemId": "fs-abcde0123456789f",
          "Lifecycle": "CREATED",
          "Name": "vol1",
          "OntapConfiguration": {
              "FlexCacheEndpointType": "NONE",
              "JunctionPath": "/vol1",
              "SecurityStyle": "UNIX",
              "SizeInMegabytes": 1048576,
              "StorageEfficiencyEnabled": true,
              "StorageVirtualMachineId": "svm-abc0123de456789f",
              "StorageVirtualMachineRoot": false,
              "TieringPolicy": {
                  "CoolingPeriod": 104,
                  "Name": "SNAPSHOT_ONLY"
              },
              "UUID": "aaaa1111-bb22-cc33-dd44-abcde01234f5",
              "OntapVolumeType": "RW"
          },
          "ResourceARN": "arn:aws:fsx:us-east-2:111122223333:volume/fs-abcde0123456789f/fsvol-abc012def3456789a",
          "VolumeId": "fsvol-abc012def3456789a",
          "VolumeType": "ONTAP"
      }
  }
  ```

## To set a volume's minimum cooling days (ONTAP CLI)


Use the `volume modify` ONTAP CLI command to set the minimum number of cooling days for an existing volume. For more information, see [https://docs.netapp.com/us-en/ontap-cli-9111/volume-modify.html](https://docs.netapp.com/us-en/ontap-cli-9111/volume-modify.html) in the NetApp ONTAP Documentation Center.

1. To access the ONTAP CLI, establish an SSH session on the management port of the Amazon FSx for NetApp ONTAP file system or SVM by running the following command. Replace `management_endpoint_ip` with the IP address of the file system's management port.

   ```
   [~]$ ssh fsxadmin@management_endpoint_ip
   ```

   For more information, see [Managing file systems with the ONTAP CLI](managing-resources-ontap-apps.md#fsxadmin-ontap-cli). 

1. Enter the ONTAP CLI advanced mode using the following command.

   ```
   FSx::> set adv
   
   Warning: These advanced commands are potentially dangerous; use them only when
        directed to do so by NetApp personnel.
   Do you want to continue? {y|n}: y
   ```

1. Use the following command to change your volume’s tiering minimum cooling days, replacing the following values:
   + Replace *`svm_name`* with the name of the SVM that the volume is created on.
   + Replace *`vol_name`* with name of the volume for which you are setting the cooling days.
   + Replace `cooling_days` with the desired, an integer between 2-183.

   ```
   FSx::> volume modify -vserver svm_name -volume vol_name -tiering-minimum-cooling-days cooling_days
   ```

   The system responds as follows for a successful request.

   ```
   Volume modify successful on volume vol_name of Vserver svm_name.
   ```

# Updating a volume's cloud retrieval policy
Updating cloud retrieval policy

Use the `volume modify` ONTAP CLI command to set the cloud retrieval policy for an existing volume. For more information, see [https://docs.netapp.com/us-en/ontap-cli-9111/volume-modify.html](https://docs.netapp.com/us-en/ontap-cli-9111/volume-modify.html) in the NetApp ONTAP Documentation Center.

**To set a volume's cloud retrieval policy (ONTAP CLI)**

1. To access the ONTAP CLI, establish an SSH session on the management port of the Amazon FSx for NetApp ONTAP file system or SVM by running the following command. Replace `management_endpoint_ip` with the IP address of the file system's management port.

   ```
   [~]$ ssh fsxadmin@management_endpoint_ip
   ```

   For more information, see [Managing file systems with the ONTAP CLI](managing-resources-ontap-apps.md#fsxadmin-ontap-cli). 

1. Enter the ONTAP CLI advanced mode using the following command.

   ```
   FSx::> set adv
   
   Warning: These advanced commands are potentially dangerous; use them only when
        directed to do so by NetApp personnel.
   Do you want to continue? {y|n}: y
   ```

1. Use the following command to set the volume’s cloud retrieval policy, replacing the following values:
   + Replace *`svm_name`* with the name of the SVM that the volume is created on.
   + Replace *`vol_name`* with name of the volume for which you are setting the cloud retrieval policy.
   + Replace `retrieval_policy` with the desired value, either `default`, `on-read`, `never`, or `promote`.

   ```
   FSx::> volume modify -vserver svm_name -volume vol_name -cloud-retrieval-policy retrieval_policy
   ```

   The system responds as follows for a successful request.

   ```
   Volume modify successful on volume vol_name of Vserver svm_name.
   ```

# Updating the maximum number of files on a volume
Updating the maximum number of files

FSx for ONTAP volumes can run out of file capacity when the number of available inodes, or file pointers, is exhausted.<a name="increase-max-files"></a>

**To increase the maximum number of files on a volume (ONTAP CLI)**

You use the `volume modify` ONTAP CLI command to increase the maximum number of files on a volume. For more information, see [https://docs.netapp.com/us-en/ontap-cli-9111/volume-modify.html](https://docs.netapp.com/us-en/ontap-cli-9111/volume-modify.html) in the NetApp ONTAP Documentation Center.

1. To access the ONTAP CLI, establish an SSH session on the management port of the Amazon FSx for NetApp ONTAP file system or SVM by running the following command. Replace `management_endpoint_ip` with the IP address of the file system's management port.

   ```
   [~]$ ssh fsxadmin@management_endpoint_ip
   ```

   For more information, see [Managing file systems with the ONTAP CLI](managing-resources-ontap-apps.md#fsxadmin-ontap-cli). 

1. Do one of the following, depending on your use case. Replace *`svm_name`* and *`vol_name`* with your values.
   + To configure a volume to always have the maximum number of files (inodes) available, perform the following:

     1. Enter advanced mode in the ONTAP CLI by using the following command.

        ```
        ::> set adv
        ```

     1. After running this command, you'll see this output. Enter `y` to continue.

        ```
        Warning: These advanced commands are potentially dangerous; use them only when
        directed to do so by NetApp personnel.
        Do you want to continue? {y|n}: y
        ```

     1. Enter the following command to always use the maximum number of files on the volume:

        ```
        ::> volume modify -vserver svm_name -volume vol_name -files-set-maximum true
        ```
   + To manually specify the total number of files permitted on the volume, with `max_number_files = (current_size_of_volume) × (1 file ÷ 4 KiB)`, up to a maximum possible value of 2 billion, use the following command:

     ```
     ::> volume modify -vserver svm_name -volume vol_name -files max_number_files
     ```

# Monitoring volume storage capacity
Monitoring storage capacity

 You can view a volume's available storage and it's storage distribution in AWS Management Console, AWS CLI, and the NetApp ONTAP CLI.<a name="volume-capacity-usage"></a>

**To monitor a volume's storage capacity (console)**

The **Available storage** graph displays the amount of free storage capacity on a volume over time. The **Storage distribution** graph shows how a volume's storage capacity is currently distributed over 4 categories:
+ User data
+ Snapshot data
+ Available volume capacity
+ Other data

1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. Choose **Volumes** in the left navigation column, then choose the ONTAP volume that you want to view storage capacity information for. The volume detail page appears.

1. In the second panel, choose the **Monitoring** tab. The **Available storage** and **Storage distribution** graphs display, along with several other graphs.  
![\[\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/images/fsx-ontap-volume-storage-graphs.png)  
![\[\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/images/fsx-ontap-volume-storage-graphs2.png)

**To monitor a volume's storage capacity (ONTAP CLI)**

You can monitor how your volume's storage capacity is being consumed by using the `volume show-space` ONTAP CLI command. For more information, see [https://docs.netapp.com/us-en/ontap-cli-9111/volume-show-space.html](https://docs.netapp.com/us-en/ontap-cli-9111/volume-show-space.html) in the NetApp ONTAP Documentation Center.

1. To access the ONTAP CLI, establish an SSH session on the management port of the Amazon FSx for NetApp ONTAP file system or SVM by running the following command. Replace `management_endpoint_ip` with the IP address of the file system's management port.

   ```
   [~]$ ssh fsxadmin@management_endpoint_ip
   ```

   For more information, see [Managing file systems with the ONTAP CLI](managing-resources-ontap-apps.md#fsxadmin-ontap-cli). 

1. View a volume's storage capacity usage by issuing the following command, replacing the following values:
   + Replace *`svm_name`* with the name of the SVM that the volume is created on.
   + Replace *`vol_name`* with name of the volume for which you are setting the data-tiering policy.

   ```
   ::> volume show-space -vserver svm_name -volume vol_name
   ```

   If the command is successful, you'll see output similar to the following:

   ```
   Vserver : svm_name
   Volume  : vol_name
   Feature                                    Used      Used%
   --------------------------------     ----------     ------
   User Data                                 140KB         0%
   Filesystem Metadata                     164.4MB         1%
   Inodes                                  10.28MB         0%
   Snapshot Reserve                        563.2MB         5%
   Deduplication                              12KB         0%
   Snapshot Spill                           9.31GB        85%
   Performance Metadata                      668KB         0%
   
   Total Used                              10.03GB        91%
   
   Total Physical Used                     10.03GB        91%
   ```

   The output of this command shows the amount of physical space that different types of data occupy on this volume. It also shows the percentage of the total volume's capacity that each type of data consumes. In this example, `Snapshot Spill` and `Snapshot Reserve` consume a combined 90 percent of the volume's capacity.

`Snapshot Reserve` shows the amount of disk space reserved for storing Snapshot copies. If the Snapshot copies storage exceeds the reserve space, it spills into the file system and this amount is shown under `Snapshot Spill`.

To increase the amount of available space, you can either [increase the size](manage-volume-capacity.md#increase-volume-size) of the volume, or you can [delete snapshots](snapshots-ontap.md#delete-snapshots) that you are not using, as shown in the following procedures. 

For FlexVol volume types (the default volume type for FSx for ONTAP volumes), you can also enable [volume autosizing](enable-volume-autosizing.md). When you enable autosizing, the volume size automatically increases when it reaches certain thresholds. You can also disable automatic snapshots. Both of these features are explained in the following sections.

# Monitoring a volume's file capacity
Monitoring file capacity

You can use either of the following methods to view the maximum number of files allowed and the number of files already used on a volume.
+ The CloudWatch volume metrics `FilesCapacity` and `FilesUsed`.
+ In the Amazon FSx console, navigate to the **Available files (inodes)** chart in your volume's **Monitoring** tab. The following image shows the **Available files (inodes)** on a volume decreasing over time.  
![\[\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/images/fsx-ontap-available-files.png)

  

# Managing FSx for ONTAP file systems
Managing file systems

A file system is the primary Amazon FSx resource, analogous to an on-premises ONTAP cluster. You specify the solid state drive (SSD) storage capacity and throughput capacity for your file system, and choose a virtual private cloud (VPC) in which to create the file system. Each file system has a management endpoint that you can use to manage resources and data with the ONTAP CLI or REST API. 

## File system resources


An Amazon FSx for NetApp ONTAP file system is composed of the following primary resources:
+ The physical hardware of the file system itself, which includes the file servers and storage media.
+ One or more highly-available (HA) file server pairs, which host your storage virtual machines (SVMs). First-generation file systems and Multi-AZ second-generation file systems have one HA pair, and second-generation Single-AZ file systems have up to 12 HA pairs. Each HA pair has a storage pool called an aggregate. The collection of aggregates across all HA pairs makes up your SSD storage tier. 
+ One or more SVMs that host the file system volumes and have their own credentials and access management.
+ One or more volumes that virtually organize your data and are mounted by your clients.

The following image illustrates the architecture of a first-generation FSx for ONTAP file system with one HA pair, and the relationship between its primary resources. The FSx for ONTAP file system on the left is the simplest file system, with one SVM and one volume. The file system on the right has multiple SVMs, with some SVMs having multiple volumes. File systems and SVMs each have multiple management endpoints, and SVMs also have data access endpoints.

![\[The architecture of FSx for ONTAP file systems\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/images/ontap-file-system-structure.png)


When creating an FSx for ONTAP file system, you define the following properties:
+ **Deployment type** – The deployment type of your file system (Multi-AZ or Single-AZ). Single-AZ file systems replicate your data and offer automatic failover within a single Availability Zone. First-generation Single-AZ file systems support one HA pair. Second-generation Single-AZ file systems support up to 12 HA pairs. Multi-AZ file systems provide added resiliency by also replicating your data and supporting failover across multiple Availability Zones within the same AWS Region. First-generation and second-generation Multi-AZ file systems both support one HA pair.
**Note**  
You can't change your file system's deployment type after creation. If you want to change the deployment type (for example, to move from Single-AZ 1 to Single-AZ 2), you can back up your data and restore it on a new file system. You can also migrate your data with NetApp SnapMirror, with AWS DataSync, or with a third-party data copying tool. For more information, see [Migrating to FSx for ONTAP using NetApp SnapMirror](migrating-fsx-ontap-snapmirror.md) and [Migrating to FSx for ONTAP using AWS DataSync](migrate-files-to-fsx-datasync.md).
+ **Storage capacity** – This is the amount of SSD storage, up to 192 tebibytes (TiB) for first-generation file systems, 512 TiB for second-generation Multi-AZ file systems, and 1 pebibyte (PiB) for second-generation Single-AZ file systems.
+ **SSD IOPS** – By default, each gigabyte of SSD storage includes three SSD IOPS (up to the maximum supported by your file system configuration). You can optionally provision additional SSD IOPS as needed.
+ **Throughput capacity** – The sustained speed at which the file server can serve data.
+ **Networking** – The VPC and subnets for the management and data access endpoints that your file system creates. For a Multi-AZ file system, you also define an IP address range and route tables.
+ **Encryption** – The AWS Key Management Service (AWS KMS) key that's used to encrypt the file system data at rest.
+ **Administrative access** – You can specify the password for the `fsxadmin` user. You can use this user to administer the file system by using the NetApp ONTAP CLI and REST API.

You can manage FSx for ONTAP file systems by using the NetApp ONTAP CLI or REST API. You can also set up SnapMirror or SnapVault relationships between an Amazon FSx file system and another ONTAP deployment (including another Amazon FSx file system). Each FSx for ONTAP file system has the following file system endpoints that provide access to NetApp applications:
+ **Management** – Use this endpoint to access the NetApp ONTAP CLI over Secure Shell (SSH), or to use the NetApp ONTAP REST API with your file system.
+ **Intercluster** – Use this endpoint when setting up replication using NetApp SnapMirror or caching using NetApp FlexCache.

For more information, see [Managing FSx for ONTAP resources using NetApp applications](managing-resources-ontap-apps.md) and [Replicating your data using NetApp SnapMirror](scheduled-replication.md).

# Creating file systems


This section describes how to create an FSx for ONTAP file system using the Amazon FSx console, AWS CLI, or the Amazon FSx API. You can create a file system in a virtual private cloud (VPC) that you own, or in a VPC that another AWS account has shared with you. There are considerations when creating a Multi-AZ file system in a VPC in which you are a participant. These considerations are explained in this topic.

By default, when you create a new file system from the Amazon FSx console, Amazon FSx automatically creates a file system with a single storage virtual machine (SVM) and one volume, allowing for quick access to data from Linux instances over the Network File System (NFS) protocol. When creating the file system, you can optionally join the SVM to an Active Directory to enable access from Windows and macOS clients over the Server Message Block (SMB) protocol. After your file system is created, you can create additional SVMs and volumes as needed.

## To create a file system (console)


This procedure uses the **Standard create** creation option to create an FSx for ONTAP file system with a configuration that you customize for your needs. For information about using the **Quick create** creation option to rapidly create a file system with a default set of configuration parameters, see [Create an Amazon FSx for NetApp ONTAP file system](getting-started.md#getting-started-step1).

1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. On the dashboard, choose **Create file system**. 

1. On the **Select file system type** page, for **File system options**, choose **Amazon FSx for NetApp ONTAP**, and then choose **Next**. 

1. In the **Creation method** section, choose **Standard create**. 

1. In the **File system details** section, provide the following information: 
   + For **File system name - optional**, enter a name for your file system. It's easier to find and manage your file systems when you name them. You can use a maximum of 256 Unicode letters, white space, and numbers, plus these special characters: \$1 - = . \$1 : /
   + For **Deployment type** choose **Multi-AZ 2**, **Single-AZ 2**, **Multi-AZ 1**, or **Single-AZ 1**. 
     + **Multi-AZ** file systems replicate your data and support failover across multiple Availability Zones in the same AWS Region. Multi-AZ 1 is a first-generation FSx for ONTAP file system. Multi-AZ 2 is a second-generation file system. They both support one high-availability (HA) pair. 
     + **Single-AZ** file systems replicate your data and offer automatic failover within a single Availability Zone. Single-AZ 1 is a first-generation FSx for ONTAP file system that supports one HA pair. Single-AZ 2 is a second-generation file system that supports up to 12 HA pairs. For more information, see [Managing high-availability (HA) pairs](HA-pairs.md). 

        For more information about deployment types, see [Availability, durability, and deployment options](high-availability-AZ.md).
**Note**  
You can't change your file system's deployment type after creation. If you want to change the deployment type (for example, to move from Single-AZ 1 to Single-AZ 2), you can back up your data and restore it on a new file system. You can also migrate your data with NetApp SnapMirror, with AWS DataSync, or with a third-party data copying tool. For more information, see [Migrating to FSx for ONTAP using NetApp SnapMirror](migrating-fsx-ontap-snapmirror.md) and [Migrating to FSx for ONTAP using AWS DataSync](migrate-files-to-fsx-datasync.md).
   + For **SSD storage capacity**, enter the storage capacity of your file system, in gibibytes (GiB). Enter any whole number in the range of 1,024–1,048,576 GiB (up to 1 pebibyte [PiB]). 

     You can increase the amount of storage capacity as needed at any time after you create the file system. For more information, see [Managing storage capacity](managing-storage-capacity.md). 
   + For **Provisioned SSD IOPS**, you have two options to provision the number of IOPS for your file system:
     + Choose **Automatic** (the default) if you want Amazon FSx to automatically provision 3 IOPS per GiB of SSD storage.
     + Choose **User-provisioned** if you want to specify the number of IOPS. You can provision a maximum of 200,000 SSD IOPS per file system.
**Note**  
You can increase your provisioned SSD IOPS after you create the file system. Keep in mind that the maximum level of SSD IOPS your file system can achieve is also dictated by your file system's throughput capacity even when provisioning additional SSD IOPS. For more information, see [Impact of throughput capacity on performance](performance.md#impact-throughput-cap-performance) and [Managing storage capacity](managing-storage-capacity.md).
   + For **Throughput capacity**, you have two options for determining your throughput capacity in megabytes per second (MBps): 
     +  Choose **Recommended throughput capacity** if you want Amazon FSx to automatically choose the throughput capacity based on the amount of storage capacity that you chose. 
     +  Choose **Specify throughput capacity** if you want to specify the amount of throughput capacity. If you choose this option, a **Throughput capacity** dropdown appears and is populated based on the deployment type that you chose. You can also choose the number of HA pairs (up to 12). For more information, see [Managing high-availability (HA) pairs](HA-pairs.md). 

     Throughput capacity is the sustained speed at which the file server that hosts your file system can serve data. For more information, see [Amazon FSx for NetApp ONTAP performancePerformance](performance.md). 

1. In the **Networking** section, provide the following information: 
   + For **Virtual Private Cloud (VPC)**, choose the VPC that you want to associate with your file system. 
   + For **VPC Security Groups**, you can choose a security group to associate with your file system's network interface. If you don't specify one, Amazon FSx will associate the VPC's default security group with your file system.
   + (Multi-AZ only) For **Preferred subnet**, choose any value from the list of available subnets. Also choose a **Standby subnet** for the standby file server.
   + (Single-AZ only) For **Subnet**, choose any value from the list of available subnets.
   + (Multi-AZ only) For **VPC route tables**, specify the VPC route tables to create your file system's endpoints. Select all VPC route tables associated with the subnets in which your clients are located. By default, Amazon FSx selects your VPC's default route table. For more information, see [Accessing data from outside the deployment VPC](supported-fsx-clients.md#access-from-outside-deployment-vpc).
**Note**  
Amazon FSx manages these route tables for Multi-AZ file systems using tag-based authentication. These route tables are tagged with `Key: AmazonFSx; Value: ManagedByAmazonFSx`. When creating FSx for ONTAP Multi-AZ file systems using CloudFormation we recommend that you add the `Key: AmazonFSx; Value: ManagedByAmazonFSx` tag manually.
   + For **Network type**, select either **IPv4** (for only IPv4 support) or **Dual-stack** (for both IPv4 and IPv6 support). You can change the network type of an existing file system at any time. For more information, see [Changing network typeTo change a file system's network type (console)](manage-network-type.md#change-network-type).
**Note**  
If you intend to create an FSx for ONTAP file system that uses dual-stack mode, you must first assign an Amazon-provided IPv6 CIDR block to your VPC and subnets. For more information, see [Add IPv6 support for your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-migrate-ipv6-add.html) in the *Amazon Virtual Private Cloud User Guide*.
   + (Multi-AZ only) **Endpoint IPv4 address range** specifies the IPv4 address range in which the endpoints to access your file system are created.

     You have three options for the endpoint IPv4 address range:
     + **Unallocated IPv4 address range from your VPC** – Amazon FSx chooses the last 64 IP addresses from the VPC’s primary CIDR range to use as the endpoint IPv4 address range for the file system. This range is shared across multiple file systems if you choose this option multiple times.
**Note**  
This option is grayed out if any of the last 64 IP addresses in a VPC's primary CIDR range are in use by a subnet. In this case, you can still choose an in-VPC address range (that is, a range that's not at the end of your primary CIDR range or a range that's in a secondary CIDR of your VPC) by choosing the **Enter an IP address range** option.
     + **Floating IPv4 address range outside your VPC** – Amazon FSx chooses a 198.19.x.0/24 address range that isn't already used by any other file systems with the same VPC and route tables.
     + **Enter an IPv4 address range** – You can provide a CIDR range of your own choosing. The IPv4 address range that you choose can either be inside or outside the VPC’s IP address range, as long as it doesn't overlap with any subnet.
**Note**  
Do not choose any range that falls within the following CIDR ranges, as they are incompatible with FSx for ONTAP:  
0.0.0.0/8
127.0.0.0/8
198.19.0.0/20
224.0.0.0/4
240.0.0.0/4
255.255.255.255/32
   + (Multi-AZ and dual-stack only) **Endpoint IPv6 address range** specifies the IPv6 address range in which the endpoints to access your file system are created. You have two options for the endpoint IPv6 address range:
     + **Unallocated IPv6 address range from your VPC** – Amazon FSx chooses a block of 1024 available IPv6 addresses from one of the VPC’s IPv6 CIDR ranges to use as the endpoint IPv6 address range for the file system.
     + **Enter an IPv6 address range** – You can provide an IPv6 CIDR range of your own choosing. The IPv6 address range that you choose can either be inside or outside the VPC’s IPv6 address range, as long as it doesn't overlap with any subnet.

1. In the **Encryption** section, for **Encryption key**, choose the AWS Key Management Service (AWS KMS) encryption key that protects your file system's data at rest.

1. For **File system administrative password**, enter a secure password for the `fsxadmin` user. Confirm the password.

   You can use the `fsxadmin` user to administer your file system using the ONTAP CLI and REST API. For more information about the `fsxadmin` user, see [Managing file systems with the ONTAP CLI](managing-resources-ontap-apps.md#fsxadmin-ontap-cli).

1. In the **Default storage virtual machine configuration** section, provide the following information:
   + In the **Storage virtual machine name** field, provide a name for the storage virtual machine. You can use a maximum of 47 alphanumeric characters, plus the underscore (\$1) special character.
   + For **SVM administrative password**, you can optionally choose **Specify a password** and provide a password for the SVM's `vsadmin` user. You can use the `vsadmin` user to administer the SVM using the ONTAP CLI or REST API. For more information about the `vsadmin` user, see [Managing SVMs with the ONTAP CLI](managing-resources-ontap-apps.md#vsadmin-ontap-cli).

     If you choose **Don't specify a password** (the default), you can still use the file system's `fsxadmin` user to manage your file system using the ONTAP CLI or REST API, but you can't use your SVM's `vsadmin` user to do the same.
   + For **Volume security style**, choose between **Unix (Linux)** and ** NTFS** for the volume. For more information, see [Volume security style](managing-volumes.md#volume-security-style). 
   + In the **Active Directory** section, you can join an Active Directory to the SVM. For more information, see [Working with Microsoft Active Directory in FSx for ONTAP](ad-integration-ontap.md).

     If you don't want to join your SVM to an Active Directory, choose **Do not join an Active Directory**.

     If you want to join your SVM to a self-managed Active Directory domain, choose **Join an Active Directory**, and provide the following details for your Active Directory:
     + The NetBIOS name of the Active Directory computer object to create for your SVM. The NetBIOS name cannot exceed 15 characters.
     + The fully qualified domain name of your Active Directory. The domain name cannot exceed 255 characters.
     + **DNS server IP addresses** – The IPv4 or IPv6 addresses of the Domain Name System (DNS) servers for your domain.
     + **Service account credentials** – Choose how to provide your service account credentials:
       + **Option 1**: AWS Secrets Manager secret ARN - The secret containing the username and password for a service account on your Active Directory domain. For more information, see [Storing Active Directory credentials using AWS Secrets Manager](self-managed-AD-best-practices.md#bp-store-ad-creds-using-secret-manager).
       + **Option 2**: Plaintext credentials
         + **Service account username** – The user name of the service account in your existing Microsoft Active Directory. Don't include a domain prefix or suffix. For example, for `EXAMPLE\ADMIN`, use only `ADMIN`.
         + **Service account password** – The password for the service account.
         + **Confirm password** – The password for the service account.
     + (Optional) **Organizational Unit (OU)** – The distinguished path name of the organizational unit to which you want to join your file system.
     + **Delegated file system administrators group** – The name of the group in your Active Directory that can administer your file system.

       If you are using AWS Managed Microsoft AD, you need to specify a group such as AWS Delegated FSx Administrators, AWS Delegated Administrators, or a custom group with delegated permissions to the OU.

       If you are joining to a self-managed AD, use the name of the group in your AD. The default group is `Domain Admins`.

1. In the **Default volume configuration** section, provide the following information for the default volume that is created with your file system: 
   + In the **Volume name** field, provide a name for the volume. You can use up to 203 alphanumeric or underscore (\$1) characters. 
   + (File systems with one HA pair only) For **Volume style**, choose either **FlexVol** or **FlexGroup**. FlexVol volumes are general-purpose volumes that can be up to 300 tebibytes (TiB) in size. FlexGroup volumes are intended for high-performance workloads and can be up to 20 PiB in size. 
   + For **Volume size**, enter any whole number in the range of 20–314,572,800 mebibytes (MiB) for FlexVol volumes or 800 gibibytes (GiB)–2,400 TiB per HA pair for FlexGroup volumes. For example, a file system with 12 HA pairs would have a minimum volume size of 9,600 GiB and a maximum size of 20,480 TiB. 
   + For **Volume type**, choose **Read-Write (RW)** to create a volume that is readable and writable or **Data Protection (DP)** to create a volume that is read-only and can be used as the destination of a NetApp SnapMirror or SnapVault relationship. For more information, see [Volume types](managing-volumes.md#volume-types).
   + For **Junction path**, enter a location within the file system to mount the volume. The name must have a leading forward slash, for example `/vol3`. 
   + For **Storage efficiency**, choose **Enabled** to enable the ONTAP storage-efficiency features (deduplication, compression, and compaction). For more information, see [Storage efficiency](managing-storage-capacity.md#storage-efficiency). 
   + For **Snapshot policy**, choose a snapshot policy for the volume. For more information about snapshot policies, see [Snapshot policies](snapshots-ontap.md#snapshot-policies).

     If you choose **Custom policy**, you must specify the policy's name in the **custom-policy** field. The custom policy must already exist on the SVM or in the file system. You can create a custom snapshot policy with the ONTAP CLI or REST API. For more information, see [Create a Snapshot Policy](https://docs.netapp.com/us-en/ontap/data-protection/create-snapshot-policy-task.html) in the NetApp ONTAP Product Documentation. 

1. In the **Default volume storage tiering** section, for **Capacity pool tiering policy**, choose the storage pool tiering policy for the volume, which can be **Auto** (the default), **Snapshot Only**, **All**, or **None**. For more information about capacity pool tiering policies, see [Volume tiering policies](volume-storage-capacity.md#data-tiering-policy).

   For **Tiering policy cooling period**, if you have set storage tiering to either `Auto` and `Snapshot-only` policies.valid values are 2-183 days. A volume's tiering policy cooling period defines the number of days before data that has not been accessed is marked cold and moved to capacity pool storage. 

1. In the **Default Volume SnapLock Configuration** section, for **SnapLock Configuration**, choose between **Enabled** and **Disabled**. For more information about configuring a SnapLock Compliance volume or a SnapLock Enterprise volume, see [Understanding SnapLock Compliance](snaplock-compliance.md) and [Understanding SnapLock Enterprise](snaplock-enterprise.md). For more information about SnapLock, see [Protecting your data with SnapLock](snaplock.md).

1. In **Backup and maintenance - *optional***, you can set the following options:
   + For **Daily automatic backup**, choose **Enabled** for automatic daily backups. This option is enabled by default.
   + For **Daily automatic backup window**, set the time of the day in Coordinated Universal Time (UTC) that you want the daily automatic backup window to start. The window is 30 minutes starting from this specified time. This window can't overlap with the weekly maintenance backup window.
   + For **Automatic backup retention period**, set a period from 1–90 days that you want to retain automatic backups.
   + For **Weekly maintenance window**, you can set the time of the week that you want the maintenance window to start. Day 1 is Monday, 2 is Tuesday, and so on. The window is 30 minutes starting from this specified time. This window can't overlap with the daily automatic backup window.

1. For **Tags - *optional***, you can enter a key and value to add tags to your file system. A tag is a case-sensitive key-value pair that helps you manage, filter, and search for your file system.

   Choose **Next**.

1. Review the file system configuration shown on the **Create file system** page. For your reference, note which file system settings you can modify after the file system is created.

1. Choose **Create file system**.

## To create a file system (CLI)

+ To create an FSx for ONTAP file system, use the [create-file-system](https://docs.aws.amazon.com/cli/latest/reference/fsx/create-file-system.html) CLI command (or the equivalent [CreateFileSystem](https://docs.aws.amazon.com/fsx/latest/APIReference/API_CreateFileSystem.html) API operation), as shown in the following example.
**Note**  
You can't change your file system's deployment type after creation. If you want to change the deployment type (for example, to move from Single-AZ 1 to Single-AZ 2), you can back up your data and restore it on a new file system. You can also migrate your data with NetApp SnapMirror, with AWS DataSync, or with a third-party data copying tool. For more information, see [Migrating to FSx for ONTAP using NetApp SnapMirror](migrating-fsx-ontap-snapmirror.md) and [Migrating to FSx for ONTAP using AWS DataSync](migrate-files-to-fsx-datasync.md).

  ```
  aws fsx create-file-system \
      --file-system-type ONTAP \
      --storage-capacity 1024 \
      --storage-type SSD \
      --security-group-ids security-group-id \
  
      --subnet-ids subnet-abcdef1234567890b subnet-abcdef1234567890c \
      --ontap-configuration DeploymentType=MULTI_AZ_1,
          ThroughputCapacity=512,PreferredSubnetId=subnet-abcdef1234567890b
  ```

After successfully creating the file system, Amazon FSx returns the file system's description in JSON format as shown in the following example.

```
{
  "FileSystem": {
    "OwnerId": "111122223333",
    "CreationTime": 1625066825.306,
    "FileSystemId": "fs-0123456789abcdef0",
    "FileSystemType": "ONTAP",
    "Lifecycle": "CREATING",
    "StorageCapacity": 1024,
    "StorageType": "SSD",
    "VpcId": "vpc-11223344556677aab",
    "SubnetIds": [
      "subnet-abcdef1234567890b",
      "subnet-abcdef1234567890c"
    ],
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "ResourceARN": "arn:aws:fsx:us-east-1:111122223333:file-system/fs-0123456789abcdef0",
    "Tags": [],
    "OntapConfiguration": {
      "DeploymentType": "MULTI_AZ_HA_1",
      "EndpointIpAddressRange": "198.19.0.0/24",
      "Endpoints": {
        "Management": {
          "DnsName": "management.fs-0123456789abcdef0.fsx.us-east-1.amazonaws.com"
        },
        "Intercluster": {
          "DnsName": "intercluster.fs-0123456789abcdef0.fsx.us-east-1.amazonaws.com"   
        }
      },
      "DiskIopsConfiguration": {
                "Mode": "AUTOMATIC",
                "Iops": 3072
      }, 
      "PreferredSubnetId": "subnet-abcdef1234567890b",
      "RouteTableIds": [
        "rtb-abcdef1234567890e",
        "rtb-abcd1234ef567890b"
      ],
      "ThroughputCapacity": 512,
      "WeeklyMaintenanceStartTime": "4:10:00"
    }
  }
}
```

**Note**  
Unlike the process of creating a file system in the console, the `create-file-system` CLI command and the `CreateFileSystem` API operation don't create a default SVM or volume. To create an SVM, see [Creating storage virtual machines (SVM)](creating-svms.md); to create a volume, see [Creating volumes](creating-volumes.md).

## Creating FSx for ONTAP file systems in shared subnets
Creating file systems in shared subnets

VPC sharing enables multiple AWS accounts to create resources into shared, centrally-managed virtual private clouds (VPCs). In this model, the account that owns the VPC (owner) shares one or more subnets with other accounts (participants) that belong to the same organization from AWS Organizations.

Participant accounts can create FSx for ONTAP Single-AZ and Multi-AZ file systems in a VPC subnet that the owner account has shared with them. For a participant account to create a Multi-AZ file system, the owner account also needs to grant Amazon FSx permission to modify route tables in the shared subnets on behalf of the participant account. For more information, see [Managing shared VPC support for Multi-AZ file systems](#maz-shared-vpc).

**Note**  
It is the participant account’s responsibility to coordinate with the VPC owner to prevent the creation of any subsequent VPC subnets that will overlap with the in-VPC CIDR of the participant's file systems. If subnets do overlap, traffic to the file system can get interrupted.

### Shared subnet requirements and considerations


When creating FSx for ONTAP file systems into shared subnets, note the following:
+ The owner of the VPC subnet must share a subnet with a participant account before that account can create an FSx for ONTAP file system in it.
+ You can't launch resources using the default security group for the VPC because it belongs to the owner. Additionally, participant accounts can't launch resources using security groups that are owned by other participants or the owner.
+ In a shared subnet, the participant and the owner separately controls the security groups within each respective account. The owner account can see security groups that are created by the participants, but cannot perform any actions on them. If the owner account wants to remove or modify these security groups, the participant that created the security group must take the action.
+ Participant accounts can view, create, modify, and delete Single-AZ file systems and their associated resources in subnets that the owner account has shared with them.
+ Participant accounts can create, view, modify, and delete Multi-AZ file systems and their associated resources in subnets that the owner account has shared with them. Additionally, the owner account must also grant the Amazon FSx service permissions to modify route tables in the shared subnets on behalf of the participants account. For more information, see [Managing shared VPC support for Multi-AZ file systems](#maz-shared-vpc)
+ The shared VPC owner cannot view, modify, or delete resources that a participant creates in the shared subnet. This is in addition to the VPC resources that each account has different access to. For more information, see [Responsibilities and permissions for owners and participants](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html#vpc-share-limitations) in the Amazon VPC User Guide.

For more information, see [Share your VPC with other accounts](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html) in the Amazon VPC User Guide.

#### When sharing a VPC subnet
Prerequisites

When sharing your subnets with participant accounts that will be creating FSx for ONTAP file systems in the shared subnets, you will need to do the following:
+ The VPC owner needs to use AWS Resource Access Manager to securely share VPCs and subnets with other AWS accounts. For more information, see [ Sharing your AWS resources](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-orgs) in the AWS Resource Access Manager User Guide.
+ The VPC owner needs to share one or more VPCs with a participant account. For more information, see [Share your VPC with other accounts](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html) in the Amazon Virtual Private Cloud User Guide.
+ For participant accounts to create FSx for ONTAP Multi-AZ file systems, the VPC owner must also grant the Amazon FSx service permissions to create and modify route tables in the shared subnets on behalf of the participant accounts. This is because FSx for ONTAP Multi-AZ file systems use floating IP addresses so that connected clients can seamlessly transition between the preferred and standby file servers during a failover event. When a failover event occurs, Amazon FSx updates all routes in all route tables associated with the file system to point to the currently active file server.

#### Managing shared VPC support for Multi-AZ file systems


Owner accounts can manage whether or not participant accounts can create Multi-AZ FSx for ONTAP file systems in VPC subnets that the owner has shared with participants using the AWS Management Console, AWS CLI, and API, as described in the following sections.

**To manage VPC sharing for Multi-AZ file systems (console)**

Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. In the navigation pane, choose **Settings**.

1. Locate the **Multi-AZ shared VPC settings** on the **Settings** page.
   + To enable VPC sharing for Multi-AZ file systems in VPC subnets that you share, choose **Enable route table updates from participant accounts**.
   + To disable VPC sharing for Multi-AZ file systems in all VPCs that you own, choose **Disable route table updates from participant accounts**. The confirmation screen is displayed.
**Important**  
We strongly recommend that participant-created Multi-AZ file systems in the shared VPC are deleted before you disable this feature. Once the feature is disabled, these file systems will enter a `MISCONFIGURED` state and will be at risk of becoming unavailable. 

1. Enter **confirm** and choose **Confirm** to disable the feature.

**To manage VPC sharing for Multi-AZ file systems (AWS CLI)**

1. To view the current setting for Multi-AZ VPC sharing, use the [describe-shared-vpc-configuration](https://docs.aws.amazon.com/cli/latest/reference/fsx/describe-shared-vpc-configuration) CLI command, or the equivalent [DescribeSharedVpcConfiguration](https://docs.aws.amazon.com/fsx/latest/APIReference/API_DescribeSharedVpcConfiguration.html) API command, shown as follows:

   ```
   $ aws fsx describe-shared-vpc-configuration
   ```

   The service responds to a successful request as follows:

   ```
   {
       "EnableFsxRouteTableUpdatesFromParticipantAccounts": "false"
   }
   ```

1. To manage the Multi-AZ shared VPC configuration, use the [update-shared-vpc-configuration](https://docs.aws.amazon.com/cli/latest/reference/fsx/update-shared-vpc-configuration) CLI command, or the equivalent [UpdateSharedVpcConfiguration](https://docs.aws.amazon.com/fsx/latest/APIReference/API_UpdateSharedVpcConfiguration.html) API command. The following example enables VPC sharing for Multi-AZ file systems.

   ```
   $ aws fsx update-shared-vpc-configuration --enable-fsx-route-table-updates-from-participant-accounts true
   ```

   The service responds to a successful request as follows:

   ```
   {
       "EnableFsxRouteTableUpdatesFromParticipantAccounts": "true"
   }
   ```

1. To disable the feature, set `EnableFsxRouteTableUpdatesFromParticipantAccounts` to `false`, as shown in the following example. 

   ```
   $ aws fsx update-shared-vpc-configuration --enable-fsx-route-table-updates-from-participant-accounts false
   ```

   The service responds to a successful request as follows:

   ```
   {
       "EnableFsxRouteTableUpdatesFromParticipantAccounts": "false"
   }
   ```

# Updating file systems


This topic explains which properties of an existing file system that you can update, and provides procedures to do so using the Amazon FSx console and CLI. You can update the following FSx for ONTAP file system properties using the Amazon FSx console, AWS CLI, and API:
+ **Automatic daily backups**. Turns automatic daily backups on or off, modifies the backup window and the backup retention period. For more information, see [Automatic daily backups](using-backups.md#automatic-backups).
+ **Weekly maintenance window**. Sets the day of the week and time that Amazon FSx performs file system maintenance and updates. For more information, see [Optimizing performance with Amazon FSx maintenance windows](maintenance-windows.md).
+ **File system administrative password**. Changes the password for the file system's `fsxadmin` user. You can use the `fsxadmin` user to administer your file system using the ONTAP CLI and REST API. For more information about the `fsxadmin` user, see [Managing file systems with the ONTAP CLI](managing-resources-ontap-apps.md#fsxadmin-ontap-cli).
+ **Amazon VPC route tables**. With Multi-AZ FSx for ONTAP file systems, the endpoints you use to access data over NFS or SMB and the management endpoints to access the ONTAP CLI, API, and NetApp Console use floating IP addresses in the Amazon VPC route tables that you associate with your file system. You can associate new route tables that you create with your existing Multi-AZ file systems—allowing you to configure which clients can access your data even as your network evolves. You can also disassociate (remove) existing route tables from your file system.
**Note**  
Amazon FSx manages VPC route tables for Multi-AZ file systems using tag-based authentication. These route tables are tagged with `Key: AmazonFSx; Value: ManagedByAmazonFSx`. When creating or updating FSx for ONTAP Multi-AZ file systems using CloudFormation we recommend that you add the `Key: AmazonFSx; Value: ManagedByAmazonFSx` tag manually.

## To update a file system (console)


The following procedures provide you with instructions on how to make updates to an existing FSx for ONTAP file system using the AWS Management Console.

**To update automatic daily backups**

1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. To display the file system details page, in the left navigation pane, choose **File systems**, and then choose the FSx for ONTAP file system that you want to update.

1. Choose the **Backups** tab in the second panel on the page.

1. Choose **Update**.

1. Modify the automatic daily backup settings for this file system.

1. Choose **Save** to save your changes.

**To update the weekly maintenance window**

1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. To display the file system details page, in the left navigation pane, choose **File systems**, and then choose the FSx for ONTAP file system that you want to update.

1. Choose the **Administration** tab in the second panel on the page.

1. In the **Maintenance** pane, choose **Update**.

1. Modify when the weekly maintenance window occurs for this file system.

1. Choose **Save** to save your changes.

**To change the file system administrative password**

1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. To display the file system details page, in the left navigation pane, choose **File systems**, and then choose the FSx for ONTAP file system that you want to update.

1. Choose the **Administration** tab.

1. In the **ONTAP administration** panel, choose **Update** under **ONTAP administrator password**.

1. In the **Update ONTAP administrator credentials** dialog box, enter a new password in the **ONTAP administrative password** field.

1. Use the **Confirm password** field to confirm the password.

1. Choose **Update credentials** to save your change.
**Note**  
If you receive an error stating that the new password does not meet the password requirements, you can use the [https://docs.netapp.com/us-en/ontap-cli-9141/security-login-role-config-show.html#description](https://docs.netapp.com/us-en/ontap-cli-9141/security-login-role-config-show.html#description) ONTAP CLI command to view the password requirement settings on the file system. For more information, including instructions on how to change password setting, see [Updating the `fsxadmin` account password fails](updating-admin-password.md).

**To update VPC route tables on Multi-AZ file systems**

1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. To display the file system details page, in the left navigation pane, choose **File systems**, and then choose the FSx for ONTAP file system that you want to update.

1. For **Actions**, choose **Update file system > Update route tables**. Or, in the **Network & security** panel, choose **Manage** next to the file system's **Route tables**.

1. In the **Manage route tables** dialog box. do one of the following:
   + To associate a new VPC route table, select a route table from the **Associate new route tables** dropdown list, and then choose **Associate**.
   + To disassociate an existing VPC route table, select a route table from the **Current route tables** pane, and then choose **Disassociate**.

1. Choose **Close**.

## To update a file system (CLI)


The following procedure illustrates how to make updates to an existing FSx for ONTAP file system using the AWS CLI.

1. To update the configuration of an FSx for ONTAP file system, use the [update-file-system](https://docs.aws.amazon.com/cli/latest/reference/fsx/update-file-system.html) CLI command (or the equivalent [UpdateFileSystem](https://docs.aws.amazon.com/fsx/latest/APIReference/API_UpdateFileSystem.html) API operation), as shown in the following example.

   ```
   aws fsx update-file-system \
       --file-system-id fs-0123456789abcdef0 \
       --ontap-configuration AutomaticBackupRetentionDays=30,DailyAutomaticBackupStartTime=01:00, \
         WeeklyMaintenanceStartTime=1:01:30,AddRouteTableIds=rtb-0123abcd, \
         FsxAdminPassword=new-fsx-admin-password
   ```

1. To disable automatic daily backups, set the `AutomaticBackupRetentionDays` property to 0.

   ```
   aws fsx update-file-system \
       --file-system-id fs-0123456789abcdef0 \
       --ontap-configuration AutomaticBackupRetentionDays=0
   ```

# Managing high-availability (HA) pairs
Managing HA pairs

Each FSx for ONTAP file system is powered by one or more high-availability (HA) pairs of file servers in an active-standby configuration. In this configuration, there is a preferred file server that actively serves traffic and a secondary file server that takes over if the active server is unavailable. FSx for ONTAP first-generation file systems are powered by one HA pair, which delivers up to 4 GBps of throughput capacity and 160,000 SSD IOPs. FSx for ONTAP second-generation Multi-AZ file systems are powered by one HA pair as well, and they deliver up to 6 GBps of throughput capacity and 200,000 SSD IOPS. FSx for ONTAP second-generation Single-AZ file systems are powered by up to 12 HA pairs, which can deliver up to 72 GBps of throughput capacity and 2,400,000 SSD IOPS (6 GBps of throughput capacity and 200,000 SSD IOPS per HA pair). 

When you create your file system from the Amazon FSx console, Amazon FSx recommends the number of HA pairs that you should use based on your desired SSD storage. You can also manually choose the number of HA pairs based on your workload and performance requirements. We recommend that you use a single HA pair if your file system requirements are satisfied by up to 6 GBps of throughput capacity and 200,000 SSD IOPs, and multiple HA pairs if your workloads need higher levels of performance scalability. 

Each HA pair has one aggregate, which is a logical set of physical disks. 

**Note**  
You can add HA pairs to second-generation Single-AZ file systems. For more information, see [Adding high-availability (HA) pairs](adding-HA-pairs.md). Otherwise, you can migrate data between file systems (with different HA pairs) using SnapMirror, AWS DataSync, or by restoring your data from a backup to a new file system. 

# Adding high-availability (HA) pairs
Adding HA pairs

FSx for ONTAP file systems are composed of one or more HA pairs of file servers. First-generation file systems and second-generation Multi-AZ file systems support one HA pair whereas second-generation Single-AZ file systems support up to 12 HA pairs. You can also add more HA pairs after creating a second-generation Single-AZ file system (up to the maximum of 12). Adding HA pairs isn't disruptive and typically takes only a few minutes to complete.

Consider the following points when adding HA pairs to your file system:
+ Adding HA pairs to your file system introduces new file servers with their own storage (or aggregate). The new HA pairs have the same throughput capacity and storage capacity as your file system's existing HA pairs. For example, assume that your file system has two HA pairs with a total of 12 GBps of throughput capacity and 2 tebibytes (TiB) of SSD storage. If you add one new HA pair, then your file system will have 18 GBps of throughput capacity and 3 TiB of SSD storage. 
+ To benefit from the additional performance of the new HA pairs, you need to move some of your existing volumes to the new HA pairs and remount clients to connect to them. For more information, see [Balancing workloads across HA pairs](monitor-workload-balance.md).
+ You can't modify your file system's throughput capacity, SSD storage capacity, or provisioned SSD IOPS when adding HA pairs or while an update to add HA pairs is in progress.
+ You can't remove HA pairs after you add them. We recommend scaling the throughput capacity of your file system if you need more performance temporarily (assuming that your file system isn't at the highest throughput capacity). This increases the throughput capacity of your file system's existing HA pairs. 
+ The iSCSI protocol is available on file systems that have six or fewer high-availability pairs (HA pairs). The NVMe/TCP protocol is available on second-generation file systems that have six or fewer HA pairs. For more information, see [Accessing your FSx for ONTAP data](supported-fsx-clients.md).
+ When you add new HA pairs to your file system, the NVMe cache is enabled by default for the new file system nodes. We recommend disabling it for throughput-heavy workloads. For more information, see [Managing the NVMe cache](nvme-cache.md).

**To add HA pairs**

1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. To display the file system details page, in the left navigation pane, choose **File systems**, and then choose the FSx for ONTAP file system that you want to update.

1. On the **Summary** panel, for **Number of HA pairs**, choose **Update**.

1. From the **HA Pairs** dropdown, select the number of HA pairs that you want to add to your file system.

1. Choose the **Update** button.

After you add HA pairs, it's important to rebalance your existing data to ensure that your I/O remains evenly distributed across your file system's HA pairs. For more information, see [Balancing workloads across HA pairs](monitor-workload-balance.md).

# Balancing workloads across HA pairs
Balancing HA pairs

If you have a file system with multiple high-availability (HA) pairs, then its throughput and storage are spread across each of your HA pairs. FSx for ONTAP automatically balances your files as they are written to your file system, but your workload data and I/O are no longer balanced once you add HA pairs. Additionally, in rare cases, your workload data or I/O could become unbalanced across your file system's existing HA pairs, which can impact your workload's overall performance. If your workload is ever imbalanced, you can rebalance it across each of your file system’s HA pairs (and their commensurate file servers and *aggregates*—the storage pools which make up your primary storage tier).

**Topics**
+ [

## Primary storage utilization balance
](#primary-storage-balance)
+ [

## File server and disk performance utilization imbalance
](#server-disk-imbalance)
+ [

## Mapping CloudWatch dimensions to ONTAP CLI and REST API resources
](#map-dimensions-to-resources)
+ [

## Rebalancing clients
](#rebalancing-clients)
+ [

## Rebalancing volumes
](#rebalancing-volumes)

## Primary storage utilization balance


Your file system’s primary storage capacity is divided evenly among each of your HA pairs in storage pools called aggregates. Each HA pair has one aggregate. We recommend that you maintain an average utilization no higher than 80% for your primary storage tier on an ongoing basis. For file systems with multiple HA pairs, we recommend that you maintain an average utilization of up to 80% for every aggregate.

Maintaining 80% utilization ensures there is free space for new incoming data, and maintains a healthy overhead for maintenance operations which can temporarily claim free space on your aggregates.

If you notice that your aggregates are imbalanced, you can either increase your file system’s primary storage capacity (commensurately increasing the storage capacity of each aggregate), or you can move your volumes between aggregates. For more information, see [Moving volumes between aggregates](moving-fg-volumes.md).

## File server and disk performance utilization imbalance


Your file system’s total performance capabilities (such as the network throughput, file server to disk throughput and IOPS, and disk IOPS) is divided evenly among your file system’s HA pairs. We recommend that you maintain an average utilization below 50% (and a maximum peak utilization below 80%) for all performance limits on an ongoing basis—this goes for both the overall utilization of your file system’s file server resources across all HA pairs, as well as on a per-file server basis.

If you notice that your file server performance utilization is imbalanced—and the file servers on which your workload is imbalanced have an ongoing utilization of over 80%—you can use the ONTAP CLI and REST API to further diagnose the cause of performance imbalance and remediate it. Following is a table of possible imbalance indicators and next steps for further diagnosis.


| If your file system's... | Then... | 
| --- | --- | 
| File server disk throughput or file server disk IOPS are imbalanced | You may be experiencing I/O hotspotting on a subset of HA pairs (a subset of your volumes containing an outsized amount of data being accessed) which can limit your workload's overall performance because it's bottlenecked against a subset of HA pairs. For each highly-utilized file server, check the most-utilized volumes to see which volumes have the most activity within an aggregate. For more information on this procedure, see [Rebalancing volumes](#rebalancing-volumes). | 
| Network throughput is imbalanced, but your file server disk throughput, file server disk IOPS, or disk IOPS are not imbalanced  | Your data is evenly-distributed across HA pairs, but your clients are not. For the file servers which have more network throughput utilization than others, check the top clients for each file server, then rebalance those clients by unmounting any volumes from those clients and remounting them using a different endpoint on a different HA pair. For more information on this procedure, see [Rebalancing clients](#rebalancing-clients).  | 

## Mapping CloudWatch dimensions to ONTAP CLI and REST API resources


Your second-generation file system has Amazon CloudWatch metrics with the `FileServer` or `Aggregate` dimension. In order to further diagnose cases of imbalance, you need to map these dimension values to specific file servers (or *nodes*) and aggregates in the ONTAP CLI or REST API.
+ For file servers, each file server name maps to a file server (or node) name in ONTAP (for example, `FsxId01234567890abcdef-01`). Odd-numbered file servers are preferred file servers (that is, they service traffic unless the file system has failed over to the secondary file server), while even-numbered file servers are secondary file servers (that is, they serve traffic only when their partner is unavailable). Because of this, secondary file servers will typically show less utilization than preferred file servers.
+ For aggregates, each aggregate name maps to an aggregate in ONTAP (for example, `aggr1`). There is one aggregate for every HA pair, meaning aggregate `aggr1` is shared by file servers `FsxId01234567890abcdef-01` (the active file server) and `FsxId01234567890abcdef-02` (the secondary file server) in an HA pair, aggregate `aggr2` is shared by file servers `FsxId01234567890abcdef-03` and `FsxId01234567890abcdef-04`, and so on.

You can view the mappings between all aggregates and file servers using the ONTAP CLI.

1.  To SSH into the NetApp ONTAP CLI of your file system, follow the steps documented in the [Using the NetApp ONTAP CLI](managing-resources-ontap-apps.md#netapp-ontap-cli) section of the *Amazon FSx for NetApp ONTAP User Guide*.

   ```
   ssh fsxadmin@file-system-management-endpoint-ip-address
   ```

1. Use the [storage aggregate show](https://docs.netapp.com/us-en/ontap-cli-9131/storage-aggregate-show.html) command, specifying the `-fields node` parameter.

   ```
   ::> storage aggregate show -fields node
   aggregate                       node                      
   ------------------------------- ------------------------- 
   aggr1                           FsxId01234567890abcdef-01
   aggr2                           FsxId01234567890abcdef-03
   aggr3                           FsxId01234567890abcdef-05 
   aggr4                           FsxId01234567890abcdef-07
   aggr5                           FsxId01234567890abcdef-09
   aggr6                           FsxId01234567890abcdef-11 
   6 entries were displayed.
   ```

## Rebalancing clients


After adding HA pairs or if you’re experiencing I/O imbalance across file servers (specifically with network throughput utilization), you can rebalance your clients. If you’re rebalancing clients after adding HA pairs, you can skip to [Remounting clients](#remounting-clients). Otherwise, you should first identify high-traffic clients you want to move to rebalance your workload I/O. 

If you're experiencing I/O imbalance across file servers (specifically with Network throughput utilization), high I/O clients may be the cause. To identify high-traffic clients, use the ONTAP CLI.

**Identify high-traffic clients**

1. To SSH into the NetApp ONTAP CLI of your file system, follow the steps documented in the [Using the NetApp ONTAP CLI](managing-resources-ontap-apps.md#netapp-ontap-cli) section of the *Amazon FSx for NetApp ONTAP User Guide*.

   ```
   ssh fsxadmin@file-system-management-endpoint-ip-address
   ```

1. To view the highest-traffic clients, use the [statistics top client show](https://docs.netapp.com/us-en/ontap-cli-9131/statistics-top-client-show.html) ONTAP CLI command. You can optionally specify the `-node` parameter to only view the top clients for a specific file server. If you are diagnosing imbalance for a specific file server, use the `-node` parameter, replacing `node_name` with the name of the file server (for example, `FsxId01234567890abcdef-01`).

   You can optionally add the `-interval` parameter, providing the interval over which to measure (in seconds) before each report is output. Increasing the interval (for example, to the maximum 300 seconds) provides a longer-term sample for the amount of traffic driven to each volume. The default is `5` (seconds).

   ```
   ::> statistics top client show -node FsxId01234567890abcdef-01 [-interval [5,300]]
   ```

   In the output, the top clients are shown by their IP address and port.

   ```
                                                          *Total     Total
               Client   Vserver          Node                Ops     (Bps)
   ------------------ --------- ------------------------- ------ ---------
    172.17.236.53:938 svm01     FsxId01234567890abcdef-01   2143 140443648
   172.17.236.160:898 svm02     FsxId01234567890abcdef-01    812  53215232
   ```<a name="remounting-clients"></a>

**Remounting clients**
+ You can rebalance clients to other HA pairs. To do so, unmount the volume from the client and remount it using the DNS name for the SVM’s NFS/SMB endpoint—this returns a random endpoint corresponding to a random HA pair.

  We recommend you re-use the DNS name, but you have the option to explicitly choose which HA pair a given client mounts. To guarantee that you are mounting a client to a different endpoint, you can instead specify a different endpoint IP address than the one that corresponds to the file server that is experiencing high traffic. You can do so by running the following command:

  ```
  ::> network interface show -vserver svm_name -lif nfs_smb_management* -fields address,curr-node
  vserver   lif                  address      curr-node                 
  --------- -------------------- ------------ ------------------------- 
  svm01 nfs_smb_management_1 172.31.15.89 FsxId01234567890abcdef-01 
  svm01 nfs_smb_management_3 172.31.8.112 FsxId01234567890abcdef-03 
  2 entries were displayed.
  ```

  According to the example output for the `statistics top client show` command, client `172.17.236.53` is driving high traffic to `FsxId01234567890abcdef-01`. The output of the `network interface show` command indicates this is the address `172.31.15.89`. To mount to a different endpoint, select any other address (in this example, the only other address is `172.31.8.112`, corresponding to `FsxId01234567890abcdef-03`).

## Rebalancing volumes


If you're experiencing I/O imbalance across your volumes or aggregates, you can rebalance volumes in order to redistribute your I/O traffic across your volumes.

**Note**  
If you're experiencing storage utilization imbalance across your aggregates, there is generally not any performance impact unless the high utilization is coupled with I/O imbalance. While you can move volumes between aggregates to balance storage utilization, we recommend only moving volumes if you are seeing a performance impact, as moving volumes can have adverse impact on performance if you don't also consider the I/O driven to each volume you're considering moving.

1. To SSH into the NetApp ONTAP CLI of your file system, follow the steps documented in the [Using the NetApp ONTAP CLI](managing-resources-ontap-apps.md#netapp-ontap-cli) section of the *Amazon FSx for NetApp ONTAP User Guide*.

   ```
   ssh fsxadmin@file-system-management-endpoint-ip-address
   ```

1. Use the [statistics volume show](https://docs.netapp.com/us-en/ontap-cli-9131/statistics-volume-show.html) ONTAP CLI command to view the highest-traffic volumes for a given aggregate, with the following changes:
   + Replace *aggregate\$1name* with the aggregate’s name (for example, `aggr1`).
   + You can optionally add the `-interval` parameter, providing the interval over which to measure (in seconds) before each report is output. Increasing the interval (for example, to the maximum 300 seconds) provides a longer-term sample for the amount of traffic driven to each volume. The default is `5` (seconds).

   ```
   ::> statistics volume show -aggregate aggregate_name -sort-key total_ops [-interval [5,300]]
   ```

   Depending on the interval you chose, it can take up to 5 minutes to show data. The command shows all volumes in the aggregate, along with the amount of traffic being driven to each aggregate.

   ```
                                *Total Read Write Other      Read Write Latency 
       Volume Vserver Aggregate    Ops  Ops   Ops   Ops     (Bps) (Bps)    (us) 
   ---------- ------- --------- ------ ---- ----- ----- --------- ----- ------- 
   vol1__0007    svm1     aggr1   4078 4078     0     0 267255808     0    1092 
   vol1__0005    svm1     aggr1   4078 4078     0     0 267255808     0    1086 
   vol1__0003    svm1     aggr1   4077 4077     0     0 267223040     0    1086 
   vol1__0001    svm1     aggr1   4077 4077     0     0 267239424     0    1087 
   vol1__0008    svm1     aggr2   2314 2314     0     0 151650304     0    1112 
   vol1__0006    svm1     aggr2   2144 2144     0     0 140509184     0    1104 
   vol1__0002    svm1     aggr2   2183 2183     0     0 143065088     0    1106 
   vol1__0004    svm1     aggr2   2183 2183     0     0 143065088     0    1103
   ```

   The volume statistics are shown on a per-constituent basis (for example, `vol1__0015` is the 15th constituent for FlexGroup `vol1`). You can see from the example output, the constituents for `aggr1` are more highly-utilized than the constituents for `aggr2`. To balance traffic between aggregates, you can move the constituent volumes between aggregates so that traffic is more evenly distributed.

1. If you have added new HA pairs, then you should move existing volumes to new aggregates. For more information, see [Moving volumes between aggregates](moving-fg-volumes.md).

# Managing the NVMe cache
Managing the NVMe cache

The NVMe cache is enabled by default on your second-generation file system. If your second-generation file system has a throughput-heavy workload, you can disable the NVMe cache to improve performance. The following procedure explains how to enable, disable, and validate your file system's NVMe cache.

**To manage the NVMe cache**

1. SSH into your ONTAP file system. For more information, see [Using the NetApp ONTAP CLI](managing-resources-ontap-apps.md#netapp-ontap-cli).

   ```
   ssh fsxadmin@file-system-management-endpoint-ip-address
   ```

1. Use the [https://docs.netapp.com/us-en/ontap-cli-9131/system-node-external-cache-modify.html](https://docs.netapp.com/us-en/ontap-cli-9131/system-node-external-cache-modify.html) ONTAP CLI commnd. Choose **true** to enable the NVMe cache or **false** to disable it.

   ```
   ::> system node external-cache modify -node * -is-enabled [true|false]
   ```

1. Use the [https://docs.netapp.com/us-en/ontap-cli-9131/system-node-external-cache-show.html](https://docs.netapp.com/us-en/ontap-cli-9131/system-node-external-cache-show.html) ONTAP CLI command to check if the NVMe cache is enabled or disabled.

   ```
   ::> system node external-cache show -node * -fields is-enabled
   ```

The NVMe cache is enabled or disabled on a per-node basis. When you add new high-availability (HA) pairs to your file system, each new node has the same default behavior of a new file system's nodes. Therefore, the NVMe cache would be enabled for any new nodes on a file system even if the existing nodes have it disabled. For more information, see [Adding high-availability (HA) pairs](adding-HA-pairs.md).

# Managing network type
Managing network type

When you create an FSx for ONTAP file system, you must specify a network type, which must be one of the following options:
+ `IPv4` allows your file system to communicate using only Internet Protocol version 4 (IPv4).
+ `Dual-stack` allows your file system to communicate using both Internet Protocol version 6 (IPv6) and IPv4.

You can change the network type of an existing FSx for ONTAP file system at any time using the Amazon FSx Management Console, AWS CLI, AWS API, or one of the AWS SDKs. For example, if your subnets support both IPv4 and IPv6 addressing, you can update your existing file system from IPv4-only to dual-stack mode, You can also update your dual-stack file system to IPv4-only.

## Using dual-stack mode


You should use dual-stack mode if you need to access and manage your Amazon FSx file systems natively from IPv6 clients. By configuring your Amazon FSx file system to use dual-stack addressing, you can access your file data from IPv6 clients, as well as IPv4 clients, in the same Amazon VPC, in another AWS account's VPC, or in your on-premises network. For example, with an Amazon FSx file system configured to use dual-stack, you can have existing IPv4 clients and new IPv6 clients accessing your file data stored on your file system.

By default, Amazon FSx and Amazon VPC use the IPv4 addressing protocol. So as a prerequisite to using IPv6, you must first assign an Amazon-provided IPv6 Classless Inter-Domain Range (CIDR) block to your VPC and subnets before you can use IPv6 with your Amazon FSx file systems. For information on enabling IPv6 for your VPC, see [Add IPv6 support for your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-migrate-ipv6-add.html) in the *Amazon Virtual Private Cloud User Guide*.

When creating FSx for ONTAP file systems set to dual-stack mode, you can specify the IPv6 address range, in addition to the existing IPv4 address range, in which the endpoints to access your file system will be created. By default, Amazon FSx chooses a block of 1024 IP addresses from one of the VPC's IPv6 CIDR ranges to use as the endpoint IPv6 address range for the file system.

## Changing network type


You can modify a file system's network type using the Amazon FSx console, the AWS Command Line Interface (AWS CLI), or the Amazon FSx API.

### To change a file system's network type (console)


1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. Navigate to **File systems**, and choose the FSx for ONTAP file system that you want to change the network type for.

1. For **Actions**, choose **Update network type**. Or, in the **Network & security** panel, choose **Manage** next to the file system's **Network type**.

   The **Update network type** window appears.

1. For **Desired network type**, choose either **IPv4** or **Dual-stack**.
   + If you choose `IPv4`, no further configuration is required.
   + If you choose `Dual-stack`, specify the IPv6 address range that your file system endpoints will use:
     + **Unallocated IPv6 address range from your VPC** – Amazon FSx chooses an available /118 IP address range from one of the VPC's IPv6 CIDR ranges to use as the endpoint IPv6 address range for the file system.
     + **Enter an IPv6 address range** – You can provide an IPv6 CIDR range of your own choosing. The IP address range that you choose can either be inside or outside the VPC’s IP address range, as long as it doesn't overlap with any subnet.

1. Choose **Update**.

### To modify a file system's network type (CLI)

+ To modify a file system's network type, use the [update-file-system](https://docs.aws.amazon.com/cli/latest/reference/fsx/update-file-system.html) CLI command (or the equivalent [UpdateFileSystem](https://docs.aws.amazon.com/fsx/latest/APIReference/API_UpdateFileSystem.html) API operation), as shown in the following example.

  ```
  aws fsx update-file-system \
      --file-system-id fs-0123456789abcdef0 \
      --network-type DUAL
  ```

# Monitoring file system details


You can view detailed configuration information for your FSx for ONTAP file system using the Amazon FSx console, the AWS CLI, and the API and supported AWS SDKs.

**To view detailed file system information:**
+ **Using the console** – Choose a file system to view the **File systems** detail page. The **Summary** panel shows the file system's ID, life cycle status, deployment type, SSD storage capacity, throughput capacity, provisioned IOPS, Availability Zones, and creation time.

  The following tabs provide detailed configuration information and editing for properties that can be modified:
  + Network & security – Displays the following file system administration information:
    + Default Amazon VPC
    + Amazon VPC route tables associated with a Multi-AZ file system
    + File system's network type (IPv4-only or dual-stack)
    + Endpoint IPv4 or IPv6 address range
    + The AWS Key Management Service (AWS KMS) key ID
  + Monitoring & performance – Displays CloudWatch alarms you've created, and metrics and warnings for the following categories:
    + Summary – high level summary of file system activity metrics
    + File system storage capacity
    + File server and disk performance

    For more information, see [Monitoring with Amazon CloudWatch](monitoring-cloudwatch.md).
  + Administration – Displays the following file system administration information:
    + The DNS names and IP addresses of the file system's management and inter-cluster endpoints.
    + The ONTAP administrator username.
    + The option to update the ONTAP administrator password.
  + List of the file system's SVMs
  + List of the file system's volumes
  + Backup settings – change the file system's automatic daily backup setting.
  + Updates – shows the status of user initiated updates made to the file system's configuration.
  + Tags – view, edit, add, remove tag Key:Value pairs.
+ **Using the CLI or API **– Use the [describe-file-systems](https://docs.aws.amazon.com/cli/latest/reference/fsx/describe-file-systems.html) CLI command or the [DescribeFileSystems](https://docs.aws.amazon.com/fsx/latest/APIReference/API_DescribeFileSystems.html) API operation.

## FSx for ONTAP file system status
File system status

You can view the status of an Amazon FSx file system by using the Amazon FSx console, the AWS CLI command [describe-file-systems](https://docs.aws.amazon.com/cli/latest/reference/fsx/describe-file-systems.html), or the API operation [DescribeFileSystems](https://docs.aws.amazon.com/fsx/latest/APIReference/API_DescribeFileSystems.html).


| File system status  | Description | 
| --- | --- | 
|  AVAILABLE  |  The file system has been successfully created and is available for use.  | 
|  CREATING  |  Amazon FSx is creating a new file system.  | 
|  DELETING  |  Amazon FSx is deleting an existing file system.  | 
|  MISCONFIGURED  |  The file system is in a misconfigured but recoverable state.  | 
|  FAILED  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/viewing-file-system.html)  | 

# Deleting file systems


You can delete an FSx for ONTAP file system using the Amazon FSx console, the AWS CLI, and the Amazon FSx API and SDKs.

**To delete a file system:**
+ **Using the console** – Follow the procedure described in [Cleaning up resources](getting-started.md#getting-started-step3).
+ **Using the CLI or API** – First delete all the volumes and SVMs on your file system. Then use the [delete-file-system](https://docs.aws.amazon.com/cli/latest/reference/fsx/delete-file-system.html) CLI command or the [DeleteFileSystem](https://docs.aws.amazon.com/fsx/latest/APIReference/API_DeleteFileSystem.html) API operation.

# Managing FSx for ONTAP storage virtual machines
Managing SVMs

In FSx for ONTAP, volumes are hosted on virtual file servers called storage virtual machines (SVMs). An SVM is an isolated file server with its own administrative credentials and endpoints for administering and accessing data. When you access data in FSx for ONTAP, your clients and workstations mount a volume, SMB share, or iSCSI LUN hosted by an SVM using the SVM's endpoint (IP address).

Amazon FSx automatically creates a default SVM on your file system when you create a file system using the AWS Management Console. You can create additional SVMs on your file system at any time using the console, AWS CLI, or Amazon FSx API and SDKs. You cannot create SVMs using the ONTAP CLI or REST API.

You can join your SVMs to a Microsoft Active Directory for file access authentication and authorization. For more information, see [Working with Microsoft Active Directory in FSx for ONTAP](ad-integration-ontap.md).

## Maximum number of SVMs per file system


The following table lists the maximum number of SVMs that you can create for a file system. The maximum number of SVMs depends on the amount of throughput capacity provisioned in megabytes per second (MBps), and also on the file system's [network type](manage-network-type.md).

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/managing-svms.html)

**Topics**
+ [

## Maximum number of SVMs per file system
](#max-svms)
+ [

# Creating storage virtual machines (SVM)
](creating-svms.md)
+ [

# Updating storage virtual machines (SVM)
](updating-svms.md)
+ [

# Managing SVM Microsoft Active Directory configurations
](manage-svm-ad-config-secrets-manager.md)
+ [

# Auditing file access
](file-access-auditing.md)
+ [

# Setting up an SMB server in a workgroup
](smb-server-workgroup-setup.md)
+ [

# Monitoring storage virtual machine (SVM) configuration details
](viewing-svms.md)
+ [

# Deleting storage virtual machines (SVM)
](deleting-svms.md)

# Creating storage virtual machines (SVM)
Creating SVMs

You can create an FSx for ONTAP SVM using the AWS Management Console, AWS CLI, and API.

The maximum number of SVMs you can create for a file system depends on your file system's deployment type, network type, and the amount of throughput capacity provisioned. For more information, see [Maximum number of SVMs per file system](managing-svms.md#max-svms).

## SVM properties


When creating an SVM, you define the following properties:
+ The FSx for ONTAP file system to which it belongs.
+ The Microsoft Active Directory (AD) configuration – You can optionally join your SVM to a self-managed AD for authentication and access control of Windows and macOS clients. For more information, see [Working with Microsoft Active Directory in FSx for ONTAP](ad-integration-ontap.md).
+ The root volume security style – Set the root volume security style (Unix or NTFS) to align with the type of clients that you're using to access your data within the SVM. For more information, see [Volume security style](managing-volumes.md#volume-security-style).
+ The SVM administrative password – you can optionally set the password for the SVM's `vsadmin` user. For more information, see [Managing SVMs with the ONTAP CLI](managing-resources-ontap-apps.md#vsadmin-ontap-cli).<a name="create-svm-console"></a>

**To create a storage virtual machine (console)**

1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. In the left navigation pane, choose **Storage virtual machines**.

1. Choose **Create new storage virtual machine**.

1. For **File system**, choose the file system to create the storage virtual machine on.

1. In the **Storage virtual machine name** field, provide a name for the storage virtual machine. You can use a maximum of 47 alphanumeric characters, plus the underscore (\$1) special character.

1. For **SVM administrative password**, you can optionally choose **Specify a password** and provide a password for this SVM's `vsadmin` user. You can use the `vsadmin` user to administer the SVM using the ONTAP CLI or REST API. For more information about the `vsadmin` user, see [Managing SVMs with the ONTAP CLI](managing-resources-ontap-apps.md#vsadmin-ontap-cli).

   If you choose **Don't specify a password** (the default), you can still use the file system's `fsxadmin` user to manage your file system using the ONTAP CLI or REST API, but you can't use your SVM's `vsadmin` user to do the same.

1. For **Active Directory**, you have the following options:
   + If you are not joining your file system to an Active Directory (AD), choose **Do not join an Active Directory**.
   + If you are joining your SVM to a self-managed AD domain, choose **Join an Active Directory**, and provide the following details for your AD. For more information, see [Prerequisites for joining an SVM to a self-managed Microsoft AD](self-manage-prereqs.md).
     + The NetBIOS name of the Active Directory computer object to create for your SVM. The NetBIOS name cannot exceed 15 characters. This is the name of this SVM in Active Directory.
     + The fully qualified domain name (FQDN) of your Active Directory. The FQDN cannot exceed 255 characters.
     + **DNS server IP addresses** – The IPv4 or IPv6 addresses of the DNS servers for your domain.
     + **Service account credentials** – Choose how to provide your service account credentials:
       + **Option 1**: AWS Secrets Manager secret ARN - The secret containing the username and password for a service account on your Active Directory domain. For more information, see [Storing Active Directory credentials using AWS Secrets Manager](self-managed-AD-best-practices.md#bp-store-ad-creds-using-secret-manager).
       + **Option 2**: Plaintext credentials
         + **Service account username** – The user name of the service account in your existing Microsoft Active Directory. Don't include a domain prefix or suffix. For example, for `EXAMPLE\ADMIN`, use only `ADMIN`.
         + **Service account password** – The password for the service account.
         + **Confirm password** – The password for the service account.
     + (Optional) **Organizational Unit (OU)** – The distinguished path name of the organizational unit to which you want to join your file system.
     + **Delegated file system administrators group** – The name of the group in your AD that can administer your file system.

       If you are using AWS Managed Microsoft AD, you must specify a group such as AWS Delegated FSx Administrators, AWS Delegated Administrators, or a custom group with delegated permissions to the OU.

       If you are joining to a self-managed AD, use the name of the group in your AD. The default group is `Domain Admins`.

1. For **SVM root volume security style**, choose the security style for the SVM depending on the type of clients that access your data. Choose **Unix (Linux)** if you primarily access your data using Linux clients; choose **NTFS** if you primarily access your data using Windows clients. For more information, see [Volume security style](managing-volumes.md#volume-security-style).

1. Choose **Confirm** to create the storage virtual machine.

You can monitor the update progress on the **File systems** detail page, in the **Status** column of the **Storage virtual machines** pane. The storage virtual machine is ready for use when its status is **Created**.

## To create a storage virtual machine (CLI)

+ To create an FSx for ONTAP storage virtual machine (SVM), use the [create-storage-virtual-machine](https://docs.aws.amazon.com/cli/latest/reference/fsx/create-storage-virtual-machine.html) CLI command (or the equivalent [CreateStorageVirtualMachine](https://docs.aws.amazon.com/fsx/latest/APIReference/API_CreateStorageVirtualMachine.html) API operation), as shown in the following example.

  ```
  aws fsx create-storage-virtual-machine \
      --file-system-id fs-0123456789abcdef0 \
      --name svm1 \
      --svm-admin-password password \
      --active-directory-configuration SelfManagedActiveDirectoryConfiguration='{DomainName="corp.example.com", \
  OrganizationalUnitDistinguishedName="OU=FileSystems,DC=corp,DC=example,DC=com",FileSystemAdministratorsGroup="FSxAdmins", \
  UserName="FSxService",Password="password", \
     DnsIps=["10.0.1.18"]}',NetBiosName=amznfsx12345
  ```

After successfully creating the storage virtual machine, Amazon FSx returns its description in JSON format, as shown in the following example.

```
{
  "StorageVirtualMachine": {
    "CreationTime": 1625066825.306,
    "Endpoints": {
      "Management": {
        "DnsName": "svm-abcdef0123456789a.fs-0123456789abcdef0.fsx.us-east-1.amazonaws.com",
        "IpAddressses": ["198.19.0.4"]    
      },
      "Nfs": {
        "DnsName": "svm-abcdef0123456789a.fs-0123456789abcdef0.fsx.us-east-1.amazonaws.com",
        "IpAddressses": ["198.19.0.4"]    
      },
      "Smb": {
        "DnsName": "amznfsx12345",
        "IpAddressses": ["198.19.0.4"]        
      },
      "SmbWindowsInterVpc": {
        "IpAddressses": ["198.19.0.5", "198.19.0.6"]    
      },
      "Iscsi": {
        "DnsName": "iscsi.svm-abcdef0123456789a.fs-0123456789abcdef0.fsx.us-east-1.amazonaws.com",
        "IpAddressses": ["198.19.0.7", "198.19.0.8"]    
      }
    },
    "FileSystemId": "fs-0123456789abcdef0",
    "Lifecycle": "CREATING",
    "Name": "vol1",
    "ResourceARN": "arn:aws:fsx:us-east-1:123456789012:storage-virtual-machine/fs-0123456789abcdef0/svm-abcdef0123456789a",
    "StorageVirtualMachineId": "svm-abcdef0123456789a",
    "Subtype": "default",
    "Tags": [],
    "ActiveDirectoryConfiguration": {
      "NetBiosName": "amznfsx12345",
      "SelfManagedActiveDirectoryConfiguration": {
        "UserName": "Admin",
        "DnsIps": [
          "10.0.1.3",
          "10.0.91.97"
        ],
        "OrganizationalUnitDistinguishedName": "OU=Computers,OU=customer-ad,DC=customer-ad,DC=example,DC=com",
        "DomainName": "customer-ad.example.com"
      }
    }
  }
}
```

# Updating storage virtual machines (SVM)
Updating SVMs

You can update the following storage virtual machine (SVM) configuration properties using the Amazon FSx console, AWS CLI, and Amazon FSx API:
+ SVM administrative account password.
+ SVM Active Directory (AD) configuration – You can join an SVM to an AD, or modify the AD configuration of an SVM already joined to an AD. For more information, see [Managing SVM Microsoft Active Directory configurations](manage-svm-ad-config-secrets-manager.md).<a name="update-svm-admin-credentials-console"></a>

**To update the SVM administrator account credentials (console)**

1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. Choose the SVM to update as follows:
   + In the left navigation pane, choose **File systems**, and then choose the ONTAP file system for which you want to update an SVM.
   + Choose the **Storage virtual machines** tab.

     –Or–
   + To display a list of all the SVMs available in your AWS account in the current AWS Region, expand **ONTAP** and choose **Storage virtual machines**.

1. Choose the storage virtual machine that you want to update.

1. Choose **Actions > Update administrator password**. The **Update SVM administrative credentials** window appears.

1. Enter the new password for the `vsadmin` user, and confirm it.

1. Choose **Update credentials** to save the new password.

**To update the SVM administrator account credentials (CLI)**
+ To update the configuration of an FSx for ONTAP SVM, use the [update-storage-virtual-machine](https://docs.aws.amazon.com/cli/latest/reference/fsx/update-storage-virtual-machine.html) CLI command (or the equivalent [UpdateStorageVirtualMachine](https://docs.aws.amazon.com/fsx/latest/APIReference/API_UpdateStorageVirtualMachine.html) API operation), as shown in the following example.

  ```
  aws fsx update-storage-virtual-machine \
  --storage-virtual-machine-id svm-abcdef01234567890 \
  --svm-admin-password new-svm-password \
  ```

After successfully creating the storage virtual machine, Amazon FSx returns its description in JSON format, as shown in the following example.

```
{
  "StorageVirtualMachine": {
    "CreationTime": 1625066825.306,
    "Endpoints": {
      "Management": {
        "DnsName": "svm-abcdef01234567890.fs-0123456789abcdef0.fsx.us-east-1.amazonaws.com",
        "IpAddressses": ["198.19.0.4"]    
      },
      "Nfs": {
        "DnsName": "svm-abcdef01234567890.fs-0123456789abcdef0.fsx.us-east-1.amazonaws.com",
        "IpAddressses": ["198.19.0.4"]    
      },
      "Smb": {
        "DnsName": "amznfsx12345",
        "IpAddressses": ["198.19.0.4"]        
      },
      "SmbWindowsInterVpc": {
        "IpAddressses": ["198.19.0.5", "198.19.0.6"]    
      },
      "Iscsi": {
        "DnsName": "iscsi.svm-abcdef01234567890.fs-0123456789abcdef0.fsx.us-east-1.amazonaws.com",
        "IpAddressses": ["198.19.0.7", "198.19.0.8"]    
      }
    },
    "FileSystemId": "fs-0123456789abcdef0",
    "Lifecycle": "CREATING",
    "Name": "vol1",
    "ResourceARN": "arn:aws:fsx:us-east-1:123456789012:storage-virtual-machine/fs-0123456789abcdef0/svm-abcdef01234567890",
    "StorageVirtualMachineId": "svm-abcdef01234567890",
    "Subtype": "default",
    "Tags": [],
    "ActiveDirectoryConfiguration": {
      "NetBiosName": "amznfsx12345",
      "SelfManagedActiveDirectoryConfiguration": {
        "UserName": "Admin",
        "DnsIps": [
          "10.0.1.3",
          "10.0.91.97"
        ],
        "OrganizationalUnitDistinguishedName": "OU=Computers,OU=customer-ad,DC=customer-ad,DC=example,DC=com",
        "DomainName": "customer-ad.example.com"
      }
    }
  }
}
```

# Managing SVM Microsoft Active Directory configurations
Managing SVM Microsoft Active Directory configurations

You can join an SVM to Microsoft Active Directory or modify the Microsoft Active Directory configuration of an SVM that's already joined to Microsoft Active Directory. FSx for ONTAP integrates with AWS Secrets Manager to securely manage your domain join service account credentials.<a name="update-svm-ad-config-console"></a>

**To update SVM Microsoft Active Directory configuration (console)**

1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. Choose the SVM to update as follows:
   + In the left navigation pane, choose **File systems**, and then choose the ONTAP file system for which you want to update an SVM.
   + Choose the **Storage virtual machines** tab.

     –Or–
   + To display a list of all the SVMs available in your AWS account in the current AWS Region, expand **ONTAP** and choose **Storage virtual machines**.

1. Choose the storage virtual machine that you want to update.

1. Choose **Actions > Update Microsoft Active Directory configuration**. The **Update Microsoft Active Directory configuration** window appears.

1. For **Domain join service account credentials**, choose **Managed in Secrets Manager** (recommended) to use Secrets Manager for secure credential management.
**Note**  
Using Secrets Manager eliminates the need to store plaintext credentials and provides centralized credential management. For more information, see [Storing Active Directory credentials using AWS Secrets Manager](self-managed-AD-best-practices.md#bp-store-ad-creds-using-secret-manager).

1. For **Secret**, choose an existing secret from Secrets Manager that contains your updated domain join service account credentials, or choose **Create new secret** to create one.

1. Update other Microsoft Active Directory configuration fields as needed for your environment.

1. Choose **Update configuration** to save the changes.

**To update SVM Microsoft Active Directory configuration (CLI)**
+ To update the Microsoft Active Directory configuration of an FSx for ONTAP SVM, use the [update-storage-virtual-machine](https://docs.aws.amazon.com/cli/latest/reference/fsx/update-storage-virtual-machine.html) CLI command with the `--active-directory-configuration` parameter, as shown in the following example.

  ```
  aws fsx update-storage-virtual-machine \
  --storage-virtual-machine-id svm-abcdef01234567890 \
  --active-directory-configuration DomainJoinServiceAccountSecret=secret-arn
  ```

# Auditing file access


Amazon FSx for NetApp ONTAP supports auditing of end-user accesses to files and directories in a storage virtual machine (SVM).

**Topics**
+ [

## File access auditing overview
](#auditing-overview)
+ [

## Overview of tasks for setting up file access auditing
](#auditing-tasks)

## File access auditing overview


File access auditing enables you to record end-user accesses of individual files and directories based on audit policies you define. File access auditing can help you improve your system's security and reduce the risk of unauthorized access to your system data. File access auditing helps your organizations remain compliant with data protection requirements, identify potential threats early, and reduce the risk of a data breach.

Across file and directory accesses, Amazon FSx supports logging of successful attempts (such as a user with sufficient permissions successfully accessing a file), failed attempts, or both. You can also turn off file access auditing at any time.

By default, audit event logs are stored in the `EVTX` file format, which allows you to view them using Microsoft Event Viewer.

### SMB access events that can be audited


The following table lists the SMB file and folder access events can be audited.


****  

| Event ID (EVT/EVTX) | Event | Description | Category | 
| --- | --- | --- | --- | 
|  560/4656  |  Open Object/Create Object  |  OBJECT ACCESS: Object (file or directory) open  |  File Access  | 
|  563/4659  |  Open Object with the Intent to Delete  |  OBJECT ACCESS: A handle to an object (file or directory) was requested with the Intent to Delete  |  File Access  | 
|  564/4660  |  Delete Object  |  OBJECT ACCESS: Delete Object (file or directory). ONTAP generates this event when a Windows client attempts to delete the object (file or directory)  |  File Access  | 
|  567/4663  |  Read Object/Write Object/Get Object Attributes/Set Object Attributes  |  OBJECT ACCESS: Object access attempt (read, write, get attribute, set attribute). For this event, ONTAP audits only the first SMB read and first SMB write operation (success or failure) on an object. This prevents ONTAP from creating excessive log entries when a single client opens an object and performs many successive read or write operations to the same object.  |  File Access  | 
|  N/A/4664  |  Hard link  |  OBJECT ACCESS: An attempt was made to create a hard link  |  File Access  | 
|  N/A/N/A ONTAP Event ID 9999  |  Rename Object  |  OBJECT ACCESS: Object renamed. This is an ONTAP event. It is not currently supported by Windows as a single event.  |  File Access  | 
|  N/A/N/A ONTAP Event ID 9998  |  Unlink Object  |  OBJECT ACCESS: Object unlinked. This is an ONTAP event. It is not currently supported by Windows as a single event.  |  File Access  | 

### NFS access events that can be audited


The following NFS file and folder access events can be audited.
+ READ
+ OPEN
+ CLOSE
+ READDIR
+ WRITE
+ SETATTR
+ CREATE
+ LINK
+ OPENATTR
+ REMOVE
+ GETATTR
+ VERIFY
+ NVERIFY
+ RENAME

## Overview of tasks for setting up file access auditing


Setting up FSx for ONTAP for file access auditing involves the following high-level tasks:

1. [Familiarize yourself](#auditing-requirements) with the file access auditing requirements and considerations.

1. [Create an auditing configuration](#create-audit-config) on a specific SVM.

1. [Enable auditing](#enable-auditing) on that SVM.

1. [Configure audit policies](#file-audit-policies) on your files and directories.

1. [View the audit event logs](#view-audit-logs) after FSx for ONTAP emits them.

Task details are provided in the following procedures.

Repeat the tasks for any other SVM on your file system that you want to enable file access auditing for.

### Auditing requirements


Before you configure and enable auditing on an SVM, you should be aware of the following requirements and considerations.
+ NFS auditing supports audit Access Control Entries (ACEs) designated as type `u`, which generate an audit log entry when access is attempted on the object. For NFS auditing, there is no mapping between mode bits and audit ACEs. When converting ACLs to mode bits, audit ACEs are skipped. When converting mode bits to ACLs, audit ACEs are not generated.
+ Auditing is dependent on having available space in the staging volumes. (A staging volume is dedicated volume created by ONTAP to store staging files, which are intermediate binary files on individual nodes where audit records are stored prior to conversion to an EVTX or XML file format.) You must ensure that there is sufficient space for the staging volumes in aggregates that contain audited volumes.
+ Auditing is dependent on having available space in the volume containing the directory where converted audit event logs are stored. You must ensure that there is sufficient space in the volumes used to store event logs. You can specify the number of audit logs to retain in the auditing directory by using the `-rotate-limit` parameter when creating an auditing configuration, which can help to ensure that there is enough available space for the audit logs in the volume.

### Creating auditing configurations on SVMs


Before you can begin auditing file and directory events, you must create an auditing configuration on the Storage Virtual Machine (SVM). After you create the auditing configuration, you must enable it on the SVM.

Before you use the `vserver audit create` command to create the auditing configuration, make sure you've created a directory to be used as the destination for logs, and that the directory doesn't have symlinks. You specify the destination directory with the `-destination` parameter.

You can create an auditing configuration that rotates audit logs based on log size or a schedule, as follows:
+ To rotate audit logs based on log size, use this command:

  ```
  vserver audit create -vserver svm_name -destination path [-format {xml|evtx}] [-rotate-limit integer] [-rotate-size {integer[KB|MB|GB|TB|PB]}]
  ```

  The following example creates an auditing configuration for the SVM named `svm1` that audits file operations and CIFS (SMB) logon and logoff events (the default) using size-based rotation. The log format is `EVTX` (the default), logs are stored in the `/audit_log` directory, and you'll have a single log file at a time (up to 200MB in size).

  ```
  vserver audit create -vserver svm1 -destination /audit_log -rotate-size 200MB
  ```
+ To rotate audit logs based on a schedule, use this command:

  ```
  vserver audit create -vserver svm_name -destination path [-format {xml|evtx}]
          [-rotate-limit integer] [-rotate-schedule-month chron_month]
          [-rotate-schedule-dayofweek chron_dayofweek] [-rotate-schedule-day chron_dayofmonth]
          [-rotate-schedule-hour chron_hour] [-rotate-schedule-minute chron_minute]
  ```

  The `-rotate-schedule-minute` parameter is required if you are configuring time-based audit log rotation.

  The following example creates an auditing configuration for the SVM named `svm2` using time-based rotation. The log format is `EVTX` (the default) and the audit logs are rotated monthly, at 12:30 PM on all days of the week.

  ```
  vserver audit create -vserver svm2 -destination /audit_log -rotate-size 200MB  -rotate-schedule-month all -rotate-schedule-dayofweek all -rotate-schedule-hour 12 -rotate-schedule-minute 30
  ```

You can use the `-format` parameter to specify whether the audit logs are created in the converted `EVTX` format (the default) or in the `XML` file format. The `EVTX` format allows you to view the log files with Microsoft Event Viewer.

By default, the categories of events to be audited are file access events (both SMB and NFS), CIFS (SMB) logon and logoff events, and authorization policy change events. You can have greater control over which events to log by the `-events` parameter, which has the following format:

```
-events {file-ops|cifs-logon-logoff|cap-staging|file-share|audit-policy-change|user-account|authorization-policy-change|security-group}
```

For example, using `-events file-share` enables auditing of file share events.

For more information on the `vserver audit create` command, see [ Create an audit configuration](https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-9101/vserver__audit__create.html).

### Enabling auditing on an SVM


After you finish setting up the auditing configuration, you must enable auditing on the SVM. To do so, use the following command:

```
vserver audit enable -vserver svm_name
```

For example, use the following command to enable auditing on the SVM named `svm1`.

```
vserver audit enable -vserver svm1
```

You can disable access auditing at any time. For example, use the following command to turn off auditing on the SVM named `svm4`.

```
vserver audit disable -vserver svm4
```

When you disable auditing, the audit configuration isn't deleted on the SVM, which means that you can re-enable auditing on that SVM at any time.

### Configuring file and folder audit policies


You need to configure audit policies on the files and folders that you want audited for user access attempts. You can configure audit policies to monitor both successful and failed access attempts.

You can configure both SMB and NFS audit policies. SMB and NFS audit policies have different configuration requirements and audit capabilities based on the security style of the volume.

#### Audit policies on NTFS security-style files and directories


You can configure NTFS audit policies by using the Windows Security tab or the ONTAP CLI.

##### To configure NTFS audit policies (Windows Security tab)


You configure NTFS audit policies by adding entries to NTFS SACLs that are associated with an NTFS security descriptor. The security descriptor is then applied to NTFS files and directories. These tasks are automatically handled by the Windows GUI. The security descriptor can contain discretionary access control lists (DACLs) for applying file and folder access permissions, SACLs for file and folder auditing, or both SACLs and DACLs.

1. From the **Tools** menu in Windows Explorer, select **Map network drive**.

1. Complete the **Map Network Drive** box:

   1. Choose a **Drive** letter.

   1. In the **Folder** box, type the SMB (CIFS) server name that contains the share, holding the data you want to audit and the name of the share.

   1. Choose **Finish**.

   The drive you selected is mounted and ready with the Windows Explorer window displaying files and folders contained within the share.

1. Select the file or directory for which you want to enable auditing access.

1. Right-click the file or directory, and then choose **Properties**.

1. Choose the **Security** tab.

1. Click **Advanced**.

1. Choose the **Auditing** tab.

1. Perform the desired actions:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/file-access-auditing.html)

   If you are setting up auditing on a user or group or changing auditing on an existing user or group, the **Auditing Entry for *object*** box opens.

1. In the **Apply to** box, select how you want to apply this auditing entry.

   If you are setting up auditing on a single file, the **Apply to** box is not active, as it defaults to This object only.

1. In the **Access** box, select what you want audited and whether you want to audit successful events, failure events, or both.
   + To audit successful events, choose the **Success** box.
   + To audit failure events, choose the **Failure** box.

   Choose the actions that you need to monitor to meet your security requirements. For more information about these auditable events, see your Windows documentation. You can audit the following events:
   + Full control
   + Traverse folder / execute file
   + List folder / read data
   + Read attributes
   + Read extended attributes
   + Create files / write data
   + Create folders / append data
   + Write attributes
   + Write extended attributes
   + Delete subfolders and files
   + Delete
   + Read permissions
   + Change permissions
   + Take ownership

1. If you do not want the auditing setting to propagate to subsequent files and folders of the original container, choose the **Apply these auditing entries to objects and/or containers within this container only** box.

1. Choose **Apply**.

1. After you finish adding, removing, or editing auditing entries, choose **OK**.

   The **Auditing Entry for *object*** box closes.

1. In the **Auditing** box, choose the inheritance settings for this folder. Choose only the minimal level that provides the auditing events that meet your security requirements.

   You can choose one of the following:
   + Choose the **Include inheritable auditing entries from this object's parent** box.
   + Choose the **Replace all existing inheritable auditing entries on all descendants with inheritable auditing entries from this object** box.
   + Choose both boxes.
   + Choose neither box.

   If you are setting SACLs on a single file, the **Replace all existing inheritable auditing entries on all descendants with inheritable auditing entries from this object** box is not present in the **Auditing** box.

1. Choose **OK**.

##### To configure NTFS audit policies (ONTAP CLI)


By using the ONTAP CLI, you can configure NTFS audit policies without needing to connect to the data using an SMB share on a Windows client.
+ You can configure NTFS audit policies by using the [ vserver security file-directory ntfs sacl add](https://docs.netapp.com/us-en/ontap-cli-9101/vserver-security-file-directory-ntfs-sacl-add.html#description) command family.

For example, the following command creates a security policy named `p1` for the SVM named `vs0`.

```
vserver security file-directory policy create -policy-name p1 -vserver vs0
```

Then, the following command applies the `p1` security policy to the `vs0` SVM.

```
vserver security file-directory apply -vserver vs0 -policy-name p1
```

#### Audit policies on UNIX security-style files and directories


You configure auditing for UNIX security-style files and directories by adding audit ACEs (access control expressions) to NFS v4.x ACLs (access control lists). This allows you to monitor certain NFS file and directory access events for security purposes.

**Note**  
For NFS v4.x, both discretionary and system ACEs are stored in the same ACL. Therefore, you must be careful when adding audit ACEs to an existing ACL to avoid overwriting and losing an existing ACL. The order in which you add the audit ACEs to an existing ACL does not matter.

##### To configure UNIX audit policies


1. Retrieve the existing ACL for the file or directory by using the `nfs4_getfacl` or equivalent command.

1. Append the desired audit ACEs.

1. Apply the updated ACL to the file or directory by using the `nfs4_setfacl` or equivalent command.

   This example uses the `-a` option to give a user (named `testuser`) read permissions to the file named `file1`.

   ```
   nfs4_setfacl -a "A::testuser@example.com:R" file1
   ```

### Viewing audit event logs


You can view audit event logs saved in the `EVTX` or `XML` file formats.
+ `EVTX` file format – You can open the converted `EVTX` audit event logs as saved files using Microsoft Event Viewer.

  There are two options that you can use when viewing event logs using Event Viewer:
  + **General view**: Information that is common to all events is displayed for the event record. The event-specific data for the event record is not displayed. You can use the detailed view to display event-specific data.
  + **Detailed view**: A friendly view and a XML view are available. The friendly view and the XML view display both the information that is common to all events and the event-specific data for the event record.
+ `XML` file format – You can view and process XML audit event logs on third-party applications that support the XML file format. XML viewing tools can be used to view the audit logs provided you have the XML schema and information about definitions for the XML fields.

# Setting up an SMB server in a workgroup
Setting up workgroups

You can configure a Server Message Block (SMB) server in a workgroup as an alternative to joining an [SVM to a Microsoft Active Directory](ad-integration-ontap.md) when the Microsoft Active Directory domain infrastructure is not available. A workgroup is a peer-to-peer network that uses the SMB protocol, and has only local accounts and groups.

The process of setting up an SMB server as a member in a workgroup consists of the following:
+ Creating the SMB server on a storage virtual machine (SVM).
+ Creating local users and groups.
+ Adding local users or groups as members of the workgroup.

Keep in mind that SMB servers in workgroup mode do not support the following SMB features:
+ SMB3 Witness protocol
+ SMB3 CA shares
+ SQL over SMB
+ Folder Redirection
+ Roaming Profiles
+ Group Policy Object (GPO)
+ Volume Snapshot Service (VSS)

Also, an SMB server in workgroup mode supports only NTLM authentication and does not support Kerberos authentication.

The following procedures take you through the process of setting up an SMB server on an SVM in a workgroup, create local accounts, and adding these accounts to the workgroup membership. You will use the NetApp ONTAP CLI from either the file system or SVM management interface to implement these procedures. For more information, see [Using the NetApp ONTAP CLI](managing-resources-ontap-apps.md#netapp-ontap-cli).

**Topics**
+ [

# Creating an SMB server in a workgroup
](create-smb-server-workgroup.md)
+ [

# Creating a local user account on the SMB server
](smb-workgroup-create-local-accounts.md)
+ [

# Creating local groups on the SMB server
](smb-workgroup-create-local-groups.md)
+ [

# Adding local users to the local group
](smb-workgroup-add-users-to-group.md)

# Creating an SMB server in a workgroup


You can use the [https://docs.netapp.com/us-en/ontap-cli/vserver-cifs-create.html](https://docs.netapp.com/us-en/ontap-cli/vserver-cifs-create.html) ONTAP CLI command to create an SMB server on the SVM and specify the workgroup to which it belongs.

## Before you begin


The SVM and volumes (and interfaces) that you are using to serve data must have been configured to allow the SMB protocol.

The LIFs must be able to connect to the DNS servers that are configured on the SVM. A CIFS license may be required on the file system, however a CIFS license is not required if the SMB server will be used for authentication only.

**To create an SMB server in a workgroup**

1. To access the ONTAP CLI, establish an SSH session on the management port of the Amazon FSx for NetApp ONTAP file system or SVM by running the following command. Replace `management_endpoint_ip` with the IP address of the file system's management port.

   ```
   [~]$ ssh fsxadmin@management_endpoint_ip
   ```

   For more information, see [Managing file systems with the ONTAP CLI](managing-resources-ontap-apps.md#fsxadmin-ontap-cli). 

1. Create the SMB server in a workgroup:

   ```
   FSxIdabcde123456::> vserver cifs create -vserver vserver_name -cifs-server cifs_server_name -workgroup workgroup_name [-comment workgroup_description]
   ```

   The following command creates the SMB server `smb_server01` in the workgroup `workgroup01`:

   ```
   FSxIdabcde123456::> vserver cifs create -vserver svm1 -cifs-server SMB_SERVER01 -workgroup workgroup01
   ```

   If you are connected to management port of the SVM, you do not need to specify a `-vserver`.

1. Verify the SMB server configuration by using the `vserver cifs show` command.

   In the following example, the command output shows that a SMB server named `smb_server01` was created on SVM `svm1` in the workgroup `workgroup01`:

   ```
   FSxIdabcde123456::> vserver cifs show -vserver svm1
   
                                                  Vserver: svm1
                                 CIFS Server NetBIOS Name: SMB_SERVER01
                             NetBIOS Domain/Workgroup Name: workgroup01
                              Fully Qualified Domain Name: -
                                      Organizational Unit: -
        Default Site Used by LIFs Without Site Membership: -
                                           Workgroup Name: workgroup01
                                     Authentication Style: workgroup
                        CIFS Server Administrative Status: up
                                  CIFS Server Description:
                                  List of NetBIOS Aliases: -
   ```

# Creating a local user account on the SMB server


You can create a local user account that can be used to authorize access to data contained in the SVM over an SMB connection. You can also use local user accounts for authentication when creating an SMB session. Local user functionality is enabled by default when the SVM is created. When you create a local user account, you must specify a user name and you must specify the SVM with which to associate the account.

**To create local user accounts on the SMB server**

1. Create the local user using the [https://docs.netapp.com/us-en/ontap-cli/vserver-cifs-users-and-groups-local-user-create.html](https://docs.netapp.com/us-en/ontap-cli/vserver-cifs-users-and-groups-local-user-create.html) ONTAP CLI command:

   ```
   vserver cifs users-and-groups local-user create -vserver svm_name -user-name user_name optional_parameters
   ```

   The following optional parameters might be useful:
   + `-full-name` – The user's full name.
   + `-description` – A description for the local user.
   + `-is-account-disabled {true|false}` – Specifies whether the user account is enabled or disabled. If this parameter is not specified, the default is to enable the user account.

   The command prompts for the local user's password.

1. Enter a password for the local user, and then confirm the password.

1. Verify that the user was successfully created:

   ```
   vserver cifs users-and-groups local-user show -vserver svm_name
   ```

The following example creates a local user `SMB_SERVER01\sue`, with a full name `Sue Chang`, associated with SVM `svm1`:

```
FSxIdabcde123456::> vserver cifs users-and-groups local-user create -vserver svm1 ‑user-name SMB_SERVER01\sue -full-name "Sue Chang"

Enter the password:
Confirm the password:
```

```
FSxIdabcde123456::> vserver cifs users-and-groups local-user show
Vserver  User Name                  Full Name  Description
-------- -------------------------- ---------- -------------
svm1     SMB_SERVER01\Administrator            Built-in administrator account
svm1     SMB_SERVER01\sue           Sue Chang
```

# Creating local groups on the SMB server


You can create local groups that can be used for authorizing access to data associated with the SVM over an SMB connection. You can also assign privileges that define what user rights or capabilities a member of the group has.

Local group functionality is enabled by default when the SVM is created. When you create a local group, you must specify a name for the group and you must specify the SVM with which to associate the group. You can specify a group name with or without the local domain name, and you can optionally specify a description for the local group. You cannot add a local group to another local group.

**To create a local group on the SMB server**

1. create the local group using the [https://docs.netapp.com/us-en/ontap-cli/vserver-cifs-users-and-groups-local-group-create.html](https://docs.netapp.com/us-en/ontap-cli/vserver-cifs-users-and-groups-local-group-create.html) ONTAP CLI command.

   ```
   vserver cifs users-and-groups local-group create -vserver svm_name -group-name group_name [-description local_group_description
   ```

   Including a description for the local group is useful.

1. Verify that the group was successfully created:

   ```
   vserver cifs users-and-groups local-group show -vserver svm_name
   ```

The following example creates a local group `SMB_SERVER01\engineering` associated with SVM `svm1`:

```
FSxIdabcde123456::> vserver cifs users-and-groups local-group create -vserver svm1 -group-name SMB_SERVER01\engineering
```

```
FSxIdabcde123456::> vserver cifs users-and-groups local-group show -vserver svm1

Vserver          Group Name                   Description
---------------- ---------------------------- ----------------------------
svm1             BUILTIN\Administrators       Built-in Administrators group
svm1             BUILTIN\Backup Operators     Backup Operators group
svm1             BUILTIN\Guests               Built-in Guests group
svm1             BUILTIN\Power Users          Restricted administrative privileges
svm1             BUILTIN\Users                All users
svm1             SMB_SERVER01\engineering
```

# Adding local users to the local group


You can manage local group membership by adding and removing local or domain users, or adding and removing domain groups. This is useful if you want to control access to data based on access controls placed on the group, or if you want users to have privileges associated with that group. If you no longer want a local user, domain user, or domain group to have access rights or privileges based on membership in a group, you can remove the member from the group.

When adding members to a local group, keep the following in mind:
+ You cannot add users to the special *Everyone* group.
+ You cannot add a local group to another local group.
+ To add a domain user or group to a local group, ONTAP must be able to resolve the name to a SID.

When removing members from a local group, keep the following in mind:
+ You cannot remove members from the special *Everyone* group.
+ To remove a member from a local group, ONTAP must be able to resolve their name to a SID.

You need to have the `fsxadmin` role to run the commands used in this procedure. For more information, see [ONTAP roles and users](roles-and-users.md).

**To manage the local group membership**
+ Add a member to or remove a member from a group using the [https://docs.netapp.com/us-en/ontap-cli/vserver-cifs-users-and-groups-local-group-add-members.html](https://docs.netapp.com/us-en/ontap-cli/vserver-cifs-users-and-groups-local-group-add-members.html) and [vserver cifs users-and-groups local-group remove-members](https://docs.netapp.com/us-en/ontap-cli/vserver-cifs-users-and-groups-local-group-remove-members.html) ONTAP CLI commands.
  + To add members to a workgroup:

    ```
    vserver cifs users-and-groups local-group add-members ‑vserver svm_name -group-name group_name ‑member-names name[,...]
    ```

    You can specify a comma-delimited list of local users, domain users, or domain groups to add to the specified local group.
  + To view members of a workgroup:

    ```
    vserver cifs users-and-groups local-group show-members -vserver svm_name -group-name group_name
    ```
  + To remove members from a workgroup:

    ```
    vserver cifs users-and-groups local-group remove-members ‑vserver svm_name -group-name group_name ‑member-names name[,...]
    ```

    You can specify a comma-delimited list of local users, domain users, or domain groups to remove from the specified local group.

The following example adds a local user `SMB_SERVER01\sue` to the local group `SMB_SERVER01\engineering` on SVM `svm1`:

```
FSxIdabcde123456::> vserver cifs users-and-groups local-group add-members -vserver svm1 -group-name SMB_SERVER01\engineering -member-names SMB_SERVER01\sue
```

The following example removes the local user `SMB_SERVER01\sue` and `SMB_SERVER01\james` from the local group `SMB_SERVER01\engineering` on SVM `svm1`:

```
FSxIdabcde123456::> vserver cifs users-and-groups local-group remove-members -vserver svm1 -group-name SMB_SERVER01\engineering -member-names SMB_SERVER01\sue,SMB_SERVER01\james
```

The following example lists the members of the local group `SMB_SERVER01\engineering`:

```
FsxIdabcdef01234::> vserver cifs users-and-groups local-group show-members -vserver svm_name -group-name group_name 

           Vserver: svm1
       Domain Name: SMB_SERVER01
        Group Name: SMB_SERVER01\engineering
       Member Name: SMB_SERVER01\anita
                    SMB_SERVER01\james
                    SMB_SERVER01\liang
```

# Monitoring storage virtual machine (SVM) configuration details
Monitoring SVM details

You can see the FSx for ONTAP storage virtual machines that are currently on your file system using the Amazon FSx console, the AWS CLI, and the Amazon FSx API.

**To view a storage virtual machine on your file system:**
+ **Using the console** – Choose a file system to view its **File systems** detail page. To list all the storage virtual machines on the file system, choose the **Storage virtual machines** tab, and then choose the storage virtual machine that you want to view.
+ **Using the CLI or API** – Use the [describe-storage-virtual-machines](https://docs.aws.amazon.com/cli/latest/reference/fsx/describe-storage-virtual-machines.html) CLI command or the [DescribeStorageVirtualMachines](https://docs.aws.amazon.com/fsx/latest/APIReference/API_DescribeStorageVirtualMachines.html) API operation.

  The system response is a list of full descriptions of all the SVMs in your account in that AWS Region.

# Deleting storage virtual machines (SVM)
Deleting SVMs

You can only delete an FSx for ONTAP SVM by using the Amazon FSx console, the AWS CLI, and API. Before you can delete an SVM, you must delete all non-root volumes attached to the SVM first.

**Important**  
You cannot delete an SVM by using the NetApp ONTAP CLI or API.

**Note**  
Before you delete a storage virtual machine, make sure that no applications are accessing the data in the SVM, and that you have deleted all non-root volumes attached to the SVM.

**To delete a storage virtual machine (console)**

1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. Choose the SVM that you want to delete as follows:
   + In the left navigation pane, choose **File systems**, and then choose the ONTAP file system for which you want to delete an SVM.
   + Choose the **Storage virtual machines** tab.

     –Or–
   + To display a list of all the SVMs available, expand **ONTAP** and choose **Storage virtual machines**.

   Select the SVM that you want to delete from the list.

1. In the **Volumes** tab, view the list of volumes attached to the SVM. If there are any non-root volumes attached to the SVM, you must delete them before you can delete the SVM. See [Deleting volumes](deleting-volumes.md) for more information.

1. Choose **Delete storage virtual machine** from the **Actions** menu.

1. In the delete confirmation dialog box, choose **Delete storage virtual machine**.

**To delete a storage virtual machine (CLI)**
+ To delete an FSx for ONTAP storage virtual machine, use the [delete-storage-virtual-machine](https://docs.aws.amazon.com/cli/latest/reference/fsx/delete-storage-virtual-machine.html) CLI command (or the equivalent [DeleteStorageVirtualMachine](https://docs.aws.amazon.com/fsx/latest/APIReference/API_DeleteStorageVirtualMachine.html) API operation), as shown in the following example.

  ```
  aws fsx delete-storage-virtual-machine --storage-virtual-machine-id svm-abcdef0123456789d
  ```

# Managing FSx for ONTAP volumes
Managing volumes

Each storage virtual machine (SVM) on an FSx for ONTAP file system can have one or more *volumes*. A volume is an isolated data container for files, directories, or iSCSI logical units of storage (LUNs). Volumes are *thin provisioned*, meaning that they consume storage capacity only for the data stored in them.

You can access a volume from Linux, Windows, or macOS clients over the Network File System (NFS) protocol, the Server Message Block (SMB) protocol, or over the Internet Small Computer Systems Interface (iSCSI) protocol by creating an iSCSI LUN (shared block storage). FSx for ONTAP also supports multi-protocol access (concurrent NFS and SMB access) to the same volume.

You can create volumes by using the AWS Management Console, AWS CLI, the Amazon FSx API, or NetApp Console. You can also use your file system’s or SVM’s administrative endpoint to create, update, and delete volumes by using the NetApp ONTAP CLI or REST API.

**Note**  
You can create 500 volumes per HA pair, up to 1,000 volumes across all HA pairs. FlexGroup constituent volumes count toward this limit. By default, there are eight constituent volumes per aggregate, per FlexGroup.

When you create a volume, you define the following properties:
+ Volume style – The [volume style](#volume-styles) can be either FlexVol or FlexGroup.
+ Volume name – The name of the volume.
+ Volume type – The [volume type](#volume-types) can be either Read-Write (RW) or Data protection (DP). DP volumes are read-only and used as the destination in a NetApp SnapMirror or SnapVault relationship.
+ Volume size – This is the maximum amount of data that the volume can store, regardless of the storage tier.
+ Junction path – This is the location in the SVM's namespace where the volume gets mounted.
+ Storage efficiency – [Storage efficiency](managing-storage-capacity.md#storage-efficiency) features, including data compaction, compression, and deduplication provide typical storage savings of 65% for general-purpose file sharing workloads.
+ Volume [security style](#volume-security-style) (Unix or NTFS) – Determines what type of permissions are used for data access on the volume when authorizing users.
+ Data tiering – The [tiering policy](volume-storage-capacity.md#volume-data-tiering) defines which data is stored in the cost-effective capacity pool tier.
+ [Tiering policy cooling period](volume-storage-capacity.md#tiering-cooling-period) – Defines when data is marked cold and moved to capacity pool storage.
+ Snapshot policy – [Snapshot policies](snapshots-ontap.md#snapshot-policies) define how the system creates snapshots for a volume. You can choose from three predefined policies or use a custom policy. that you have created using the ONTAP CLI or REST API.
+ [Copy tags to backups](tag-resources.md#copying-tags-to-backups) – Amazon FSx will automatically copy any tags from your volumes to backups using this option. You can set this option using the AWS CLI or Amazon FSx API.

**Topics**
+ [

## Volume styles
](#volume-styles)
+ [

## Volume types
](#volume-types)
+ [

## Volume security style
](#volume-security-style)
+ [

# Creating volumes
](creating-volumes.md)
+ [

# Updating volumes
](updating-volumes.md)
+ [

# Moving volumes between aggregates
](moving-fg-volumes.md)
+ [

# Monitoring volumes
](viewing-volumes.md)
+ [

# Deleting volumes
](deleting-volumes.md)

## Volume styles


FSx for ONTAP offers two styles of volumes that you can use for different purposes. You can create either FlexVol or FlexGroup volumes using the Amazon FSx console, the AWS CLI, and the Amazon FSx API.
+ FlexVol volumes offer the simplest experience for file systems with one high-availability (HA) pair, so they are the default volume style for first-generation file systems and second-generation file systems with one HA pair. The minimum size of a FlexVol volume is 20 mebibytes (MiB), and the maximum size is 314,572,800 MiB. 
+ FlexGroup volumes are comprised of multiple constituent FlexVol volumes, which allows them to deliver higher performance and storage scalability than FlexVol volumes for file systems with multiple HA pairs. FlexGroup volumes are the default volume style for second-generation file systems with more than one HA pair. The minimum size of a FlexGroup volume is 100 gibibytes (GiB) per constituent, and the maximum size is 20 pebibytes (PiB). 

You can convert a volume with the FlexVol style to the FlexGroup style with the ONTAP CLI, which creates a FlexGroup with a single constituent. However, we recommend that you use AWS DataSync to move data between a FlexVol volume and a new FlexGroup volume to ensure that the data is evenly distributed across the FlexGroup's constituents. For more information, see [FlexGroup constituents](#constituents). 

**Note**  
If you want to use the ONTAP CLI to convert a FlexVol volume to a FlexGroup volume, make sure that you delete any backups of the FlexVol volume before converting it. ONTAP doesn't automatically rebalance data as part of the conversion, so the data might be imbalanced across the FlexGroup constituents.

### FlexGroup constituents


A FlexGroup volume is made up of constituents, which are FlexVol volumes. By default, FSx for ONTAP assigns eight constituents to a FlexGroup volume per HA pair. 

 When you create your FlexGroup volume, the size of it is divided evenly among its constituents. For example, if you create an 800 gigabyte (GB) FlexGroup volume with eight constituents, each constituent is 100 GB in size. A FlexGroup volume can be between 100 GB and 20 PiB in size, but the total size depends on the size of the constituents. Each constituent has a minimum size of 100 GB and a maximum size of 300 TiB. For example, a FlexGroup volume with eight constituents has a minimum size of 800 GB and a maximum size of 20 PiB. 

ONTAP distributes data at the file-level across the constituents. You can store up to two billion files in each constituent on your FlexGroup volume. 

When you update the size of your FlexGroup volume, the new size is evenly distributed among its existing constituents. 

You can also add more constituents to your FlexGroup volume using the ONTAP CLI or REST API. However, we recommend that you only do so if you need additional storage capacity and all of your constituents are already at their maximum size (300 TiB per constituent). Adding constituents can lead to an imbalance of data and I/O across the constituents. Until the constituents are balanced, it's possible that the write throughput might be 5–10% lower than a balanced FlexGroup volume. When new data is written to the FlexGroup volume, ONTAP prioritizes distributing it among the new constituents until the constituents are balanced. If you do add new constituents, we recommend choosing an even number and not exceeding eight per aggregate. 

**Note**  
If you add new constituents, your existing snapshots become partial snapshots; therefore, they can't be used to fully restore your FlexGroup volume to a prior state. The previous snapshots can't offer a complete point-in-time image of your FlexGroup volume because the new constituents didn't exist yet. However, the partial snapshots can be used to restore individual files and directories, to create a new volume, or to replicate with SnapMirror. 

## Volume types


FSx for ONTAP offers two types of volumes that you can create using the Amazon FSx console, the AWS CLI, and the Amazon FSx API.
+ Read-write (RW) volumes are used in most cases. As their name indicates, they are read-writable. 
+ Data protection (DP) volumes are read-only volumes that you use as the destination of a NetApp SnapMirror or SnapVault relationship. You should use DP volumes when you want to [migrate](migrating-fsx-ontap-snapmirror.md) or [protect](scheduled-replication.md) a single volume’s data. 

FlexVol and FlexGroup volumes can be either RW or DP. 

**Note**  
You can't update a volume's type after the volume is created.

## Volume security style


When creating an FSx for ONTAP volume, you can choose from two security styles: Unix and NTFS. Each security style has a different effect on how permissions are handled for data. You must understand the different effects to ensure that you select the appropriate security style for your purposes.

It is important to understand that security styles do not determine what client types can or cannot access data. Security styles only determine the type of permissions FSx for ONTAP uses to control data access and what client type can modify these permissions.

The two factors that you use to determine the security style for a volume are the type of administrators that manage the file system and the type of users or services that access the data on the volume.

When creating a volume in the Amazon FSx console, CLI, and API, the security style is automatically set to the root volume's security style. You can modify a volume's security style using the AWS CLI or API. You can modify this setting after the volume is created. See [Updating volumes](updating-volumes.md) for more information.

When you configure the security style on a volume, consider the needs of your environment to ensure that you select the best security style in order to avoid issues with managing permissions. Keep in mind that security style doesn't determine which client types can access data. Security style determines the permissions that are used to allow data access and the client types that can modify those permissions. Following are considerations that can help you decide which security style to choose for a volume:
+ **Unix (Linux)** – Choose this security style if the file system is managed by a Unix administrator, the majority of users are NFS clients, and an application accessing the data uses a Unix user as the service account. Only Linux clients can modify permissions with the Unix security style, and the type of permissions used on files and directories are mode-bits or NFS v4.x ACLs.
+ **NTFS** – Choose this security style if the file system is managed by a Windows administrator, the majority of users are SMB clients, and an application accessing the data uses a Windows user as the service account. If any Windows access is required to a volume, we recommend that you use the NTFS security style. Only Windows clients can modify permissions with NTFS security style, and the types of permissions used on file and directories is NTFS ACLs.

# Creating volumes


You can create an FSx for ONTAP FlexVol or FlexGroup volume using the Amazon FSx console, the AWS CLI, and the Amazon FSx API, in addition to the NetApp ONTAP command line interface (CLI) and REST API.

## To create a FlexVol volume (console)


**Note**  
The volume's security style is automatically set to the root volume's security style.

1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. In the left navigation pane, choose **Volumes**.

1. Choose **Create volume**.

1. For **File system type**, choose **Amazon FSx for NetApp ONTAP**. 

1. In the **File system details** section, provide the following information: 
   + For **File system**, choose the file system to create the volume on. 
   + For **Storage virtual machine**, choose the storage virtual machine (SVM) to create the volume on. 

1. In the **Volume style** section, choose **FlexVol**. 

1. In the **Volume details** section, provide the following information: 
   + In the **Volume name** field, provide a name for the volume. You can use up to 203 alphanumeric or underscore (\$1) characters.
   + For **Volume size**, enter any whole number in the range of 20–314572800 to specify the size in mebibytes (MiB).
   + For **Volume type**, choose **Read-Write (RW)** to create a volume that is readable and writable or **Data Protection (DP)** to create a volume that is read-only and can be used as the destination of a NetApp SnapMirror or SnapVault relationship. For more information, see [Volume types](managing-volumes.md#volume-types).
   + For **Junction path**, enter a location within the file system to mount the volume. The name must have a leading forward slash, for example `/vol3`.
   + For **Storage efficiency**, choose **Enabled** to enable the ONTAP storage-efficiency features (deduplication, compression, and compaction) on this volume. For more information, see [Storage efficiency](managing-storage-capacity.md#storage-efficiency). 
   + For **Volume security style**, choose between **Unix (Linux)** and **NTFS** for the volume. For more information, see [Volume security style](managing-volumes.md#volume-security-style).
   + For **Snapshot policy**, choose a snapshot policy for the volume. For more information about snapshot policies, see [Snapshot policies](snapshots-ontap.md#snapshot-policies).

     If you choose **Custom policy**, you must specify the policy's name in the **custom-policy** field. The custom policy must already exist on the SVM or in the file system. You can create a custom snapshot policy with the ONTAP CLI or REST API. For more information, see [Create a Snapshot Policy](https://docs.netapp.com/us-en/ontap/data-protection/create-snapshot-policy-task.html) in the NetApp ONTAP Product Documentation.

1. In the **Storage tiering** section, provide the following information:
   + For **Capacity pool tiering policy**, choose the storage pool tiering policy for the volume, which can be **Auto** (the default), **Snapshot Only**, **All**, or **None**. For more information, see [Volume tiering policies](volume-storage-capacity.md#data-tiering-policy). 
   + If you choose either **Auto** or **Snapshot Only**, you can set the **Tiering policy cooling period** to define the number of days before data that has not been accessed is marked cold and moved to capacity pool storage. You can provide a value between 2 and 183 days. The default setting is 31 days. 

1. In the **Advanced** section, for **SnapLock Configuration**, choose between **Enabled** and **Disabled**. For more information about configuring a SnapLock Compliance volume or a SnapLock Enterprise volume, see [Understanding SnapLock Compliance](snaplock-compliance.md) and [Understanding SnapLock Enterprise](snaplock-enterprise.md). For more information about SnapLock, see [Protecting your data with SnapLock](snaplock.md). 

1. Choose **Confirm** to create the volume.

You can monitor the update progress on the **File systems** detail page, in the **Status** column of the **Volumes** pane. The volume is ready for use when its status is **Created**.

## To create a FlexGroup volume (console)


**Note**  
You can only create FlexGroup volumes for file systems with multiple HA pairs using the Amazon FSx console. To create FlexVol volumes for file systems with multiple HA pairs, use the AWS CLI, Amazon FSx API, or NetApp management tools. 

1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. In the left navigation pane, choose **Volumes**.

1. Choose **Create volume**.

1. For **File system type**, choose **Amazon FSx for NetApp ONTAP**. 

1. In the **File system details** section, provide the following information: 
   + For **File system**, choose the file system to create the volume on. 
   + For **Storage virtual machine**, choose the storage virtual machine (SVM) to create the volume on. 

1. In the **Volume style** section, choose **FlexGroup**. 

1. In the **Volume details** section, provide the following information: 
   + In the **Volume name** field, provide a name for the volume. You can use up to 203 alphanumeric or underscore (\$1) characters. 
   + For **Volume size**, enter any whole number in the range of 800 gibibytes (GiB)–2,400 tebibytes (TiB) per HA pair. For example, a file system with 12 high-availability (HA) pairs would have a minimum volume size of 9,600 GiB and a maximum size of 20,480 TiB. 
   + For **Volume type**, choose **Read-Write (RW)** to create a volume that is readable and writable or **Data Protection (DP)** to create a volume that is read-only and can be used as the destination of a NetApp SnapMirror or SnapVault relationship. For more information, see [Volume types](managing-volumes.md#volume-types).
   + For **Junction path**, enter a location within the file system to mount the volume. The name must have a leading forward slash, for example `/vol3`. 
   + For **Storage efficiency**, choose **Enabled** to enable the ONTAP storage-efficiency features (deduplication, compression, and compaction). For more information, see [Storage efficiency](managing-storage-capacity.md#storage-efficiency). 
   + For **Volume security style**, choose between **Unix (Linux)** and **NTFS** for the volume. For more information, see [Volume security style](managing-volumes.md#volume-security-style). 
**Note**  
The volume's security style is automatically set to the root volume's security style.
   + For **Snapshot policy**, choose a snapshot policy for the volume. For more information about snapshot policies, see [Snapshot policies](snapshots-ontap.md#snapshot-policies).

     If you choose **Custom policy**, you must specify the policy's name in the **custom-policy** field. The custom policy must already exist on the SVM or in the file system. You can create a custom snapshot policy with the ONTAP CLI or REST API. For more information, see [Create a Snapshot Policy](https://docs.netapp.com/us-en/ontap/data-protection/create-snapshot-policy-task.html) in the NetApp ONTAP Product Documentation. 

1. In the **Storage tiering** section, provide the following information: 
   + For **Capacity pool tiering policy**, choose the storage pool tiering policy for the volume, which can be **Auto** (the default), **Snapshot Only**, **All**, or **None**. For more information, see [Volume tiering policies](volume-storage-capacity.md#data-tiering-policy). 
   + If you choose either **Auto** or **Snapshot Only**, you can set the **Tiering policy cooling period** to define the number of days before data that has not been accessed is marked cold and moved to capacity pool storage. You can provide a value between 2–183 days. The default setting is 31 days. 

1. In the **Advanced** section, for **SnapLock Configuration**, choose between **Enabled** and **Disabled**. For more information about configuring a SnapLock Compliance volume or a SnapLock Enterprise volume, see [Understanding SnapLock Compliance](snaplock-compliance.md) and [Understanding SnapLock Enterprise](snaplock-enterprise.md). For more information about SnapLock, see [Protecting your data with SnapLock](snaplock.md).

1. Choose **Confirm** to create the volume.

You can monitor the update progress on the **File systems** detail page, in the **Status** column of the **Volumes** pane. The volume is ready for use when its status is **Created**.

## To create a volume (CLI)

+ To create an FSx for ONTAP volume, use the [create-volume](https://docs.aws.amazon.com/cli/latest/reference/fsx/create-volume.html) CLI command (or the equivalent [CreateVolume](https://docs.aws.amazon.com/fsx/latest/APIReference/API_CreateVolume.html) API operation), as shown in the following example.

  ```
  aws fsx create-volume \
      --volume-type ONTAP \
      --name vol1 \
      --ontap-configuration CopyTagsToBackups=true,JunctionPath=/vol1,SecurityStyle=NTFS, \
            SizeInMegabytes=1024,SnapshotPolicy=default, \
            StorageVirtualMachineId=svm-abcdef0123456789a,OntapVolumeType=RW, \
            StorageEfficiencyEnabled=true
  ```

After successfully creating the volume, Amazon FSx returns its description in JSON format, as shown in the following example.

```
{
    "Volume": {
        "CreationTime": "2022-08-12T13:03:37.625000-04:00",
        "FileSystemId": "fs-abcdef0123456789c",
        "Lifecycle": "CREATING",
        "Name": "vol1",
        "OntapConfiguration": {
            "CopyTagsToBackups": true,
            "FlexCacheEndpointType": "NONE",
            "JunctionPath": "/vol1",
            "SecurityStyle": "NTFS",
            "SizeInMegabytes": 1024,
            "SnapshotPolicy": "default",
            "StorageEfficiencyEnabled": true,
            "StorageVirtualMachineId": "svm-abcdef0123456789a",
            "StorageVirtualMachineRoot": false,
            "TieringPolicy": {
                "Name": "NONE"
            },
            "OntapVolumeType": "RW"
        },
        "ResourceARN": "arn:aws:fsx:us-east-2:111122223333:volume/fs-abcdef0123456789c/fsvol-abcdef0123456789b",
        "VolumeId": "fsvol-abcdef0123456789b",
        "VolumeType": "ONTAP"

                        
    }
}
```

You can also create a new volume by restoring a backup of a volume to a new volume. For more information, see [Restoring backups to a new volume](using-backups.md#restoring-backups).

# Updating volumes


You can update the configuration of an FSx for ONTAP volume using the Amazon FSx console, the AWS CLI, and the Amazon FSx API, in addition to the NetApp ONTAP command line interface (CLI) and REST API. You can modify the following properties of an existing FSx for ONTAP volume: 
+ Volume name
+ Junction path
+ Volume size
+ Storage efficiency
+ Capacity pool tiering policy
+ Volume security style
+ Snapshot policy
+ Tiering policy cooling period
+ Copy tags to backups (using the AWS CLI and Amazon FSx API)

For more information, see [Managing FSx for ONTAP volumes](managing-volumes.md).

## To update a volume configuration (console)


1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. Navigate to **File systems** and choose the ONTAP file system that you want to update a volume for.

1. Choose the **Volumes** tab.

1. Choose the volume that you want to update.

1. For **Actions**, choose **Update volume**.

   The **Update volume** dialog box displays with the volume's current settings.

1. For **Junction path**, enter an existing location within the file system to mount the volume. The name must have a leading forward slash, such as `/vol5`.

1. For **Volume size**, you can increase or decrease the size of the volume within the range specified in the Amazon FSx console. For FlexVol volumes, the maximum size is 300 TiB. For FlexGroup volumes, the maximum size is 300 TiB multiplied by the total number of constituent volumes that your FlexGroup has, up to a maximum of 20 PiB. 

1. For **[Storage efficiency](managing-storage-capacity.md#storage-efficiency)**, choose **Enabled** to enable the ONTAP storage efficiency features (deduplication, compression, and compaction) on the volume, or choose **Disabled** to disable them.

1. For **Capacity pool tiering policy**, choose a new storage pool tiering policy for the volume, which can be **Auto** (the default), **Snapshot-only**, **All**, or **None**. For more information about capacity pool tiering policies, see [Volume tiering policies](volume-storage-capacity.md#data-tiering-policy).

1. For **[Volume security style](managing-volumes.md#volume-security-style)**, choose either **Unix (Linux)**, **NTFS**, or **Mixed**. A volume's security style determines whether preference is given to NTFS or UNIX ACLs for multi-protocol access. The MIXED mode is not required for multi-protocol access and is only recommended for advanced users.

1. For **Snapshot policy**, choose a snapshot policy for the volume. For more information about snapshot policies, see [Snapshot policies](snapshots-ontap.md#snapshot-policies).

   If you choose **Custom policy**, you must specify the policy's name in the **custom-policy** field. The custom policy must already exist on the SVM or in the file system. You can create a custom snapshot policy with the ONTAP CLI or REST API. For more information, see [Create a Snapshot Policy](https://docs.netapp.com/us-en/ontap/data-protection/create-snapshot-policy-task.html) in the NetApp ONTAP Product Documentation. 

1. For **Tiering policy cooling period**, valid values are 2-183 days. A volume's tiering policy cooling period defines the number of days before data that has not been accessed is marked cold and moved to capacity pool storage. This setting only affects the `Auto` and `Snapshot-only` policies.

1. Choose **Update** to update the volume.

## To update a volume's configuration (CLI)

+ To update the configuration of an FSx for ONTAP volume, use the [update-volume](https://docs.aws.amazon.com/cli/latest/reference/fsx/update-volume.html) CLI command (or the equivalent [UpdateVolume](https://docs.aws.amazon.com/fsx/latest/APIReference/API_UpdateVolume.html) API operation), as shown in the following example.

  ```
  aws fsx update-volume \
      --volume-id fsvol-1234567890abcdefa \
      --name new_vol \
      --ontap-configuration CopyTagsToBackups=true,JunctionPath=/new_vol, \
             SizeInMegabytes=2048,SnapshotPolicy=default-1weekly, \
             StorageEfficiencyEnabled=true, \
             TieringPolicy=all
  ```

# Expanding FlexGroup volumes
Expanding FlexGroup volumes

You can add additional constituent volumes to your FlexGroup volume with the `volume expand` command in the ONTAP CLI. This is a best practice after adding high-availability (HA) pairs to your file system because it ensures that your FlexGroup volume stays balanced.

Before expanding your FlexGroup volume, consider the following points:
+ All of a FlexGroup's constituent volumes have the same storage capacity. When you expand your FlexGroup volume with additional constituents, each constituent is the same size as the existing constituents. Therefore, ensure that each aggregate has sufficient space available before adding constituents.
+ AWS recommends maintaining eight constituent volumes per aggregate for each FlexGroup volume. Eight constituent volumes per aggregate maximizes the parallelism of FlexGroup volumes and offers the most optimal performance for your workload. Generally, we only recommend expanding your FlexGroup volume with additional constituents if you add HA pairs. This is the only scenario in which you would need to add constituents to maintain eight constituents per aggregate.
+ If your FlexGroup volume is in a SnapMirror relationship, then both the source and destination FlexGroup volumes need to have the same number of constituents. Otherwise, SnapMirror transfers will fail. SnapMirror operates at the constituent level and transfers data between each individual constituent. Therefore, if you expand a FlexGroup volume with additional constituent volumes, you must also manually expand any volume that is in a SnapMirror relationship with it.
+ When you expand a FlexGroup volume with additional constituents, all of its existing snapshot copies become "partial" copies. Partial copies can't be restored, but they can be browsed and the individual files can be restored. Additionally, this results in the loss of any incrementality for Amazon FSx backups, AWS backups, or SnapMirror relationships.
+ You can't remove constituent volumes once you add them. 

## Adding FlexGroup volume constituents


You can use the ONTAP CLI to add constituent volumes to your FlexGroup volume.

**To add FlexGroup volume constituents**

1. To access the NetApp ONTAP CLI, establish an SSH session on the management port of the Amazon FSx for NetApp ONTAP file system by running the following command. Replace `management_endpoint_ip` with the IP address of the file system's management port.

   ```
   [~]$ ssh fsxadmin@management_endpoint_ip
   ```

   For more information, see [Managing file systems with the ONTAP CLI](managing-resources-ontap-apps.md#fsxadmin-ontap-cli). 

1. Use the [volume expand](https://docs.netapp.com/us-en/ontap-cli-9141/volume-expand.html) ONTAP CLI command to expand your FlexGroup volume with additional constituents. Replace the following values:
   + `svm_name` with the name of the storage virtual machine (SVM) that hosts your FlexGroup volume (for example, `svm1`).
   + `vol_name` with the name of the FlexGroup volume that you want to expand (for example, `vol1`).
   + `aggregates` with a comma-separated list of aggregates that you want to add FlexGroup constituent volumes into. For example, `aggr1` for a single aggregate or `aggr1,aggr2` for multiple aggregates.
   + `constituent_per_aggregate` with the number of additional constituents that you want to add to each of the specified `aggregates`. You should only add enough constituents to ensure that your FlexGroup volume has a balanced number of constituents across the aggregates it resides on.

   ```
   ::> volume expand -vserver svm_name -volume vol_name -aggr-list aggregates -aggr-list-multiplier constituents_per_aggregate
   ```

**Important**  
You can't remove FlexGroup constituents after you add them, so check your inputs before running the previous command.

# Moving volumes between aggregates
Moving volumes

When you add high-availability (HA) pairs to your file system, you need to rebalance the existing data by moving volumes to the new aggregates. To move a volume between aggregates, you can use the `volume move` command in the ONTAP CLI. 

Before using the `volume move` command, consider the following points:
+ Using the `volume move` command can impact performance because it consumes network and disk resources on your file system. Therefore, we recommend moving volumes between aggregates during periods of low activity. Alternatively, you can reduce the network throughput utilization and disk throughput utilization on your file system to no more than 50% while moving volumes.
+ To reduce the performance impact on your file system, we recommend moving a single volume between two HA pairs and aggregates at a time. For example, if your file system has four HA pairs, we recommend moving two volumes at a time (assuming the volume moves are not from or toward the same HA pairs). ONTAP supports moving up to eight volumes on each HA pair at a time, but more simultaneous volume moves will reduce the performance of both client I/O and any in-progress volume moves.
+ Any data stored on the SSD tier on the impacted volume is physically moved to a different set of disks on a different file server. This operation occurs in the background and takes time. The rate of time that the transfer takes depends on your file system's throughput capacity and the amount of activity on your file system. However, the volume move can be throttled. For more information, see [Throttling volume moves](#throttle-volume-moves).
+ Data stored in capacity pool is not physically moved because the HA pairs share the same capacity pool storage. Instead, ONTAP moves metadata that fully describes each block in capacity pool (a logical move). Keep in mind that file metadata is always stored on the SSD tier. For more information, see [Volume data tiering](volume-storage-capacity.md#volume-data-tiering).

## Phases of moving a volume


There are two phases in a volume move operation: the replication phase and the cutover phase. During the replication phase, existing data is replicated to the volume's new aggregate. During the cutover phase, ONTAP attempts a final rapid transfer to the volume's new aggregate. This includes transferring any data that has been written during the transfer phase and redirecting new traffic to the volume's new aggregate. By default, the cutover window is 30 seconds and halts all I/O to your volume. If ONTAP can't perform all of these steps during the cutover window, it will fail. By default, ONTAP will try to cut over three times consecutively. If all three consecutive attempts fail, then ONTAP will retry once an hour until it succeeds. You can reduce the load on your file system to ensure that the cutover phase is successful by reducing or pausing I/O traffic to the volume before the cutover phase begins. 

## Starting volume moves


**To start a volume move**

1. To access the NetApp ONTAP CLI, establish an SSH session on the management port of the Amazon FSx for NetApp ONTAP file system by running the following command. Replace `management_endpoint_ip` with the IP address of the file system's management port.

   ```
   [~]$ ssh fsxadmin@management_endpoint_ip
   ```

   For more information, see [Managing file systems with the ONTAP CLI](managing-resources-ontap-apps.md#fsxadmin-ontap-cli). 

1. Run the [volume move start](https://docs.netapp.com/us-en/ontap-cli-9131/volume-move-start.html#description) ONTAP CLI command. Replace the following values:
   + `vserver_name` with the name of the SVM hosting the volume that you're moving.
   + `volume_name` with the name of the volume's constituent (for example, `vol1__0001`).
   + `aggregate_name` with the name of the destination aggregate for the volume.
   + `-enforce-network-throttling` to throttle the volume move's total throughput. This is optional. 

   ```
   ::> volume move start -vserver svm_name -volume volume_name --destination-aggregate aggregate_name -foreground false
   [Job 1] Job is queued: Move "vol1__0001" in Vserver "svm01" to aggregate "aggr1". Use the "volume move show -vserver svm01 -volume vol1__0001" command to view the status of this operation.
   ```

**Important**  
Moving volumes consumes network and disk resources for the source and destination file servers. Therefore, your workload's performance can be impacted by any volume moves that are in progress. Additionally, your I/O traffic to the volume will be temporarily paused during the cutover phase of the volume move.

## Monitoring volume moves


**To monitor a volume move**
+ To check the status of the volume move operation, use the `volume move show` ONTAP CLI command.

  ```
  ::> volume move show -vserver svm_name -volume volume_name 
  
  Vserver Name: svm01
  Volume Name: vol1__0001
  Actual Completion Time: -
  Bytes Remaining: 1.00TB
  Specified Action For Cutover: retry_on_failure
  Specified Cutover Time Window: 30
  Destination Aggregate: aggr2
  Destination Node: FsxId01234567890abcdef-03
  Detailed Status: Transferring data: 12.23GB sent.
  Percentage Complete: 1%
  Move Phase: replicating
  Prior Issues Encountered: -
  Estimated Remaining Duration: 00:40:25
  Replication Throughput: 434.3MB/s
  Duration of Move: 00:00:27
  Source Aggregate: aggr1
  Source Node: FsxId01234567890abcdef-01
  Move State: healthy
  ```

  The command output shows the estimated time to complete the move. When it's finished, the `Move phase` will show the `completed` status.

## Maintaining balanced FlexGroup volumes


In order for your workload to perform optimally, your FlexGroup volumes should span all aggregates and have an even number of constituent volumes per aggregate. We recommend having eight constituents per aggregate. Consider the following scenarios when rebalancing FlexGroup volumes:
+ **Moving FlexGroup constituents among existing aggregates:** If you move a FlexGroup's constituent volume to another aggregate of an otherwise balanced FlexGroup, you should then move another constituent that's less utilized to the original aggregate. This ensures that your FlexGroup has an even number of constituents per aggregate. 

  **Moving FlexGroup constituents into new aggregates after adding HA pairs:** If you move a FlexGroup's constituent volumes to new aggregates after adding HA pairs, then you should expand the FlexGroup with additional constituents on the aggregates that lost constituents. This ensures that your FlexGroup has an even number of constituents per aggregate. For more information, see [Expanding FlexGroup volumes](expanding-fg-volumes.md).

## Throttling volume moves


If you want to limit the bandwidth of a volume move on your file system, you can add the `-enforce-network-throttling` option at the beginning of the operation. 

**Note**  
Using this option affects incoming SnapMirror replication data transfers for the file system. Keep track of how you configure your file system's replication options because you can't view them after setting them.

**To throttle a volume move**

1. The throttle uses the global replication throttle. To set the global replication throttle, use the following command in the ONTAP CLI.

   ```
   ::> options -option-name replication.throttle.enable on
   ```

1. Specify the maximum total bandwidth that can be used by replication, replacing the following option:
   + `kbs_throttle` with the maximum desired throughput to use for any replication (including SnapMirror and volume moves), in Kilobytes per second.

   ```
   ::> options -option-name replication.throttle.incoming.max_kbs kbs_throttle 
   ::> options -option-name replication.throttle.outgoing.max_kbs kbs_throttle
   ```

# Monitoring volumes


You can see the volumes that are currently on your file system using the Amazon FSx console, the AWS CLI, and the Amazon FSx API and SDKs.

**To monitor the volumes on your file system:**
+ **Using the console** – Choose a file system to view the **File systems** detail page. Choose the **Volumes** tab to list all the volumes on the file system, and then choose the volume you want to view.
+ **Using the CLI or API** – Use the [describe-volumes](https://docs.aws.amazon.com/cli/latest/reference/fsx/describe-volumes.html) CLI command or the [DescribeVolumes](https://docs.aws.amazon.com/fsx/latest/APIReference/API_DescribeVolumes.html) API operation.

  ```
  $ aws fsx describe-volumes 
  {
      "Volumes": [
          {
              "CreationTime": "2024-03-04T20:17:44+00:00",
              "FileSystemId": "fs-abcdef0123a0bb087",
              "Lifecycle": "CREATED",
              "Name": "SVM8_ext_root",
              "OntapConfiguration": {
                  "FlexCacheEndpointType": "NONE",
                  "JunctionPath": "/",
                  "SecurityStyle": "NTFS",
                  "SizeInMegabytes": 1024,
                  "StorageEfficiencyEnabled": false,
                  "StorageVirtualMachineId": "svm-01234567890abcdef",
                  "StorageVirtualMachineRoot": true,
                  "TieringPolicy": {
                      "Name": "NONE"
                  },
                  "UUID": "42ce3de0-da64-11ee-a22d-7f7cdfb8d381",
                  "OntapVolumeType": "RW",
                  "SnapshotPolicy": "default",
                  "CopyTagsToBackups": false,
                  "VolumeStyle": "FLEXVOL",
                  "AggregateConfiguration": {
                      "Aggregates": [
                          "aggr1"
                      ]
                  },
                  "SizeInBytes": 1073741824
              },
              "ResourceARN": "arn:aws:fsx:us-east-2:111122223333:volume/fs-abcdef0123a0bb087/fsvol-abcdef0123456789a",
              "VolumeId": "fsvol-abcdef0123456789a",
              "VolumeType": "ONTAP"
          }
      ]
  }
  ```

# Viewing offline volumes


You can't create or delete volume backups when the source volume is offline. You can use the [https://docs.netapp.com/us-en/ontap-cli-9131/volume-show.html](https://docs.netapp.com/us-en/ontap-cli-9131/volume-show.html) ONTAP CLI command to determine a volume's current status.

```
volume show -vserver svm-name
```

For information about accessing the ONTAP CLI on your file system, see [Using the NetApp ONTAP CLI](managing-resources-ontap-apps.md#netapp-ontap-cli).

```
FsxIdabc12345::> volume show -vserver vs1
Vserver   Volume       Aggregate    State      Type       Size  Available Used%
--------- ------------ ------------ ---------- ---- ---------- ---------- -----
vs1       vol1         aggr1        online     RW          2GB      1.9GB    5%
vs1       vol1_dr      aggr0_dp     online     DP        200GB    160.0GB   20%
vs1       vol2         aggr0        online     RW        150GB    110.3GB   26%
vs1       vol2_dr      aggr0_dp     online     DP        150GB    110.3GB   26%
vs1       vol3         aggr1        online     RW        150GB    120.0GB   20%
vs1       vol3_dr      aggr1_dp     online     DP        150GB    120.0GB   20%
vs1       vol4         aggr1        online     RW        200GB    159.8GB   20%
7 entries were displayed.
```

To bring an offline volume back online, use the [https://docs.netapp.com/us-en/ontap-cli-9131/volume-online.html](https://docs.netapp.com/us-en/ontap-cli-9131/volume-online.html) ONTAP CLI command, as shown in the following example. If only one SVM (Vserver) exists, you do not need to specify the `-vserver` parameter.

```
FsxID-abcdef123456::> volume online -volume volume_name -vserver svm_name
   
Volume 'vs1:vol1' is now online.
```

# Deleting volumes


You can delete an FSx for ONTAP volume using the Amazon FSx console, the AWS CLI, and the Amazon FSx API, in addition to the NetApp ONTAP command line interface (CLI) and REST API.

Before you delete a volume, make sure that no applications are accessing the data in the volume that you want to delete.

**Important**  
You can only delete volumes using the Amazon FSx console, API, or CLI if the volume has Amazon FSx backups enabled.

## Taking a final volume backup


When you delete a volume using the Amazon FSx console, you have the option to take a final backup of the volume. As a best practice, we recommend that you choose to take a final backup. If you find you don't need it after a certain period of time, you can delete this and other manually created volume backups. When you delete a volume by using the `delete-volume` CLI command, Amazon FSx takes a final backup by default.

For more information about volume backups, see [Protecting your data with volume backups](using-backups.md).

## To delete a volume (console)


1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. In the left navigation pane, choose **File systems**, and then choose the ONTAP file system that you want to delete a volume from.

1. Choose the **Volumes** tab.

1. Choose the volume that you want to delete.

1. For **Actions**, choose **Delete volume**.

1. (SnapLock Enterprise volumes only) For **Bypass SnapLock Enterprise Retention**, choose **Yes**. 

1. In the confirmation dialog box, for **Create final backup**, you have two options:
   + Choose **Yes** to take a final backup of the volume. The name of the final backup is displayed.
   + Choose **No** if you don't want a final backup of the volume. You are asked to acknowledge that once the volume is deleted, automatic backups are no longer available.

1. Confirm the volume deletion by entering **delete** in the **Confirm delete** field.

1. Choose **Delete volume(s)**.

## To delete a volume (CLI)

+ To delete an FSx for ONTAP volume, use the [delete-volume](https://docs.aws.amazon.com/cli/latest/reference/fsx/delete-volume.html) CLI command (or the equivalent [DeleteVolume](https://docs.aws.amazon.com/fsx/latest/APIReference/API_DeleteVolume.html) API operation), as shown in the following example.

  ```
  aws fsx delete-volume --volume-id fsvol-1234567890abcde
  ```

# Deleting SnapLock volumes


This section explains how to delete a SnapLock volume.

 You can delete a SnapLock Compliance volume if the retention periods of all the write once, read many (WORM) files on it are expired.

**Note**  
When you close an AWS account that contains SnapLock Enterprise or Compliance volumes, AWS and FSx for ONTAP suspend your account for 90 days leaving your data intact. If you don't reopen your account during those 90 days, AWS deletes your data including data in SnapLock volumes regardless of your retention settings. 

You can delete a SnapLock Enterprise volume at any time if you have the required permissions. To delete a SnapLock Enterprise volume using the ONTAP CLI, you must have the `fsxadmin` role. For more information, see [File system administrator roles and users](roles-and-users.md#file-system-admin-roles).

To delete a SnapLock Enterprise volume that contains WORM data with an active retention policy using the Amazon FSx console, CLI, or Amazon FSx API, you must have the `fsx:BypassSnapLockEnterpriseRetention` IAM permission.

**Warning**  
The minimum retention period for a SnapLock audit log volume is six months. Until this retention period expires you can't delete the SnapLock audit log volume, the storage virtual machine (SVM), or the file system that's associated with the SVM—even if the volume was created in SnapLock Enterprise mode. For more information, see [SnapLock audit log volumes](how-snaplock-works.md#snaplock-audit-log-volume). 

# Creating an iSCSI LUN


This process describes how to create an iSCSI LUN on an Amazon FSx for NetApp ONTAP file system using the NetApp ONTAP CLI **lun create** command. For more information, see [https://docs.netapp.com/us-en/ontap-cli-9111/lun-create.html](https://docs.netapp.com/us-en/ontap-cli-9111/lun-create.html) in the NetApp ONTAP Documentation Center.

**Note**  
The iSCSI protocol isn't supported for file systems with more than six HA pairs.

This process assumes you already have a volume created on your file system. For more information, see [Creating volumes](creating-volumes.md).

1. To access the ONTAP CLI, establish an SSH session on the management port of the Amazon FSx for NetApp ONTAP file system or SVM by running the following command. Replace `management_endpoint_ip` with the IP address of the file system's management port.

   ```
   [~]$ ssh fsxadmin@management_endpoint_ip
   ```

   For more information, see [Managing file systems with the ONTAP CLI](managing-resources-ontap-apps.md#fsxadmin-ontap-cli). 

1. Create a LUN using the **lun create** NetApp CLI command, replacing the following values:
   + **`svm_name`** - The name of the storage virtual machine (SVM) providing the iSCSI target. The host uses this value to reach the LUN.
   + **`vol_name`** - The name of the volume hosting the LUN.
   + **`lun_name`** - The name you want to assign to the LUN.
   + **`size`** - The size, in bytes, of the LUN. The maximum size LUN you can create is 128 TB.
**Note**  
We recommend that you use a volume at least 5% larger than your LUN size. This margin leaves space for volume snapshots.
   + **`ostype`** - The operating system of the host, either `windows_2008` or `linux`. Use `windows_2008` for all versions of Windows; this ensures the LUN has proper block offset for the operating system and optimizes performance.
**Note**  
We recommend enabling space allocation on your LUN. With space allocation enabled, ONTAP can inform your host when the LUN is out of capacity and can reclaim space as you delete data from the LUN. 

   For more information, see [https://docs.netapp.com/us-en/ontap-cli-9121/lun-create.html](https://docs.netapp.com/us-en/ontap-cli-9121/lun-create.html) in the NetApp ONTAP CLI documentation.

   ```
   > lun create -vserver svm_name -path /vol/vol_name/lun_name -size size -ostype ostype -space-allocation enabled
   ```

   ```
   Created a LUN of size 10g (10737418240)
   ```

1. Confirm the LUN is created, online, and mapped.

   ```
   > lun show
   ```

   The system responds with the following output:

   ```
   Vserver   Path                            State   Mapped   Type         Size
   --------- ------------------------------- ------- -------- ------------ --------
   svm_name 
             /vol/vol_name/lun_name          online  unmapped windows_2008 10GB
   ```

## Next steps


Now that you have created an iSCSI LUN, the next step in the process of using an iSCSI LUN as block storage is to map the LUN to an `igroup`. For more information, see [Provisioning iSCSI for Linux](mount-iscsi-luns-linux.md) or [Provisioning iSCSI for Windows](mount-iscsi-windows.md).

# Optimizing performance with Amazon FSx maintenance windows
Updating maintenance windows

As a fully-managed service, FSx for ONTAP regularly performs maintenance on and updates to your file system. This maintenance has no impact for most workloads. For workloads that are performance-sensitive, on rare occasions you may notice a brief (<60 seconds) impact on performance when maintenance is occurring; Amazon FSx enables you to use the maintenance window to control when any such potential maintenance activity occurs.

Patching occurs infrequently, typically once every several weeks. When patching occurs, each of your file system's file servers is patched one at a time, and each file server typically takes up to an hour to be patched. Before any file server is patched within an HA pair, your file system automatically fails over to the file servers' HA partner, which may result in a brief (less than 60 seconds) I/O pause for any I/O directed toward that HA pair. Your file system will then fail back, which may result in another brief (less than 60 seconds) I/O pause. You choose the maintenance window start time during file system creation. If you don't choose a window, one is automatically assigned.

**Important**  
To ensure that your file system can be patched successfully, FSx for ONTAP will bring online any offline volumes for the duration of the patching process. Any volumes that Amazon FSx brings back online will not be accessible to clients.

FSx for ONTAP allows you to adjust your maintenance window as needed to accommodate your workload and operational requirements. You can move your maintenance window as frequently as required, provided that a maintenance window occurs at least once every 14 days. If a patch is released and a maintenance window does not occur within 14 days, FSx for ONTAP will proceed with maintenance on the file system to ensure its security and reliability.

**Note**  
To ensure data integrity during maintenance activity, FSx for ONTAP closes all opportunistic locks and completes any pending write operations to the underlying storage volumes that are hosting your file system before maintenance begins.

You can use the Amazon FSx Management Console, AWS CLI, AWS API, or one of the AWS SDKs to change the maintenance window for your file systems.

**To change the weekly maintenance window (console)**

1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. Choose **File systems** in the left hand navigation column.

1. Choose the file system that you want to change the weekly maintenance window for. The **Summary** file system details page appears.

1. Choose **Administration** to display the file system administration **Settings** panel.

1. Choose **Update** to display the **Change maintenance window** window.

1.  Enter the new day and time that you want the weekly maintenance window to start.

1. Choose **Save** to save your changes. The new maintenance start time is displayed in the file system administration **Settings** panel.

To change the weekly maintenance window using the [update-file-system](https://docs.aws.amazon.com/cli/latest/reference/fsx/update-file-system.html) CLI command, see [To update a file system (CLI)](updating-file-system.md#update-file-system-cli).

# Managing throughput capacity
Managing throughput capacity

FSx for ONTAP configures throughput capacity when you create the file system. You can modify your file system's throughput capacity at any time. Keep in mind that your file system requires a specific configuration to achieve the maximum amount of throughput capacity. For example, to provision 4 GBps of throughput capacity for a first-generation file system, your file system requires a configuration with a minimum of 5,120 GiB of SSD storage capacity and 160,000 SSD IOPS. For more information, see [Impact of throughput capacity on performance](performance.md#impact-throughput-cap-performance).

Throughput capacity is one factor that determines the speed at which the file server that's hosting the file system can serve the file data. Higher levels of throughput capacity come with higher levels of network, disk read I/O operations per second (IOPS), and data caching capacity on the file server. For more information, see [Amazon FSx for NetApp ONTAP performance](performance.md).

When you modify your file system's throughput capacity, Amazon FSx switches out the file server that's powering your file system. Both Single-AZ and Multi-AZ file systems experience an automatic failover and failback during this process, which typically takes a few minutes to complete. The failover and failback processes are transparent to NFS (Network File Sharing), SMB (Server Message Block), and iSCSI (Internet Small Computer Systems Interface) clients, allowing your workloads to continue running without interruption or manual intervention. You are billed for the new amount of throughput capacity once it's available to your file system.

**Note**  
To ensure data integrity during maintenance activity, FSx for ONTAP closes all opportunistic locks and completes any pending write operations to the underlying storage volumes that are hosting your file system before maintenance begins. During a scheduled file system maintenance window, system modifications (such as modifications to your throughput capacity) may be delayed. System maintenance can cause these changes to queue up until they are processed. For more information, see [Optimizing performance with Amazon FSx maintenance windows](maintenance-windows.md).

**Topics**
+ [

## When to modify throughput capacity
](#when-to-modify-throughput-capacity)
+ [

## How concurrent requests are handled
](#concurrent-throughput-and-storage-requests)
+ [

# Updating throughput capacity
](increase-throughput-capacity.md)
+ [

# Monitoring throughput capacity changes
](monitoring-throughput-capacity-changes.md)

## When to modify throughput capacity


Amazon FSx integrates with Amazon CloudWatch, which helps you to monitor your file system's ongoing throughput usage levels. The throughput and IOPS performance that you can drive through your file system depends on your specific workload’s characteristics, in addition to your file system’s throughput capacity. As a rule, you should provision enough throughput capacity to support your workload's read throughput plus twice your workload's write throughput. You can use CloudWatch metrics to determine which of these dimensions to change to improve performance. For more information, see [Monitoring in the Amazon FSx console](monitor-throughput-cloudwatch.md).



## How concurrent requests are handled


For first-generation file systems, you can request a throughput capacity update just before an SSD storage capacity and provisioned IOPS update workflow begins or while it is in progress. The sequence of how Amazon FSx handles the two requests is as follows:
+ If you submit an SSD/IOPS update and throughput capacity update at the same time, both requests are accepted. The SSD/IOPS update is prioritized before the throughput capacity update.
+ If you submit a throughput capacity update while an SSD/IOPS update is in progress, the throughput capacity update request is accepted and queued to occur after the SSD/IOPS update. The throughput capacity update starts after SSD/IOPS is updated (new values are available) and during the optimization step. This typically takes less than 10 minutes.
+ If you submit a SSD/IOPS update while a throughput capacity update is in progress, the SSD/IOPS storage update request is accepted and queued to start after the throughput capacity update has completed (new throughput capacity is available). This typically takes 20 minutes.

Consider the following points when requesting a throughput capacity update for second-generation file systems:
+ You must wait a minimum of six hours between updating the throughput capacity for second-generation file systems.
+ The throughput capacity cooldown period is shared with SSD/IOPS scaling.
+ Throughput capacity scaling and SSD/IOPS scaling can't be done simulatenously or queued while either is in progress.
+ You can't add high-availability (HA) pairs in conjunction with or while throughput capacity scaling or SSD/IOPS scaling are in progress. However, adding HA pairs doesn't share a cooldown with SSD/IOPS scaling and throughput capacity scaling. For more information, see [Adding high-availability (HA) pairs](adding-HA-pairs.md).

For more information on SSD storage and provisioned IOPS updates, see [Managing storage capacity](managing-storage-capacity.md).

# Updating throughput capacity


You can modify a file system's throughput capacity using the Amazon FSx console, the AWS Command Line Interface (AWS CLI), or the Amazon FSx API.

**Note**  
You must wait a minimum of six hours between updating the throughput capacity for second-generation file systems.

## To modify a file system's throughput capacity (console)


1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. Navigate to **File systems**, and choose the ONTAP file system that you want to increase the throughput capacity for.

1. For **Actions**, choose **Update throughput capacity**. Or, in the **Summary** panel, choose **Update** next to the file system's **Throughput capacity**. 

   

1. Choose the new value for **Throughput capacity** from the list.

1. Choose **Update** to initiate the throughput capacity update.

1. You can monitor the update progress on the **File systems** detail page, on the **Updates** tab.

   You can monitor the progress of the update by using the Amazon FSx console, the AWS CLI, and the API. For more information, see [Monitoring throughput capacity changes](monitoring-throughput-capacity-changes.md).

## To modify a file system's throughput capacity (CLI)


To modify a file system's throughput capacity, use the AWS CLI command [update-file-system](https://docs.aws.amazon.com/cli/latest/reference/fsx/update-file-system.html). Set the following parameters:
+ `--file-system-id` to the ID of the file system that you are updating.
+ `ThroughputCapacity` to the desired value to update the file system to. 

You can monitor the progress of the update by using the Amazon FSx console, the AWS CLI, and the API. For more information, see [Monitoring throughput capacity changes](monitoring-throughput-capacity-changes.md).

# Monitoring throughput capacity changes


You can monitor the progress of a throughput capacity modification using the Amazon FSx console, the API, and the AWS CLI.

## Monitoring throughput capacity changes in the console


On the **Updates** tab in the **File system details** window, you can view the 10 most recent update actions for each update action type.

For throughput capacity update actions, you can view the following information.

****Update type****  
Supported types are **Throughput capacity**, **Storage capacity**, and **Storage optimization**.

****Target value****  
The desired value to change the file system's throughput capacity to.

****Status****  
The current status of the update. For throughput capacity updates, the possible values are as follows:  
+ **Pending** – Amazon FSx has received the update request, but has not started processing it.
+ **In progress** – Amazon FSx is processing the update request.
+ **Completed** – The throughput capacity update completed successfully.
+ **Failed** – The throughput capacity update failed. Choose the question mark (**?**) to see details on why the throughput update failed.

****Request time****  
The time when Amazon FSx received the update request.

## Monitoring changes with the AWS CLI and API


You can view and monitor file system throughput capacity modification requests using the [describe-file-systems](https://docs.aws.amazon.com/cli/latest/reference/fsx/describe-file-systems.html) CLI command and the [DescribeFileSystems](https://docs.aws.amazon.com/fsx/latest/APIReference/API_DescribeFileSystems.html) API action. The `AdministrativeActions` array lists the 10 most recent update actions for each administrative action type. When you modify a file system's throughput capacity, a `FILE_SYSTEM_UPDATE` administrative action is generated. 

The following example shows the response excerpt of a `describe-file-systems` CLI command. The file system has a throughput capacity of 128 MBps, and a target throughput capacity of 256 MBps.

```
.
.
.
    "ThroughputCapacity": 128,
"AdministrativeActions": [
    {
        "AdministrativeActionType": "FILE_SYSTEM_UPDATE",
        "RequestTime": 1581694764.757,
        "Status": "PENDING",
        "TargetFileSystemValues": {
          "OntapConfiguration": {
            "ThroughputCapacity": 256
          }
        }
    }
]
```

When Amazon FSx processes the action successfully, the status changes to `COMPLETED`. The new throughput capacity is then available to the file system, and shows in the `ThroughputCapacity` property. This is shown in the following response excerpt of a **describe-file-systems** CLI command.

```
.
.
.
    "ThroughputCapacity": 256,
"AdministrativeActions": [
    {
        "AdministrativeActionType": "FILE_SYSTEM_UPDATE",
        "RequestTime": 1581694764.757,
        "Status": "COMPLETED",
        "TargetFileSystemValues": {
          "OntapConfiguration": {
            "ThroughputCapacity": 256
          }
        }
    }
]
```

If the throughput capacity modification fails, the status changes to `FAILED`, and the `FailureDetails` property provides information about the failure.

# Managing SMB shares


To manage SMB file shares on your Amazon FSx file system, you can use the Microsoft Windows Shared Folders GUI. The Shared Folders GUI provides a central location for managing all shared folders in your storage virtual machine (SVM). The following procedures detail how to create, update, and remove your file shares.

**Note**  
You can also manage SMB file shares by using the NetApp System Manager. For more information, see [Using NetApp System Manager with NetApp Console](managing-resources-ontap-apps.md#netapp-sysmgr-bluexp).

**To connect shared folders to your Amazon FSx file system**

1. Launch your Amazon EC2 instance and connect it to the Microsoft Active Directory that your Amazon FSx file system is joined to. To do this, choose one of the following procedures from the *AWS Directory Service Administration Guide*:
   + [Seamlessly join a Windows EC2 instance](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/launching_instance.html)
   + [Manually join a Windows instance](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/join_windows_instance.html)

1. Connect to your instance as a user that is a member of the file system administrators group. For more information, see [Connecting to Your Windows Instance](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/connecting_to_windows_instance.html) in the *Amazon EC2 User Guide*.

1. Open the **Start** menu and run **fsmgmt.msc** using **Run As Administrator**. Doing this opens the Shared Folders GUI tool.

1. For **Action**, choose **Connect to another computer**.

1. For **Another computer**, enter the DNS name for your storage virtual machine (SVM), for example **netbios\$1name.corp.example.com**. 

   To find your SVM's DNS name on the Amazon FSx console, choose **Storage virtual machines**, choose your SVM, and then scroll down to **Endpoints** until you find **SMB DNS name**. You can also get the DNS name in the response of the [DescribeStorageVirtualMachines](https://docs.aws.amazon.com/fsx/latest/APIReference/API_DescribeStorageVirtualMachines.html) API operation.

1. Choose **OK**. An entry for your Amazon FSx file system then appears in the list for the Shared Folders tool.

Now that Shared Folders is connected to your Amazon FSx file system, you can manage the Windows file shares on the file system with the following actions:

**Note**  
We recommend that you locate your SMB shares on a volume other than your root volume.
+ **Create a new file share** – In the Shared Folders tool, choose **Shares** in the left pane to see the active shares for your Amazon FSx file system. Volumes are shown mounted on the path chosen during volume creation. Choose **New Share** and complete the Create a Shared Folder wizard.

  You have to create the local folder prior to creating the new file share. You can do so as follows: 
  + Using the Shared Folders tool: choose **Browse** when specifying a local folder path, choose **Make new folder** to create the local folder.
  + Using command line:

    ```
    New-Item -Type Directory -Path \\netbios_name.corp.example.com\C$volume_path\MyNewFolder
    ```
+ **Modify a file share** – In the Shared Folders tool, open the context (right-click) menu for the file share that you want to modify in the right pane, and choose **Properties**. Modify the properties and choose **OK**.
+ **Remove a file share** – In the Shared Folders tool, open the context (right-click) menu for the file share that you want to remove in the right pane, and then choose **Stop Sharing**.
**Note**  
Removing file shares from the GUI is possible only if you connected to **fsmgmt.msc** using the DNS name of the Amazon FSx file system. If you connected using the IP address or DNS alias name of the file system, the **Stop Sharing** option won't work and the file share isn't removed.

# Managing FSx for ONTAP resources using NetApp applications
Managing with NetApp applications

In addition to the AWS Management Console, AWS CLI, and AWS API and SDKs, you can also use these NetApp management tools and applications to manage your FSx for ONTAP resources:

**Topics**
+ [

## Signing up for a NetApp account
](#signing-up-for-netapp)
+ [

## Using NetApp Console
](#netapp-bluexp)
+ [

## Using the NetApp ONTAP CLI
](#netapp-ontap-cli)
+ [

## Using the ONTAP REST API
](#netapp-ontap-api)

**Important**  
Amazon FSx periodically syncs with ONTAP to ensure consistency. If you create or modify volumes using NetApp applications, it may take up to several minutes for these changes to be reflected in the AWS Management Console, AWS CLI, API and SDKs.

## Signing up for a NetApp account


In order to download some NetApp software, such as NetApp Console, SnapCenter, and the ONTAP Antivirus connector, you need to have a NetApp account. To sign up for a NetApp account, perform the following steps:

1. Go to the [NetApp User Registration](https://mysupport.netapp.com/site/user/registration) page and register for a new NetApp user account.

1. Complete the form(s) with your information. Be sure to select the **NetApp Customer/End User** access level. In the **SERIAL NUMBER** field, copy and paste the File System ID for your FSx for ONTAP file system. See the following example:  
![\[Select user access level when signing up for a NetApp account.\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/images/signupfornetapp3.png)

### What to expect after you register


Customers with existing NetApp products will have their NSS account leveled-up to **Customer Level** access within one business day. Customers new to NetApp will be onboarded using standard business practices, in addition to having their NSS account leveled-up to Customer Level access. Providing the File System ID helps expedite this process. You can check the status of your NSS account by logging into [mysupport.netapp.com](https://mysupport.netapp.com/site/) and navigating to the **Welcome** page. The access level of your account should be **Customer Access**.

## Using NetApp Console


NetApp Console (formerly NetApp BlueXP) is a unified control plane that simplifies management experiences for storage and data services across on-premises and cloud environments. NetApp Console provides a centralized user interface to manage, monitor, and automate ONTAP deployments in AWS and on premises. For more information, see the [NetApp Console documentation](https://docs.netapp.com/us-en/console-family/index.html) and the [Amazon FSx for NetApp ONTAP management](https://docs.netapp.com/us-en/storage-management-fsx-ontap/index.html) documentation.

**Note**  
NetApp Console isn't supported for second-generation file systems with more than one high-availability (HA) pair. 

### Using NetApp System Manager with NetApp Console


You can manage your Amazon FSx for NetApp ONTAP file systems using System Manager directly from NetApp Console. NetApp Console lets you use the same System Manager interface that you’re accustomed to using, so you can manage your hybrid multi-cloud infrastructure from a single control plane. You also have access to NetApp Console's other functionality. For more information, see the [Integrate ONTAP System Manager with NetApp Console](https://docs.netapp.com/us-en/ontap/concepts/sysmgr-integration-console-concept.html) topic in the NetApp ONTAP documentation. 

**Note**  
NetApp System Manager isn't supported for second-generation file systems with more than one HA pair.

## Using the NetApp ONTAP CLI


You can manage your Amazon FSx for NetApp ONTAP resources using the NetApp ONTAP CLI. You can manage resources at the file system (analogous to NetApp ONTAP cluster) level, and at the SVM level.

### Managing file systems with the ONTAP CLI


You can run ONTAP CLI commands on your FSx for ONTAP file system, similar to running them on a NetApp ONTAP cluster. You access the ONTAP CLI on your file system by establishing a secure shell (SSH) connection to the file system's management endpoint, and logging in with the `fsxadmin` username and password. You have the option to set the `fsxadmin` password when you create a file system using the [custom create flow](creating-file-systems.md) or using the AWS CLI. If you created the file system using the Quick create option, the `fsxadmin` password was not set, so you'll need to set one in order to log in to the ONTAP CLI. For more information about setting the file system's `fsxadmin`, password, see [Updating file systems](updating-file-system.md). You can find the **DNS name** and **IP address** of your file system's management endpoint in the Amazon FSx console, in the **Administration** tab of the FSx for ONTAP file system details page.

To connect to the file system's management endpoint with SSH, first log in to an EC2 instance in the same VPC as the FSx for ONTAP file system. Once you're logged into the EC2 instance, use the `fsxadmin` user and password to SSH into the file system's management endpoint IP address or DNS name, as in the following examples.

```
ssh fsxadmin@file-system-management-endpoint-ip-address
```

The SSH command with sample values:

```
ec2user $ ssh fsxadmin@198.51.100.0
```

The SSH command using the management endpoint DNS name:

```
ec2user $ ssh fsxadmin@file-system-management-endpoint-dns-name
```

The SSH command using a sample DNS name:

```
ec2user $ ssh fsxadmin@management.fs-0abcdef123456789.fsx.us-east-2.aws.com
  Password: fsxadmin_password

This is your first recorded login.
FsxId0abcdef123456789::>
```

#### Scope of ONTAP CLI commands available to `fsxadmin`


The `fsxadmin`'s administrative view is at the file system level, which includes all SVMs and volumes in the file system. The `fsxadmin` role performs the role of the ONTAP cluster administrator. Because Amazon FSx for NetApp ONTAP file systems are fully managed, the `fsxadmin` role can run a subset of the available ONTAP CLI commands.

To see a list of the commands that `fsxadmin` can run, use the following [https://docs.netapp.com/us-en/ontap-cli/security-login-role-show.html](https://docs.netapp.com/us-en/ontap-cli/security-login-role-show.html) ONTAP CLI command:

```
FsxId0abc123def456::> security login role show -role fsxadmin -access !none
           Role          Command/                                      Access
Vserver    Name          Directory                               Query Level
---------- ------------- --------- ----------------------------------- --------
FsxId0abcdef123456789 
           fsxadmin      application                                   all
                         cluster application-record                    all
                         cluster date show                             readonly
                         cluster ha modify                             readonly
                         cluster ha show                               readonly
                         cluster identity modify                       readonly
                         cluster identity show                         readonly
                         cluster log-forwarding           -port !55555 all
                         cluster modify                                readonly
                         cluster peer                                  all
                         cluster show                                  readonly
                         cluster statistics show                       readonly
                         cluster time-service ntp server create        readonly
                         cluster time-service ntp server delete        readonly
                         cluster time-service ntp server modify        readonly
                         cluster time-service ntp server show          readonly
                         debug network tcpdump       -ipspace !Cluster all
                         debug san lun                                 all
                         df         -vserver !FsxId* -vserver !Cluster readonly
                         echo                                          all
                         event catalog show                            readonly
                         event config                                  all
.
.
.
378 entries were displayed.
```

### Managing SVMs with the ONTAP CLI


You can access the ONTAP CLI on your SVM by establishing a secure shell (SSH) connection to the SVM's management endpoint using the `vsadmin` user name and password. You can find the SVM's management endpoint **DNS name** and **IP address** in the Amazon FSx console, in the **Endpoints** panel of the **Storage virtual machines** details page, shown in the following graphic.

![\[The Endpoints panel of the Storage virtual machines details page with arrows pointing to Management DNS name and Management IP address.\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/images/fsx-ontap-svm-endpoints.png)


To connect to the SVM's management endpoint with SSH, you can use the `vsadmin` username and password. If you did not set a password for the `vsadmin` user when the SVM was created, you can set the `vsadmin` password at anytime. For more information, see [Updating storage virtual machines (SVM)](updating-svms.md). You can SSH into the SVM from a client that is in the same VPC as the file system, using the management endpoint IP address or DNS name.

```
ssh vsadmin@svm-management-endpoint-ip-address
```

The command with sample values:

```
ssh vsadmin@198.51.100.10
```

The SSH command using the management endpoint DNS name:

```
ssh vsadmin@svm-management-endpoint-dns-name
```

The SSH command using a sample DNS name:

```
ssh vsadmin@management.svm-abcdef01234567892fs-0abcdef123456789.fsx.us-east-2.aws.com
```

```
Password: vsadmin-password

This is your first recorded login.
FsxId0abcdef123456789::>
```

Amazon FSx for NetApp ONTAP supports the NetApp ONTAP CLI commands.

For a complete reference of NetApp ONTAP CLI commands, see the [ONTAP Commands: Manual Page Reference](https://docs.netapp.com/us-en/ontap-cli-9131/).

## Using the ONTAP REST API


When accessing your FSx for ONTAP file system using the ONTAP REST API using the `fsxadmin` credentials, do one of the following:
+ Disable TLS validation.

  Or
+ Trust the AWS certificate authorities (CAs) – The certificate bundle for the CAs in each region can be found at the follow URLs:
  + https://fsx-aws-certificates.s3.amazonaws.com/bundle-*aws-region*.pem for Public AWS Regions
  + https://fsx-aws-us-gov-certificates.s3.us-gov-west-1.amazonaws.com/bundle-*aws-region*.pem for AWSGovCloud Regions
  + https://fsx-aws-cn-certificates---s3---cn-north-1.amazonaws.com.rproxy.govskope.ca.cn/bundle-*aws-region*.pem for AWS China Regions

For a complete reference of NetApp ONTAP REST API commands, see the [NetApp ONTAP REST API Online Reference](https://library.netapp.com/ecmdocs/ECMLP2882307/html/index.html).

# Tagging Amazon FSx resources
Tagging resources

To help you manage your file systems and other Amazon FSx resources, you can assign your own metadata to each resource in the form of *tags*. With tags, you can categorize your AWS resources in different ways, for example, by purpose, owner, or environment. This categorization is useful when you have many resources of the same type—you can quickly identify a specific resource based on the tags that you've assigned to it. This topic describes tags and shows you how to create them.

**Topics**
+ [

## Tag basics
](#tag-basics)
+ [

## Tagging your resources
](#tagging-your-resources)
+ [

## Copying tags to backups
](#copying-tags-to-backups)
+ [

## Tag restrictions
](#tag-restrictions)
+ [

## Permissions and tagging
](#tags-iam)

## Tag basics


A *tag* is a label that you assign to an AWS resource. Each tag consists of two parts that you define:
+ A *tag key* (for example, `CostCenter`, `Environment`, or `Project`). Tag keys are case sensitive.
+ A *tag value* (for example, `111122223333` or `Production`). Like tag keys, tag values are case sensitive. Tag values are optional.



You can use tags to categorize your AWS resources in different ways, such as, by purpose, owner, or environment. For example, you could define a set of tags for your account's Amazon FSx file systems that helps you track each instance's owner and stack level.

We recommend that you devise a set of tag keys that meets your needs for each resource type. Using a consistent set of tag keys makes it easier for you to manage your resources. You can search and filter the resources based on the tags that you add. For more information about how to implement an effective resource tagging strategy, see [Tagging AWS resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) in the *AWS General Reference*.





Some tagging behaviors to keep in mind: 
+ Tags don't have any semantic meaning to Amazon FSx and are interpreted strictly as a string of characters.
+ Tags are not automatically assigned to your resources.
+ You can edit tag keys and values, and you can remove tags from a resource at any time.
+ You can set the value of a tag to an empty string, but you can't set the value of a tag to `null`.
+ If you add a tag that has the same key as an existing tag on that resource, the new value overwrites the old value.
+ If you delete a resource, any tags for the resource are also deleted.
+ If you're using the Amazon FSx API, the AWS Command Line Interface (AWS CLI), or an AWS SDK, you can do the following: 
  + You can use the `TagResource` API action to apply tags to existing resources. 
  + For some resource-creating actions, you can specify tags for a resource when the resource is created. By tagging resources at the time of creation, you can eliminate the need to run custom tagging scripts after resource creation.

    If tags cannot be applied during resource creation, Amazon FSx rolls back the resource creation process. This behavior helps ensure that resources are either created with tags or not created at all, and that no resources are left untagged at any time.
**Note**  
Certain AWS Identity and Access Management (IAM) permissions are required for users to tag resources on creation. For more information, see [Grant permission to tag resources during creation](using-tags-fsx.md#supported-iam-actions-tagging).

## Tagging your resources


You can tag Amazon FSx resources that exist in your account. If you're using the Amazon FSx console, you can apply tags to resources by using the **Tags** tab on the relevant resource screen. When you create resources, you can apply the **Name** key with a value, and you can apply tags of your choice when creating a new file system. However, even though the console organizes resources according to the **Name** key, this key doesn't have any semantic meaning to the Amazon FSx service.



To implement granular control over the users and groups that can tag resources on creation, you can apply tag-based resource-level permissions in your IAM policies to the Amazon FSx API actions that support tagging on creation. By using such permissions in your policies, you get the following benefits: 
+ Your resources are properly secured from creation. 
+ Because tags are applied immediately to your resources, any tag-based resource-level permissions controlling the use of resources are immediately effective. 
+ Your resources can be tracked and reported on more accurately. 
+ You can enforce the use of tagging on new resources, and control which tag keys and values are set on your resources.

To control which tag keys and values are set on your existing resources, you can apply resource-level permissions to the `TagResource` and `UntagResource` Amazon FSx API actions in your IAM policies.

For more information about the permissions required to tag Amazon FSx resources at creation, see [Grant permission to tag resources during creation](using-tags-fsx.md#supported-iam-actions-tagging).

For more information about using tags to restrict access to Amazon FSx resources in IAM policies, see [Using tags to control access to your Amazon FSx resources](using-tags-fsx.md#restrict-fsx-access-tags).

For information about tagging your resources for billing, see [Using cost allocation tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html) in the *AWS Billing User Guide*.

## Copying tags to backups


When you create or update a volume in the Amazon FSx API or AWS CLI, you can enable `CopyTagsToBackups` to automatically copy any tags from your volumes to backups. 

**Note**  
If you specify tags while creating a user-initiated backup (including the name tag when you create a backup using the Amazon FSx console), tags are *not* copied from the volume even if you've enabled `CopyTagsToBackups`. 

For more information about backups, see [Protecting your data with volume backups](using-backups.md). For more information about enabling `CopyTagsToBackups`, see [To create a volume (CLI)](creating-volumes.md#create-volume-cli) and [To update a volume's configuration (CLI)](updating-volumes.md#update-volume-cli) in the *Amazon FSx for NetApp ONTAP User Guide* or [CreateVolume](https://docs.aws.amazon.com/fsx/latest/APIReference/API_CreateVolume.html) and [UpdateVolume](https://docs.aws.amazon.com/fsx/latest/APIReference/API_UpdateVolume.html) in the *Amazon FSx for NetApp ONTAP API Reference*. 

## Tag restrictions


The following basic restrictions apply to tags:
+ The maximum number of tags per resource is 50.
+ The maximum key length is 128 Unicode characters in UTF-8.
+ The maximum value length is 256 Unicode characters in UTF-8.
+ The allowed characters are letters, numbers, and spaces representable in UTF-8, and the following characters: `+` `-` (hyphen) `=` `.` `_` (underscore) `:` `/` `@`.
+ For each resource, each tag key must be unique, and each tag key can have only one value.
+ Tag keys and values are case sensitive.
+ The `aws:` prefix is reserved for AWS use. If a tag has a tag key with this prefix, you can't edit or delete the tag's key or value. Tags with the `aws:` prefix do not count against your tags per resource limit.

You can't delete a resource based solely on its tags; you must specify the resource identifier. For example, to delete a file system that you tagged with a tag key called `DeleteMe`, you must use the `DeleteFileSystem` action with the file system resource identifier, such as `fs-1234567890abcdef0`.

When you tag public or shared resources, the tags that you assign are available only to your AWS account; no other AWS account has access to those tags. For tag-based access control to shared resources, each AWS account must assign its own set of tags to control access to the resource.

## Permissions and tagging


For more information about the permissions required to tag Amazon FSx resources at creation, see [Grant permission to tag resources during creation](using-tags-fsx.md#supported-iam-actions-tagging).

For more information about using tags to restrict access to Amazon FSx resources in IAM policies, see [Using tags to control access to your Amazon FSx resources](using-tags-fsx.md#restrict-fsx-access-tags).