Using Amazon FSx with Amazon Managed Microsoft AD in a different VPC or account - Amazon FSx for Windows File Server

Using Amazon FSx with Amazon Managed Microsoft AD in a different VPC or account

You can join your FSx for Windows File Server file system to an Amazon Managed Microsoft AD directory that's in a different VPC within the same Amazon Web Services account by using VPC peering (or a transit gateway). You can also join your file system to an Amazon Managed Microsoft AD directory that's in a different Amazon Web Services account; in that case you need both the network connectivity and directory sharing, so that the directory is visible to the file system's account.

Note

You can select only an Amazon Managed Microsoft AD in the same Amazon Web Services Region as your file system, even if the VPCs are peered across Regions. If you need a cross-Region setup, use a self-managed Microsoft Active Directory instead. For more information, see Using Amazon FSx with your self-managed Microsoft Active Directory.

The workflow for joining your file system to an Amazon Managed Microsoft AD that's in a different VPC or account involves the following steps:

  1. Set up your networking environment so that the file system's VPC can reach the directory's domain controllers.

  2. Share your directory with the file system's account (required only when the directory is in a different account).

  3. Join your file system to the directory when you create the file system.

For more information, see Share your directory in the Amazon Directory Service Administration Guide.

To set up your networking environment, use Amazon Transit Gateway or a VPC peering connection to connect the file system's VPC to the directory's VPC. In addition, make sure that network traffic is allowed between the two VPCs: the route tables in both VPCs must carry a route for the other VPC's CIDR block, and the security groups and network ACLs that apply to the file system's network interfaces and to the directory's domain controllers must allow the Active Directory traffic (DNS, Kerberos, LDAP, SMB and RPC) between them. The two VPCs must not have overlapping CIDR blocks, because peering and routing between overlapping ranges is not possible.

A transit gateway is a network transit hub that you can use to interconnect your VPCs and on-premises networks. For more information about using VPC transit gateways, see Getting Started with Transit Gateways in the Amazon VPC Transit Gateways Guide.

A VPC peering connection is a networking connection between two VPCs. This connection enables you to route traffic between them using private Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) addresses. You can use VPC peering to connect VPCs within the same Amazon Web Services Region or between Regions, but as noted above an Amazon Managed Microsoft AD must be in the same Region as the file system. For more information on VPC peering, see What is VPC Peering? in the Amazon VPC Peering Guide.

There is one more prerequisite when the directory is in a different account from the file system: you also need to share the directory with the file system's account. To do this, use the directory sharing feature of Amazon Managed Microsoft AD. Sharing uses either the handshake method, in which the file system's account must accept the sharing invitation before the directory can be used, or sharing with accounts in the same organization in Amazon Organizations. Share the directory only with the accounts that need to join resources to it, because a shared directory lets the consumer account join its resources to your domain. To learn more, see Share your directory in the Amazon Directory Service Administration Guide.
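The three steps above (networking, directory sharing, creating the joined file system), written out as AWS CLI calls in an added example; this script is not part of the AWS documentation. Every account ID, VPC, route table, subnet, security group and directory ID, the two CLI profile names (`fsx-account`, `ad-account`), the DRY_RUN switch and the port list in `ad_ingress_permissions` are assumptions; replace them with your own values and check the port list against the FSx networking documentation.

```shell
#!/bin/sh
# Added example (not from the AWS page): the page's three steps as AWS CLI
# calls. Every ID, CIDR, profile name and the DRY_RUN switch is an assumption.
set -eu

# Assumed inputs. The FSx account/VPC requests the peering; the AD account/VPC
# owns the Amazon Managed Microsoft AD and accepts the peering and the share.
FSX_PROFILE=${FSX_PROFILE:-fsx-account}
AD_PROFILE=${AD_PROFILE:-ad-account}
FSX_ACCOUNT_ID=${FSX_ACCOUNT_ID:-111111111111}
AD_ACCOUNT_ID=${AD_ACCOUNT_ID:-222222222222}
FSX_VPC=${FSX_VPC:-vpc-0fsx0000000000000}
AD_VPC=${AD_VPC:-vpc-0ad00000000000000}
FSX_CIDR=${FSX_CIDR:-10.1.0.0/16}
AD_CIDR=${AD_CIDR:-10.2.0.0/16}
FSX_RTB=${FSX_RTB:-rtb-0fsx0000000000000}
AD_RTB=${AD_RTB:-rtb-0ad00000000000000}
AD_CONTROLLERS_SG=${AD_CONTROLLERS_SG:-sg-0adctl00000000000}
FSX_SUBNET=${FSX_SUBNET:-subnet-0fsx000000000000}
FSX_SG=${FSX_SG:-sg-0fsx0000000000000}
DIRECTORY_ID=${DIRECTORY_ID:-d-1234567890}

# run <profile> <aws args...>: call the AWS CLI, or print the call when DRY_RUN=1.
run() {
  profile=$1; shift
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "aws --profile $profile $*"
  else
    aws --profile "$profile" "$@"
  fi
}

# One IpPermissions entry for authorize-security-group-ingress.
perm() {
  printf '{"IpProtocol":"%s","FromPort":%s,"ToPort":%s,"IpRanges":[{"CidrIp":"%s"}]},' \
    "$1" "$2" "$3" "$4"
}

# Ingress the domain controllers must accept from the file system's CIDR.
# Assumed port list (DNS, Kerberos, kpasswd, LDAP/LDAPS, SMB, RPC endpoint
# mapper, global catalog, AD DS web services, NTP, RPC ephemeral range);
# confirm it against the FSx networking documentation before relying on it.
ad_ingress_permissions() {
  cidr=$1; perms=""
  for p in 53 88 389 464; do
    perms="$perms$(perm tcp "$p" "$p" "$cidr")$(perm udp "$p" "$p" "$cidr")"
  done
  for p in 135 445 636 3268 3269 9389; do
    perms="$perms$(perm tcp "$p" "$p" "$cidr")"
  done
  perms="$perms$(perm udp 123 123 "$cidr")$(perm tcp 49152 65535 "$cidr")"
  echo "[${perms%,}]"   # strip the trailing comma, wrap as a JSON array
}

# Step 1a: request the peering from the FSx account; prints the pcx- ID.
create_peering() {
  run "$FSX_PROFILE" ec2 create-vpc-peering-connection \
    --vpc-id "$FSX_VPC" --peer-vpc-id "$AD_VPC" --peer-owner-id "$AD_ACCOUNT_ID" \
    --query VpcPeeringConnection.VpcPeeringConnectionId --output text
}

# Step 1b: accept in the AD account, route both ways, open the AD ports
# on the domain controllers' security group towards the file system's CIDR.
connect_vpcs() {
  pcx=$1
  run "$AD_PROFILE" ec2 accept-vpc-peering-connection --vpc-peering-connection-id "$pcx"
  run "$FSX_PROFILE" ec2 create-route --route-table-id "$FSX_RTB" \
    --destination-cidr-block "$AD_CIDR" --vpc-peering-connection-id "$pcx"
  run "$AD_PROFILE" ec2 create-route --route-table-id "$AD_RTB" \
    --destination-cidr-block "$FSX_CIDR" --vpc-peering-connection-id "$pcx"
  run "$AD_PROFILE" ec2 authorize-security-group-ingress \
    --group-id "$AD_CONTROLLERS_SG" --ip-permissions "$(ad_ingress_permissions "$FSX_CIDR")"
}

# Step 2 (cross-account only): share with the FSx account by handshake, then
# accept the invitation in that account. Assumed: the shared directory keeps the
# same d- ID in the consumer account; otherwise use the SharedDirectoryId that
# share-directory returns.
share_directory() {
  run "$AD_PROFILE" ds share-directory --directory-id "$DIRECTORY_ID" \
    --share-method HANDSHAKE --share-target "Id=$FSX_ACCOUNT_ID,Type=ACCOUNT"
  run "$FSX_PROFILE" ds accept-shared-directory --shared-directory-id "$DIRECTORY_ID"
}

# Step 3: create the file system in the FSx account, joined to the directory.
create_file_system() {
  run "$FSX_PROFILE" fsx create-file-system --file-system-type WINDOWS \
    --storage-type SSD --storage-capacity 32 \
    --subnet-ids "$FSX_SUBNET" --security-group-ids "$FSX_SG" \
    --windows-configuration \
    "ActiveDirectoryId=$DIRECTORY_ID,DeploymentType=SINGLE_AZ_2,ThroughputCapacity=32"
}

case "${1:-}" in
  create-peering) create_peering ;;
  connect)        connect_vpcs "${2:?pcx-id}" ;;
  share)          share_directory ;;
  create-fs)      create_file_system ;;
esac
```

Run `DRY_RUN=1 sh fsx-ad.sh connect pcx-...` first to review the exact calls before letting them execute; the order matters because `accept-vpc-peering-connection` and `accept-shared-directory` each run under the other account's profile, and the file system creation fails if the directory is not yet accepted or the controllers' security group does not admit the file system's CIDR.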