How to set up Amazon S3 Access Points for FSx for ONTAP using NetApp Workload Factory

DannyTz

Amazon S3 Access Points for FSx for ONTAP: Concepts, use cases, and architecture

Enterprise data environments increasingly need to support multiple access models. File-based workloads rely on Network File System (NFS) and Server Message Block (SMB), while many AWS services and third-party platforms expect data to be available through Amazon S3 APIs.

When these access models coexist, teams often introduce additional data copies to satisfy object-based consumers. This pattern increases storage consumption and operational overhead, requires synchronization pipelines to keep copies aligned, and complicates governance as permissions, lifecycle policies, and audit controls diverge across file systems and object stores. Over time, these factors fragment data ownership and complicate access management.

Amazon S3 Access Points for FSx for ONTAP address these challenges by reducing duplication and simplifying data access across file and object workloads. For additional context, see various use cases for Amazon S3 Access Points for FSx for ONTAP.

Amazon S3 Access Points for FSx for ONTAP makes Amazon S3-compatible access possible directly on top of FSx for ONTAP file volumes. Under the hood, it does this by mapping object requests to the underlying file system without data copies or directory restructuring. Data remains managed by ONTAP—whether the volume is cloud-native or replicated from an on-premises ONTAP system—while supporting simultaneous multiprotocol NFS, SMB, and Amazon S3 access.

Here you can see the unified file and object access using Amazon S3 Access Points for FSx for ONTAP:

Each access point maps to a specific volume and is exposed via a unique alias, with support for multiple access points per volume. AWS Identity and Access Management (AWS IAM) policies control S3 access in line with AWS-native security practices. At the same time, native FSx for ONTAP file permissions and ownership are inherited and enforced, which maintains consistent access controls across files and objects without introducing or duplicating governance models.

For a deeper technical walkthrough of the architecture and request flow, see how teams accelerate innovation using Amazon S3 Access Points for FSx for ONTAP.

The key takeaway is simplicity at both ends through a unified data access model: From the consumer’s perspective, the endpoint behaves like Amazon S3; from the storage perspective, your data’s layout, efficiency features, and lifecycle management remain unchanged in your FSx for ONTAP volume. FSx for ONTAP becomes a shared data layer that reduces duplication, simplifies governance, and supports multiple consumption patterns.

Tutorial 1: How to configure Amazon S3 Access Points for FSx for ONTAP using Workload Factory

This section walks through configuring Amazon S3 Access Points for FSx for ONTAP using Workload Factory. In this use case, Workload Factory provides a centralized management experience for discovering FSx for ONTAP resources, configuring data access, and operating storage environments on AWS.

For a live demonstration of this workflow, including an example integration with Amazon Bedrock, watch the Provide On-Premises File Data with Access to All AWS Cloud Services with Amazon FSx for NetApp ONTAP video. The same approach applies to any AWS service or third-party platform that supports S3-compatible access.

Prerequisites

Before configuring Amazon S3 Access Points for FSx for ONTAP, the following components must be in place:

An FSx for ONTAP file system in your target AWS Region with at least one volume containing the data to be exposed through Amazon S3-compatible access.
AWS IAM permissions to create and manage Amazon S3 Access Points for FSx for ONTAP.
Workload Factory access to discover and manage FSx for ONTAP resources.

Walkthrough

In this tutorial, you create an S3 access point that exposes an existing FSx for ONTAP volume through an S3-compatible endpoint.

On the Workload Factory home page, select the menu icon in the upper left corner (three-line icon) and then go to the Storage workload in the drop-down menu.
From the menu to the left, select the FSx for ONTAP, then go to the list of available FSx for ONTAP file systems, and choose the file system that contains the volume for which you want to configure Amazon S3 Access Points for FSx for ONTAP.
Go to the Volumes tab, then open the menu options (three-dot icon) for the volume you want to enable Amazon S3 Access Points for FSx for ONTAP.

In the drop-down menu, select Advanced actions and then select Manage S3 access points.
In the S3 access points section, select Create a new access point. This opens the access point configuration dialog.
1. Choose Internet in the Network configuration menu. This means that the S3 access point will be accessible over the internet.
  
  Specify a S3 access point name. This name becomes part of the Amazon S3 access point alias and should follow AWS naming conventions.
  
  Then specify the User associated with the access point. FSx for ONTAP uses this user to authorize ONTAP access to the underlying files and directories. Find more information in the File system user identity and authorization documentation.
  
  Next, choose the User type for Amazon S3 access. This determines how Amazon S3 requests are authenticated and mapped to ONTAP permissions.
  
  You can enable or disable the Inventory table option. The inventory table generates an inventory of all objects accessible by the S3 access point.
2. For an S3 access point available to a specific Amazon Virtual Private Cloud (VPC), choose Virtual private cloud (VPC) in the Network configuration menu and select the VPC ID. Requests will be made only over the specified VPC ID.

As soon as the Amazon S3 Access Point for FSx for ONTAP is created, it becomes available for S3-compatible access.

What just happened

The FSx for ONTAP volume is now accessible through an Amazon S3 Access Points for FSx for ONTAP alias. Every file in the volume can be addressed using an Amazon S3-style path, for example:

s3://<access-point-alias>/folder/file.pdf

The data remains stored and managed by FSx for ONTAP, but it can now be consumed by AWS services and third-party platforms that use Amazon S3 APIs.

In the Amazon S3 console, Amazon S3 Access Points for FSx for ONTAP appear alongside standard S3 access points:

Tutorial 2: How to extend on-premises ONTAP data to FSx for ONTAP for AWS service access

Amazon S3 Access Points for FSx for ONTAP can be used to access data from on-premises ONTAP systems by replicating it to FSx for ONTAP. Here’s how to do it.

Prerequisites

In addition to the prerequisites listed in the previous section, you will also need:

An on-premises ONTAP system reachable from Workload Factory.

Network connectivity between the on-premises environment and AWS.

Walkthrough

In the Workload Factory home page, go to the Storage workload.
From the menu to the left, go to On-premises ONTAP to view your discovered ONTAP systems. If your ONTAP system has not been discovered yet, follow the Discover flow to connect your existing cluster to Workload Factory.
In the On-premises list, select your chosen system to browse its available volumes.
In the Volumes list, Workload Factory displays each volume with details including size, protocol, and current usage.

Select the volume you want to replicate to AWS, then choose the Replicate option at the end of the volume row.
In the Replicate data workflow, start by selecting the destination. Choose the target AWS Region and the FSx for ONTAP file system where the data will be replicated.

Workload Factory automatically displays all file systems available in the selected Region.
Next, select the replication use case. This choice helps preconfigure replication behavior based on the intended outcome.

For this walkthrough, we are selecting Migration. However, if you would also like to rely on the copy of the data in FSx for ONTAP for disaster recovery (DR), the Hot disaster recovery or Cold disaster recovery options are valid as well, depending on your DR requirements.

You can then review and adjust replication settings, including the replication interval. This determines how frequently updates are synchronized from the on-premises volume to FSx for ONTAP.

After reviewing the configuration, select Create to start the initial data transfer from the on-premises ONTAP system to FSx for ONTAP.
Once replication starts, you can monitor the data transfer status directly from Workload Factory. Progress indicators show the initial sync and subsequent updates.
After the initial transfer completes, the replicated volume appears in the FSx for ONTAP file system.

You can now attach an existing Amazon S3 Access Point for FSx for ONTAP to the replicated volume, or create a new one, to provide Amazon S3-compatible access to the data while preserving existing ONTAP permissions and governance.

What just happened

Data from the on-premises ONTAP system is now replicated to FSx for ONTAP using NetApp SnapMirror® replication. After the initial sync, only changed blocks are transferred, reducing data movement and avoiding duplication. This makes replication efficient and well-suited for near real-time or scheduled synchronization.

Replicated data can be accessed via file protocols or via the same Amazon S3 Access Points for FSx for ONTAP endpoint, providing unified access across environments.

Take the next step with Amazon S3 Access Points for FSx for ONTAP

Amazon S3 Access Points for FSx for ONTAP unify file and object access, enabling enterprise data to be used seamlessly across analytics, machine learning, and generative AI workloads while preserving ONTAP data protection, efficiency, and management.

This pattern can be applied consistently across your data estate to accelerate innovation without duplicating data or introducing new governance silos.

Ready to unlock more value from your data? Watch our video on how to provide on-premises file data with access to AWS cloud services using Amazon FSx for NetApp ONTAP, or get started with NetApp Workload Factory today.