FSx for NetApp ONTAP file systems should be configured for Multi-AZ deployment

A Single-AZ FSx for NetApp ONTAP file system goes down if its Availability Zone goes down. Multi-AZ deployments keep a standby file server in a separate AZ with automatic failover, so NFS, SMB, and iSCSI workloads stay accessible through infrastructure failures. The cost premium over Single-AZ is real, but for production data stores backing enterprise applications, a single AZ outage taking down the entire file system is not an acceptable tradeoff.

Retrofit consideration

Changing deployment_type on an existing aws_fsx_ontap_file_system forces resource replacement, which deletes all volumes and data on that file system. Back up your data, recreate the file system as Multi-AZ, restore from backup, then remove the old resource from state. Do not run terraform apply on this without a tested restore procedure in place.

Implementation

Choose the approach that matches how you manage Terraform.

If you use terraform-aws-modules/fsx/aws//modules/ontap, set the right module inputs for this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.

module "fsx" {
  source  = "terraform-aws-modules/fsx/aws//modules/ontap"
  version = "~>1.3"

  name                = "abc123"
  preferred_subnet_id = "subnet-abc123"
  storage_capacity    = 1024
  subnet_ids          = ["subnet-abc123", "subnet-def456"]
  throughput_capacity = 128

  deployment_type = "MULTI_AZ_1"
}

Otherwise, use the AWS provider resource directly. See the provider docs for the resource involved: aws_fsx_ontap_file_system.

resource "aws_fsx_ontap_file_system" "this" {
  preferred_subnet_id = element(["subnet-abc123", "subnet-def456"], 0)
  storage_capacity    = 1024
  subnet_ids          = ["subnet-abc123", "subnet-def456"]
  throughput_capacity = 128

  # MULTI_AZ_1 or MULTI_AZ_2 satisfies the control; subnet_ids must span two AZs
  deployment_type = "MULTI_AZ_1"

  # Placeholder IDs: list every VPC route table that must reach the file system
  route_table_ids = ["rtb-abc123"]
}

What this control checks

In aws_fsx_ontap_file_system, deployment_type must be "MULTI_AZ_1" or "MULTI_AZ_2". Values of "SINGLE_AZ_1" or "SINGLE_AZ_2" fail the control. Multi-AZ configurations also require preferred_subnet_id for the active file server and at least two entries in subnet_ids spanning different Availability Zones. The route_table_ids argument is required so FSx can update route tables during failover.
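The same checks, as an added example that is not part of this control page or the compliance.tf module, run over the parsed JSON of `terraform show -json tfplan`; it assumes Terraform's plan JSON layout (`resource_changes[].change.after` and `after_unknown`) and uses a constructed sample plan in place of real output.

```python
# Evaluate the Multi-AZ control over a parsed `terraform show -json tfplan` document.
COMPLIANT_TYPES = {"MULTI_AZ_1", "MULTI_AZ_2"}


def check_ontap_file_system(after, after_unknown=None):
    """Findings (empty when compliant) for one planned aws_fsx_ontap_file_system.
    Arguments listed in `after_unknown` are computed at apply time, so the plan
    cannot judge them and they are not flagged."""
    unknown = after_unknown or {}
    findings = []
    deployment_type = after.get("deployment_type")
    if deployment_type not in COMPLIANT_TYPES:
        findings.append(f"deployment_type {deployment_type!r} is not MULTI_AZ_1/MULTI_AZ_2")
        return findings  # Single-AZ: the Multi-AZ-only arguments below do not apply
    if "subnet_ids" not in unknown and len(after.get("subnet_ids") or []) < 2:
        findings.append("subnet_ids needs at least two subnets in different AZs")
    for arg, why in (("preferred_subnet_id", "placing the active file server"),
                     ("route_table_ids", "floating IP route updates on failover")):
        if arg not in unknown and not after.get(arg):
            findings.append(f"{arg} is required for {why}")
    return findings


def evaluate_plan(plan):
    """Map resource address -> findings for every aws_fsx_ontap_file_system
    that will exist after apply (resources being destroyed are skipped)."""
    results = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "aws_fsx_ontap_file_system" or change.get("after") is None:
            continue
        results[rc["address"]] = check_ontap_file_system(
            change["after"], change.get("after_unknown"))
    return results


# Constructed sample plan (not real terraform output): one compliant resource whose
# route tables are only known at apply time, and one Single-AZ resource.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_fsx_ontap_file_system.good", "type": "aws_fsx_ontap_file_system",
     "change": {"actions": ["create"],
                "after": {"deployment_type": "MULTI_AZ_1",
                          "preferred_subnet_id": "subnet-abc123",
                          "subnet_ids": ["subnet-abc123", "subnet-def456"]},
                "after_unknown": {"id": True, "route_table_ids": True}}},
    {"address": "aws_fsx_ontap_file_system.bad", "type": "aws_fsx_ontap_file_system",
     "change": {"actions": ["create"],
                "after": {"deployment_type": "SINGLE_AZ_1",
                          "subnet_ids": ["subnet-abc123"]}}},
]}
```

To run it against a real plan, pass `json.load(open("tfplan.json"))` to `evaluate_plan`; any address with a non-empty findings list fails the control.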

Common pitfalls

  • Deployment type change forces replacement

    deployment_type is a ForceNew attribute. When Terraform sees a change here, it plans a destroy-and-recreate, which deletes all volumes and data on the file system. Always run terraform plan first and do not apply without a tested migration path.

  • Missing route_table_ids for Multi-AZ

    Omit route_table_ids on a Multi-AZ ONTAP file system and the aws_fsx_ontap_file_system create call fails immediately with an API error. FSx needs those route table IDs to manage floating IP failover routes. Include the IDs for every VPC route table that needs to reach the file system.

  • Subnet count mismatch

    subnet_ids needs at least two entries in different AZs for Multi-AZ deployments. One subnet, or two subnets in the same AZ, both result in a creation failure. When migrating from Single-AZ, identify or create a suitable subnet in a second AZ before changing the deployment type.

  • MULTI_AZ_2 availability

    MULTI_AZ_2 offers improved failover performance over MULTI_AZ_1 but is not available in every region. If your apply fails with an unsupported deployment type error, check regional availability and fall back to MULTI_AZ_1 if needed.

Audit evidence

An auditor expects Config rule evaluation results showing all AWS::FSx::FileSystem resources of type ONTAP as COMPLIANT with a Multi-AZ deployment type. The FSx console displays deployment type directly on the file system details page. For programmatic evidence, aws fsx describe-file-systems filtered to OntapConfiguration.DeploymentType should return MULTI_AZ_1 or MULTI_AZ_2 for every ONTAP file system in scope.

CloudTrail CreateFileSystem events record the requested DeploymentType at provisioning time, giving a point-in-time record of the original configuration.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: fsx_netapp_ontap_file_system_multi_az_deployment_enabled

  • AWS Config Managed Rule: FSX_ONTAP_DEPLOYMENT_TYPE_CHECK

  • Powerpipe Control: aws_compliance.control.fsx_netapp_ontap_file_system_multi_az_deployment_enabled

  • AWS Security Hub Control: FSx.4

Last reviewed: 2026-03-09