FSx.4: FSx for NetApp ONTAP should be Multi-AZ

What does AWS Security Hub FSx.4 check?

FSx.4 evaluates each FSx for NetApp ONTAP file system and fails any using a Single-AZ deployment type (Single-AZ 1 or Single-AZ 2). ONTAP serves NFS, SMB, and iSCSI to fleets of compute, often hosting application data, home directories, or a database's shared volumes.

Why does FSx.4 matter?

A Single-AZ file system places its entire HA pair in one Availability Zone, so a power, network, or facility event in that zone takes the whole file system offline. Multi-AZ fails over automatically to a synchronous standby in seconds with endpoints unchanged, turning an AZ incident into a brief reconnection rather than an outage that lasts until the zone recovers.

How do I fix FSx.4?

1. Select Multi-AZ 1 or Multi-AZ 2 when creating new ONTAP file systems.
2. Migrate an existing Single-AZ system using NetApp SnapMirror or backup/restore into a Multi-AZ one.
3. Account for the cost of the standby HA pair and cross-AZ replication.
4. Make Multi-AZ the default for production shared storage.

# Fix the highest-impact data stores first: enable Multi-AZ on production databases.
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?MultiAZ==`false` && DBClusterIdentifier==null].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --multi-az --apply-immediately
  echo "$db: standby being provisioned in a second AZ"
done

# Span a stateless compute fleet across three AZs, then mirror the set on its load balancer.
aws autoscaling update-auto-scaling-group --auto-scaling-group-name web-tier-asg \
  --vpc-zone-identifier "subnet-0aaa1,subnet-0bbb2,subnet-0ccc3"
aws elbv2 set-subnets --load-balancer-arn "$ALB_ARN" \
  --subnets subnet-0aaa1 subnet-0bbb2 subnet-0ccc3