Large Windows Fileshare Transfers to AWS: Snowball vs DataSync

For multi-terabyte Windows file shares where NTFS metadata (ownership, timestamps, DACL/SACL) must be preserved, prefer AWS DataSync over Direct Connect (or VPN) to Amazon FSx for Windows File Server.

Why Snowball Isn’t Recommended (for NTFS fidelity)

  • Snowball ingestion via the S3 interface does not maintain full NTFS ACLs/metadata.
  • Objects written into S3 lose Windows permissions context; reapplying at scale is error-prone.
  • Good for bulk bytes when metadata can be regenerated—not for exact Windows permissions preservation.

Why DataSync Is Preferred

  • SMB-aware: can copy NTFS ownership, DACLs, SACLs, timestamps from Windows → FSx for Windows.
  • Online transfer over Direct Connect or VPN with built-in checksums and incremental syncs.
  • Policy-driven filters, throttling, scheduling, and verifiable end-to-end integrity.

Recommended Pattern (Windows → FSx for Windows)

  1. Prepare FSx for Windows: Configure delegated admin. Ensure rights such as SeRestorePrivilege and SeSecurityPrivilege if copying SACLs.
  2. Deploy DataSync agent: Network reachability to source Windows server (SMB) and FSx.
  3. Create DataSync task: Source = SMB share (Windows), Destination = FSx for Windows; enable
    copy ownership/ACLs/timestamps.
  4. Run baseline sync (throttle as needed), then incremental cutover with a short freeze window.

Bandwidth a Constraint?

If network capacity is limited, some teams consider a Snowball Edge first hop with a DataSync
agent on the device. This can accelerate bulk ingestion, but exact end-to-end NTFS fidelity is most reliable
with a pure SMB → FSx DataSync flow over the network. Use offline only if you can validate or
re-establish permissions as needed.

Quick Decision Guide

  • Need exact NTFS ACLs/ownership preserved? Use DataSync → FSx for Windows over DX/VPN.
  • Just moving raw data, metadata can be rebuilt? Snowball may be acceptable.
  • Hybrid (seed offline, then incremental online)? Consider Snowball Edge + later DataSync network syncs—validate metadata thoroughly.

Bottom line: For large Windows shares where metadata integrity matters, choose
DataSync over Direct Connect/VPN to FSx for Windows. Reserve Snowball for cases where metadata fidelity isn’t required or will be re-applied programmatically after ingest.