vSAN Witness Appliance Deployment
One of the powerful deployments of VMware vSAN is the vSAN stretched cluster configuration. With vSAN stretched cluster, the vSAN data nodes have a vSAN stretched cluster datastore between them, making your data highly available at both locations or fault domains. This post will cover the topic of the vSAN witness appliance deployment process and how you deploy the witness appliance in your VMware vSAN environment.
What is the vSAN witness appliance?
The vSAN Witness appliance is a specialized witness host that runs as a nested ESXi host. While you can run the vSAN witness appliance as a physical host, it is not practical to configure it this way, especially from a licensing perspective, which we will consider below.
The VMware vSAN witness appliance is a special OVA file or OVF template you use to deploy the witness appliance. It deploys the nested ESXi hosts used as a witness host in your VMware vSphere environment. So, this is not a general-purpose ESXi host that houses ordinary virtual machines.
The OVA virtual appliance is a relatively small appliance you download directly from VMware. The vSAN witness virtual appliance pre-configured virtual machine must be managed by the same vCenter Server that also manages the data nodes of the vSAN stretched cluster. Below is a look at the download option from the VMware website. In the VMware portal, you will see the option to download the VMware Virtual SAN Witness appliance.
vSAN witness appliance witness components
What does the vSAN witness appliance house in the vSAN cluster? The vSAN witness appliance houses the witness components as part of vSAN stretched clusters.
In VMware vSAN, the vSAN objects are compromised of virtual machine components distributed across hosts in the vSAN cluster. The virtual machine resources are stored in combinations of disk groups within the distributed datastore and are transparently allocated cache devices for caching and buffering capacity.
The vSAN witness components are special components that are part of every storage object. The vSAN witness components contain metadata, not virtual machine files, that serve as tiebreakers during a failure event for making availability decisions, such as which host has virtual machine object ownership to avoid the split-brain behavior. In traditional server clusters, this is referred to as quorum.
The vSAN witness component objects are defined and deployed in three ways:
- Primary witness component
- Secondary witness component
- Tiebreaker witness component
The primary witness formula is (2 * FTT) + 1 nodes to tolerate FTT number of node and disk failures. After you place all data components, and the required number of nodes in the configuration is short, the primary witnesses are on exclusive nodes until there are the required number of components dictated by the formula.
The secondary witness is created to ensure every node has an equal vote for quorum purposes. Every node failure should affect quorum equally. With the secondary witnesses added, every node gets an equal number of componets, including nodes that hold the primary witnesses.
The tie breaker witness is used if after adding the primary and secondary witnesses there is still an even number of components in the configuration, then you add one tiebreaker witness to make the total components count odd.
The vSAN witness host provides this tie breaker component, ensuring the stretched cluster is maintaining quorum with the number of components and votes for each vSAN host.
vSAN witness appliance configuration and purpose
The vSAN witness appliance is configured similarly to the vSAN ESXi host data nodes in the data sites. It also has two network adapters, one for the management network and another for the vSAN network to carry vSAN traffic.
The only purpose of the vSAN witness appliance is to create the majority vote to prevent a split-brain scenario. In a split-brain scenario in a compute cluster, multiple nodes may think they own the data in a failure event. Split-brain is never a good thing to happen as it can lead to data corruption and unexpected data oddities.
When configuring vSAN stretched clusters, you point the vSAN configuration to the vSAN witness appliance that will be used as part of the stretched cluster configuration.
vSAN witness appliance licensing
How is the vSAN witness appliance licensed? One of the major benefits of running the vSAN witness appliance as a nested ESXi virtual appliance is that the license is built into the host deployment. In other words, you don’t have to install an ESXi host license when you deploy the witness host.
However, if you deploy the vSAN witness appliance as a dedicated physical ESXi host, you must provide a license for the deployment process. There may be a few edge cases where a physical ESXi host would be desirable, but I can’t think of many use cases for this.
What is a vSAN stretched cluster?
When working with a vSAN witness host, you are by default configuring a vSAN stretched cluster configuration. What is a vSAN stretched cluster? A vSAN stretched cluster is a special type of vSAN cluster configuration where organizations want to build out their vSAN cluster for resiliency and downtime avoidance purposes. This is a key requirement for their configuration.
The vSAN stretched cluster was introduced in vSAN 6.1 as a configuration option. The technical definition of a vSAN stretched cluster is a cluster where a user sets up a vSAN cluster with 2 active/active sites. Each site is configured with identical numbers of physical ESXi hosts distributed between the two sites.
Each vSAN stretched cluster is configured as a vSAN Fault Domain. The vSAN stretched cluster configuration formula for the architecture is X+Y+Z. X represents the number of ESXi hosts at data site A, Y is the number of ESXi hosts at site B, and Z is the number of witness hosts at site C. The minimum number of nodes is 3, which places 1 ESXi host in each fault domain.
The smallest vSAN stretched cluster is the special vSAN 2 node cluster. In the 2 node cluster, you have (2) data sites with (1) host each and then (1) witness site with a witness host.
vSAN Witness Appliance Deployment
What is involved in deploying the vSAN Witness virtual appliance? After downloading the OVA appliance from the VMware portal, you can easily deploy the witness host using the normal OVA deployment process in the vSphere Client, connected to vCenter Server.
First browse to the downloaded OVA file for the vSAN Witness host appliance.
Name the vSAN Witness host appliance.
Select the compute resource that will house the witness host appliance.
Review the details of the initial deployment configuration.
Accept the EULA.
Choose the configuration of the vSAN Witness appliance. Here you need to configure the sizing based on the number of VMs you will be housing in the stretched cluster. Note the following:
- Tiny (10 VMs or fewer)
- Medium (up to 500 VMs)
- Large (more than 500 VMs)
You can view the virtual hardware configured for the appliance under the Description displayed to the right.
Select your vSphere storage where you want to house the vSAN Witness appliance.
Configure the networks assigned to both the Management network and the Secondary network. You will want to configure the virtual port groups to back the virtual networks for the vSAN witness host appliance accordingly to plumb this into your vSAN network with your data server hosts.
On the Customize Template page, you configure the root password and network configuration for the management network and the vSAN network.
On the ready to complete screen, you will see the summary of the configuration displayed. Look over the page to make sure there isn’t any misconfiguration. Click Finish to begin the deployment.
Wrapping Up
The vSAN Witness appliance is an integral and required component for the vSAN Stretched cluster. The vSAN stretched cluster is a specialized vSAN cluster that places equal numbers of ESXi hosts in two different fault domains, typically different sites connected with high-speed links. Then you have the third site with the witness host. The vSAN witness appliance houses the specialized witness components that help to establish quorum in the event of a failure event.
Learn more about the vSAN Witness appliance using the following links: