vSAN Witness appliance partitioned from stretch cluster

The Virtual SAN (vSAN) Witness appliance is a critical component in a stretch cluster deployment. It is a virtual machine that is used to monitor the health of the vSAN infrastructure and maintain quorum in the event of a network partition. In a stretch cluster deployment, the vSAN Witness appliance is partitioned from the rest of the infrastructure to ensure that it remains highly available and can continue to function even if the primary and secondary sites are disconnected from each other.

Partitioning the vSAN Witness appliance involves creating a separate network for it and configuring the network settings on both the primary and secondary sites. The vSAN Witness appliance is then deployed on a separate cluster that is dedicated to running only the Witness VM. This ensures that the Witness VM is not impacted by any workload running on the primary or secondary sites, and that it remains highly available in case of a site failure.

When deploying a partitioned vSAN Witness appliance, it is important to ensure that the network connection between the Witness VM and the vSAN cluster is highly available and has low latency. This can be achieved by using redundant network adapters in an active-passive configuration: if one network adapter fails, the other takes over automatically, keeping the Witness VM continuously available.

To ensure that the network connection between the vSAN Witness VM and the vSAN cluster is highly available, you can perform the following steps:

Check Network Redundancy:

Verify that the network connection between the vSAN Witness VM and the vSAN cluster has been configured with redundant network adapters, so that if one network adapter fails, the other takes over automatically and the Witness VM remains continuously available.

Ensure that the “Failover Order” setting is configured to use “Active/Standby” mode. This means that one network adapter is active, while the other is standby. If the active network adapter fails, the standby adapter will take over automatically.

Check the “Teaming and Failover” settings for the vSAN network on the vSphere Distributed Switch (vDS) or Standard Switch (vSS) that the network adapters are connected to. Ensure that the network adapter settings are consistent with the “Failover Order” setting configured for the vSAN Witness VM.

Test the network failover by disconnecting one of the network adapters and verifying that the other takes over automatically.

To check network redundancy for the vSAN Witness VM, you can follow these steps:

  1. Log in to the vSphere Client or vCenter Server.
  2. Navigate to the vSAN cluster where the vSAN Witness VM is located.
  3. Select the vSAN Witness VM from the list of virtual machines.
  4. Click on the “Configure” tab for the selected VM.
  5. Click on “Network Adapter” to view the network adapter settings for the VM.
  6. Verify that there are at least two network adapters configured for the VM.
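
The redundancy check above can also be scripted. This added example (not from the original post) parses the text printed by `esxcli network vswitch standard portgroup policy failover get -p <portgroup>` on an ESXi host and flags a port group that lacks the Active/Standby pair. The sample output and the names `parse_policy` and `audit_failover` are constructed for illustration, and a standard switch is assumed.

```python
# Constructed sample in the layout printed by
#   esxcli network vswitch standard portgroup policy failover get -p <portgroup>
SAMPLE_POLICY = """\
   Load Balancing: srcport
   Network Failure Detection: link
   Notify Switches: true
   Failback: true
   Active Adapters: vmnic0
   Standby Adapters: vmnic1
   Unused Adapters:
"""

def parse_policy(text):
    """Turn 'Key: value' lines into a dict; adapter lists become Python lists."""
    policy = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue  # skip blank lines and anything that is not 'Key: value'
        value = value.strip()
        if key.endswith("Adapters"):
            value = [nic.strip() for nic in value.split(",") if nic.strip()]
        policy[key] = value
    return policy

def audit_failover(policy):
    """Return findings; an empty list means Active/Standby with redundancy."""
    active = policy.get("Active Adapters", [])
    standby = policy.get("Standby Adapters", [])
    unused = policy.get("Unused Adapters", [])
    findings = []
    if not active:
        findings.append("no active uplink")
    if len(active) + len(standby) < 2:
        findings.append("fewer than two usable uplinks: no redundancy")
    elif not standby:
        findings.append("all uplinks active: not the Active/Standby order")
    if unused:
        findings.append("unused uplinks never take over: " + ", ".join(unused))
    return findings
```

Calling `audit_failover(parse_policy(output))` on captured output returns an empty list when the port group matches the Active/Standby layout described above.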



Monitor Network Latency:

Monitor the network latency between the vSAN Witness VM and the vSAN cluster. High network latency can cause performance issues and impact the availability of the Witness VM. You can use tools like vRealize Operations Manager or vSphere Performance Charts to monitor the network latency.

To monitor network latency between the vSAN Witness VM and the vSAN cluster, you can follow these steps:

  1. Log in to the vSphere Client or vCenter Server.
  2. Navigate to the vSAN cluster where the vSAN Witness VM is located.
  3. Select the vSAN Witness VM from the list of virtual machines.
  4. Click on the “Monitor” tab for the selected VM.
  5. Click on “Performance” to view the performance metrics for the VM.
  6. Click on the “Advanced” button to open the Advanced Performance Chart settings.
  7. Select the vSAN network adapter from the list of available metrics.
  8. Select the “Latency” metric and set the time range for the desired monitoring period.
  9. Click on “Run” to generate the network latency chart.
  10. Review the chart to identify any spikes or increases in network latency.

You can also use third-party monitoring tools such as vRealize Operations Manager, SolarWinds, or PRTG to monitor network latency between the vSAN Witness VM and the vSAN cluster.

Test Network Failover:

Test the network failover between the redundant network adapters to ensure that it is functioning as expected. You can do this by disconnecting one of the network adapters and verifying that the other takes over automatically.

To test network failover for the vSAN Witness VM, you can follow these steps:

  1. Log in to the vSphere Client or vCenter Server.
  2. Navigate to the vSAN cluster where the vSAN Witness VM is located.
  3. Select the vSAN Witness VM from the list of virtual machines.
  4. Click on the “Configure” tab for the selected VM.
  5. Click on “Network Adapter” to view the network adapter settings for the VM.
  6. Disconnect one of the network adapters from the vSphere Distributed Switch (vDS) or Standard Switch (vSS) that the network adapters are connected to.
  7. Wait a few seconds to allow the failover to occur.
  8. Verify that the other network adapter has taken over and that the VM is still accessible.
  9. Reconnect the disconnected network adapter.
  10. Verify that both network adapters are active again and that the VM is still accessible.
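
To put numbers on the failover test and on the latency review described earlier, this added example (not part of the original post) parses a ping transcript captured while an adapter is disconnected and reports lost probes, the approximate outage, and latency spikes. The transcript, the 192.0.2.10 address, the one-second probe interval, and the spike factor are assumptions chosen for illustration.

```python
import re
from statistics import median

# Constructed sample: ping replies from the witness while one uplink is pulled.
SAMPLE_PING = """\
64 bytes from 192.0.2.10: icmp_seq=0 ttl=64 time=1.10 ms
64 bytes from 192.0.2.10: icmp_seq=1 ttl=64 time=1.30 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=64 time=1.20 ms
64 bytes from 192.0.2.10: icmp_seq=6 ttl=64 time=48.00 ms
64 bytes from 192.0.2.10: icmp_seq=7 ttl=64 time=1.40 ms
64 bytes from 192.0.2.10: icmp_seq=8 ttl=64 time=1.20 ms
"""

REPLY = re.compile(r"icmp_seq=(\d+)\b.*?time=([\d.]+)\s*ms")

def analyze(text, interval_s=1.0, spike_factor=5.0):
    """Summarise a ping transcript: baseline RTT, lost-probe gaps, RTT spikes."""
    replies = sorted((int(m.group(1)), float(m.group(2)))
                     for m in REPLY.finditer(text))
    if len(replies) < 2:
        raise ValueError("need at least two replies to analyze")
    baseline = median(rtt for _, rtt in replies)
    gaps = []
    for (prev, _), (cur, _) in zip(replies, replies[1:]):
        lost = cur - prev - 1  # missing sequence numbers = unanswered probes
        if lost > 0:
            # Outage is approximated as lost probes times the probe interval.
            gaps.append({"after_seq": prev, "lost": lost,
                         "outage_s": lost * interval_s})
    spikes = [(seq, rtt) for seq, rtt in replies if rtt > spike_factor * baseline]
    return {
        "baseline_ms": baseline,
        "gaps": gaps,
        "spikes": spikes,
        "longest_outage_s": max((g["outage_s"] for g in gaps), default=0.0),
    }
```

A gap that lines up with the moment the adapter was disconnected is the failover window; spikes with no matching gap point at latency on the path rather than at the failover itself.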

Verify Network Quality of Service (QoS):

Ensure that the network Quality of Service (QoS) has been configured correctly to prioritize the traffic between the vSAN Witness VM and the vSAN cluster. This helps to ensure that the Witness VM receives the necessary network resources to function correctly.

To verify network quality of service (QoS) between the vSAN Witness VM and the vSAN cluster, you can follow these steps:

  1. Log in to the vSphere Client or vCenter Server.
  2. Navigate to the vSAN cluster where the vSAN Witness VM is located.
  3. Select the vSAN network on the vSphere Distributed Switch (vDS) or Standard Switch (vSS) that the network adapters for the vSAN Witness VM are connected to.
  4. Click on the “Configure” tab for the selected network.
  5. Click on “Traffic Filtering and QoS” to view the QoS settings for the network.
  6. Verify that QoS is enabled for the network.

Check that the configured QoS policy meets the necessary performance requirements. This may include minimum and maximum bandwidth, burst size, and priority settings. Test network traffic to validate the QoS policy. This may involve generating network traffic to simulate peak usage and verifying that the QoS policy is being applied.

Check Network Security:

Verify that the network connection between the vSAN Witness VM and the vSAN cluster is secure. This can be done by ensuring that the network traffic is encrypted using SSL/TLS or other secure protocols.

To check network security for the vSAN Witness VM and the vSAN cluster, you can follow these steps:

  1. Log in to the vSphere Client or vCenter Server.
  2. Navigate to the vSAN cluster where the vSAN Witness VM is located.
  3. Select the vSAN network on the vSphere Distributed Switch (vDS) or Standard Switch (vSS) that the network adapters for the vSAN Witness VM are connected to.
  4. Click on the “Configure” tab for the selected network.
  5. Review the network security settings. This may include firewall rules, VLAN segmentation, and access control lists.

Ensure that the network security settings meet the necessary security requirements. This may involve configuring additional security measures such as encryption or virtual private network (VPN) access. Regularly monitor and test the network security to identify any potential security issues. This may involve running vulnerability scans or penetration testing.

Another important consideration when partitioning a vSAN Witness appliance is storage. The Witness VM requires a small amount of storage to function, but it should not be located on the same storage as the primary or secondary site. This is because in the event of a site failure, both the primary and secondary sites could become unavailable, including their associated storage. To ensure that the Witness VM remains available, it should be located on separate storage that is not associated with either site.

Validate Storage Configuration:

To validate that the vSAN Witness appliance is correctly configured as a storage solution, you can follow these steps:

  1. Log in to the vSphere Client or vCenter Server.
  2. Navigate to the vSAN cluster where the vSAN Witness appliance is located.
  3. Select the vSAN Witness appliance from the list of virtual machines.
  4. Click on the “Configure” tab for the selected appliance.
  5. Click on “Virtual Hardware” to view the hardware settings for the appliance.
  6. Check that the appliance has the necessary storage capacity configured, including the number and size of the hard disks and the type of storage (such as solid-state drives or magnetic disks).
  7. Ensure that the vSAN Witness appliance has access to the necessary storage resources in the vSAN cluster. This may involve configuring storage policies or ensuring that the necessary datastores are available.
  8. Test the vSAN Witness appliance to verify that it is functioning as expected. This may involve running performance tests or verifying that the appliance is able to store and retrieve data.

In conclusion, partitioning a vSAN Witness appliance from a stretch cluster is an important step in ensuring the availability of the infrastructure. By creating a separate network and deploying the Witness VM on a dedicated cluster, the Witness VM remains highly available and can continue to function even in the event of a network partition. Additionally, ensuring that the Witness VM is located on separate storage that is not associated with either site further ensures its availability in the event of a site failure.
