]

vSAN Stretched Cluster Guide

Overview

vSAN Stretched Cluster is a specific configuration implemented in environments where disaster/downtime avoidance is a key requirement.

Introduction

The vSAN Stretched Cluster feature was introduced in vSAN 6.1. A vSAN Stretched Cluster is a specific configuration implemented in environments where disaster/downtime avoidance is a key requirement. This guide was developed to provide additional insight and information for installation, configuration and operation of a vSAN Stretched Cluster infrastructure in conjunction with VMware vSphere. This guide will explain how vSphere handles specific failure scenarios and discuss various design considerations and operational procedures for Stretched Clusters using vSAN Releases including 6.5, 6.2, and 6.1

VMware vSAN Stretched Clusters with a Witness Host refers to a deployment where a user sets up a vSAN cluster with 2 active/active sites with an identical number of ESXi hosts distributed evenly between the two sites. The sites are connected via a high bandwidth/low latency link.  

The third site hosting the vSAN Witness Host is connected to both of the active/active data-sites. This connectivity can be via low bandwidth/high latency links.

Each site is configured as a vSAN Fault Domain. The nomenclature used to describe a vSAN Stretched Cluster configuration is X+Y+Z, where X is the number of ESXi hosts at data site A, Y is the number of ESXi hosts at data site B, and Z is the number of witness hosts at site C. Data sites are where virtual machines are deployed. The minimum supported configuration is 1+1+1(3 nodes). The maximum configuration is 15+15+1 (31 nodes). In vSAN Stretched Clusters, there is only one witness host in any configuration.

A virtual machine deployed on a vSAN Stretched Cluster will have one copy of its data on site A, a second copy of its data on site B  and any witness components placed on the witness host in site C. This configuration is achieved through fault domains alongside hosts and VM groups, and affinity rules. In the event of a complete site failure, there will be a full copy of the virtual machine data as well as greater than 50% of the components available. This will allow the virtual machine to remain available on the vSAN datastore. If the virtual machine needs to be restarted on the other site, vSphere HA will handle this task.

Support Statements

vSAN Stretched Cluster configurations require vSphere 6.0 Update 1 (U1) or greater.

vSphere Versions

VMware vSAN Stretched Cluster configurations require vSphere 6.0 Update 1 (U1) or greater. This implies both vCenter Server 6.0 U 1 and ESXi 6.0 U1. This version of vSphere includes vSAN version 6.1. This is the minimum version required for vSAN Stretched Cluster support.

Advanced feature support in vSAN Stretched Clusters requires a combination of vSAN version, On-Disk format version, architecture, and host count.

Feature vSAN 6.1 Requirements vSAN 6.2 Requirements vSAN 6.5 Requirements vSAN 6.6/6.7 Requirements vSAN 7.0 Requirements
Stretched Clusters v2 On-Disk format v2 On-Disk format v2 On-Disk format v2 On-Disk format  
Deduplication & Compression   v3 On-Disk format
All-Flash architecture
v3 On-Disk format
All-Flash architecture
v3 On-Disk format
All-Flash architecture
 
Checksum   v3 On-Disk format v3 On-Disk format v3 On-Disk format  
IOPS Limits   v3 On-Disk format v3 On-Disk format v3 On-Disk format  
iSCSI Service     v3 On-Disk format v3 On-Disk format  
Local Protection - Mirroring       v5 On-Disk format  
Local Protection - Erasure Coding       v5 On-Disk format
All-Flash hardware
 
Site Affinity - Mirroring       v5 On-Disk format  
Site Affinity - Erasure Coding       v5 On-Disk format
All-Flash hardware
 
Encryption       v5 On-Disk format  

The latest On-Disk format is generally recommended per-version of vSAN. 

The exception to this rule is vSAN 6.6 Clusters that are not using Per-Site Policies or Encryption. On-Disk format v3 may be used with vSAN 6.6 or vSAN 6.7 when these are not used.

 

vSphere & vSAN

VMware vSAN 6.1 introduced several features including All-Flash and 2 Node Cluster functionality. There are no limitations on the edition of vSphere used for vSAN. 

vSphere Distributed Resource Scheduler (DRS)

For vSAN, vSphere DRS is very desirable. DRS will provide initial placement assistance, load balance the environment when there's an imbalance, and will also automatically migrate virtual machines to their correct site in accordance with VM/Host affinity rules. It can also help with migrating virtual machines back to a node after recovers after a failure based on overall utilization. Otherwise, the administrator will have to manually carry out these tasks.

vSphere DRS is only available in vSphere Enterprise+ or higher editions. 

vSphere Enterprise for ROBO, introduced in vSphere 6.7 U1 provides a DRS-Lite functionality. While the full capabilities of proactive workload migration are not included in vSphere Enterprise for ROBO, it does include the ability to automatically migrate VMs off of hosts when placing hosts in maintenance mode, such as when performing upgrades.

vSphere Availability (HA)

As in any environment, vSphere HA is very desirable for use with vSAN. HA will restart virtual machines when a host has failed. Additionally, when a vSAN node has failed, vSphere HA will restart virtual machines on an alternate host. When a vSAN node becomes isolated, vSAN will power off virtual machines, but will not restart them. vSphere HA is used to restart these virtual machines on hosts that have not been isolated. 

Some additional settings are required for vSphere HA to work properly when used with vSAN. These settings are covered in detail later in this guide.

Hybrid and All-Flash Support

VMware vSAN Stretched Clusters are supported on both Hybrid configurations (hosts with local storage comprised of both magnetic disks for capacity and flash devices for cache) and All-Flash configurations (hosts with local storage made up of flash devices for capacity and flash devices for cache).

On-disk Formats

VMware supports vSAN Stretched Clusters require a minimum v2 On-Disk format.

The v1 On-Disk format is based on VMFS and is the original On-Disk format used for vSAN. 

The v2 On-Disk format is the version which comes by default with vSAN version 6.x. Customers that upgraded from the original vSAN 5.5 to vSAN 6.0 may not have upgraded the On-dDisk format for v1 to v2, and are thus still using v1. 

In vSAN 6.2 clusters, the v3 On-Disk format allows for additional features, such as Erasure Coding, Checksum, and Deduplication & Compression.

In vSAN 6.6/6.7 clusters, the v3 On-Disk may be used with the exception of when Per-Site Policies or Encryption are used. To use Per-Site Policies or Encryption the v5 On-Disk format is required.

VMware recommends upgrading to the latest On-Disk format for improved performance, scalability, and feature capabilities.

vSAN Witness Host

Both physical ESXi hosts and vSAN Witness Appliances (nested ESXi) are supported as a Stretched Cluster Witness Host.

VMware provides a vSAN Witness Appliance for those customers who do not wish to use a physical host for this role. The vSAN Witness Appliance must run on an ESXi 5.5* or higher host. This can include an ESXi Free licensed host, a vSphere licensed (ESXi) host, or a host residing in OVH (formerly vCloud Air), a vCloud Air Network (VCAN) partner, or any hosted ESXi installation.

Witness host(s) or Appliances cannot be shared between multiple vSAN Stretched Clusters or 2 Node Clusters.

*When vSAN 6.7, the physical host the vSAN Witness Appliance is running on, must also meet the CPU requirements of vSphere 6.7. Supported CPU information can be found in the vSphere 6.7 Release Notes: https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-esxi-vcenter-server-67-release-notes.html

Feature Support Statements

The following are limitations on a vSAN Stretched Cluster implementation:

  • In a vSAN Stretched Clusters, there are only 3 Fault Domains. These are typically referred to as the Preferred, Secondary, and Witness Fault Domains. Standard vSAN configurations can be comprised of up to 32 Fault Domains.
  • Pre-vSAN 6.6, the maximum value for Number Of Failures To Tolerate in a vSAN Stretched Cluster configuration is 1. This is the limit due to the maximum number of Fault Domains being 3.
  • In vSAN 6.6, Number Of Failures To Tolerate has been renamed Primary Failures To Tolerate. Local Protection has been added with Secondary Failures To Tolerate, providing additional data availability scenarios. More information can be found specific to these rules in the  Per-Site Policies  section.

Support statements specific to using vSAN Stretched Cluster implementations:

  • SMP-FT, the new Fault Tolerant VM mechanism introduced in vSphere 6.0:
    • Is not supported on Stretched Cluster vSAN deployments where the FT  primary VM and secondary VM are not running in the same location.
    • Is supported on Stretched Cluster vSAN deployments where the FT primary and secondary VM are running within the same location. (This can be achieved by creating a VM/Host rule for that particular VM, and setting PFTT=0 and SFTT=1 with affinity to the same location as the VM/Host rule definition.)
    • Is supported when using 2 Node configurations in the same physical location. SMP-FT requires appropriate vSphere licensing.  *The vSAN Witness Appliance managing a 2 Node cluster may not reside on the cluster it is providing quorum for. SMP-FT is not a feature that removes this restriction. 
       
  • The Erasure Coding feature introduced in vSAN 6.2:
    • Is not supported because Stretched Cluster Configurations prior to vSAN 6.6 due to only having 3 Fault Domains.
      Erasure Coding requires 4 Fault Domains for RAID5 type protection and 6 Fault Domains for RAID6 type protection.
    • Is supported for Local Protection within a site when using vSAN 6.6 and  Per-Site Policies  .
  • The vSAN iSCSI Target Service is not supported on vSAN Stretched Clusters.
     
  • SCSI3-PR Support for Windows Server Failover Clustering (WSFC) introduced in vSAN 6.7 Update 3:
    • Is supported on vSAN Stretched Clusters using vSAN 6.7 Update 3 or higher. 
      • This does not take into account the failover mechanism for WSFC
      • WSFC-based applications should be configured to properly failover in the event of a site failure.

New Concepts in vSAN - Stretched Clusters

A common question is how Stretched Clusters differ from Fault Domains, which is a vSAN feature that was introduced with vSAN version 6.0.

vSAN Stretched Clusters vs. Fault Domains

A common question is how stretched cluster differs from fault domains, which is a vSAN feature that was introduced with vSAN version 6.0. Fault domains enable what might be termed “rack awareness” where the components of virtual machines could be distributed across multiple hosts in multiple racks, and should a rack failure event occur, the virtual machine would continue to be available. However, these racks would typically be hosted in the same data center, and if there was a data center-wide event, fault domains would not be able to assist with virtual machines availability.

Stretched clusters essentially build on what fault domains did, and now provide what might be termed “data center awareness”. VMware vSAN Stretched Clusters can now provide availability for virtual machines even if a data center suffers a catastrophic outage.

The vSAN Witness Host

vSAN Witness Purpose  

The witness host is a dedicated ESXi host, or vSAN Witness Appliance, whose purpose is to host the witness component of virtual machines objects.

The witness must have a connection to both the master vSAN node and the backup vSAN node to join the cluster. In steady state operations, the master node resides in the “Preferred site”; the backup node resides in the “Secondary site”. Unless the witness host connects to both the master and the backup nodes, it will not join the vSAN cluster.

vSAN Witness Connectivity  

The vSAN Witness Host must be managed by the same vCenter Server managing the vSAN Cluster.
There must be connectivity between vCenter Server and the vSAN Witness Host in the same fashion as vCenter controlling other vSphere hosts.

The vSAN Witness Host must also have connectivity between the vSAN Witness Host and the vSAN nodes.
This is typically performed through connectivity between the vSAN Witness Host vSAN VMkernel interface and the vSAN data network.

In vSAN 6.7 a separately tagged VMkernel interface may be used instead of providing connectivity between the vSAN Witness Host and the vSAN data network.

These will be covered more thoroughly in a later section.

Updating or Upgrading the vSAN Witness Appliance  

The vSAN Witness Appliance can easily be maintained/patched using vSphere Update Manager in the same fashion as traditional ESXi hosts.
It is not required to deploy a new vSAN Witness Appliance when updating or patching vSAN hosts. Normal upgrade mechanisms are supported on the vSAN Witness Appliance.
Note: When using an OEM provided vSphere ISO for upgrading vSAN hosts it is important to remember that additional OEM specific drivers or software may be included. It is important to use only a VMware provided vSphere ISO to upgrade the vSAN Witness Appliance.

Read Locality in vSAN Stretched Clusters

n traditional vSAN clusters, a virtual machine’s read operations are distributed across all replica copies of the data in the cluster.  In the case of a policy setting of NumberOfFailuresToTolerate =1, which results in two copies of the data, 50% of the reads will come from replica1 and 50% will come from replica2. In the case of a policy setting of NumberOfFailuresToTolerate =2 in non-stretched vSAN clusters, results in three copies of the data, 33% of the reads will come from replica1, 33% of the reads will come from replica2 and 33% will come from replica3.

In a vSAN Stretched Cluster, we wish to avoid increased latency caused by reading across the intersite link. To ensure that 100% of reads occur in the site the VM resides on, the read locality mechanism was introduced. Read locality overrides the NumberOfFailuresToTolerate=1 policy’s behavior to distribute reads across the components.

DOM, the Distributed Object Manager in vSAN, takes care of this. DOM is responsible for the creation of virtual machine storage objects in the vSAN cluster. It is also responsible for providing distributed data access paths to these objects. There is a single DOM owner per object. There are 3 roles within DOM; Client, Owner and Component Manager. The DOM Owner coordinates access to the object, including reads, locking as well as object configuration and reconfiguration. All objects changes and writes also go through the owner. The DOM owner of an object will now take into account which fault domain the owner runs in a vSAN Stretched Cluster configuration, and will read from the replica that is in the same domain.

There is now another consideration with this read locality, one must avoid unnecessary vMotion operations of the virtual machine between sites. Since the read cache blocks are stored on one site, if the VM moves around freely and ends up on the remote site, the cache will be cold on that site after the move. (Note that this only applies to hybrid configurations, as all-flash configurations do not have an explicit read cache.) Now there will be sub-optimal performance until the cache is warm again. To avoid this situation, soft affinity rules are used to keep the VM local to the same site/fault domain where possible. The steps to configure such rules will be shown in detail in the vSphere DRS section of this guide.

VMware vSAN 6.2 introduced Client Cache, a mechanism that allocates 0.4% of host memory, up to 1GB, as an additional read cache tier. Virtual machines leverage the Client Cache of the host they are running on. Client Cache is not associated with Stretched Cluster read locality, and runs independently.

Witness Traffic Separation (WTS)

By default, when using vSAN Stretched Clusters, the Witness VMkernel interface tagged for vSAN traffic must have connectivity with each vSAN data node's VMkernel interface tagged with vSAN traffic.

Witness Traffic Separation is supported on Stretched Cluster configurations as of vSAN 6.7, an alternate VMkernel interface can be designated to carry traffic destined for the Witness rather than the vSAN tagged VMkernel interface. This feature allows for more flexible network configurations by allowing for separate networks for node-to-node and node-to-witness traffic.

Mixed MTU (Jumbo Frames)

In addition to WTS, mixed MTU sizes (e.g. 9000 for vSAN data and 1500 for vSAN Witness traffic) is supported as of vSAN 6.7 U1. 

Per Site Policies

Prior to vSAN 6.6 
Up until vSAN 6.6, protection of objects in a Stretched Cluster configuration was comprised of one copy of data at each site and a witness component residing on the Witness host.

This configuration provided protection from a single failure in any 1 of the 3 sites, due to each site being configured as a Fault Domain. Using existing policies, 3 Fault Domains allow for a maximum number of a single failure.

During normal operation, this was not a significant issue. In the event of a device or node failure, additional traffic could potentially traverse the inter-site link for operations such as servicing VM reads and writes, as well as repairing the absent or degraded replica.

Stretched Cluster bandwidth sizing is sized based on the number of writes a cluster requires. Capacity for resync operations is taken into account with 25% of the available bandwidth allocated. Reads, however, are not taken into account normally in sizing.

Impact during when an object is absent or degraded  
Availability scenarios differ depending on the type of failure or lack of availability.

If a host goes offline, or a capacity device is unmounted, the components will not be replaced until either the 60-minute threshold is reached. This is configurable, but VMware recommends not to adjust this setting. During the timeframe that the object is absent, if the object is present on the alternate site from the virtual machine, reads from the object will cause additional overhead while traversing the inter-site link. Resycs will not occur until after 60 minutes. After the 60-minute threshold occurs, reads and resyncs will traverse the inter-site link until the object is replaced on the site it is absent from.

When a device fails due to a hardware error, data is immediately resynched to repair the object data. Like an absent object after the 60-minute threshold, a degraded event will cause immediate reads and resyncs across the inter-site link.

The impact can be insignificant if there are few items that need to be replaced or if the inter-site link is oversized. The impact can be significant if there are many items to be replaced or the inter-site link is already at full utilization.

Also, consider that an additional failure until the object is repaired will cause the object(s) to become inaccessible. This is because up until vSAN 6.6, Stretched Clusters only protect from a single failure.

New Policy Rules in vSAN 6.6  
In vSAN 6.6 a few rule changes were introduced. Use of these rules provides additional protection or flexibility for Stretched Cluster scenarios.

  • Failures to Tolerate is renamed to Primary Failures To Tolerate, this is the only rule that received a name change. It still behaves the same, and in a Stretched Cluster, the only possible values are 0 or 1.
  • Failure Tolerance Method has not changed, but when used in conjunction with another rule, it could change object placement behavior.
  • Secondary Failures To Tolerate is a new rule that specifically changes the local protection behavior of objects in each site of a vSAN 6.6 Stretched Cluster.
  • The final new rule is Affinity. This rule is only applicable when Primary Failures To Tolerate is 0. When Primary Failures To Tolerate is 0, this rule provides the administrator the ability to choose which site the vSAN object should reside on, either the Preferred or Secondary Fault Domain.

The vSphere Client introduced in vSphere 6.7, presents Storage Policy creation a bit differently than the vSphere Web Client.
The updated Storage Policy Creation wizard is streamlined to present the Availability rules, with the option of enabling Advanced rules.

These new policy rules provide:

  •  Local Protection  for objects on vSAN 6.6 Stretched Clusters
  •  Site Affinity for objects vSAN 6.6 Stretched Clusters when protection across sites is not desired.

The only upgrade requirement for vSAN 6.5 customers to use the new rules in vSAN 6.6 and above, is the requirement to upgrade the On-Disk format from Version 3 to Version 5. Bandwidth requirements do not change.

Upon upgrade from a vSAN 6.5 Stretched Cluster to a vSAN 6.6 Stretched Cluster, an existing Stretched Cluster policy of FTT=1 with FTM=Mirroring will become a PFTT=1, FTM=Mirroring.

To meet the requirements of the addition of Local Protection, there is a minimum host count per site.

*Erasure Coding requires an All-Flash vSAN Configuration

Data access behavior using the new Policy Rules  
vSAN Stretched Clusters have traditionally written a copy of data to each site using a Mirroring Failure Tolerance Method. These were full writes to each site, with reads being handled locally using the Site Affinity feature. Write operations are dependent on VM Storage Policy rules in a vSAN 6.6 Stretched Cluster.

Dual Site Mirroring/Primary Failures To Tolerate behavior 

  • When a Primary Failures to Tolerate rule is equal to 1, writes will continue to be written in a mirrored fashion across sites.
  • When a Primary Failures to Tolerate rule is equal to 0, writes will only occur in the site that is specified in the Affinity rule.
  • Reads continue to occur from the site a VM resides on.

Local Protection/Secondary Failures To Tolerate behavior 

  • When a Secondary Failures to Tolerate rule is in place, the behavior within a site adheres to the Failure Tolerance Method rule.
  • As illustrated in the above table, the number of failures to tolerate, combined with the Failure Tolerance Method, determine how many hosts are required per site to satisfy the rule requirements.
  • Writes and reads occur within each site in the same fashion as they would in a traditional vSAN cluster, but per site.
  • Only when data cannot be repaired locally, such as cases where the only present copies of data reside on the alternate site, will data be fetched from the alternate site.

Affinity 

  • The Affinity rule is only used to specify which site a vSAN object, either Preferred or Secondary, will reside on.
  • It is only honored when a Primary Failures To Tolerate rule is set to 0.
  • VMware recommends that virtual machines are run on the same site that their vSAN objects reside on.
    • Because the Affinity rule is a Storage Policy rule, it only pertains to vSAN objects and not virtual machine placement.
    • This is because read and write operations will be required to traverse the inter-site link when the virtual machine and vSAN objects do not reside in the same site.

vSAN Stretched Cluster Capacity Sizing when using Per-Site Policy Rules  
Prior to Per-Site policy rules, vSAN Stretched Cluster capacity sizing was primarily based on the Mirroring Failure Tolerance Method, assuming a FTT=1.

This is because of only a single copy of data residing in each site.

With Per-Site Policy Rules, capacity requirements can change entirely based on Policy Rule requirements.

The following table illustrates some capacity sizing scenarios based on a default site policy with a vmdk requiring 100GB. For single-site scenarios, assuming Preferred Site.

vSAN Stretched Cluster Component Examples when using Per-Site Policy Rules  
As Per-Site Policy Rules add local protection, objects are distributed into even more components.
Because the bandwidth requirements to the Witness Host are based on the number of components, using these policy rules will increase the overall component count.

The following is an example of the impact of changing a Storage Policy to include Local Protection in a Stretched Cluster scenario.
Consider the following example with a virtual machine that has a single vmdk that is smaller than 255GB.

Consider the following with a virtual machine that has a multiple vmdks with sizes of 100GB, 300GB, and 600GB.

*Total VM's are set to the maximum of 1,500 VM's. This is taking the maximum Stretched Cluster size into account (a 15+15+W configuration with 15 hosts per site and a vSAN Witness Host).
VMware supports a maximum of 100VM's per host on vSAN when using non-Virtual Desktop workloads. 

Not every environment is going to be uniform like these calculations might indicate. A vmdk that is larger than 255GB is going to require at least one component for every 255GB chunk. Specifying a Policy Rule of Stripe Width, or possibly breaking a component into smaller chunks after a rebalance is going to increase the component count as well. 

Additional objects on vSAN, like snapshots, will add to the overall component count.

In the examples, VM Swap placement is inheriting the policy of the Namespace. This behavior was implemented in vSAN 6.7 by default but also appears in the latest releases of vSAN 6.6. VM Swap file behavior, before these most recent releases, was always Mirrored with a Failure to Tolerate of 1.

 vSAN Stretched Cluster Witness Bandwidth considerations when using Per-Site Policy Rules

The witness bandwidth requirement is 2Mbps for every 1000 components.  Using this formula, some additional examples

  • 200 virtual machines with 500GB vmdks (12 components each) using Pre-vSAN 6.6 policies would require 4.8Mbps of bandwidth to the Witness host
    • 3 for swap, 3 for VM home space, 6 for vmdks = 12
    • 12 components X 200 VMs = 2,400 components
    • 2Mbps for every 1000 is 2.4 X 2Mbps = 4.8Mbps
  • The same 200 virtual machines with 500GB vmdks using vSAN 6.6 Policy Rules for Cross Site protection with local Mirroring would require
    • 7 for swap, 7 for VM home space, 18 for vmdks = 32
    • 32 components X 200 VMs = 6,400 components
    • 2Mbps for every 1000 is 6.4 X 2Mbps = 12.8Mbps
  • The same 200 virtual machines with 500GB vmdks using vSAN 6.6 Policy Rules for Cross Site protection with local Erasure Coding would require
    • 9 for swap, 9 for VM home space, 17 for vmdks = 35
    • 35 components X 200 VMs = 7,000 components
    • 2Mbps for every 1000 is 7 X 2Mbps = 12Mbps

These examples show that by adding local protection, component counts increase, as well as witness bandwidth requirements.

  vSAN 6.6+ Per-Site Policy Rules Summary  
With the introduction of Per-Site Policy Rules, vSAN 6.6 adds two important capabilities to vSAN Stretched Clusters.

  1. Local Protection
  2. Site Affinity

As these features provide additional protection and data availability, it is important to consider capacity, bandwidth, and component sizing scenarios.

Also, remember that the vSphere Client in vSphere 6.7 Presents PFTT as Dual Site Mirroring and SFTT as Local Protection

Requirements

List of requirements for implementing vSAN Stretched Cluster.

VMware vCenter Server

A vSAN Stretched Cluster configuration can be created and managed by a single instance of VMware vCenter Server. Both the Windows version and the vCenter Server Appliance are supported for configuration and management of a vSAN Stretched Cluster.

A Witness Host

In a vSAN Stretched Cluster, the witness components are only ever placed on the Witness host. Either a physical ESXi host, or a special vSAN Witness Appliance provided by VMware, can be used as the witness host.

If a vSAN Witness Appliance is used for the Witness host, it will not consume any of the customer’s vSphere licenses. A physical ESXi host that is used as a witness host will need to be licensed accordingly, as this can still be used to provision virtual machines should a customer choose to do so.

It is important that the witness host is not added to the vSAN cluster. The witness host is selected during the creation of a vSAN Stretched Cluster.

The witness appliance will have a unique identifier in the vSphere web client UI to assist with identifying that a host is in fact a witness appliance (ESXi in a VM). It is shown as a “blue” host, as highlighted below:    

Note: This is only visible when the appliance ESXi witness is deployed. If a physical host is used as the witness, then it does not change its appearance in the web client. A dedicated witness host is required for each Stretched Cluster.

 

 

Networking and Latency Requirements

When vSAN is deployed in a Stretched Cluster across multiple sites using Fault Domains, there are certain networking requirements that must be adhered to.

Layer 2 and Layer 3 Support  

When vSAN Stretched Clusters were introduced, vSAN traffic between data nodes was multicast, and traffic to the vSAN Witness Host was unicast.
The release of vSAN 6.6 replaced multicast for vSAN traffic with unicast. Traffic to the vSAN Witness Host continues to be unicast.

When deciding a network topology, it is important to consider vSAN uses the same TCP stack as the Management VMkernel interface (typically vmk0). As a result, vSAN VMkernel interfaces use the same default gateway as the Management VMkernel interface.

  • VMware recommends that vSAN communication between the Data Sites and the Witness Site is routed over Layer 3.
    • If using a traditional Stretched Cluster configuration, the Data Nodes will require a static route from the vSAN VMkernel interfaces to the vSAN Witness Host VMkernel interface tagged for vSAN Traffic.
    • For a vSAN 6.7 or higher Stretched Cluster configuration that is configured to use Witness Traffic Separation
      • If a VMkernel interface other than the Management VMkernel interface (typically vmk0) is tagged with "witness" traffic, static routes will be required to communicate with the vSAN Witness Host VMkernel interface tagged for vSAN Traffic.
      • If the Management VMkernel interface is tagged with "witness" traffic, static routes are not required if the host can already communicate with the vSAN Witness Host VMkernel interface using the default gateway.
        Note: Some would prefer that vSAN metadata traffic uses a dedicated interface rather than the Management VMkernel interface for isolation. It is also a prudent security practice to isolate Management traffic from workload traffic. Choosing the Managment VMkernel interface for vSAN metadata traffic is supported, but should align with desired architecture & risk considerations.
         
  • VMware supports vSAN communication between the Data Sites in either stretched Layer 2 or Layer 3, with the following considerations
    • Stretched Layer 2 does not require static routing
    • Layer 3 requires static routing to communicate properly between sites.
       
  • vSAN Witness Host Networking
    • The Management (vmk0) and WitnessPg (vmk1) VMkernel interfaces on the vSAN Witness Host must not be configured to use addresses on the same subnet.
      This creates a Multi-Homing situation, referenced in KB 2010877.
      If only a single subnet is available for the vSAN Witness Host, it is recommended to untag vSAN traffic on vmk1 and tag vSAN traffic on vmk0 on the vSAN Witness Host.
    • The use of Network Address Translation (NAT) is not supported with the vSAN Witness Host

The configuration of static routing mentioned above is not presented in the vSphere Client.  Static routing can be configured using various methods, including:

  • Using esxcli from the command line of each vSphere host or the vSphere CLI
  • Using a PowerCLI script to configure static routes on one or more hosts
  • Configuring static routing using Host Profiles

When deploying vSAN Stretched Clusters, each of these items are important to consider and will help in deciding which network topology to use with vSAN Stretched Clusters.

Supported Geographical Distances  

For VMware vSAN Stretched Clusters, geographical distances are not a support concern. The key requirement is the actual latency numbers between sites.

Data Site to Data Site Network Latency  

Data site to data site network refers to the communication between non-witness sites, in other words, sites that run virtual machines and hold virtual machine data. Latency or RTT (Round Trip Time) between sites hosting virtual machine objects should not be greater than 5msec (< 2.5msec one-way).

Data Site to Data Site Bandwidth  

Bandwidth between sites hosting virtual machine objects will be workload dependent. For most workloads, VMware recommends a minimum of 10Gbps or greater bandwidth between sites.

Please refer to the  Design Considerations  section of this guide for further details on how to determine bandwidth requirements.

Data Site to Witness Network Latency  

This refers to the communication between non-witness sites and the witness site.

In most vSAN Stretched cluster configurations, latency or RTT (Round Trip Time) between sites hosting VM objects and the witness nodes should not be greater than 200msec (100msec one-way).

The latency to the witness is dependent on the number of objects in the cluster. VMware recommends that on vSAN Stretched Cluster configurations up to 10+10+1, a latency of less than or equal to 200 milliseconds is acceptable, although if possible, a latency of less than or equal to 100 milliseconds is preferred. For configurations that are greater than 10+10+1, VMware requires a latency of less than or equal to 100 milliseconds.

Data Site to Witness Network Bandwidth  

Bandwidth between sites hosting VM objects and the witness nodes are dependent on the number of objects residing on vSAN. It is important to size data site to witness bandwidth appropriately for both availability and growth. A standard rule of thumb is 2Mbps for every 1000 components on vSAN.

Please refer to the  Design Considerations section of this guide for further details on how to determine bandwidth requirements.

Inter-Site MTU Consistency  

 Knowledge Base Article 2141733  details a situation where data nodes have an MTU of 9000 (Jumbo Frames) and the vSAN Witness Host has an MTU of 1500. The vSAN Health Check looks for a uniform MTU size across all VMkernel interfaces that are tagged for traffic related to vSAN and reports any inconsistencies. It is important to maintain a consistent MTU size across all vSAN VMkernel interfaces on data nodes and the vSAN Witness Host in a vSAN Stretched Cluster to prevent traffic fragmentation.

As KB 2141733 indicates, the corrective actions are either to reduce the MTU from 9000 on the data node VMkernel interfaces or increase the MTU value on the vSAN Witness Host's VMkernel interface that is tagged for vSAN Traffic. Either of these are acceptable corrective actions.

The placement of the vSAN Witness Host will likely be the deciding factor in which configuration will be used. Network capability, control, and cost to/from the vSAN Witness Host as well as overall performance characteristics on data nodes are items to consider when making this design decision.

In situations where the vSAN Witness Host VMkernel interface tagged for vSAN traffic is not configured to use Jumbo Frames (or cannot due to underlying infrastructure), VMware recommends that all vSAN VMkernel interfaces use the default MTU of 1500.

As a reminder, there is no requirement to use Jumbo Frames with VMkernel interfaces used for vSAN.

Multiple vSAN Witness Hosts sharing the same VLAN

For customers who have implemented multiple 2 Node vSAN deployments, a common question is whether the Witness traffic from each of the remote sites requires its own VLAN. 

The answer is no. 

Multiple 2 Node vSAN deployments can send their witness traffic on the same shared VLAN.

Configuration Minimums and Maximums

The maximum number of virtual machines per ESXi host is unaffected by the vSAN Stretched Cluster configuration.

Virtual Machines Per Host

The maximum number of virtual machines per ESXi host is unaffected by the vSAN Stretched Cluster configuration. The maximum is the same as normal vSAN deployments.

VMware recommends that customers should run their hosts at 50% of maximum number of virtual machines supported in a standard vSAN cluster to accommodate a full site failure. 

In the event of full site failures, the virtual machines on the failed site can be restarted on the hosts in the surviving site.

Hosts Per Cluster

Minimum Host Count

The minimum number of hosts in a vSAN Stretched Cluster is 2 plus the vSAN Witness Host. Site 1 contains one physical ESXi host; Site 2 contains one physical ESXi host; Site 3 contains the vSAN Witness Host (virtual appliance or physical). The configuration is 1+1+1. This is commonly referred to as a 2 Node configuration. If both nodes in a 2 Node configuration are in the same site, the vSAN Witness Host can be in the same site , or in an alternate site. In configurations where the 2 Nodes are in alternate sites, the vSAN Witness Host must be in a third site.

Maximum Host Count

The maximum number of vSAN hosts in a vSAN Stretched Cluster is 30 plus the vSAN Witness Host. 

Symmetrical Configurations

vSAN 6.1 or higher support symmetrical configurations where Site 1 contains up to 15 ESXi hosts, Site 2 contains the same number of ESXi hosts, and the vSAN Witness Host in a third site. 

Asymmetrical Configurations

vSAN 6.6 or higher support asymmetrical configurations where some workloads may use the Site Affinity rule as part of a Storage Policy.

Example 1: Site 1 contains 20 ESXi hosts, Site 2 contains 10 ESXi hosts, and the Witness Host is in a third site. 

In this use case, some workloads would only be available in Site 1 (Using a PFTT=0/SiteAffinity=Preferred) and others would be available in both Site 1 and Site 2.

Example 2: Site 1 contains 12 ESXi hosts, Site 2 contains 16 ESXi hosts, and the Witness Host is in a third site.

In this use case, some workloads would only be available in Site 2 (Using a PFTT=0/SiteAffinity=Non-Preferred) and others would be available in both Site 1 and Site 2. 

Witness Host

There is a maximum of 1 Witness host per vSAN Stretched Cluster. The Witness host requirements are discussed in the Design Considerations section of this guide. VMware provides a fully supported vSAN Witness Appliance, in Open Virtual Appliance (OVA) format. This is for customers who do not wish to dedicate a physical ESXi host as the witness. This OVA is essentially a pre-licensed ESXi host running in a virtual machine and can be deployed on a physical ESXi host at the third site.

 

vSAN Storage Policies

Number of Failures To Tolerate (FTT) - Pre-vSAN 6.6
Primary Number of Failures To Tolerate (PFTT) - vSAN 6.6

The FTT/PFTT policy setting has a maximum of 1 for objects. In Pre-vSAN 6.6 Stretched Clusters FTT may not be greater than 1. In vSAN 6.6 Stretched Clusters PFTT may not be greater than 1. This is because Stretched Clusters are comprised of 3 Fault Domains.

Secondary Number of Failures To Tolerate (SFTT) - vSAN 6.6

When used, the SFTT rule determines the Failure Tolerance Method for local protection in a Stretched Cluster.

Failure Tolerance Method (FTM)

Failure Tolerance Method rules provide object protection with RAID-1 (Mirroring) for Performance and RAID-5/6 (Erasure Coding) for Capacity.

In Pre-vSAN 6.6 Stretched Clusters, Mirroring is the only FTM rule that can be satisfied, due to the 3 fault domains present. Also, when Primary Failures to Tolerate is 1 in a vSAN 6.6 Stretched Cluster, data is Mirrored across both sites and is placed based on the Secondary Failure to Tolerate policy along with FTM.

In vSAN 6.6 Stretched Clusters, Erasure Coding can be implemented using local protection, provided the host count and capacity are available. All-Flash vSAN is a requirement for supporting Erasure Coding.

Affinity

Affinity rules are used when the PFTT rule value is 0. This rule has 2 values, Preferred or Secondary. This determines which site an Affinity based vmdk would reside on.

Other Policy Rules

Other policy settings are not impacted by deploying vSAN in a Stretched Cluster configuration and can be used as per a non-stretched vSAN cluster.

Additional vSAN 6.6 Policy Rule Changes

Can be found in the Per-Site Policies section

https://storagehub.vmware.com/#!/vmware-vsan/vsan-stretched-cluster-guide/per-site-policies-2/1

Fault Domains

Fault domains play an important role in vSAN Stretched Clusters. Similar to the Number Of Failures To Tolerate (FTT) policy setting discussed previously, the maximum number of fault domains in a vSAN Stretched Cluster is 3. The first fault domain is the “Preferred” data site, the second fault domain is the “Secondary” data site and the third fault domain is the Witness host site.

Design Considerations

The witness host must be capable of running the same version of ESXi as vSAN data nodes.

Witness Host Sizing

The vSAN Witness host can be either a traditional physical ESXi host or the provided and packaged vSAN Witness Appliance (OVA). The purpose of the Witness host is to store witness components for virtual machine objects.

vSAN Witness Appliance (Virtual Machine)

Deploying the vSAN Witness Appliance that is provided by VMware is the recommended deployment choice for a vSAN Witness Host. When choosing this deployment option, there are some requirements to consider.

Licensing

A license is hard coded in the vSAN Witness Appliance and is provided for free from VMware.

vSAN Witness Appliance Version

A vSAN Witness Appliance is provided with each release of vSAN. The underlying vSphere version is the same as the version running vSAN. Upon initial deployment of the vSAN Witness Appliance, it is required to be the same as the version of vSAN.

Example: A new vSAN 6.5 deployment requires a 6.5 version of the vSAN Witness Appliance.

When upgrading the vSAN Cluster, upgrade the vSAN Witness Appliance in the same fashion as upgrading vSphere. This keeps the versions aligned

Example: Upgrade vSAN 6.5 hosts to 6.6 using VMware Update Manager. Upgrade vSAN Witness Appliance (6.5 to 6.6) using VMware Update Manager.

vSAN Witness Appliance Size

When using a vSAN Witness Appliance, the size is dependent on the configurations and this is decided during the deployment process.  vSAN Witness Appliance deployment options are hard coded upon deployment and there is typically no need to modify these.

Compute Requirements

The vSAN Witness Appliance, regardless of configuration, uses at least two vCPUs.

Memory Requirements

Memory requirements are dependent on the number of components.

Storage Requirements

Cache Device Size: Each vSAN Witness Appliance deployment option has a cache device size of 10GB. This is sufficient for each for the maximum of 45,000 components. In a typical vSAN deployment, the cache device must be a Flash/SSD device. Because the vSAN Witness Appliance has virtual disks, the 10GB cache device is configured as a virtual SSD. There is no requirement for this device to reside on a physical flash/SSD device. Traditional spinning drives are sufficient.

Capacity Device Sizing: First consider that a capacity device can support up to 21,000 components. Also consider that a vSAN Stretched Cluster can support a maximum of 45,000 components.  Each Witness Component is 16MB, as a result, the largest capacity device that can be used for storing of Witness Components is approaching 350GB.

vSAN Witness Appliance Deployment Sizes & Requirements Summary

  • Tiny - Supports up to 10 VMs/750 Witness Components
    • Compute - 2 vCPUs
    • Memory - 8GB vRAM
    • ESXi Boot Disk - 12GB Virtual HDD
    • Cache Device - 10GB Virtual SSD
    • Capacity Device - 15GB Virtual HDD
       
  • Normal - Supports up to 500 VMs/21,000 Witness Components
    • Compute - 2 vCPUs
    • Memory - 16GB vRAM
    • ESXi Boot Disk - 12GB Virtual HDD
    • Cache Device - 10GB Virtual SSD
    • Capacity Device - 350GB Virtual HDD
       
  • Large - Supports over 500 VMs/45,000 Witness Components
    • Compute: 2 vCPUs
    • Memory - 32 GB vRAM
    • ESXi Boot Disk - 12GB Virtual HDD
    • Cache Device - 10GB Virtual SSD
    • Capacity Devices - 3x350GB Virtual HDD
      8GB ESXi Boot Disk*, one 10GB SSD, three 350GB HDDs
      Supports a maximum of 45,000 witness components

Where can the vSAN Witness Appliance run?

The vSAN Witness Appliance must run on an ESXi 5.5 or greater host. Several scenarios are supported officially:

It can be run in any of the following infrastructure configurations (provided appropriate networking is in place):

  • On a vSphere environment backed with any supported storage (vmfs datastore, NFS datastore, vSAN Cluster)
  • On vCloud Air/OVH backed by supported storage
  • Any vCloud Air Network partner hosted solution
  • On a vSphere Hypervisor (free) installation using any supported storage (vmfs datastore or NFS datastore)

Support Statements specific to placement of the vSAN Witness Appliance on a vSAN cluster:

  • The vSAN Witness Appliance is supported running on top of another non-Stretched vSAN cluster.
  • The vSAN Witness Appliance is supported on a Stretched Cluster vSAN for another vSAN Stretched Cluster, and vice-versa.

 

Physical Host as a vSAN Witness Host

If using a physical host as the vSAN Witness Host there are some requirements to consider.

Licensing

If using a physical host as a vSAN Witness Host, it must be licensed with a valid vSphere license. This does not require the same licensed edition as the vSAN Cluster it is supporting.

vSphere Build

If using a physical host as a vSAN Witness Host, it must be running the same build of vSphere as the Stretched Cluster that it is participating with.

Compute and Memory Requirements

The minimum specifications required for ESXi meet the minimum requirements for use as a vSAN Witness Host. Minimum requirements for vSphere are dependent on the build of vSphere, and can be found in the documentation section for each edition in VMware Documentation: https://www.vmware.com/support/pubs/

Storage Requirements

Storage requirements do not change for a physical host being used as a vSAN Witness Host in comparison to the vSAN Witness Appliance. An ESXi boot device, a cache device, and one or more capacity devices are still required.

Required

  • 1st device - vSphere Boot Device - Normal vSphere Requirements
  • 2nd device - vSAN Cache Device - No requirement for Flash/SSD, but it must be tagged as Flash/SSD in ESXi to be used as though it were a Flash/SSD device. This must be at least 10GB in size.
  • 3rd device - Can be up to 350GB and will support metadata for up to 21,000 components on a vSAN Cluster

Optional

  • 4th device - Can be up to 350GB and will support metadata for up to 21,000 components on a vSAN Cluster
  • 5th device - Can be up to 350GB and will support metadata for up to 21,000 components on a vSAN Cluster.

Other workloads

If using a physical host as a vSAN Witness Host, it may run other workloads. Because the physical vSAN Witness Host is external to the vSAN Cluster it is contributing to, those workloads will not be part of the vSAN Cluster.  The vSAN Disk Group, and the disks it includes, may not be used for those workloads.

*Important consideration: Multiple vSAN Witness Appliances can run on a single physical host. Using vSAN Witness Appliances is typically more cost-effective than dedicating physical hosts for the purpose of meeting the vSAN Witness Host need.

Cluster Compute Resource Utilization

For full availability, VMware recommends that customers should be running at 50% of resource consumption across the vSAN Stretched Cluster. In the event of a complete site failure, all of the virtual machines could be run on the surviving site.

VMware understands that some customers will want to run levels of resource utilization higher than 50%. While it is possible to run at higher utilization in each site, customers should understand that in the event of failure, not all virtual machines will be restarted on the surviving site.

With the introduction of Per-Site Policies in vSAN 6.6, capacity requirements are dependent on the policies used.

vSAN Version Protection FTT/PFTT FTM SFTT Capacity Required in Preferred Site Capacity Required in Secondary Site Capacity Requirement
Pre-vSAN 6.6 Across Sites Only 1 Mirroring NA 100% 100% 200%
vSAN 6.6 Across Sites Only 1 Mirroring 0 100% 100% 200%
Across Sites with Local Mirroring (RAID1 Single Failure) 1 Mirroring 1 200% 200% 400%
Across Sites with Local Mirroring (RAID1 Double Failure) 1 Mirroring 2 300% 300% 600%
Across Sites with Local Mirroring
(RAID1 Triple Failure)
1 Mirroring 3 400% 400% 800%
Across Sites with Local Erasure Coding (RAID5/Single Failure) 1 Erasure Coding 1 133% 133% 266%
Across Sites with Local Erasure Coding (RAID6/Double Failure) 1 Erasure Coding 2 150% 150% 300%
Single Site with Mirroring
(RAID1 Single Failure)
0 Mirroring 1 200% 0 200%
Single Site with Mirroring
(RAID1 Double Failure)
0 Mirroring 2 300% 0 300%
Single Site with Mirroring
(RAID1 Triple Failure)
0 Mirroring 3 400% 0 400%
Single Site with Erasure Coding
(RAID5/Single Failure)
0 Erasure Coding 1 133% 0 133%
Single Site with Erasure Coding
(RAID6/Single Failure)
0 Erasure Coding 2 150% 0 150%

Network Design Considerations

Stretched Cluster Network Design Considerations 

Sites  

A vSAN Stretched Cluster requires three Fault Domains. Two fault domains are configured as Preferred and Non-Preferred in the vSphere Client, and the vSAN Witness Host resides in a third (implied) Fault Domain.

Configured Fault Domains - Contain vSAN Data nodes

  • Preferred Fault Domain - Specified to be the primary owner of vSAN objects. This is an important designation specifically in cases of connectivity disruptions.
  • Non-Preferred Fault Domain - The alternate Fault Domain
  • These Fault Domains typically reside in geographically separated locations.
    • These Fault Domains could reside 

Witness Site - Contains vSAN Witness host 

  • Maintains Witness Component data from Preferred/Non-Preferred Fault Domains when applicable*
    *When using "Site Affinity" Witness Components will not reside in the Witness site

When using vSAN Stretched Clusters in a single datacenter, different rooms, or different racks could be considered separate sites.

  Connectivity and Network Types  

   Preferred Site   Secondary Site   Witness Site 
 Management Network  Layer 2 or 3 to vCenter/vSAN Hosts Layer 2 or 3 to vCenter/vSAN Hosts Layer 2 or 3 to vCenter
 VM Network  Recommend Layer 2 Recommend Layer 2 No requirement for a VM Network if using the vSAN Witness Appliance
Running VMs on the vSAN Witness Appliance is not supported.
Running VMs on a Physical Witness Host is supported.
 vMotion Network  If vMotion is desired between Data Sites, Layer 2 or Layer 3 are supported
vMotion is not required between this Data site & the Witness Site
If vMotion is desired between Data Sites, Layer 2 or Layer 3 are supported
vMotion is not required between this Data site & the Witness Site
There is no requirement for vMotion networking to the Witness site.
 vSAN Network  To the Secondary Site:
Layer 2 or Layer 3
Recommend L2 for Multicast (6.5 & below)
Layer 2 or Layer 3 for Unicast (6.6 & above)

To the Witness Site: Layer 3

Connectivity to the other sites must be independent.
To the Preferred Site:
Layer 2 or Layer 3
Recommend L2 for Multicast (6.5 & below)
Layer 2 or Layer 3 for Unicast (6.6 & above)

To the Witness Site: Layer 3

Connectivity to the other sites must be independent.
To the Preferred Site: Layer 3
To the Secondary Site: Layer 3

Connectivity to each site must be independent.

 

  Port Requirements  

VMware vSAN requires these ports to be open, both inbound and outbound:

   Port   Protocol   Connectivity To/From 
 vSAN Clustering Service  12345, 23451 UDP vSAN Hosts
 vSAN Transport  2233 TCP vSAN Hosts
 vSAN VASA Vendor Provider  8080 TCP vSAN Hosts and vCenter
 vSAN Unicast Agent (to Witness Host)  12321 UDP vSAN Hosts and vSAN Witness Appliance


  TCPIP Stacks, Gateways, and Routing  

  •   TCPIP Stacks  

At this time, the vSAN traffic does not have its own dedicated TCPIP stack. Custom TCPIP stacks are also not applicable for vSAN traffic.

  •   Default Gateway on ESXi Hosts  

     ESXi hosts come with a default TCPIP stack. As a result, hosts have a single default gateway. This default gateway is associated with the Management VMkernel interface (typically vmk0). It is a best practice to implement storage networking, in this case vSAN networking, on an alternate VMkernel interface, with alternate addressing.

    vSAN networking uses the same TCPIP stack as the Management VMkernel interface, traffic defaults to using the same default gateway as the Management VMkernel interface. With the vSAN network isolated from the Management VMkernel interface, it is not possible to use the default gateway. Because of this, vSAN Data Nodes cannot communicate with the Witness Host by default.

    One solution to this issue is to use static routes. This allows an administrator to define a new routing entry indicating which path should be followed to reach a particular network. In the case of the vSAN network on a vSAN Stretched Cluster.

    Static routes could be added as follows:
     
    1. Hosts on the Preferred Site have a static route added so that requests to reach the witness network on the Witness Site are routed out the vSAN VMkernel interface
    2. Hosts on the Secondary Site have a static route added so that requests to reach the witness network on the Witness Site are routed out the vSAN VMkernel interface
    3. The Witness Host on the Witness Site have static route added so that requests to reach the Preferred Site and Secondary Site are routed out the WitnessPg VMkernel interface
    4. If using Layer 3 between the Preferred Site & Secondary Sites, static routes may be required to properly communicate across the inter-site link.
       *Note, this may result in an alert (which may be disregarded provided connectivity is verified) that the vSAN network does have a matching subnet. 

 Static routes are added via the esxcli network IP route or  esxcfg-route  commands. Refer to the appropriate vSphere Command Line Guide for more information. 

 Caution when implementing Static Routes:  Using static routes requires administrator intervention. Any new ESXi hosts that are added to the cluster at either site 1 or site 2 needed to have static routes manually added before they can successfully communicate to the witness, and the other data site. Any replacement of the witness host will also require the static routes to be updated to facilitate communication to the data sites.

 

 Topology - L2 Design Versus L3 Design 

Consider a design where the vSAN Stretched Cluster is configured in one large L2 design as follows, where the Preferred Site (Site 1) and Secondary Site (Site 2) are where the virtual machines are deployed. The Witness site contains the Witness Host:

n the event of the link between Switch 1 and Switch 2 is broken (the link between the Site 1 and  Site 2). Network traffic will now route from Site 1 to Site 2 via Site 3. Considering there is a much lower bandwidth requirement for connectivity to the Witness Host, customers would see a decrease in performance if network traffic is routed through a lower specification Site 3.

If there are situations where routing traffic between data sites through the witness site does not impact latency of applications, and bandwidth is acceptable, a stretched L2 configuration between sites is supported. However, in most cases, VMware feels that such a configuration is not feasible for the majority of customers.

To avoid the situation outlined, and to ensure that data traffic is not routed through the Witness Site, VMware recommends the following network topology:

  • Between Site 1 and Site 2, implement either a stretched L2 (same subnet) or a L3 (routed) configuration.
     
  • Implement an L3 (routed) configuration between data sites and the Witness site.
    • Ensure that Sites 1 and 2 can only connect to Site 3 directly, and  not  through the alternate site.
       
    •  Static routing will be required from data hosts (Site 1 & Site 2) to the Witness in Site 3. 
      • Hosts in Site 1 should never traverse the inter-site link to reach Site 3.
      • Hosts in Site 2 should never traverse the inter-site link to reach Site 3.
         
    • Static routing will be required from the Witness host (Site 3) to the data hosts (Site 1 & Site 2)
      • The Witness should never route through Site 1, then across the inter-site link to reach Site 2.
      • The Witness should never route through Site 2, then across the inter-site link to reach Site 1.
         
  • In the event of a failure on either of the data sites network, this configuration will also prevent any traffic from Site 1 being routed to Site 2 via Witness Site 3, and thus avoid any performance degradation.

 

*If connectivity between the vSAN Network is configured to use L3:

  • Each host in Site 1 will require a static route for the vSAN VMkernel interface to route across the inter-site link to each vSAN VMkernel interface for hosts in Site 2.
  • Each host in Site 2 will require a static route for the vSAN VMkernel interface to route across the inter-site link to each vSAN VMkernel interface for hosts in Site 1.

Config of Network from Data Sites to Witness

The next question is how to implement such a configuration, especially if the witness host is on a public cloud? How can the interfaces on the hosts in the data sites, which communicate to each other over the vSAN network, communicate to the witness host?

 Option 1: Physical vSAN Witness Host connected over L3 & static routes 

In this first configuration, the data sites are connected over a stretched L2 network. This is also true for the data sites’ management network, vSAN network, vMotion network and virtual machine network. The physical network router in this network infrastructure does not automatically route traffic from the hosts in the data sites (Site 1 and Site 2) to the host in the Site 3. In order for the vSAN Stretched Cluster to be successfully configured, all hosts in the cluster must communicate. How can a stretched cluster be deployed in this environment?

The solution is to use static routes configured on the ESXi hosts so that the vSAN traffic from Site 1 and Site 2 is able to reach the witness host in Site 3, and vice versa. While this is not a preferred configuration option, this setup can be very useful for proof-of-concept design where there may be some issues with getting the required network changes implemented at a customer site.

In the case of the ESXi hosts on the data sites, a static route must be added to the vSAN VMkernel interface which will redirect traffic for the witness host on the witness site via a default gateway for that network. In the case of the witness host, the vSAN interface must have a static route added which redirects vSAN traffic destined for the data sites’ hosts. Adding static routes is achieved using the esxcfg-route –a  command on the ESXi hosts. This will have to be repeated on all ESXi hosts in the stretched cluster.

For this to work, the network switches need to be IP routing enabled between the vSAN network VLANs, in this example VLANs 11 and 21. Once requests arrive for a remote host (either witness -> data or data -> witness), the switch will route the packet appropriately. This communication is essential for vSAN Stretched Cluster to work properly.

Note that we have not mentioned the ESXi management network here. The vCenter server will still be required to manage both the ESXi hosts at the data sites and the ESXi witness. In many cases, this is not an issue for customer. However, in the case of stretched clusters, it might be necessary to add a static route from the vCenter server to reach the management network of the witness ESXi host if it is not routable, and similarly a static route may need to be added to the ESXi witness management network to reach the vCenter server. This is because the vCenter server will route all traffic via the default gateway.

As long as there is direct connectivity from the witness host to vCenter (without NAT’ing), there should be no additional concerns regarding the management network.

Also note that there is no need to configure a vMotion network or a VM network or add any static routes for these network in the context of a vSAN Stretched Cluster. This is because there will never be a migration or deployment of virtual machines to the vSAN Witness host. Its purpose is to maintain witness objects only, and does not require either of these networks for this task.

 Option 2: Virtual vSAN Witness Host connected over L3 & static routes 

Requirements: Since the virtual ESXi witness is a virtual machine that will be deployed on a physical ESXi host when deployed on-premises, the underlying physical ESXi host will need to have a minimum of one VM network preconfigured. This VM network will need to reach both the management network and the vSAN network shared by the ESXi hosts on the data sites. An alternative option that might be simpler to implement is to have two preconfigured VM networks on the underlying physical ESXi host, one for the management network and one for the vSAN network. When the virtual ESXi witness is deployed on this physical ESXi host, the network will need to be attached/configured accordingly.

Once the vSAN Witness Appliance has been successfully deployed, the static route configuration must be configured.

As before, the data sites are connected over a stretched L2 network. This is also true for data sites’ management network, vSAN network, vMotion network and virtual machine network. Once again, the physical network router in this environment does not automatically route traffic from the hosts in the Preferred and Secondary data sites to the host in the witness site. In order for the vSAN Stretched Cluster to be successfully configured, all hosts in the cluster require static routes added so that the vSAN traffic from the Preferred and Secondary sites is able to reach the Witness host in the witness site, and vice versa. As mentioned before, this is not a preferred configuration option, but this setup can be very useful for proof-of-concept design where there may be some issues with getting the required network changes implemented at a customer site.

Once again, the static routes are added using the esxcfg-route–a  command on the ESXi hosts. This will have to be repeated on all ESXi hosts in the cluster, both on the data sites and on the witness host.

The switches should be configured to have IP routing enabled between the vSAN network VLANs on the data sites and the witness site, in this example VLANs 11 and 21. Once requests arrive for the remote host (either witness -> data or data -> witness), the switch will route the packet appropriately. With this setup, the vSAN Stretched Cluster will form.

Note that once again we have not mentioned the management network here. As mentioned before, vCenter needs to manage the remote ESXi witness and the hosts on the data sites. If necessary, a static route should be added to the vCenter server to reach the management network of the witness ESXi host, and similarly, a static route should be added to the ESXi witness to reach the vCenter server.

Also note that, as before, that there is no need to configure a vMotion network or a VM network or add any static routes for these networks in the context of a vSAN Stretched Cluster. This is because there will never be a migration or deployment of virtual machines to the vSAN witness. Its purpose is to maintain witness objects only and does not require either of these networks for this task.

Bandwidth Calculation

s stated in the requirements section, the bandwidth requirement between the two main sites is dependent on workload and in particular the number of write operations per ESXi host. Other factors such as read locality not in operation (where the virtual machine resides on one site but reads data from the other site) and rebuild traffic, may also need to be factored in.

Requirements Between Data Sites

Reads are not included in the calculation as we are assuming read locality, which means that there should be no inter-site read traffic. The required bandwidth between the two data sites (B) is equal to the Write bandwidth (Wb) * data multiplier (md) * resynchronization multiplier (mr):

B = Wb *md * mr

The data multiplier is comprised of overhead for vSAN metadata traffic and miscellaneous related operations. VMware recommends a data multiplier of 1.4. The resynchronization multiplier is included to account for resynchronizing events. It is recommended to allocate bandwidth capacity on top of required bandwidth capacity for resynchronization events. 

Making room for resynchronization traffic, an additional 25% is recommended.

  • Data Site to Data Site Example 1

Take a hypothetical example of a 6 node vSAN Stretched Cluster (3+3+1) with the following:

  • A workload of 35,000 IOPS
  • 10,000 of those being write IOPS
  • A “typical” 4KB size write (This would require 40MB/s, or 320Mbps bandwidth)

Including the vSAN network requirements, the required bandwidth would be 560Mbps.

B = 320 Mbps * 1.4 * 1.25 = 560 Mbps. 
  • Data Site to Data Site Example 2

Take a 20 node vSAN Stretched Cluster (10+10+1) with a VDI (Virtual Desktop Infrastructure) with the following:

  • A workload of 100,000 IOPS
  • With a typical 70%/30% distribution of writes to reads respectively, 70,000 of those are writes. A “typical” 4KB size write(This would require 280 MBps, or 2.24Gbps bandwidth)

Including the vSAN network requirements, the required bandwidth would be approximately 4Gbps.

B = 280 MBps * 1.4 * 1.25 = 490 MBps or 3.92Gbps

Using the above formula, a vSAN Stretched Cluster with a dedicated 10Gbps inter-site link, can accommodate approximately 170,000 4KB write IOPS. Customers will need to evaluate their I/O requirements but VMware feels that 10Gbps will meet most design requirements.

Above this configuration, customers would need to consider multiple 10Gb NICs teamed, or a 40Gb network.

While it might be possible to use 1Gbps connectivity for very small vSAN Stretched Cluster implementations, the majority of implementations will require 10Gbps connectivity between sites. Therefore, VMware recommends a minimum of 10Gbps network connectivity between sites for optimal performance and for possible future expansion of the cluster.

Requirements when Read Locality is not Available

Note that the previous calculations are only for regular Stretched Cluster traffic with read locality. If there is a device failure, read operations also have to traverse the inter-site network. This is because the mirrored copy of data is on the alternate site when using NumberOfFailurestoTolerate=1.

The same equation for every 4K read IO of the objects in a degraded state would be added on top of the above calculations. The expected read IO would be used to calculate the additional bandwidth requirement.

In an example of a single failed disk, with objects from 5 VMs residing on the failed disk, with 10,000 (4KB) read IOPS, an additional 40 Mbps, or 320 mbps would be required, in addition to the above Stretched Cluster requirements, to provide sufficient read IO bandwidth, during peak write IO, and resync operations.

Requirements Between Data Sites and the Witness Site

Witness bandwidth isn’t calculated in the same way as the bandwidth between data sites. Because hosts designated as a witness do not maintain any VM data, but rather only component metadata, the requirements are much smaller.

Virtual Machines on vSAN are comprised of multiple objects, which can potentially be split into multiple components, depending on factors like policy and size. The number of components on vSAN have a direct impact on the bandwidth requirement between the data sites and the witness.

The required bandwidth between the Witness and each site is equal to ~1138 B x Number of Components /5s

1138 B x NumComp / 5 seconds

The 1138 B value comes from operations that occur when the Preferred Site goes offline, and the Secondary Site takes ownership of all of the components.

When the primary site goes offline, the secondary site becomes the master. The Witness sends updates to the new master, followed by the new master replying to the Witness as ownership is updated.

The 1138 B requirement for each component comes from a combination of a payload from the Witness to the backup agent, followed by metadata indicating that the Preferred Site has failed.

In the event of a Preferred Site failure, the link must be large enough to allow for the cluster ownership to change, as well as ownership of all of the components within 5 seconds.

Witness to Site Examples

Workload 1

With a VM being comprised of

  • 3 objects {VM namespace, vmdk (under 255GB), and vmSwap)
  • Failure to Tolerate of 1 (FTT=1)
  • Stripe Width of 1

Approximately 166 VMs with the above configuration would require the Witness to contain 996 components.

To successfully satisfy the Witness bandwidth requirements for a total of 1,000 components on vSAN, the following calculation can be used:

Converting Bytes (B) to Bits (b), multiply by 8
B = 1138 B * 8 * 1,000 / 5s = 1,820,800 Bits per second = 1.82 Mbps 

VMware recommends adding a 10% safety margin and round up.

B + 10% = 1.82 Mbps + 182 Kbps = 2.00 Mbps

With the 10% buffer included, a rule of thumb can be stated that for every 1,000 components, 2 Mbps is appropriate. 

Workload 2

With a VM being comprised of 

  • 3 objects {VM namespace, vmdk (under 255GB), and vmSwap)
  • Failure to Tolerate of 1 (FTT=1)
  • Stripe Width of 2

Approximately 1,500 VMs with the above configuration would require 18,000 components to be stored on the Witness.

To successfully satisfy the Witness bandwidth requirements for 18,000 components on vSAN, the resulting calculation is:

B = 1138 B * 8 * 18,000 / 5s = 32,774,400 Bits per second = 32.78 Mbps
B + 10% = 32.78 Mbps + 3.28 Mbps = 36.05 Mbps

Using the general equation of 2Mbps for every 1,000 components, (NumComp/1000) X 2Mbps, it can be seen that 18,000 components does in fact require 36 Mbps.

 

The Role of vSAN Heartbeats

As mentioned previously, when vSAN is deployed in a Stretched Cluster configuration, the vSAN Master Node is placed on the Preferred Site and the vSAN Backup Node is placed on the Non-Preferred Site. So long as there are nodes (ESXi hosts) available in the Preferred Site, then a master is always selected from one of the nodes on this site. Similarly, for the Non-Preferred Site, so long as there are nodes available on the Non-Preferred Site.

The vSAN Master Node and the vSAN Backup Node send heartbeats every second. If communication is lost for 5 consecutive heartbeats (5 seconds) between the Master and the Backup due to an issue with the Backup node, the Master chooses a different ESXi host as a Backup on the remote site. This is repeated until all hosts on the remote site are checked. If there is a complete site failure, the Master selects a Backup node from the Preferred Site.

A similar scenario arises when the Master has a failure.

When a node rejoins an empty site after a complete site failure, either the Master (in the case of the node joining the Preferred Site) or the Backup (in the case where the node is joining the Non-Preferred Site) will migrate to that site.

If communication is lost for 5 consecutive heartbeats (5 seconds) between the Master and the vSAN Witness Host, the vSAN Witness Host is deemed to have failed. If the vSAN Witness Host has suffered a permanent failure, a new vSAN Witness Host can be configured and added to the cluster.

Cluster Settings – vSphere HA

Certain vSphere HA behaviors have been modified especially for vSAN.

 

Cluster Settings – vSphere HA

Certain vSphere HA behaviors have been modified especially for vSAN. It checks the state of the virtual machines on a per virtual machine basis. vSphere HA can make a decision on whether a virtual machine should be failed over based on the number of components belonging to a virtual machine that can be accessed from a particular partition.

When vSphere HA is configured on a vSAN Stretched Cluster, VMware recommends the following:

 vSphere HA   Turn on 
Host Monitoring Enabled
Host Hardware Monitoring – VM Component Protection: “Protect against Storage Connectivity Loss” Disabled (default)
Virtual Machine Monitoring Customer Preference – Disabled by default
Admission Control Set to 50%
Host Isolation Response Power off and restart VMs
Datastore Heartbeats “Use datastores only from the specified list”, but do not select any datastores from the list. This disables Datastore Heartbeats
Advanced Settings:  
das.usedefaultisolationaddress False
das.isolationaddress0 IP address on vSAN network on site 1
das.isolationaddress1 IP address on vSAN network on site 2
das.ignoreInsufficientHbDatastore True

Always use an isolation address which is in the same network as vSAN. This ensures the isolation is validated using the vSAN VMkernel interface. In a non-routable vSAN network a switch virtual interface could be created on a physical switch in each site. This will give an isolation address IP on the vSAN segment that can be used for the das.isolationaddressX entries.

Turn on vSphere HA

To turn on vSphere HA, select the cluster object in the vCenter inventory, Manage, then vSphere HA. From here, vSphere HA can be turned on and off via a checkbox.

Host Monitoring

Host monitoring should be enabled on vSAN stretch cluster configurations. This feature uses network heartbeat to determine the status of hosts participating in the cluster, and if corrective action is required, such as restarting virtual machines on other nodes in the cluster.

Virtual Machine Response for Host Isolation

This setting determines what happens to the virtual machines on an isolated host, i.e. a host that can no longer communicate to other nodes in the cluster, nor is able to reach the isolation response IP address. VMware recommends that the Response for Host Isolation is to Power off and restart VMs. The reason for this is that a clean shutdown will not be possible as on an isolated host the access to the vSAN Datastore, and as such the ability to write to disk, is lost. 

Admission Control

Admission control ensures that HA has sufficient resources available to restart virtual machines after a failure. As a full site failure is one scenario that needs to be taken into account in a resilient architecture, VMware recommends enabling vSphere HA Admission Control. Availability of workloads is the primary driver for most stretched cluster environments. Sufficient capacity must, therefore, be available for a full site failure. Since ESXi hosts will be equally divided across both sites in a vSAN Stretched Cluster, and to ensure that all workloads can be restarted by vSphere HA, VMware recommends configuring the admission control policy to 50 percent for both memory and CPU.

VMware recommends using the percentage-based policy as it offers the most flexibility and reduces operational overhead. For more details about admission control policies and the associated algorithms, we would like to refer to the vSphere 6.5 Availability Guide.

The following screenshot shows a vSphere HA cluster configured with admission control enabled using the percentage-based admission control policy set to 50%.

It should be noted that vSAN is not admission-control aware. There is no way to inform vSAN to set aside additional storage resources to accommodate fully compliant virtual machines running on a single site. This is an additional operational step for administrators if they wish to achieve such a configuration in the event of a failure.

 

Host Hardware Monitoring – VM Component Protection

vSphere 6.0 introduced a new enhancement to vSphere HA called VM Component Protection (VMCP) to allow for an automated fail-over of virtual machines residing on a datastore that has either an “All Paths Down” (APD) or a “Permanent Device Loss” (PDL) condition.

A PDL, permanent device loss condition, is a condition that is communicated by the storage controller to ESXi host via a SCSI sense code. This condition indicates that a disk device has become unavailable and is likely permanently unavailable. When it is not possible for the storage controller to communicate back the status to the ESXi host, then the condition is treated as an “All Paths Down” (APD) condition.

In traditional datastores, APD/PDL on a datastore affects all the virtual machines using that datastore. However, for vSAN this may not be the case. An APD/PDL may only affect one or few VMs, but not all VMs on the vSAN datastore. Also in the event of an APD/PDL occurring on a subset of hosts, there is no guarantee that the remaining hosts will have access to all the virtual machine objects, and be able to restart the virtual machine. Therefore, a partition may result in such a way that the virtual machine is not accessible on any partition.

Note that the VM Component Protection (VMCP) way of handling a failover is to terminate the running virtual machine and restart it elsewhere in the cluster. VMCP/HA cannot determine the cluster-wide accessibility of a virtual machine on vSAN, and thus cannot guarantee that the virtual machine will be able to restart elsewhere after termination. For example, there may be resources available to restart the virtual machine, but accessibility to the virtual machine by the remaining hosts in the cluster is not known to HA. For traditional datastores, this is not a problem, since we know host-datastore accessibility for the entire cluster, and by using that, we can determine if a virtual machine can be restarted on a host or not.

At the moment, it is not possible for vSphere HA to understand the complete inaccessibility vs. partial inaccessibility on a per virtual machine basis on vSAN; hence the lack of VMCP support by HA for vSAN.

VMware recommends leaving VM Component Protection (VMCP) disabled.

 

Datastore for Heartbeating

vSphere HA provides an additional heartbeating mechanism for determining the state of hosts in the cluster. This is in addition to network heartbeating, and is called datastore heartbeating. In many vSAN environments no additional datastores, outside of vSAN, are available, and as such in general VMware recommends disabling Heartbeat Datastores as the vSAN Datastore cannot be used for heartbeating. However, if additional datastores are available, then using heartbeat datastores is fully supported.

What do Heartbeat Datastores do, and when does it come in to play? The heartbeat datastore is used by a host which is isolated to inform the rest of the cluster what its state is and what the state of the VMs is. When a host is isolated, and the isolation response is configured to "power off" or "shutdown", then the heartbeat datastore will be used to inform the rest of the cluster when VMs are powered off (or shutdown) as a result of the isolation. This allows the vSphere HA master to immediately restart the impacted VMs.

To disable datastore heartbeating, under vSphere HA settings, open the Datastore for Heartbeating section. Select the option “  Use datastore from only the specified list  ”, and ensure that there are no datastore selected in the list, if any exist. Datastore heartbeats are now disabled on the cluster. Note that this may give rise to a notification in the summary tab of the host, stating that the number of vSphere HA heartbeat datastore for this host is 0, which is less than required:2. This message may be removed by following  KB Article 2004739  which details how to add the advanced setting  das.ignoreInsufficientHbDatastore  = true.

Advanced Options

When vSphere HA is enabled on a vSAN Cluster, a heartbeat mechanism is used to validate the state of an ESXi host. Network heart beating is the primary mechanism for HA to validate host availability.

If a host is not receiving any heartbeats, it uses a fail-safe mechanism to detect if it is merely isolated from its HA master node or completely isolated from the network. It does this by pinging the default gateway.

In vSAN environments, vSphere HA uses the vSAN traffic network for communication. This is different from traditional vSphere environments where the management network is used for vSphere HA communication. However, even in vSAN environments, vSphere HA continues to use the default gateway on the management network for isolation detection responses. This should be changed so that the isolation response IP address is on the vSAN network, as this allows HA to react to a vSAN network failure.

In addition to selecting an isolation response address on the vSAN network, additional isolation addresses can be specified manually to enhance the reliability of isolation validation.

Network Isolation Response and Multiple Isolation Response Addresses

In a vSAN Stretched Cluster, one of the isolation addresses should reside in the site 1 data center and the other should reside in the site 2 data center. This would enable vSphere HA to validate host isolation even in the case of a partitioned scenario (network failure between sites).

VMware recommends enabling host isolation response and specifying isolation response addresses that are on the vSAN network rather than the management network.
The vSphere HA advanced setting das.usedefaultisolationaddress  should be set to false.

VMware recommends specifying two additional isolation response addresses, and each of these addresses should be site-specific. In other words, select an isolation response IP address from the Preferred Site and another isolation response IP address from the Non-Preferred Site.

The vSphere HA advanced setting used for setting the first isolation response IP address is das.isolationaddress0  and it should be set to an IP address on the vSAN network which resides on the one site.

The vSphere HA advanced setting used for adding a second isolation response IP address is das.isolationaddress1  and this should be an IP address on the vSAN network that resides on the alternate site.

Cluster Settings - DRS

vSphere DRS is used in many environments to distribute the load within a cluster.

Cluster Settings - DRS

vSphere DRS is used in many environments to distribute load within a cluster. vSphere DRS offers many other features which can be very helpful in vSAN Stretched Cluster environments.

If administrators wish to enable DRS on vSAN Stretched Cluster, there is a requirement to have a vSphere Enterprise Plus license edition or higher. The vSphere Enterprise for ROBO license was introduced in vSphere 6.7 Update 1, and provides DRS features when putting hosts into or taking them out of maintenance mode.

VM/Host Groups & Rules and vSphere DRS

It is recommended to create VM to Host affinity rules mapping VM to Host groups. These specify which virtual machines and hosts reside in the Preferred Site and which reside in the Non-Preferred Site. Using Host/VM groups and rules, it becomes easy for administrators to manage which virtual machines should run on which site, and balance workloads between sites. In the next section, Host/VM groups and rules are discussed.

When used with VM to Host Affinity groups/rules, vSphere DRS addresses:

  • Administrators can easily balance workloads between sites 
  • When virtual machines are powered on, they will only be powered on on hosts that conform to the VM/Host groups and rules settings

VM/Host groups are discussed more thoroughly in the next section.

Full Site Failure/Restoration & vSphere DRS

When a full site failure occurs vSphere HA will restart all virtual machines on the remaining site. 

VM/Host Rules:

  • Should be set to "Should run on hosts in group" for workloads that can be run on the alternate site in the event of a failure. 
  • For workloads that should only ever run on a single site, such as in cases of asymmetrical Stretched Clusters or when using Site Affinity Storage Policies, a "Must run on hosts in group" rule should be used. More information can be found in the Per-Site Policy Considerations section.

The next section addresses "Fully Automated" vs "Partially Automated" considerations.

Partially Automated or Fully Automated DRS

Customers can decide whether to place DRS in partially automated mode or fully automated mode. With partially automated mode, DRS will handle the initial placement of virtual machines. However, any further migration recommendations will be surfaced up to the administrator to decide whether or not to move the virtual machine. The administrator can check the recommendation, and may decide not to migrate the virtual machine. Recommendations should be for hosts on the same site.

With fully automated mode, DRS will take care of the initial placement and on-going load balancing of virtual machines. DRS should still adhere to the Host/VM groups and rules, and should never balance virtual machines across different sites. This is important as virtual machines on vSAN Stretched Cluster will use read locality, which implies that they will cache locally. If the virtual machine is migrated by DRS to the other site, the cache will need to be warmed on the remote site before the virtual machine reaches it previous levels of performance.

One significant consideration with fully automated mode is a site failure. Consider a situation where a site has failed, and all virtual machines are now running on a single site. All virtual machines on the running site have read locality with the running site, and are caching their data on the running site. Perhaps the outage has been a couple of hours, or even a day. Now the issue at the failed site has been addressed (e.g. power, network,etc.). When the hosts on the recovered rejoin the vSAN cluster, there has to be a resync of all components from the running site to the recovered site. This may take some time. However, at the same time, DRS is informed that the hosts are now back in the cluster. If in fully automated mode, the affinity rules are checked, and obviously a lot of them are not compliant. Therefore DRS begins to move virtual machines back to the recovered site, but the components may not yet be active (i.e. still synchronizing). Therefore virtual machines could end up on the recovered site, but since there is no local copy of the data, I/O from these virtual machines will have to traverse the link between sites to the active data copy. This is undesirable due to latency/performance issues. Therefore, for this reason, VMware recommends that DRS is placed in partially automated mode if there is an outage. Customers will continue to be informed about DRS recommendations when the hosts on the recovered site are online, but can now wait until vSAN has fully resynced the virtual machine components. DRS can then be changed back to fully automated mode, which will allow virtual machine migrations to take place to conform to the VM/Host affinity rules.

VM/Host Groups & Rules

VMware recommends enabling vSphere DRS to allow for the creation of Host-VM affinity rules

VM/Host Groups & Rules

VMware recommends creating VM/Host groups & affinity rules, as well as using vSphere DRS to perform initial placement of VMs and to avoid unnecessary vMotion of VMs between sites.

Because a vSAN Stretched Cluster is still a single cluster, DRS is unaware of the fact that it is made up of different sites and it may decide to move virtual machines between them. The use of VM/Host Groups will allow administrators to “pin” virtual machines to sites, preventing unnecessary vMotions/migrations. 

vSAN Stretched Clusters use Read Locality to ensure that reads only occur in the site the virtual machine resides on. In Hybrid vSAN Stretched Cluster configurations, the read cache is only warm on the site the VM resides on. Should the VM be migrated to the alternate site, the read case will have to be warmed. Ensuring that VM's do not freely move between sites will overcome the need for cache to be warmed unnecessarily.

Note that vSAN Stretched Cluster has its own notion of a Preferred site. This is set up during the configuration and refers to which site takes over in the event of a split-brain. It has no bearing on virtual machine placement. It is used for the case where there is a partition between the Preferred and Non-Preferred Site while the vSAN Witness Host can talk to both sites. More detailed failure scenarios are discussed later in this document.

 

Host Groups

When configuring DRS with a vSAN Stretched Cluster, VMware recommends creating Host Affinity Groups and VM Affinity Groups.

Hosts in each site should be group to a site-centric Host Group. When paired with hosts in site-centric groups, VM's assigned to VM groups can easily be configured to determine where VM's are allowed to run.

VM Groups

VM groups should also be created depending on where VMs are desired to be run.

VM Groups should include VMs that have similar placement requirements.

The example above shows a VM Group that includes several VMs. The naming of the VM Group suggests that these VM's will likely run on Site A. 

A VM/Host Rule must be created for this to be the case. VM Groups do not natively perform any function other than the grouping of VMs.

It is important to remember that VM's must be assigned to a VM Group after they have been deployed. This can be accomplished in the vSphere Client or can be accomplished via a script using API calls or through PowerCLI.

VM/Host Rules

When deploying virtual machines on a vSAN Stretched Cluster, for the majority of cases, we wish the virtual machine to reside on the set of hosts in the selected host group. However, in the event of a full site failure, we wish the virtual machines to be restarted on the surviving site.

To achieve this,  VMware recommends implementing “should respect rules” in the VM/Host Rules configuration section. These rules may be violated by vSphere HA in the case of a full site outage. If “must rules” were implemented, vSphere HA does not violate the rule-set, and this could potentially lead to service outages. vSphere HA will not restart the virtual machines in this case, as they will not have the required affinity to start on the hosts in the other site. Thus, the recommendation to implement “should rules” will allow vSphere HA to restart the virtual machines in the other site.

The vSphere HA Rule Settings are found in the VM/Host Rules section. This allows administrators to decide which virtual machines (that are part of a VM Group) are allowed to run on which hosts (that are part of a Host Group). It also allows an administrator to decide on how strictly “VM to Host affinity rules” are enforced.

As stated above, the VM to Host affinity rules should be set to “should respect” to allow the virtual machines on one site to be started on the hosts on the other site in the event of a complete site failure. The “should rules” are implemented by clicking the  Edit button in the vSphere HA Rule Settings at the bottom of the VM/Host Rules view, and setting VM to Host affinity rules to “  vSphere HA should respect rules during failover”. Note that as of vSphere 6.5 the option to configure vSphere HA to respect these rules in the case of a failure is no longer available in the Web Client. By default vSphere HA will respect these rules when possible.

vSphere DRS communicates these rules to vSphere HA, and these are stored in a “compatibility list” governing allowed startup behavior. Note once again that with a full site failure, vSphere HA will be able to restart the virtual machines on hosts that violate the rules. Availability takes preference in this scenario.

 

 

Per-Site Policy Rule Considerations

With the introduction of Per-Site Policy Rules, VM/Hosts Group Rules are more important than ever to consider.

Misconfiguration

It is entirely possible to have a VM Storage Policy using the Affinity rule placing data in the one site, with a VM/Host Group Rule placing the VM in the alternate site.

Here is an illustration of such a configuration:

On a local network, this may not be a significant issue. In a Stretched Cluster configuration, with sites spread across large geographical distances, this is considered a misconfiguration. This is because when the VM does not run in the same site, reads and writes must traverse the inter-site link. 

  • Additional unnecessary bandwidth is consumed to operate the VM running on a site that is opposite to the site the data is stored on. 
  • This bandwidth should stay within the same site to ensure lower bandwidth utilization.
  • In the situation where the alternate site is disconnected, the VM will no longer have access to its vmdk and will essentially become a zombie VM.

Proper Configuration

A proper configuration includes VM/Host Group Rules that properly align with the Affinity Rules assigned to VMs by their corresponding VM Storage Policies.

Setting proper VM/Host Group Rules and VM Storage Policy Affinity Rules are beneficial for several reasons

  • Bandwidth is not unnecessarily sent across the inter-site link
  • Lower inter-site bandwidth utilization
  • In the situation where the alternate site is disconnected, the VM will continue to have access to its vmdk.

Summary

It is important to ensure proper rules are in place to maintain a properly utilized configuration. VMware recommends VM/Host Group rules along with Affinity rules for VM Storage Policies for VMs that are only being stored on one of the two data sites in a vSAN 6.6+ Stretched Cluster.

 

 

 

Installation

The installation of vSAN Stretched Cluster is similar to the configuration of Fault Domains.

Installation

The installation of vSAN Stretched Cluster is almost identical to how Fault Domains were implemented in earlier vSAN versions, with a couple of additional steps. This part of the guide will walk the reader through a stretched cluster configuration.

Before You Start

Before delving into the installation of a vSAN Stretched Cluster, there are a number of important features to highlight that are specific to stretch cluster environments.

What is a Preferred Site?

The Preferred Site is the site that vSAN wishes to remain running when there is a failure and the sites can no longer communicate. One might say that the Preferred Site is the site expected to have the most reliability.

Since virtual machines can run on any of the two sites, if network connectivity is lost between site 1 and site 2, but both still have connectivity to the Witness, the Preferred Site is the one that survives and its components remains active, while the storage on the Non-Preferred Site is marked as down and components on that site are marked as absent. 

What is Read Locality?

Since virtual machines deployed on a vSAN Stretched Cluster will have compute on one site, but a copy of the data on both sites, vSAN will use a read locality algorithm to read 100% from the data copy on the local site, i.e. same site where the virtual machine resides. This is not the regular vSAN algorithm, which reads across all components of the vSAN object.

This algorithm for vSAN Stretched Clusters reduces the latency incurred on read operations.

If latency is less than 5ms and there is enough bandwidth between the sites, read locality could be disabled. However please note that disabling read locality means that the read algorithm reverts to the round-robin mechanism, and for vSAN Stretched Clusters, 50% of the read requests will be sent to the remote site. This is a significant consideration for sizing of the network bandwidth. Please refer to the sizing of the network bandwidth between the two main sites for more details.

Read locality can be disabled/re-enabled in the vSphere Client (6.7 or higher).

The advanced parameter VSAN.DOMOwnerForceWarmCache can be also be set on each host in a cluster from the command line:

esxcfg-advcfg -s 1 /VSAN/DOMOwnerForceWarmCache

Read locality is enabled by default when vSAN Stretched Cluster is configured – it should only be disabled under the guidance of VMware’s Global Support Services organization, and only when extremely low latency is available across all sites. 

Witness Host Must not be part of the vSAN Cluster

When configuring your vSAN Stretched Cluster, only data hosts must be in the cluster object in vCenter. The vSAN Witness Host must remain outside of the cluster, and must not be added to the cluster at any point.

The illustration below shows several vSAN Witness Hosts. Witness3.demo.local is will not function properly because it has been added to a Cluster. 

The other vSAN Witness Hosts will all function properly because they have been added to folders.

vSAN Witness Hosts can reside in the root of a Datacenter object or a folder, but may not reside in a vSphere Cluster.

 

vSAN Health Check Plugin & Stretched Clusters

vSAN Health Checks for Stretched Cluster Configurations

A Select the Cluster object in the vCenter inventory, click on Monitor > vSAN > Health. Ensure the Stretched Cluster Health Checks pass when the cluster is fully configured.  

Note: The Stretched Cluster checks will not be visible until the Stretched Cluster configuration is completed. 

Using a vSAN Witness Appliance

vSAN StretchedCluster supports the use of a vSAN Witness Appliance

Using a vSAN Witness Appliance

VMware vSAN Stretched Cluster supports the use of a vSAN Witness Appliance as the Witness host. This is available as an OVA (Open Virtual Appliance) from VMware. However this vSAN Witness Appliance needs to reside on a physical ESXi host, which requires some special networking configuration.

Networking

The vSAN Witness Appliance contains two network adapters that are connected to separate vSphere Standard Switches (VSS).

The vSAN Witness Appliance Management VMkernel is attached to one VSS, and the WitnessPG is attached to the other VSS. The Management VMkernel (vmk0) is used to communicate with the vCenter Server for appliance management. The WitnessPG VMkernel interface (vmk1) is used to communicate with the vSAN Network. This is the recommended configuration. These network adapters can be connected to different, or the same, networks. As long as they are fully routable to each other, it’s supported, separate subnets or otherwise.

The Management VMkernel interface could be tagged to include vSAN Network traffic as well as Management traffic. In this case, vmk0 would require connectivity to both vCenter Server and the vSAN Network.

In many nested ESXi environments, there is a recommendation to enable promiscuous mode to allow all Ethernet frames to pass to all VMs that are attached to the port group, even if it is not intended for that particular VM. The reason promiscuous mode is enabled in many nested environments is to prevent a virtual switch from dropping packets for (nested) vmnics that it does not know about on nested ESXi hosts.

A Note About Promiscuous Mode

In many nested ESXi environments, there is a recommendation to enable promiscuous mode to allow all Ethernet frames to pass to all VMs that are attached to the port group, even if it is not intended for that particular VM. The reason promiscuous mode is enabled in these environments is to prevent a virtual switch from dropping packets for (nested) vmnics that it does not know about on nested ESXi hosts. Nested ESXi deployments are not supported by VMware other than the vSAN Witness Appliance.

The vSAN Witness Appliance is essentially a nested ESXi installation tailored for use with vSAN Stretched Clusters.

The MAC addresses of the VMkernel interfaces vmk0 & vmk1 are configured to match the MAC addresses of the vSAN Witness Appliance host's NICs, vmnic0 and vmnic1. Because of this, packets destined for either the Management VMkernel interface (vmk0) or the WitnessPG VMkernel interface, are not dropped.

Because of this, promiscuous mode is not required when using a vSAN Witness Appliance.

 

Setup Step 1: Deploy the vSAN Witness Appliance

The vSAN Witness Appliance must be deployed on different infrastructure than the Stretched Cluster itself. This step will cover deploying the vSAN Witness Appliance to a different cluster.

The first step is to download and deploy the vSAN Witness Appliance, or deploy it directly via a URL, as shown below. In this example it has been downloaded:

Select a Datacenter for the vSAN Witness Appliance to be deployed to and provide a name (Witness2 or something similar).

Select a cluster for the vSAN Witness Appliance to reside on. 

Review the details of the deployment and press next to proceed.

The license must be accepted to proceed.

At this point a decision needs to be made regarding the expected size of the Stretched Cluster configuration. There are three options offered. If you expect the number of VMs deployed on the vSAN Stretched Cluster to be 10 or fewer, select the Tiny configuration. If you expect to deploy more than 10 VMs, but less than 500 VMs, then the Normal (default option) should be chosen. For more than 500VMs, choose the Large option. On selecting a particular configuration, the resources consumed by the appliance and displayed in the wizard (CPU, Memory, and Disk):

Select a datastore for the vSAN Witness Appliance. This will be one of the datastore available to the underlying physical host. You should consider when the vSAN Witness Appliance is deployed as thick or thin, as thin VMs may grow over time, so ensure there is enough capacity on the selected datastore. Remember that the vSAN Witness Appliance is not supported on vSAN Stretched Cluster datastores.

Select a network for the Management Network and for the Witness Network. 

Give a root password  for the vSAN Witness Appliance: 

At this point, the vSAN Witness Appliance is ready to be deployed. It will need to be powered on manually via the vSphere web client UI later:

Once the vSAN Witness Appliance is deployed and powered on, select it in the vSphere web client UI and begin the next steps in the configuration process.

 

Setup Step 2: vSAN Witness Appliance Management

Once the vSAN Witness Appliance has been deployed, select it in the vSphere web client UI, open the console.

The console of the vSAN Witness Appliance should be access to add the correct networking information, such as IP address and DNS, for the management network.

On launching the console, unless you have a DHCP server on the management network, it is very likely that the landing page of the DCUI will look something  similar to the following:

Use the <F2> key to customize the system. The root login and password will need to be provided at this point. This is the root password that was added during the OVA deployment earlier.

Select the Network Adapters view. There will be two network adapters, each corresponding to the network adapters on the virtual machine. You should note that the MAC address of the network adapters from the DCUI view match the MAC address of the network adapters from the virtual machine view. Because of this match, there is no need to use promiscuous mode on the network, as discussed earlier.

Select vmnic0, and if you wish to view further information, select the key <D> to see more details.

The next step is to configure DNS. A primary DNS server should be added and an optional alternate DNS server can also be added. The FQDN, fully qualified domain name, of the host should also be added at this point.

One final recommendation is to do a test of the management network. One can also try adding the IP address of the vCenter server at this point just to make sure that it is also reachable.

When all the tests have passed, and the FQDN is resolvable, administrators can move onto the next step of the configuration, which is adding the vSAN Witness Appliance ESXi instance to the vCenter server. 

Setup Step 3: Add Witness to vCenter Server

There is no difference to adding the vSAN Witness Appliance ESXi instance to vCenter server when compared to adding physical ESXi hosts. However, there are some interesting items to highlight during the process. The first step is to provide the name of the Witness. In this example, vCenter server is managing multiple data centers, so we are adding the host to the Witness data center.

Provide appropriate credentials. In this example, the root user and password.

Acknowledge the certificate warning:

There should be no virtual machines on the vSAN Witness Appliance. Note: It can never run VMs in a vSAN Stretched Cluster configuration. Note also the mode: VMware Virtual Platform. Note also that builds number may differ to the one shown here.

The vSAN Witness Appliance also comes with its own license. You do not need to consume vSphere licenses for the witness appliance:

Lockdown mode is disabled by default. Depending on the policies in use at a customer’s site, the administrator may choose a different mode to the default:

Choose the datacenter that the vSAN Witness Host is being added to for VM Location.

Click Finish when ready to complete the addition of the Witness to the vCenter server:

One final item of note is the appearance of the vSAN Witness Appliance ESXi instance in the vCenter inventory. It has a light blue shading, to differentiate it from standard ESXi hosts. It might be a little difficult to see in the screenshot below, but should be clearly visible in your infrastructure. (Note: In vSAN 6.1 and 6. 2 deployments, the “No datastores have been configured” message is because the nested ESXi host has no VMFS datastore. This can be ignored.) 

One final recommendation is to verify that the settings of the vSAN Witness Appliance match the Tiny, Normal or Large configuration selected during deployment. 

Deployments should have: 

  • Boot Device 
    • 12GB HDD in vSAN 6.5 or higher (8GB for vSAN 6.1/6.2) 
  • Cache Device to be configured later
    • 10GB Flash Drive
  • Capacity Device(s) to be configured later
    • Tiny: A 15GB HDD 
    • Normal: A 350GB HDD
    • Large: 3x 350GB HDD

Once confirmed, you can proceed to the next step of configuring the vSAN network for the vSAN Witness Appliance.

 

 

Setup Step 4: Config vSAN Witness Host Networking

The next step is to configure the vSAN network correctly on the vSAN Witness Appliance. When the Witness is selected, navigate to Configure > Networking > Virtual switches as shown below.

The Witness has a port group pre-defined called witnessPg. Here the VMkernel port to be used for vSAN traffic is visible. If there is no DHCP server on the vSAN network (which is likely), then the VMkernel adapter will not have a valid IP address. Select VMkernel adapters > vmk1 to view the properties of the witnessPg. Validate that "vSAN" is an enabled service as depicted below.

 Engineering note:  A few things to consider when configuring vSAN traffic on the vSAN Witness Appliance.

  • The default configuration has vmk0 configured for Management Traffic and vmk1 configured for vSAN Traffic.
  • The vmk1 interface cannot be configured with an IP address on the same range as that of vmk0. This is because Management traffic and vSAN traffic use the default TCP/IP stack. If both vmk0 and vmk1 are configured on the same range, a multihoming condition will occur and vSAN traffic will flow from vmk0, rather than vmk1. Health Check reporting will fail because vmk0 does not have vSAN enabled. The multihoming issue is detailed in KB 2010877 (  https://kb.vmware.com/kb/2010877  ).

 Configure the network address 

Select the witnessPg and edit the properties by selecting the pencil icon.

If vSAN is not an enabled service, select the witnessPg port group (vmk1), and then select the option to edit it. Tag the VMkernel port for vSAN traffic, as shown below:

Ensure the MTU is set to an appropriate value. In vSAN 6.1-6.7, this value must be the same as the vSAN Nodes' vSAN Tagged VMkernel interface MTU value. In vSAN 6.7U1, this value can be different when using Witness Traffic Separation, as long as it matches the Witness Tagged VMkernel interface MTU value.

In the IPV4 settings, a default IP address has been allocated. Modify it for the vSAN traffic network.

Static routes are still required by the witnessPg VMkernel interface (vmk1). This is because vSAN uses the default TCP/IP stack, just as the Management VMkernel interface does, which is typically on a different network than vmk1. 
The "Override default gateway for this adapter" setting is not supported for the witness VMkernel interface (vmk1).

Once the witnessPg VMkernel interface address has been configured, click OK.

Setup Step 5: Validate Networking

The final step before a vSAN Stretched Cluster can be configured, is to ensure there is connectivity among the hosts in each site and the Witness host. It is important to verify connectivity before attempting to configure vSAN Stretched Clusters.

Default Gateways and Static Routes

By default, traffic destined for the vSAN Witness host have no route to the vSAN networks from hosts. As a result, pings to the remote vSAN networks fail.

When using vSAN 6.1, 6.2, or 6.5, administrators must implement static routes for the vSAN VMkernel interfaces to the Witness Appliance vSAN VMkernel interface and vice versa.

Static routes, as highlighted previously, tell the TCPIP stack to use a different path to reach a particular network. Now we can tell the TCPIP stack on the data hosts to use a different network path (instead of the default gateway) to reach the vSAN network on the witness host. Similarly, we can tell the witness host to use an alternate path to reach the vSAN network on the data hosts rather than via the default gateway.

Note once again that the vSAN network is a stretched L2 broadcast domain between the data sites as per VMware recommendations, but L3 is required to reach the vSAN network of the witness appliance. Therefore, static routes are needed between the data hosts and the witness host for the vSAN network, but they are not required for the data hosts on different sites to communicate to each other over the vSAN network.

Hosts in Site A

Looking at host esxi01-sitea.rainpole.com , initially, there is no route from the vSAN VMkernel interface (vmk1) to the vSAN Witness Appliance vSAN VMkernel interface with the address of 147.80.0.15 .

Notice that when attempting to ping the vSAN Witness Appliance from host esxi01-sitea.rainpole.com's vSAN VMkernel interface (vmk1), there is no communication.
The command vmkping -I vmk1 <target IP> uses vmk1, because the -I switch specifies using the vmk1 interface.

Add a static route for each host. The esxcli commands used to add a static route is:

esxcli network ip route ipv4 add –n <remote network> -g <gateway to use>

For the hosts in Site A, the command used above is esxcli network ip route ipv4 add -n 147.80.0.0/24 -g 172.3.0.1 .

This is because the hosts in Site A, have a gateway to the Witness vSAN Appliance vSAN VMkernel interface through 172.3.0.1.

Other useful commands are esxcfg-route –n , which will display the network neighbors on various interfaces, and esxcli network ip route ipv4 list , to display gateways for various networks. Make sure this step is repeated for all hosts.

Hosts in Site B

Looking at esxi02-siteb.rainpole.com , it can also be seen that there is no route to the vSAN VMkernel Interface (vmk1) to the vSAN Witness Appliance VMkernel interface with the address 147.80.0.15 .  The issue is the same as esxi01-sitea.rainpole.com on esxi02-siteb.rainpole.com .

The route from Site B to the vSAN Witness Appliance vSAN VMkernel interface, is different however. The route from Site B (in this example) is through 172.3.0.253 .

For the hosts in Site B, the command used above is esxcli network ip route ipv4 add -n 147.80.0.0/24 -g 172.3.0.253 .

The vSAN Witness Appliance in the 3rd Site

The vSAN Witness Appliance, in the 3rd Site is configured a bit different. The vSAN VMkernel interface (vmk1) must communicate across different gateways to connect to Site A and Site B.

Communication to Site A in this example must use 147.80.0.1 and communication to Site B must use 147.80.0.253 .

Because of this routes must be added for each vSAN VMkernel interface for each of the hosts in Site A and Site B, on the vSAN Witness Appliance.


To do this individually for each host in Site A, the commands would be:

esxcli network ip route ipv4 add -n 172.3.0.11/32 -g 147.80.1
esxcli network ip route ipv4 add -n 172.3.0.12/32 -g 147.80.0.1

To do this individually for each host in Site B, the commands would be:

esxcli network ip route ipv4 add -n 172.3.0.13/32 -g 147.80.0.253
esxcli network ip route ipv4 add -n 172.3.0.14/32 -g 147.80.0.253

With proper routing for each site, connectivity can be verified. Before verifying, let's review the configuration.

Configuration Summary

The following illustration shows the data flow between each of the data sites and the vSAN Witness Appliance in Site 3.


Host VMkernel IP Site Static Route to Witness Static Route to Site A Static Route to Site B Fault Domain
esxi01-sitea.rainpole.com vmk1 172.3.0.11 A 172.3.0.1 NA NA Preferred
esxi02-sitea.rainpole.com vmk1 172.3.0.12 A 172.3.0.1 NA NA Preferred
esxi01-siteb.rainpole.com vmk1 172.3.0.13 B 172.3.0.253 NA NA Secondary
esxi02-siteb.rainpole.com vmk1 172.3.0.14 B 172.3.0.253 NA NA Secondary
witness-01.rainpole.com vmk1 147.80.0.15 3 NA 147.80.0.1 147.80.0.253  

 

Next Steps

Once routing is in place, ping from each host's appropriate interface using vmkping -I vmkX <destination IP> to check connectivity. When connectivity has been verified between the vSAN data node VMkernel interfaces and the vSAN Witness Appliance vSAN VMkernel interface, the Stretched Cluster can be configured.

Configuring vSAN Stretched Cluster

There are several methods to configure a vSAN Stretched Cluster. 

A new cluster can be stretched or an existing cluster can be converted to a Stretched Cluster.

Creating a New vSAN Stretched Cluster

Creating a vSAN stretched cluster from a group of hosts that does not already have vSAN configured is relatively simple. A new vSAN cluster wizard makes the process very easy.

Create a Cluster using the Cluster Quickstart

The following steps should be followed to install a new vSAN Stretched Cluster. This example is a 3+3+1 deployment, meaning three ESXi hosts at SiteA, three ESXi hosts at the SiteB and 1 vSAN Witness Host.

In this example, there are 6 nodes available: esx01-sitea, esx02-site a, esx03-sitea, esx01-siteb, esx02-siteb, and esx03-siteb. All six hosts reside in a vSphere cluster called stretched-vsan. The seventh host witness-01, which is the witness host, is in its own data center and is not added to the cluster.

To setup vSAN and configure stretch cluster navigate to the Manage > vSAN > Cluster Quickstart to begin the vSAN wizard.

1. Cluster basics

Give the cluster a name, select the vSphere DRS, vSphere HA, and vSAN Services.

2. Add Hosts

With the Cluster basics configured, hosts must be added to the cluster.

An Add hosts dialog box is used to add new hosts or existing hosts in vCenter.

If hosts have not been added to vCenter the host certificates must be verified.

A summary of added hosts is displayed.

Select finish to add hosts to the cluster.

3. Configure Cluster

While services have been configured and hosts have been added, the hosts have not been configured for use by the cluster.

Selecting Configure will launch the Configure cluster wizard. This wizard starts with the ability to configure one or more vSphere Distributed Switches for use by vMotion and vSAN. If one or more vSphere Distributed Switches is already created, they may be used instead of creating new vSphere Distributed Switch(es). Choosing "Configure network settings later" will bypass the networking configuration. Use this setting if vMotion and vSAN configurations are already configured.

vMotion traffic is configured next.

Network-specific information such as VLAN tagging, protocol, and network addresses for the vMotion network.
Note: Use the AUTOFILL option to automatically populate network addressing sequentially.

vSAN traffic is configured next.

Network-specific information such as VLAN tagging, protocol, and network addresses for the vSAN network.
Note: Use the AUTOFILL option to automatically populate network addressing sequentially.

Advanced options are where the basics for HA, DRS, vSAN, NTP, EVC, and more can be set.
Note: Advanced HA & DRS settings will have to be configured afterward for a proper configuration.

Be certain to set:

  • HA with 
    • Host Failure Monitoring
    • Admission Control
    • Host failures to tolerate to the number of hosts in a site
  • DRS
    • Partially Automated
  • vSAN Deployment Type
    • Stretched cluster 

Disks can then be claimed for vSAN. 

Proxy settings can be configured to allow vCenter configurations that do not have direct access to the Internet to communicate with VMware for the Online Health check as well as anonymized telemetry data.

Fault Domains are configured to determine which hosts will be in which site. The left site is the initial Preferred site, but this may be swapped to the alternate site at a later time if desired.

A vSAN Witness Host is chosen to prevent split-brain scenarios when each data site is isolated from the other.

Just like a regular vSAN data node, the vSAN Witness Host must have a disk group created.
If using the vSAN Witness Appliance for a vSAN Witness Host, the Cache disk will always be the 10GB Flash Disk.

After the vSAN Witness Host has been selected, the Wizard will complete.

 

Converting a Cluster to a Stretched Cluster

The following steps should be followed to convert an existing vSAN cluster to a stretched cluster. This example is a 3+3+1 deployment, meaning three ESXi hosts at the SiteA, three ESXi hosts at the SiteB and 1 vSAN Witness Host.

Consider that all hosts are properly configured and vSAN is already up and running.

Fault Domains

Configuring the stretched cluster setting is handled through the Fault Domains menu item. Select Configure > Fault Domains

Configure the Fault Domains.

The leftmost Fault Domain is initially the Preferred Fault Domain. The alternate site may be designated as the Preferred later if desired.

Witness Host

A vSAN Witness Host is chosen to prevent split-brain scenarios when each data site is isolated from the other.

Claim disks for witness host

Just like a regular vSAN data node, the vSAN Witness Host must have a disk group created.
If using the vSAN Witness Appliance for a vSAN Witness Host, the Cache disk will always be the 10GB Flash Disk.

Finish

Review the vSAN Stretched Cluster configuration for accuracy and click Finish

 

Set vSphere HA Advanced Settings

Configure HA Advanced Settings

Select Configure > vSphere HA on the vSAN Stretched Cluster to configure the advanced settings for vSphere HA.

Failures and responses

This setting determines what happens to the virtual machines on an isolated host, i.e. a host that can no longer communicate to other nodes in the cluster, nor is able to reach the isolation response IP address.

VMware recommends that the Response for Host Isolation is to Power off and restart VMs. The reason for this is that a clean shutdown will not be possible as on an isolated host the access to the vSAN Datastore, and as such the ability to write to disk, is lost.

Admission Control

Admission control ensures that HA has sufficient resources available to restart virtual machines after a failure. As a full site failure is one scenario that needs to be taken into account in a resilient architecture, VMware recommends enabling vSphere HA Admission Control. Availability of workloads is the primary driver for most stretched cluster environments. Sufficient capacity must, therefore, be available for a full site failure. Since ESXi hosts will be equally divided across both sites in a vSAN Stretched Cluster, and to ensure that all workloads can be restarted by vSphere HA, VMware recommends configuring the admission control policy to 50 percent for both memory and CPU.

VMware recommends using the percentage-based policy as it offers the most flexibility and reduces operational overhead. For more details about admission control policies and the associated algorithms, we would like to refer to the vSphere 6.5 Availability Guide.

The following screenshot shows a vSphere HA cluster configured with admission control enabled using the percentage-based admission control policy set to 50%.

It should be noted that vSAN is not admission-control aware. There is no way to inform vSAN to set aside additional storage resources to accommodate fully compliant virtual machines running on a single site. This is an additional operational step for administrators if they wish to achieve such a configuration in the event of a failure.

Heartbeat Datastores

vSphere HA provides an additional heartbeating mechanism for determining the state of hosts in the cluster. This is in addition to network heartbeating, and is called datastore heartbeating. In many vSAN environment no additional datastores, outside of vSAN, are available, and as such in general VMware recommends disabling Heartbeat Datastores as the vSAN Datastore cannot be used for heartbeating. However, if additional datastores are available, then using heartbeat datastores is fully supported.

What do Heartbeat Datastores do, and when does it come in to play? The heartbeat datastore is used by a host which is isolated to inform the rest of the cluster what its state is and what the state of the VMs is. When a host is isolated, and the isolation response is configured to "power off" or "shutdown", then the heartbeat datastore will be used to inform the rest of the cluster when VMs are powered off (or shutdown) as a result of the isolation. This allows the vSphere HA master to immediately restart the impacted VMs.

To disable datastore heartbeating, under vSphere HA settings, open the Datastore for Heartbeating section. Select the option “  Use datastore from only the specified list  ”, and ensure that there are no datastore selected in the list, if any exist. Datastore heartbeats are now disabled on the cluster. Note that this may give rise to a notification in the summary tab of the host, stating that the number of vSphere HA heartbeat datastore for this host is 0, which is less than required:2. This message may be removed by following  KB Article 2004739  which details how to add the advanced setting das.ignoreInsufficientHbDatastore  = true.

Advanced Options

In a vSAN Stretched Cluster, one of the isolation addresses should reside in the site 1 data center and the other should reside in the site 2 data center. This would enable vSphere HA to validate host isolation even in the case of a partitioned scenario (network failure between sites).

VMware recommends enabling host isolation response and specifying isolation response addresses that are on the vSAN network rather than the management network.
The vSphere HA advanced setting das.usedefaultisolationaddress  should be set to false.

VMware recommends specifying two additional isolation response addresses, and each of these addresses should be site-specific. In other words, select an isolation response IP address from the Preferred Site and another isolation response IP address from the Non-Preferred Site.

The vSphere HA advanced setting used for setting the first isolation response IP address is das.isolationaddress0  and it should be set to an IP address on the vSAN network which resides on the one site.

The vSphere HA advanced setting used for adding a second isolation response IP address is das.isolationaddress1  and this should be an IP address on the vSAN network that resides on the alternate site.

For further details on how to configure this setting, information can be found in  KB Article 1002117. 

Configure Stretched Cluster Site Affinity

Configuring Site Affinity.

This is achieved with VM Groups, Host Groups and VM/Host Rules. 

With these groups and rules, and administrator can specify which set of hosts (i.e. which site) a virtual machine is deployed to. 

The first step is to create two host groups; the first host group will contain the ESXi hosts from the one site and the second host group will contain the ESXi hosts in the alternate site. 

In this setup example, a 3+3+1 environment is being deployed, so there are two hosts in each host group. Select the cluster object from the vSphere Inventory, select Manage, then Settings. This is where the VM/Host Groups are created.

Navigate to  Cluster > Configure > VM/Host Groups  . Select the option to add a group. Give the group a name, and ensure the group type is “Host Group” as opposed to “VM Group”. Next, click  Add to select the hosts should be in the host group. Select the hosts from site A. 

Once the hosts have been added to the Host Group, click  OK . Review the settings of the host group, and click OK  to create it:

This step will need to be repeated for the alternate site. Create a host group for the alternate site and add the ESXi hosts from the alternate site to the host group.

When hosts groups for both data sites have been created, the next step is to create VM groups. However, before you can do this, virtual machines should be created on the cluster.

Create VM Groups

Once the host groups are created, the initial set of virtual machines should now be created.
Do not power on the virtual machines just yet. Once the virtual machines are in the inventory, you can now proceed with the creation of the VM Groups. 

Create the VM Groups for the Preferred site, SiteA in this case. Select the virtual machines that should run in SiteA.

Create a second VM Group for the virtual machines that should reside on the alternate site.

Create VM/Host Rules

Now that the host groups and VM groups are created, it is time to associate VM groups with host groups and ensure that particular VMs run on a particular site. Navigate to the VM/Host rules to associate a VM group with a host group.

In the example shown below, The VMs in the SiteAVMs VM group with the host group called SiteAHosts, which will run the virtual machines in that group on the hosts in SiteA. 

This is a “should” rule. We use a “should” rule as it allows vSphere HA to start the virtual machines on the other side of the stretched cluster in the event of a site failure.

Another VM/Host rule should be created for the SiteB. Again this should be a "should” rule. 

Note: DRS will be required to enforce the VM/Host Rules. Without DRS enabled, the soft “should” rules have no effect on placement behavior in the cluster.

 

 

Verifying vSAN Stretched Cluster Component Layouts

That completes the setup of the vSAN Stretched Cluster.
The final steps are to power up the virtual machines created earlier, and examine the component layout. 

When Site Disaster Tolerance is set to Dual Site Mirroring is chosen a copy of the data should go to both sites, and the Witness Component should be placed on the vSAN Witness Host.
Failures to Tolerate where data resides on each site.

 

In the example below, sitea-esxi01, sitea-esxi02, & sitea-esxi03 reside in SiteA, and siteb-esx01, siteb-esxi02, and siteb-esx03 reside in SiteB. Witness.demo.local is the witness. The layout shows that the VM has been deployed correctly.

The illustration shows: 

  • One mirrored copy of the data and a witness component reside on storage in SiteA
  • A second mirrored copy of the data and a witness component reside on storage in SiteB
  • A Witness component resides on the vSAN Witness Host

Warning: Disabling and re-enabling of vSAN in a stretched cluster environment has the following behaviors:

The witness configuration is not persisted. When recreating a vSAN Stretched Cluster, the vSAN Witness Host will need to be re-configured.
If using the same vSAN Witness as before, the vSAN Witness Host's disk group will need to be deleted before it may be added back.

This can be done by:

  • Using the esxcli vsan storage remove command
    • From an ESXi host console session (local or SSH)
    • Using the vSphere CLI
  • Executing a similar command remotely using PowerCLI.
  • Removing the partition from the vSAN Witness Host cache disk using the vSphere UI.

Fault Domains are persisted, but vSAN does not know which FD is to be designated as Preferred.

 

Upgrading a older vSAN Stretched Cluster

Upgrading a vSAN Stretched Cluster is very easy. It is important though to follow a sequence of steps to ensure the upgrade goes smoothly.

Upgrade vCenter Server

As with any vSphere upgrades, it is typically recommended to upgrade vCenter Server first. 

*Refer to the documentation for vCenter Server for Windows to properly upgrade to a newer release of vCenter Server.

Upgrade Hosts in Each Site

Upgrading hosts at each site is the next task to be completed. There are a few considerations to remember when performing these steps.

As with any upgrade, hosts will be required to be put in maintenance mode, remediated, upgraded, and rebooted. It is important to consider the amount of available capacity at each site. In sites that have sufficient available capacity, it would be desirable to choose the “full data migration” vSAN data migration method. This method is preferred when site locality is important for read operations. When the “ensure accessibility” method is selected, read operations will traverse the inter-site link. Some applications may be more sensitive to the additional time required to read data from the alternate site.

With vSphere DRS in place, as hosts are put in maintenance mode, it is important to ensure the previously described VM/host groups and VM/host rules are in place. These rules will ensure that virtual machines are moved to another host in the same site. If DRS is set to “fully automated” virtual machines will vMotion to other hosts automatically, while “partially automated” or “manual” will require the virtualization admin to vMotion the virtual machines to other hosts manually.

It is recommended to sequentially upgrade hosts at each site first, followed by sequentially upgrading the hosts at the alternate site. This method will introduce the least amount of additional storage traffic. While it is feasible to upgrade multiple hosts simultaneously across sites when there is additional capacity, as data is migrated within each site, this method will require additional resources. 

Upgrade the Witness Appliance

After both data sites have been upgraded, the vSAN Witness Host will also need to be upgraded. The vSAN Witness Host can be upgraded using vSphere Update Manager or any other approved method to update ESXi.

The vSAN Health Check may show an On-Disk Format inconsistency, but it no longer reports that the vSAN Witness Host is different version. Different releases of vSAN often have updated On-Disk Format versions.

Expanding this Disk format version error does show that the vSAN Witness Host needs to be upgraded.

When using a vSAN Witness Appliance as the vSAN Witness Host, it is important to remember to use a VMware provided vSphere ISO to upgrade and not an OEM provided vSphere ISO. OEM provided vSphere ISOs often have additional OEM vendor software specific to their systems. This additional software is not required on the vSAN Witness Appliance.

Upgrading the vSAN Witness Host can easily be accomplished by vSphere Update Manager.

With the vSAN Witness Host upgraded to a newer release, the On-Disk Format can now be upgraded to a format that is consistent with the release of vSAN.

The process of upgrading the On-Disk Format is relatively quick and does not require data to be evacuated from disk groups or a rolling reformat. The only exception to this rule is moving from an On-Disk Format version previous to version 3. 

The On-Disk Format upgrade can be launched from the vSAN Health Check, or it can be launched from the Disk Management menu in the vSAN Cluster Configuration UI. VMware recommends using the PRE-CHECK UPGRADE option before initiating an upgrade.

The final step in the upgrade process will be to upgrade the on-disk format. 

Once the on-disk format is complete, the cluster has been upgraded.

Management and Maintenance

The following section of the guide covers considerations related to management and maintenance of a vSAN Stretched Cluster configuration.

Maintenance Mode Consideration

vSAN Stretched Cluster configurations have two scenarios to consider; maintenance mode on a Site Host and maintenance mode on the vSAN Witness Host.

Maintenance Mode on a Site Host

Maintenance mode in vSAN Stretched Clusters is site-specific. All maintenance modes (Ensure Accessibility, Full data migration and No data migration) are all supported. However, in order to do a Full Data Migration, there should be enough resources in the same site to facilitate the rebuilding of components on remaining nodes on that site.  

Maintenance Mode on the vSAN Witness Host

Maintenance mode on the vSAN Witness Host should be an infrequent event, as it does not run any virtual machines. When maintenance mode is performed on the vSAN Witness Host, the witness components cannot be moved to either site. When the vSAN Witness Host is put in maintenance mode, it behaves as the No data migration option would on site hosts. It is recommended to check that all virtual machines are in compliance and there is no ongoing failure, before doing maintenance on the vSAN Witness Host.

While the vSAN Witness Host is in maintenance mode the cluster will not be able to survive a site failure. Maintenance of the vSAN Witness Host should be kept to the 

Failure Scenarios

In this section, we will discuss the behavior of the vSAN Stretched Cluster when various failures occur.

Failure Scenarios

Failure Scenarios and Component Placement

Understanding component placement is paramount in understanding failure scenarios. The illustration shows the placement of a vSAN Object's components in a Stretched Cluster Scenario.

The virtual machine's virtual disk (vmdk) has one component placed in the Preferred Site, one component placed in the Secondary Site, and a Witness component in the Tertiary Site that houses the vSAN Witness Host.

The illustration shows a storage policy that will protect across sites, but not within a site. This is the default protection policy used with vSAN Stretched Clusters for versions 6.1 through 6.5.

Local protection within a site was added in vSAN 6.6.

Below is a vSAN 6.6 cluster with data protection (mirroring) across sites, as well as local data protection (mirroring in this case) within each of the data sites.

vSAN Stretched Clusters can support up to a single complete site failure and a policy-based maximum of host failures within a site.

If a site has more failures than the local protection policy will allow, then the site is considered failed. It is important to remember that the vSAN Witness Host, residing in the Tertiary site, is only a single host. Because of this, a failure of the vSAN Witness Host is also considered a site failure.

The scenarios in this section will cover different failure behaviors.

Individual Host Failure or Network Isolation

What happens when a host fails or is network isolated?

vSAN will mark the component absent. The VM will continue to run or it will be rebooted by vSphere HA if the VM was running on the host that went offline.

If the policy includes Local Protection (introduced in vSAN 6.6), reads will be serviced by the remaining components within the same site.

  • The component will be rebuilt within the same site after 60 minutes if there is an additional host available and the failed host does not come back online.
  • If there are no additional hosts available within the site, the component will only be rebuilt if the failed/isolated host comes back online.
  • In cases where multiple hosts that contain the components fail or are isolated, reads will be services across the inter-site link.

    This can be a significant amount of traffic on the inter-site link depending on the amount of data on the failed host.


If the policy does not include Local Protection, reads will be serviced across the inter-site link.
This can be a significant amount of traffic on the inter-site link depending on the amount of data on the failed host.

  • The component will be rebuilt within the same site as the failed/isolated hosts after 60 minutes if there is an alternate
  • If there are no additional hosts available, or hosts are at capacity, the component will only be rebuilt if the failed/isolated host comes back online.

 

Individual Drive Failure

What happens when a drive fails?

vSAN will mark the component absent. The VM will continue to run.

If the policy includes Local Protection (introduced in vSAN 6.6), reads will be serviced by the remaining components within the same site.

  • The component will be rebuilt within the same site after 60 minutes if there is an additional host available and the failed host does not come back online.
  • If there are no additional hosts available within the site, the component will only be rebuilt if the failed/isolated host comes back online.
  • In cases where multiple hosts that contain the components fail or are isolated, reads will be services across the inter-site link.

    This can be a significant amount of traffic on the inter-site link depending on the amount of data on the failed host.

If the policy does not include Local Protection, reads will be serviced across the inter-site link.
This can be a significant amount of traffic on the inter-site link depending on the amount of data on the failed host.

  • The component will be rebuilt within the same site as the failed/isolated hosts after 60 minutes if there is an alternate
  • If there are no additional hosts available, or hosts are at capacity, the component will only be rebuilt if the failed/isolated host comes back online.

 

 

Site Failure or Network Partitions

What happens when sites go offline or lose connectivity?

A typical vSAN Stretched Cluster configuration can be seen here:

Preferred Site Failure or Completely Partitioned

In the event the Preferred Site fails or is partitioned, vSAN powers the virtual machines running in that site off. The reason for this, is because the virtual machine's components are not accessible due to the loss of quorum. The vSAN Stretched Cluster has now experienced a single site failure. The loss of either site in addition to the witness is two failures, will take the entire cluster offline.

An HA master node will be elected in the Secondary Site, which will validate which virtual machines are to be powered on. Because quorum has been formed between the vSAN Witness Host and the Secondary Site, virtual machines in the Secondary Site will have access to their data, and can be powered on.

Secondary Site Failure or Partitioned

In the event the Secondary Site fails or is partitioned, vSAN powers the virtual machines running in that site off. The reason for this, is because the virtual machine's components are not accessible due to the loss of quorum. The vSAN Stretched Cluster has now experienced a single site failure. The loss of either site in addition to the witness is two failures, will take the entire cluster offline.

The HA Master on the Preferred Site, will validate which virtual machines are to be powered on. Virtual machines which have been moved to the Preferred Site will now have access to their data, and can be powered on.

vSAN Witness Host Failure or Partitioned

Virtual machines running in both of the main sites of a Stretched Cluster are not impacted by the vSAN Witness Host being partitioned. Virtual machines continue to run at both locations. The vSAN Stretched Cluster has now experienced a single site failure. The loss of either site in addition to the witness is two failures, will take the entire cluster offline.

In the event the vSAN Witness Host has failed, the behavior is the same as if the vSAN Witness Hosts were partitioned from the cluster. Virtual machines continue to run at both locations. Because the vSAN Stretched Cluster has now experienced a single site failure, it is important to either get the vSAN Witness Host back online, or deploy a new one for the cluster.

When the existing vSAN Witness Host comes back online or a new vSAN Witness Host is deployed, metadata changes are resynchronized between the main Stretched Cluster sites and the vSAN Witness Host. The amount of data that needs to be transmitted depends on a few items such as the number of objects and the number of changes that occurred while the vSAN Witness Host was offline. However, this amount of data is relatively small considering it is metadata, not large objects such as virtual disks.

Intelligent site continuity for stretched clusters

In vSAN 6.7 a number of improvements have been made to the failure response logic when tracking the "fitness" of a site for failover/failback in the event that links to the witness and adjacent data site become available at different times, illustrated below.

This enhancement addresses a scenario in which the preferred site is completely isolated (a break in the ISL link, and to the witness site), and vSAN properly fails over to the secondary site.  In the event that the witness site regains connectivity to the preferred site, vSAN 6.7 will properly track the “fitness” of the site and maintain the Secondary Site as the active site until the ISL is recovered.  This helps prevent a false positive of the primary site being back up, and failing back over to it, and attempting to use stale components.

 

Multiple Simultaneous Failures

What happens if there are failures at multiple levels?

The scenarios thus far have only covered situations where a single failure has occurred.

Local Protection in was introduced in vSAN 6.6. Reviewing the vSAN Storage Policy Rule changes, Number of Failures to Tolerate became Primary Number of Failures to Tolerate , and is directly associated with site availability. Secondary Number of Failures to Tolerate was introduced with Local Protection, which works along with Failure Tolerance Method to determine data layout/placement within a Stretched Cluster site.

Votes and their contribution to object accessibility

The vSAN Design and Sizing Guide goes into further detail about how component availability determines access to objects. In short, each component has a vote, and a quorum of votes must be present for an object to be accessible. Each site will have an equal number of votes and there will be an even distribution of votes within a site. If the total number of votes is an even number, a random vote will be added.

In the illustration below, an 8 Node vSAN Stretched Cluster (4+4+1) has an object with PFTT=1 (Mirrored across sites) and SFTT=1/FTM Mirroring (Local Protection). Each site has 3 votes each in this case, with a total of 9 votes.


If the vSAN Witness Host fails, 3 votes are no longer present, leaving only 6 accessible. Only 66% of the components are available, so the vmdk is still accessible.

With the loss of a vSAN Disk, 4 votes are no longer present, leaving only 5 accessible. Because 55.5% of the components are available, the vmdk is still accessible.


If a component in another location, on either site, regardless of having Local Protection enabled, were to fail, the vmdk would be inaccessible.

Below, the illustration shows the vSAN Witness Host offline, 1 failure in the Preferred Site, and 1 failure in the Secondary Site.


In this illustration, the vSAN Witness Host offline and 2 failures in the Preferred Site.


In both cases , only 44.4% of the votes are present (4 of 9), resulting in the virtual machine's vmdk being inaccessible.

It is important to understand that components, the weight of their votes, and their presence/absence determine accessibility of the vSAN object.

 

 

 

In each of the above failure cases, restoring access to the existing vSAN Witness would make the object accessible.
Deploying a new vSAN Witness would not because the components would not be present.

 

 

Recovering from a Complete Site Failure

The descriptions of the host failures previously, although related to a single host failure, are also complete site failures. VMware has modified some of the vSAN behavior when a site failure occurs and subsequently recovers. In the event of a site failure, vSAN will now wait for some additional time for “all” hosts to become ready on the failed site before it starts to sync components. The main reason is that if only some subset of the hosts come up on the recovering site, then vSAN will start the rebuild process. This may result in the transfer of a lot of data that already exists on the nodes that might become available at some point in time later on.

VMware recommends that when recovering from a failure, especially a site failure, all nodes in the site should be brought back online together to avoid costly resync and reconfiguration overheads. The reason behind this is that if vSAN bring nodes back up at approximately the same time, then it will only need to synchronize the data that was written between the time when the failure occurred and the when the site came back. If instead nodes are brought back up in a staggered fashion, objects might to be reconfigured and thus a significant higher amount of data will need to be transferred between sites.

How Read Locality is Established After Failover

How Read Locality is Established After Failover to Other Site?

A common question is how read locality is maintained when there is a failover. This guide has already described read locality, and how in a typical vSAN deployment, a virtual machine reads equally from all of its replicas in a round-robin format. In other words, if a virtual machine has two replicas as a result of being configured to tolerate one failure, 50% of the reads come from each replica.

This algorithm has been enhanced for Stretched Clusters so that 100% of the reads comes from vSAN hosts on the local site, and the virtual machine does not read from the replica on the remote site. This avoids any latency that might be incurred by reading over the link to the remote site. The result of this behavior is that the data blocks for the virtual machine are also cached on the local site.

In the event of a failure or maintenance event, the virtual machine is restarted on the remote site. The 100% rule continues in the event of a failure. This means that the virtual machine will now read from the replica on the site to which it has failed over. One consideration is that there is no cached data on this site, so cache will need to warm  for the virtual machine to  achieve its previous levels of performance. New for vSAN 6.6, when a Site Affinity rule is used in conjunction with a PFTT=0 policy, data is not present on the alternate site.

When the virtual machine starts on the other site, either as part of a vMotion operation or a power on from vSphere HA restarting it, vSAN instantiates the in-memory state for all the objects of said virtual machine on the host where it moved. That includes the “owner” (coordinator) logic for each object. The owner checks if the cluster is setup in a “stretch cluster” mode, and if so, which fault domain it is running in. It then uses the different read protocol — instead of the default round-robin protocol across replicas (at the granularity of 1MB), it sends 100% of the reads to the replica that is on the same site (but not necessarily the same host) as the virtual machine.

Replacing a Failed Witness Host

Should a vSAN Witness Host fail in the vSAN Stretched Cluster, a new vSAN Witness Host can easily be replaced from the UI.

Changing the vSAN Witness Host  

Navigate to Cluster > Configure > Fault Domains.

The illustration shows that witness0.demo.local is not responding.

The CHANGE WITNESS HOST option will launch a wizard to select a new vSAN Witness Host.

The first illustration shows that witness1.demo.local has been deployed. The Change Witness Host wizard confirms that it is not being used by any other cluster.

This wizard will not deploy a vSAN Witness Appliance, so a vSAN Witness Appliance will need to be deployed before invoking this wizard. 

After selecting an available vSAN Witness Host, the disk group will need to be created. 

When claiming disks for the vSAN Witness Host Disk Group, be certain that enough capacity is available for the number of components in the vSAN Stretched Cluster.

Profile Capacities:

  • Tiny - 750 Components - 15GB Capacity Device
  • Normal - 22,000 Components - 350GB Capacity Device
  • Large - 45,000 Components - 3x350GB Capacity Devices

Note: the 10GB Flash Device will always be selected as the Cache Device.

 

On completion, verify that the vSAN Health Check failures have been resolved. 

Note that the vSAN Object health test may continue to fail as the witness component of VM still remains “Absent” if the vSAN Witness Host is replaced before the CLOMD (Cluster Level Object Manager Daemon) timer expires (default of 60 minutes).  

Run the vSAN Heath Check to ensure there are on vSAN Object Health errors. If there are any errors, and the Repair Object Immediately option is available, execute it.

Witness components will be rebuilt on the new vSAN Witness Host. 

Rerun the health check tests and they should all pass at this point.

 

VM Provisioning When a Site is Down

If there is a failure in the cluster, i.e. one of the sites is down; new virtual machines can still be provisioned. The provisioning wizard will however warn the administrator that the virtual machine does not match its policy as follows: 

In this case, when one site is down and there is a need to provision virtual machines, the ForceProvision capability is used to provision the VM. 

If a policy that has the Force Provisioning Rule already exists, that policy may be used. If a policy does not exist with the Force Provisioning Rule, one will have to be created.

Cloning an existing policy, and selecting Force Provisioning in the Advanced Policy Rules will create a similar policy and will allow vSAN Objects to be provisioned when one site is offline.

Virtual Machines provisioned with a Storage Policy with the Force Provisioning Rule enabled will be deployed initially with no redundancy. 

When the cluster connectivity & availability issues have been rectified, vSAN will automatically update the vSAN object configuration to meet the desire Storage Policy Rules. VMware recommends applying the originally desired Storage Policy to the vSAN Object after the it meets the originally desired Storage Policy configuration.

Efficient inter-site resync for stretched clusters

With the introduction of vSAN 6.7 improvements were made to the resync mechanism in stretched clusters that further reduces the time from component failure to object compliance. One particular example is the use of a "proxy owner" host for objects that need to be resynced across sites following a failure.

Take the example of an object with the storage policy: PFTT=1, SFTT=1.

Let us assume that Site B (Secondary) has had a failure and that all components on that site need to be rebuilt, in previous versions of vSAN the resync would read the Primary site's data and synchronise it multiple times across the inter-site link (ISL), so if two components needed to be rebuilt on the Secondary site the data would be transmitted twice across the ISL raising the bandwidth utilisation on the ISL for the duration of the resync.

In 6.7 resyncs made to the remote site with now be copied once to a proxy host and then copied within that site to the other hosts from the proxy host, this lowers the traffic cost for resyncs across sites from one copy per component (could be multiple if using R5/R6) down to a single copy.

The above figure illustrates the flow of how components are rebuilt in vSAN 6.7 with the proxy owner improvement for inter-site resyncs. First, a copy is made to Site B, then the object is re-created within the site and finally, the data is copied from the proxy host to any other hosts within the site.

Failure Scenario Matrices

Failure Scenario Matrices

 Hardware/Physical Failures 

 Scenario   vSAN Behaviour   Impact/Observed VMware HA Behaviour 
 
 Cache disk failure  Disk Group is marked as failed and all components present on it will rebuild on another Disk Group. VM will continue running.
 Capacity disk failure (Dedupe and Compression ON)  Disk Group is marked as failed and all components present on it will rebuild on another Disk Group. VM will continue running.
 Capacity disk failure (Dedupe and Compression OFF)  Disk marked as failed and all components present on it will rebuild on another disk. VM will continue running.
 Disk Group failure/offline  All components present on the Disk Group will rebuild on another Disk Group. VM will continue running.
 RAID/HBA card failure  All Disk Groups backed by the HBA/RAID card will be marked absent and all components present will rebuild on other Disk Groups. VM will continue running.
 Host failure  Component on the host will be marked as absent by vSAN – component rebuild will be kicked off after 60 minutes if the host does not come back up. VM will continue running if on another host. If the VM was running on the same host as the failure an HA restart of the VM will take place.
 Host isolation  Components present on the host will be marked as absent by vSAN – component rebuilds will be kicked off after 60 minutes if the host does not come back online. VM will continue running if on another host. If the VM was running on the same host as the failure an HA restart of the VM will take place when the Host Isolation response is accurately configured.
 Witness loss / failed / isolated from one or both sites  Witness loss counts as a site (PFTT) failure, as such the cluster will be placed in a degraded state until the witness comes back online or is redeployed. VM will continue running.
 Data site failure or partition, ISL failure / connectivity loss  Site is declared lost, quorum is established between the witness and the remaining data site. VMs running on the partitioned/failed site are powered off by vSAN.

If there is an ISL loss, HA will restart the VMs from the secondary site on the preferred site.

If the preferred site has failed, the VMs will be restarted on the secondary site.
 Dual site loss  Cluster offline. VMs stop running. HA cannot restart VMs until quorum is re-established.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Policy Implications 

The below table is built based on the following example policy configuration:

PFTT = 1, SFTT = 2, FTM = R5/6
Scenario   vSAN Behaviour   Impact/Observed VMware HA Behaviour 
Single site failure (PFTT)  Site marked as failed and rebuild of components will begin when the failed site comes online again. This is also triggered in the event that the Witness site is lost as it is viewed as a discrete site. VMs running on the partitioned/failed site are powered off.

HA will restart the VMs from the secondary site on the preferred site.

If the preferred site has failed, they will restart on the secondary site.
Single disk, disk group, host failure on one site (SFTT)  All components present will rebuild on their respective fault domain. Disk and disk group failures will not affect VM running state.

VMs will continue running if on a host other than the one that failed. If the VM was running on the failed host an HA restart of the VM will take place.
Dual disk, disk group, host failure on one site (SFTT)  Site marked as failed by vSAN, component rebuilds will begin when the site comes online again. The site is marked as failed from a vSAN standpoint.  VMs will continue running if on a host other than the one that failed. If the VM was running on the failed host an HA restart of the VM will take place.
Single site failure (PFTT) and single disk, disk group, host failure  across remaining  sites (SFTT)  Site marked as failed, disk/disk group/host also marked as failed.

Components present on the failed site will wait for the site to come online again in order to rebuild.

Components present on the failed disk/disk group/host will rebuild on their respective fault domain within the same site.
Disk and disk group failures will not affect VM running state.

VMs will continue running if they are running on a host/site other than the ones that failed.

If the VM was on the failed host/site an HA restart of the VM will take place.
Single site failure (PFTT) and dual disk, disk group, host failure across remaining sites (SFTT)  Site marked as failed, both disks/disk groups/hosts also marked as failed.

Components present on the failed site will wait for the site to come online again in order to rebuild.

Components present on the failed disks/disk groups/hosts will rebuild on their respective fault domain within the same site.
Disk and disk group failures will not affect VM running state.

VMs will continue running if they are running on a host/site other than the ones that failed.

If the VM was on the failed hosts/site an HA restart of the VM will take place.
Single site failure (PFTT) and triple disk, disk group, host failure across remaining sites (SFTT)  Cluster offline. Both sites marked as failed by vSAN. A site will need to come back online to bring vSAN online.

This is as a result of the single PFTT failure (for example the witness) and the dual SFTT failure. The policy specifies "SFTT=2" which, during a PFTT violation is counted globally across sites due to quorum implications.

The cluster can be brought up again by bringing the failed site back online or replacing the failed SFTT devices on remaining sites.
VMs will stop running and the cluster will be offline until a site is brought back online.

Due to the PFTT and SFTT violations (single site failure and triple SFTT failure) the cluster's objects will have lost quorum and as-such cannot run.
 Dual site failure (PFTT)  Cluster offline. A site will need to come back online to bring vSAN back online. VMs will stop running and the cluster will be offline until a site is brought back online.
Single disk, disk group, host failure on one site (SFTT) and Dual  disk, disk group, host failure on another site (SFTT)  The site with a dual failure will be marked as failed by vSAN, components residing on the site will need to wait for it to come online to rebuild.

The site with the single failure will have its components rebuilt on their respective fault domain within the site.
Disk and disk group failures will not affect VM running state.

VMs will continue running if on a host other than the one that failed. If the VM was on the failed host as the failure an HA restart of the VM will take place.

VMs running on the failed site are powered off, HA will restart the VMs from the secondary site on the preferred site. If the preferred site has failed, they will restart on the secondary site.
Dual disk, disk group, host failure on one site (SFTT) and Dual  disk, disk group, host failure on another site (SFTT)  Cluster offline. A site will need to come back online to bring vSAN online.

This is as a result of the dual SFTT failure and the policy specifying "SFTT=2", after which the site is marked as failed.

This can be achieved by replacing the failed SFTT devices on either site.
VMs will stop running and the cluster will be offline until a site is brought back online.
Component failure of any sort when insufficient fault domains are available for a rebuild  The component out of compliance will not rebuild until adequate failure domains are available. VM will continue to run as long as the policy has not been violated.

A special case should be called out for policies configured with  PFTT=0 and Affinity=Secondary 

Scenario   vSAN Behaviour   Impact/Observed vSAN Behaviour 
 Sites are partitioned due to ISL loss  No component reconfiguration across sites is required due to PFTT=0. In addition, as site affinity is set to secondary the VM will not be HA restarted on the preferred site, rather it will be allowed to run in place on the secondary site. This is because the object is in compliance with its policy and does not need site-quorum to run. VM continues running.

Appendix A: Additional Resources

A list of links to additional vSAN resources.

Location of the vSAN Witness Appliance OVA

The vSAN Witness Appliance OVA is located on the Drivers & Tools tab of vSAN download page. There you will find a section called VMware vSAN tools & plug-ins. This is where the "Stretch Cluster Witness VM OVA" is located. The URL is:

https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_virtual_san/6_0#drivers_tools

Appendix B: Commands for vSAN Stretched Clusters

ESXCLI

New ESXCLI commands for vSAN Stretched Cluster.

esxcli vsan cluster preferredfaultdomain

Display the preferred fault domain for a host: 

[root@cs-ie-dell04:~] esxcli vsan cluster preferredfaultdomain
 Usage: esxcli vsan cluster preferredfaultdomain {cmd} [cmd options]

 Available Commands:
   get  Get the preferred fault domain for a stretched cluster.
   set  Set the preferred fault domain for a stretched cluster.


 [root@cs-ie-dell04:~] esxcli vsan cluster preferredfaultdomain get
    Preferred Fault Domain Id: a054ccb4-ff68-4c73-cb c2-d272d45e32df
    Preferred Fault Domain Name: Preferred
 [root@cs-ie-dell04:~]

esxcli vsan cluster unicastagent

An ESXi host in a vSAN Stretched Cluster communicated to the witness host via a unicast agent over the vSAN network. This command can add, remove or display  information about the unicast agent, such as network port.

[root@cs-ie-dell02:~] esxcli vsan cluster unicastagent
Usage: esxcli vsan cluster unicastagent {cmd} [cmd options]

Available Commands:
  add   Add a unicast agent to the vSAN cluster configuration.
  list  List all unicast agents in the vSAN cluster configuration.
  remove   Remove a unicast agent from the vSAN cluster configuration.

[root@cs-ie-dell02:~] esxcli vsan cluster unicastagent list
 IP Address    Port
 ---------- ----- 
 172.3.0.16 12321
 [root@cs-ie-dell02:~]

RVC–Ruby vSphere Console

The following are the new stretched cluster RVC commands:
vsan.stretchedcluster.config_witness 
Configure a witness host. The name of the cluster, the witness host and the preferred fault domain must all be provided as arguments.

 /localhost/Site-A/compu ters> vsan.stretchedcluster.config_witness -h
 usage: config_witness  cluster  witness_host  preferred_fault_domain
 Configure witness host to form a vSAN Stretched Cluster
   cluster: A cluster with vSAN enabled
   witness_host: Witness host for the stretched cluster
   preferred_fault_domain: preferred fault domain for witness host
   --help, -h: Show this message
 /localhost/Site-A/computers>

vsan.stretchedcluster.remove_witness
Remove a witness host. The name of the cluster must be provided as an argument to the command.

 /localhost/Site-A/compu ters> vsan.stretchedcluster.remove_witness -h
 usage: remove_witness cluster
 Remove witness host from a vSAN Stretched Cluster
   cluster: A cluster with vSAN stretched cluster enabled
   --help,-h: Show this message

vsan.stretchedcluster.witness_info
Display information about a witness host. Takes a cluster as an argument. 

/localhost/Site-A/compu ter s>  ls 
 0  Site-A (cluster): cpu 100 GHz, memory 241 GB
 1 cs-ie-dell04.ie.local   (standalone): cpu 33 GHz, memory 81 GB
/localhost/Site-A/compu ters> vsan.stretchedcluster.witness_info  0
 Found witness host for vSAN stretched cluster.
 +------------------------+
--------------------------------------+
 | Stretched  Cluster   | Site-A          |
 +------------------------+--------------------------------------+
 | Witness Host Name      | cs-ie-dell04.ie.local                 |
 | Witness Host UUID      | 55684ccd-4ea7-002d-c3a 9-ecf4bbd59370  |
 | Preferred Fault Domain  | Preferred                            |
 | Unicast  Agent Address   | 172.3.0.16                           |
 +------------------------+--------------------------------------+