Shortly after clarifying that VMware Cloud on AWS is a supported hosting environment for the vSAN Witness Appliance, there was a rush of inquiries into what is involved in its setup.
Deploying a vSAN Witness Appliance in VMware Cloud on AWS is a straightforward process. Since the Witness Appliance is running as a client workload inside VMC, we need to ensure network connectivity between the Compute Gateway (CGW) and every remote vSphere host.
VMware Cloud on AWS supports a robust collection of connectivity options, from IPsec VPN to AWS Direct Connect and everything in between. However you choose to connect the remote site to the VMC SDDC, once basic network connectivity is established the CGW firewall must be configured to allow the Witness traffic through. Before we get into the ports and protocols used, let's briefly review the network architecture of the vSAN Witness Appliance.
vSAN Witness Network configuration
The vSAN Witness Appliance comes preconfigured with two VMkernel Adapters connected to dedicated Virtual Switches making it easier to separate the Management traffic from the vSAN Witness communications.
If using a single subnet, both adapters can be attached to the same network without issue. See the vSAN Stretched Cluster Guide for more information on designing a Stretched Cluster deployment and the networking considerations therein.
Regardless of the number of networks and underlying connectivity, the CGW firewall needs to be configured to allow the Witness Appliance in to and out of the VMC SDDC.
Firewall configuration for the vSAN Witness Appliance
A complete listing of the ports and protocols used by VMware vSphere can be found in the vSphere 6.7 Security documentation, as well as the vSAN-specific ports and their uses. Table 1 lists the minimum firewall rules required to allow vSAN Witness traffic in to and out of the CGW firewall.
Table 1) vSAN Witness Network Ports and traffic flow

| Source | Destination | Protocol | Port | Description |
|---|---|---|---|---|
| vCenter | Witness – Mgmt | UDP | 902 | vSphere Web Client |
| vCenter | Witness – Mgmt | TCP | 443 | vSphere Web Client |
| vCenter | Witness – Mgmt | TCP | 902 | vSphere Web Client |
| vCenter | Witness – Mgmt | TCP | 9080 | I/O Filter Service |
| Witness – Mgmt | vCenter | TCP | 443 | vSphere Web Client |
| Witness – Mgmt | vCenter | TCP | 902 | vSphere Web Client |
| Witness – Mgmt | vCenter | TCP | 9080 | I/O Filter Service |
| Witness – vSAN | vSphere | TCP | 2233 | vSAN Transport |
| vSphere | Witness – vSAN | TCP | 2233 | vSAN Transport |
| vSphere | Witness – vSAN | UDP | 12321 | vSAN Clustering Service |
| Witness – vSAN | vSphere | UDP | 12321 | vSAN Clustering Service |
| Witness – vSAN | vSphere | ICMP | | vSAN Health Check |
| vSphere | Witness – vSAN | ICMP | | vSAN Health Check |
Putting it all together
To deploy a vSAN Witness Appliance within VMware Cloud on AWS, start by deploying the witness OVA just as you would on-premises.
Once the OVA has finished deploying, create the relevant rules to allow the witness communications through the Compute Gateway firewall.
Finally, add the new vSAN Witness Appliance to the destination vCenter and configure the Stretched Cluster appropriately.
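Before you click through the Compute Gateway UI, it is worth checking a drafted rule set against Table 1 so that nothing is forgotten and nothing is opened wider than the witness needs. The script below is an added example, not code from the original post or from VMware: it transcribes Table 1 as data, assumes the CGW groups are named vCenter, Witness-Mgmt, Witness-vSAN and vSphere, and audits a constructed rule set for missing flows and for overly broad "any" rules.

```python
"""Audit a Compute Gateway (CGW) rule set against the vSAN Witness flows in Table 1.
Added example (not from the post or VMware): REQUIRED_FLOWS is Table 1 transcribed;
group names and EXAMPLE_RULES are constructed assumptions; no VMC API is called."""

# (source, destination, protocol, port, description); ICMP rows carry no port.
REQUIRED_FLOWS = [
    ("vCenter", "Witness-Mgmt", "UDP", 902, "vSphere Web Client"),
    ("vCenter", "Witness-Mgmt", "TCP", 443, "vSphere Web Client"),
    ("vCenter", "Witness-Mgmt", "TCP", 902, "vSphere Web Client"),
    ("vCenter", "Witness-Mgmt", "TCP", 9080, "I/O Filter Service"),
    ("Witness-Mgmt", "vCenter", "TCP", 443, "vSphere Web Client"),
    ("Witness-Mgmt", "vCenter", "TCP", 902, "vSphere Web Client"),
    ("Witness-Mgmt", "vCenter", "TCP", 9080, "I/O Filter Service"),
    ("Witness-vSAN", "vSphere", "TCP", 2233, "vSAN Transport"),
    ("vSphere", "Witness-vSAN", "TCP", 2233, "vSAN Transport"),
    ("vSphere", "Witness-vSAN", "UDP", 12321, "vSAN Clustering Service"),
    ("Witness-vSAN", "vSphere", "UDP", 12321, "vSAN Clustering Service"),
    ("Witness-vSAN", "vSphere", "ICMP", None, "vSAN Health Check"),
    ("vSphere", "Witness-vSAN", "ICMP", None, "vSAN Health Check"),
]

def rule_covers(rule, flow):
    """True if allow rule (src, dst, proto, ports) permits the flow.
    "any" matches every group or protocol; ports=None means any port."""
    rsrc, rdst, rproto, rports = rule
    src, dst, proto, port, _ = flow
    return (rsrc in ("any", src) and rdst in ("any", dst)
            and rproto in ("any", proto)
            and (rports is None or port in rports))

def audit(rules):
    """Return (missing, too_broad): Table 1 flows no rule allows, and rules that
    rely on "any" for group, protocol or port, admitting more than the witness needs."""
    missing = [f for f in REQUIRED_FLOWS
               if not any(rule_covers(r, f) for r in rules)]
    too_broad = [r for r in rules
                 if "any" in r[:3] or (r[3] is None and r[2] != "ICMP")]
    return missing, too_broad

# Constructed CGW rule set: TCP covered, UDP/ICMP rows forgotten, one "any" shortcut.
EXAMPLE_RULES = [
    ("vCenter", "Witness-Mgmt", "TCP", {443, 902, 9080}),
    ("Witness-Mgmt", "vCenter", "TCP", {443, 902, 9080}),
    ("Witness-vSAN", "vSphere", "TCP", {2233}),
    ("vSphere", "Witness-vSAN", "any", None),
]
if __name__ == "__main__":
    missing, too_broad = audit(EXAMPLE_RULES)
    for f in missing: print("MISSING: %s -> %s %s %s (%s)" % f)
    for r in too_broad: print("TOO BROAD:", r)
```

Run against the constructed rule set it reports the forgotten UDP 902, UDP 12321 and ICMP rows, and flags the vSphere-to-witness "any" rule that should be narrowed to TCP 2233, UDP 12321 and ICMP.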
I hope this helps accelerate your Witness deployments inside VMware Cloud on AWS. For more information about vSAN Stretched Clusters or the vSAN Witness in general, check out StorageHub.
@glnsize