March 2, 2024

The vSAN Witness Appliance in vCloud Air: Part 4 (Deployment)

In Part 2, the process of uploading a vSAN Witness Appliance to an organization’s Catalog was detailed. Part 3 covered the process of creating networks for the vSAN Witness Appliance.

What’s Next?

With the vSAN Witness Appliance OVA converted and uploaded to vCloud Air, and connectivity in place to the networks that will be used, the next step is to deploy an appliance.

This can be done from the normal vCloud Air interface, but we won’t be able to power on our Witness Appliance because a password is missing. It is easier to accomplish this using the vCloud Director interface of vCloud Air.

From the vCloud Air Dashboard, select Manage Catalogs in vCloud Director.

This opens the vCloud Director interface in the Catalog section, where a catalog can be selected. The catalog the Witness Appliance was uploaded to in Part 1 was VSAN_WITNESS.

A catalog can contain multiple vApps, each of which can contain one or more virtual machines.


Choose the vSAN_WITNESS_6.5 item that was uploaded in Part 1 and select Add to My Cloud. A wizard will start the process of deploying this vApp.


Now that the Witness Appliance is deployed, let’s see if it is accessible. In the vCloud Director interface, select vApps and open the vApp that was just deployed.



Inside the vApp, there is only a vSAN Witness Appliance.

Right-clicking the VM presents the option to open a console and see the IP address of the VM.


The management VMkernel interface (vmk0) successfully obtained an IP address from the vSAN Witness Management network. If the VPN connection is properly configured, vmk0 should be pingable from the remote site.


In this example, the vCenter Server is running on the remote site. It should be possible to add the vSAN Witness Appliance to vCenter.



The Witness Appliance can be seen in the vSphere Web Client. Notice also that vmk1 has an IP address from the DHCP pool configured in Part 2.

When using vSAN 6.1 or 6.2, which are built into corresponding builds of ESXi 6.0, additional routing might be required if vmk1 is on a different segment than vmk0, the management VMkernel. This is because the default gateway used by vmk0 is also used by other VMkernel interfaces.

In ESXi 6.5, different gateways can be configured for different VMkernel interfaces. If using DHCP in vCloud Air, provided the gateway is configured properly, ESXi 6.5 will use the gateway provided by the DHCP service and not the default vmk0 gateway.

Now that the Witness Appliance has been deployed and added to vCenter, it is important to ensure connectivity between vmk1 and the vSAN ports at the remote site.

At the remote site, vmk0 has been tagged to accommodate vSAN Witness Traffic.

  • Host1 –
  • Host2 –
  • Witness –

From the Witness to Host 1 and Host 2
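
The routing difference between ESXi 6.0 and 6.5 and the vmk1 connectivity check described above can be sketched as a small script for the Witness Appliance's ESXi shell. This is an added example, not part of the original post: all addresses are constructed placeholders, the helper names are hypothetical, and the peer network is judged by its network address only.

```shell
#!/bin/sh
# Added example. Addresses are constructed placeholders (RFC 5737 ranges);
# ip_to_int, same_subnet, route_fix and check_peers are hypothetical helpers.

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IP1 IP2 PREFIXLEN -> exit 0 when both share one network
same_subnet() {
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# route_fix ESXI_VERSION VMK1_CIDR PEER_NET_CIDR VMK1_GATEWAY
# Prints the esxcli command vmk1 needs to reach the peer network, or "none".
route_fix() {
    vmk1_ip=${2%/*}; vmk1_len=${2#*/}; peer_net=${3%/*}
    if same_subnet "$vmk1_ip" "$peer_net" "$vmk1_len"; then
        echo "none"; return 0      # on-link, no gateway involved
    fi
    case $1 in
        6.0*)  # vSAN 6.1/6.2: every vmk shares vmk0's default gateway,
               # so route the peer network via the gateway on vmk1's segment
            echo "esxcli network ip route ipv4 add -n $3 -g $4" ;;
        *)     # 6.5: vmk1 uses its own (DHCP-supplied) gateway
            echo "none" ;;
    esac
}

# check_peers IP... -> ping each remote vSAN address out of vmk1
check_peers() {
    for peer in "$@"; do
        if vmkping -I vmk1 -c 3 "$peer" >/dev/null 2>&1; then
            echo "$peer reachable via vmk1"
        else
            echo "$peer UNREACHABLE via vmk1"
        fi
    done
}

route_fix 6.0 192.0.2.10/24 198.51.100.0/24 192.0.2.1
# Live test only where vmkping exists, i.e. in the ESXi shell of the Witness
if command -v vmkping >/dev/null 2>&1; then
    check_peers 198.51.100.11 198.51.100.12
fi
```

An unreachable peer on ESXi 6.0 with a printed route command points to the shared default gateway; on 6.5 it points to the gateway handed out by the DHCP service.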


After going through the vSAN Cluster Wizard, vSAN should be set up properly.


Once configured, select the Monitor tab from the vSAN Cluster to run the vSAN Health Check. It should report a Healthy vSAN Configuration.


Success! Now the remote/lab 2 Node vSAN cluster is using a Witness Appliance in vCloud Air!


This series has given a brief overview of how to run a vSAN witness in vCloud Air. Uploading a Witness Appliance, configuring networking, and deploying the Witness Appliance are not difficult tasks, but they do have specific requirements.

The Stretched Cluster and 2 Node guide covers the bulk of the requirements specific to the use of a Witness. Using vCloud Air as a tertiary location is a very viable solution when another physical site is either not possible or not cost effective.

This was originally posted on the VMware Virtual Blocks site:
