Save to My DOJO
Before talking about vSAN iSCSI, allow me to quickly reiterate what VMware vSAN is all about. In a nutshell, vSAN allows you to pool physical disks from multiple ESXi hosts to create one distributed but shared datastore. The resulting vSAN datastore is accessible from any host that is a member of the cluster where vSAN is enabled. In How to setup vSAN using a nested environment, I cover the process of setting up vSAN in some detail, so give it a read when you can.
VMware’s hyper-converged architecture approach eradicates the requirement for a full-blown SAN such as iSCSI storage vs vSAN while satisfying most networked-storage needs. To a lesser extent, costs are better contained which is more so true when deploying vSAN on commodity hardware, as long as it is certified in the vSAN HCL.
Carving out iSCSI LUNs from whichever storage solution is in use, is one task storage admins routinely carry out. An iSCSI LUN is nothing but a block of storage space accessible over a network via the iSCSI protocol. Similarly, you can publish LUNs if you add iSCSI to vSAN, the vSAN iSCSI limitations being that they can only be mounted on machines extraneous to a vSphere environment. So, the answer is no. It is not possible to have a vSAN iSCSI LUN set up as an ESXi datastore. Nor can it be consumed by vSphere VMs.
Trust me, these are the first two things I tried doing when testing the feature using vSAN 6.6.1. You can read more about the benefits and limitations in this KB article, a portion of which I reproduced as follows. However, you can mount a remote vSAN datastore using vSAN HCI mesh compute cluster in vSphere 7u2.
vSAN iSCSI LUNs benefits and limitations
Despite the vSAN iSCSI limitations, vSAN iSCSI LUNs always come in handy. On that note, I will be showing you how to create a vSAN iSCSI LUN and how to mount it on a Windows 10 machine.
Today’s only requirement is that you have vSAN configured in your environment. In my case, I run a 3-nested hosts vSphere cluster. If you have a physical vSAN, the better. If not, follow the instructions in the aforementioned post to replicate the steps outlined next.
As I’m writing this, I also finished updating my vSphere environment to ESXi 7.0.3 which means, I’m now running vSAN 7.0.3 (Build #: 18644231). If you’re wondering can vSAN and iSCSI be on the same VLAN, it is possible but VMware recommends against it, it is recommended to have vSAN in its own VLAN.
The vSAN version is tied to the vSphere version.
First and foremost, we must enable the vSAN iSCSI Target Service (add iSCSI to vSAN).
- Select your vSAN cluster
- Click on Configure
- Under vSAN, click on Services
- Scroll down to vSAN iSCSI Target Service and click Enable
- Then select the correct VMkernel interface and click Enable.
You can leave Default authentication disabled or else select between CHAP and Mutual Chap if security is a concern. The Default iSCSI network is automatically set using an ESXi host’s VMkernel configured for vSAN. You are also allowed to change the default iSCSI network port and the storage policy if required.
Enabling the vSAN iSCSI target service
You must next decide which machines will be allowed access to the LUN. We refer to anything that can potentially access a LUN as an iSCSI Initiator or client. If you’re planning on giving LUN access to a number of initiators, a cluster comes to mind, it’s always best to create an iSCSI Initiator Group for better security management. With that said, let’s go ahead and create an iSCSI Initiator Group.
First, it’s a good idea to list the initiator names, or IQNs, of the machines that will access the iSCSI LUN. In Windows, this is easy to do. Just run the iSCSI Initiator client and copy the IQN value from the Configuration tab.
Listing the IQN for a Windows iSCSI initiator
Next, using the vSphere Web client:
- Highlight the vSAN cluster.
- Click on the iSCSI Target Service under vSAN
- Select the Initiator Groups tab
- Click the Add button
Creating a vSAN iSCSI initiators group
In the Name field, type a value for the group you are creating which is Windows_Workstations in my case. Paste the IQN in the Member Initiator name field and click on Add. Repeat this for every initiator you want to be included. Press OK when done.
Adding initiators to an iSCSI initiators group
Move up one item and select iSCSI Targets on the Configure page (2). An iSCSI target is just an endpoint an initiator client connects to so it can consume the VMware vSAN iSCSI LUN.
Still using the vSphere Web Client, click on the Add button (4).
Creating a new vSAN iSCSI target in vSphere Web client
In the New iSCSI Target dialog, you’ll find that most of the settings are automatically populated for you. All you need to add is an Alias and the VMware vSAN iSCSI LUN size. This is shown in the next screenshot.
Configuring a vSAN iSCSI target
Also, note the following. The default network port for iSCSI is 3260. Even though you can change this, it’s best to leave the value as it is unless there is some compelling reason to change it. The Network value is picked from the list of VMkernels present on the ESXi host presenting the vSAN iSCSI LUN. The host seems to be chosen at random.
The Network value can be changed as required. The Storage policy also determines the actual amount of disk space consumed by the LUN which, per the default settings, will correspond to twice the amount specified by the Size value.
You then need to create a LUN. To do that, scroll down and click ADD under the vSAN iSCSI LUNs pane.
Specify the settings of the vSAN iSCSI LUN with an ID (avoid using 0, an alias, a storage policy and a size, then click ADD.
The newly created vSAN iSCSI target should be listed in the lower pane. The details for it are displayed along with the allowed initiators. In the upper pane, look at the I/O Owner Host field and take a note of the ESXi host serving the LUN. In my case, it’s lab01.esx3.lab.priv corresponding to 192.168.24.69.
The vSAN iSCSI target and its properties …
We finally need to add the initiators group previously created to the list of Allowed Initiators. By default, any machine is allowed access. We don’t want this for obvious reasons. To add the initiators’ group, click on the Add button. Tick the Initiator Group option and select the Windows_Workstations initiator group created earlier. Press OK to continue.
Adding a custom iSCSI initiators group to the list of allowed initiators
As mentioned in the opening section, I will try to mount the VMware vSAN iSCSI LUN on a Windows 10 machine. This is done as follows.
In Windows, launch the iSCSI Initiator client. Just type iSCSI in the search box and select the iSCSI Initiator desktop app.
Launching the iSCSI initiator client in Windows
Select the Targets tab on the iSCSI Initiator Properties dialog. Type in the IP address noted earlier, i.e. the one used by the vSAN iSCSI target, and click on Quick Connect. On the Quick Connect dialog, make sure the discovered target status is set to Connected and press Done.
Connecting to the vSAN iSCSI target using the Windows iSCSI initiator client
From the Volumes and Devices tab, click on the Auto Configure button. You should see the mount point for the VMware vSAN iSCSI LUN listed in the Volume List window. Press OK to finish setting up the client.
Forcing the client to bind to the mount point
The last step sees us initializing the newly added disk using the Disk Management console. Just type diskman in the search box. On the Initialize Disk dialog, press OK to initialize the disk i.e. the corresponding vSAN iSCSI LUN.
Initializing the new disk in Windows using the Disk Management console
To complete the process, select the new disk and format it, as required, using the New Simple Volume wizard.
Preparing the disk for use in Windows
To complete the test, verify that you can read and write to the volume. You can easily do this by creating, say, a text file containing data and then deleting it.
To properly protect your VMware environment, use Altaro VM Backup to securely backup and replicate your virtual machines. We work hard perpetually to give our customers confidence in their VMware backup strategy.
To keep up to date with the latest VMware best practices, become a member of the VMware DOJO now (it’s free).
Though somewhat having a few vSAN iSCSI limitations, vSAN iSCSI serves a secondary and useful purpose as we have seen in this post. It can host and serve iSCSI LUNs to machines other than ESXi hosts and virtual machines using its iSCSI Target service. The major benefit being that you get to make better use of your vSAN capacity should you have a large chunk of it left unused by your vSAN workloads.
Also, if you’re wondering can vSAN nodes also use shared iSCSI storage, yes they can. vSAN nodes are still vSphere servers that can mount external storage.
Not a DOJO Member yet?
Join thousands of other IT pros and receive a weekly roundup email with the latest content & updates!