What is cloud witness in Windows Server vNext?

Q. What is the Cloud Witness option in Windows Server vNext?
Dept - Failover Clusters

A. Windows Failover Clustering has two types of witness in Windows Server 2012 R2

In Windows Server 2012 R2 the guidance is to always configure a witness as clustering will dynamically assign the witness a vote as needed depending on if there are an odd or even number of nodes in the cluster (the witness gets a vote in the event there are an even number of nodes). In the event a cluster stretches sites the recommendation is to use a file share witness in a 3rd location however often organizations do not have a 3rd location which presents a problem. There are a number of solutions which involved customers placing a file share at a branch office or perhaps in a VM in Azure (Azure Files which provides an SMB service cannot be used as Azure Files is only available within the Azure Region and not to on-premises locations).

Windows Server vNext solves this by introducing the Cloud Witness option as shown below:

When configuring this option your Azure Storage account is used to host a single blob file which is the instance ID of the cluster and is used in the event arbitration is necessary. All that is required is the name of a locally redundant Azure storage account and your storage account key (which is accessed using the Manage Access Keys action in the storage account dashboard pane of the Azure portal). This information is entered into the cloud witness wizard as shown.

You are now using your Azure storage account as your clusters witness resource. If you look at the containers in the Azure storage account you will see a new container, msft-cloud-witness which when opened will show one file per cluster (yes, multiple clusters can share the same Azure storage account).  If you open up the registry editor on a cluster member and navigate to HKEY_LOCAL_MACHINECluster you will see the ClusterInstanceID matches the file name created in the Azure storage account.

Clustering has been optimized to access this file only when absolutely required and when that does happen its minimal data and testing shows Azure rounds down to the nearest cent which has shown this to actually cost zero however there is no guarantee this will be the case for everyone but certainly the cost of using a cloud witness would be pennies at most.

The cloud witness behaves in a way very similar to a file share witness. Both use the same arbitration logic, both do not keep a copy of the cluster data and both prevent partition in time problems (which are very rare, see http://windowsitpro.com/windows-server/why-disk-witness-better-file-share-witness for more information on this). The big difference is when using the Azure cloud witness that access is using the Azure Storage Services REST API instead of SMB protocol and permissions on the blob file are managed automatically by the cluster while when using a file share witness the cluster name object (CNO) has to be manually assigned the required permissions.

Using the cloud witness does require the cluster nodes to have access to Azure storage either via the Internet, site-to-site VPN or ExpressRoute. If your cluster nodes cannot access Azure then use disk witness or file share witness.