Each vSAN stretched cluster requires a witness host deployed in a vSAN witness zone, which must be different from the location of both availability zones.
You deploy the vSAN witness host as an appliance rather than as a dedicated physical ESXi host. The witness host does not run virtual machines and must run the same version of ESXi as the ESXi hosts in the stretched cluster. It must also meet the latency and round-trip time (RTT) requirements.
See the Physical Network Requirements for Multiple Availability Zone table within Stretched Cluster Requirements.