Many organizations adopt a mindset for vCenter Server & Google Cloud VMware Engine Console access that is taken directly from traditional data center practices.
Most organizations do not allow everyone in the organization to stroll into the data center whenever they desire. Only staff who have a business requirement to be in the data center can enter. The same approach, adapted to vCenter Server and the GCVE Console, works well for deciding who needs access. Practically speaking, workloads do not need to be managed from the console of the virtual machine on a day-to-day basis, and for those that do, administrators can connect to the console of Microsoft Windows with the “/console” switch for the Remote Desktop client.
Administrator access to the workloads should be through the workload virtual machine’s own network interface, via SSH or RDP. That makes the management traffic and access subject to network intrusion detection and other monitoring systems. It also simplifies access control for both the workload and vSphere, because workload access requirements and vSphere access requirements do not have to be co-mingled. This makes auditing access, monitoring access & network traffic, and ongoing management much easier.
Virtual machine remote console access is proxied through vCenter Server for local and public VMware Cloud Infrastructure. Direct access to ESXi is not required.
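
Because remote console access is proxied through vCenter Server, vCenter Server permissions determine who can open a virtual machine console. The following PowerCLI audit is an added example, not part of the original guidance: it lists every permission whose role includes the console interaction privilege and marks the principals that are not on an approved list. It assumes VMware PowerCLI is installed and a `Connect-VIServer` session to the vCenter Server is already open; the function name `Get-ConsoleAccessGrant` and the principal `EXAMPLE\vsphere-admins` are hypothetical.

```powershell
# Added example: requires VMware PowerCLI and an existing Connect-VIServer session.
# Privilege ID behind "Virtual machine > Interaction > Console interaction".
$ConsolePrivilege = 'VirtualMachine.Interact.ConsoleInteract'

function Get-ConsoleAccessGrant {
    param(
        # Principals approved for console access (hypothetical; supply your own list).
        [string[]]$ApprovedPrincipal = @()
    )

    # Names of all roles whose privilege list includes console interaction.
    $consoleRoles = Get-VIRole |
        Where-Object { $_.PrivilegeList -contains $ConsolePrivilege } |
        Select-Object -ExpandProperty Name

    # Every permission that assigns one of those roles, with its review status.
    Get-VIPermission |
        Where-Object { $consoleRoles -contains $_.Role } |
        ForEach-Object {
            [pscustomobject]@{
                Principal = $_.Principal
                IsGroup   = $_.IsGroup
                Role      = $_.Role
                Entity    = $_.Entity.Name
                Propagate = $_.Propagate
                Approved  = $ApprovedPrincipal -contains $_.Principal
            }
        } |
        Sort-Object Approved, Principal   # unapproved grants sort first
}

# Constructed allowlist for illustration only.
Get-ConsoleAccessGrant -ApprovedPrincipal 'EXAMPLE\vsphere-admins' |
    Format-Table -AutoSize
```

Rows with `Approved` set to `False` are the grants to review against the business requirement for console access.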