Some common firewall rule configurations include opening access to the vSphere Client from the internet, allowing access to vCenter Server through the management VPN tunnel, and allowing remote console access.

The following table shows the Service, Source, and Destination settings for commonly used firewall rules.

Table 1. Commonly-used Firewall Rules

| Use Cases | Service | Source | Destination |
|---|---|---|---|
| Provide access to vCenter Server from the internet. Use for general vSphere Client access as well as for monitoring vCenter Server. | HTTPS | public IP address | vCenter |
| Provide access to vCenter Server over VPN tunnel. Required for Management Gateway VPN, Hybrid Linked Mode, Content Library. | HTTPS | IP address or CIDR block from on-premises data center | vCenter |
| Provide access from cloud vCenter Server to on-premises services such as Active Directory, Platform Services Controller, and Content Library. | Any | vCenter | IP address or CIDR block from on-premises data center |
| Provisioning operations involving network file copy traffic, such as cold migration, cloning from on-premises VMs, snapshot migration, replication, and so on. | Provisioning | IP address or CIDR block, either public or from an on-premises data center connected by a VPN tunnel | ESXi Management |
| VMRC remote console access. Required for vRealize Automation. | Remote Console | IP address or CIDR block, either public or from an on-premises data center connected by a VPN tunnel | ESXi Management |
| vMotion traffic over VPN | Any | ESXi Management | IP address or CIDR block from on-premises data center |
| Ping traffic to vCenter Server for network troubleshooting. | ICMP (All ICMP) | IP address or CIDR block, either public or from an on-premises data center connected by a VPN tunnel | vCenter |
| Ping traffic to ESXi management network for network troubleshooting. | ICMP (All ICMP) | IP address or CIDR block, either public or from an on-premises data center connected by a VPN tunnel | ESXi Management |
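Every row above names a specific IP address or CIDR block rather than an open source, and only some services are listed from a public address. The following linter, an added example that is not part of the original documentation, encodes the table's rows as the allowed pattern and flags a candidate rule set that drifts from it. The rule dictionaries and sample addresses are constructed, and it assumes that on-premises ranges reached over the VPN are RFC 1918 space.

```python
import ipaddress

MGMT = {"vCenter", "ESXi Management"}
# (service, destination) pairs the table lists for traffic into the SDDC.
INBOUND_OK = {
    ("HTTPS", "vCenter"), ("Provisioning", "ESXi Management"),
    ("Remote Console", "ESXi Management"), ("Any", "ESXi Management"),
    ("ICMP (All ICMP)", "vCenter"), ("ICMP (All ICMP)", "ESXi Management"),
}
# Rows that also accept a public source; vMotion is listed only over the VPN.
PUBLIC_OK = INBOUND_OK - {("Any", "ESXi Management")}
# (service, source) pairs the table lists for traffic out to on-premises.
OUTBOUND_OK = {("Any", "vCenter"), ("Any", "ESXi Management")}
# Assumption: on-premises ranges reached over the VPN are RFC 1918 space.
ON_PREM = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_on_prem(cidr):
    """True if an IP or CIDR block lies inside the assumed on-premises ranges."""
    net = ipaddress.ip_network(cidr, strict=False)  # ValueError if malformed
    return any(net.version == p.version and net.subnet_of(p) for p in ON_PREM)

def lint_rule(rule):
    """Findings for one rule; an empty list means it matches a row of the table."""
    svc, src, dst = rule["service"], rule["source"], rule["destination"]
    if "Any" in (src, dst):
        return ["no row of the table uses 'Any' as an address; name an IP or CIDR block"]
    inbound = dst in MGMT
    if inbound == (src in MGMT):
        return ["exactly one endpoint must be vCenter or ESXi Management"]
    addr = src if inbound else dst
    try:
        on_prem = is_on_prem(addr)
    except ValueError:
        return [f"{addr!r} is not a valid IP address or CIDR block"]
    if inbound and (svc, dst) not in INBOUND_OK:
        return [f"{svc} to {dst} is not a listed inbound rule"]
    if inbound and not on_prem and (svc, dst) not in PUBLIC_OK:
        return [f"{svc} to {dst} is listed only from on-premises over the VPN, not from {addr}"]
    if not inbound and (svc, src) not in OUTBOUND_OK:
        return [f"{svc} from {src} is not a listed outbound rule"]
    if not inbound and not on_prem:
        return [f"traffic from {src} is listed only toward on-premises ranges, not {addr}"]
    return []

# Constructed samples: row 1 of the table, then vMotion from a public range (no row permits it).
SAMPLE_RULES = [
    {"service": "HTTPS", "source": "203.0.113.10", "destination": "vCenter"},
    {"service": "Any", "source": "203.0.113.0/24", "destination": "ESXi Management"},
]
```

Run `lint_rule` over each rule exported from the management gateway and treat any non-empty result as a rule to review.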