ESXi includes a firewall between the management interface and the network. The firewall is enabled by default.

At installation time, the ESXi firewall is configured to block incoming and outgoing traffic, except traffic for the default services listed in TCP and UDP Ports.

Note:

The firewall also allows Internet Control Message Protocol (ICMP) pings, and the host's own DHCP client and DNS client traffic (UDP only).

You can manage ESXi firewall ports as follows:

  • From the security profile for each host.

  • Using ESXCLI commands to modify firewall rules, from the command line or in scripts. See ESXi Firewall Configuration.

  • Using a custom VIB if the port you want to open is not included in the security profile. You create custom VIBs with the vibauthor tool available from VMware Labs. To install the custom VIB, you have to change the acceptance level of the ESXi host to CommunitySupported. See VMware Knowledge Base Article 2007381.

    Note:

    If you engage VMware Technical Support to investigate a problem on an ESXi host with a CommunitySupported VIB installed, VMware Support might request that this CommunitySupported VIB be uninstalled as a troubleshooting step to determine if that VIB is related to the problem being investigated.
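The shell script below is an added example; it is not part of the VMware documentation and not ESXi code. It shows the ESXCLI calls for locking a rule set down to a set of source networks (the documented esxcli network firewall subcommands), the rule set definition XML that a custom VIB would carry (the layout is assumed from the stock /etc/vmware/firewall/service.xml), and an offline audit that joins the output of "esxcli network firewall ruleset list" and "esxcli network firewall ruleset allowedip list" to report enabled rule sets whose allowed-IP column is still "All". The function names restrict_ruleset, ruleset_xml, enabled_unrestricted and audit_sample are this example's own, and the two ESXCLI tables it parses are constructed samples, not output captured from a host.

```shell
#!/bin/sh
# Added example, not from the VMware documentation. Assumes the stock
# "esxcli" binary on the ESXi shell; ESXCLI can be overridden for dry runs.
ESXCLI="${ESXCLI:-esxcli}"

# restrict_ruleset RULESET CIDR...
# Enable RULESET for the listed source networks only. Run this from the
# DCUI/console or from a host that is already in the allow list: turning
# off allowed-all on sshServer from an SSH session outside the list locks
# you out.
restrict_ruleset() {
    ruleset="$1"; shift
    "$ESXCLI" network firewall ruleset set --ruleset-id="$ruleset" --allowed-all=false
    for cidr in "$@"; do
        "$ESXCLI" network firewall ruleset allowedip add \
            --ruleset-id="$ruleset" --ip-address="$cidr"
    done
    "$ESXCLI" network firewall ruleset set --ruleset-id="$ruleset" --enabled=true
    "$ESXCLI" network firewall refresh
}

# ruleset_xml NAME PORT
# Print a rule set definition in the layout of /etc/vmware/firewall/service.xml
# (assumption: this is what a custom VIB built with vibauthor ships).
# A single inbound TCP rule; "required" is false so an admin can disable it.
ruleset_xml() {
cat <<EOF
<ConfigRoot>
  <service id="0000">
    <id>$1</id>
    <rule id="0000">
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>$2</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF
}

# enabled_unrestricted RULESET_LIST ALLOWEDIP_LIST
# Given saved output of "esxcli network firewall ruleset list" and
# "esxcli network firewall ruleset allowedip list", print the rule sets
# that are enabled and still accept traffic from any source ("All").
# The two-line table header (column names plus dashed separator) is skipped.
enabled_unrestricted() {
    awk '
        FNR == 1 { file++ }
        FNR <= 2 { next }
        file == 1 && $2 == "true" { enabled[$1] = 1 }
        file == 2 && $2 == "All" && ($1 in enabled) { print $1 }
    ' "$1" "$2"
}

# Constructed sample output (not captured from a real host) so the audit
# can be exercised offline; the column layout follows the ESXCLI tables.
sample_ruleset_list() {
cat <<'EOF'
Name                   Enabled
---------------------  -------
sshServer                 true
sshClient                false
nfsClient                 true
vSphereClient             true
dhcp                      true
EOF
}

sample_allowedip_list() {
cat <<'EOF'
Ruleset                 Allowed IP Addresses
----------------------  --------------------
sshServer               All
sshClient               All
nfsClient               192.168.1.10, 192.168.1.11
vSphereClient           All
dhcp                    All
EOF
}

# audit_sample: run the audit over the constructed sample. On a live host,
# save the two real ESXCLI tables to files and pass them instead.
audit_sample() {
    dir=$(mktemp -d)
    sample_ruleset_list > "$dir/rulesets"
    sample_allowedip_list > "$dir/allowedip"
    enabled_unrestricted "$dir/rulesets" "$dir/allowedip"
    rm -rf "$dir"
}

audit_sample
```

The audit output is a review list, not a change list: vSphereClient must stay reachable from vCenter Server, and dhcp from the DHCP server, so each flagged rule set is a decision about which sources to enumerate, not something to switch off blindly. An XML file written by ruleset_xml and dropped into /etc/vmware/firewall/ is picked up by "esxcli network firewall refresh" but does not survive a reboot, which is why the documentation routes persistent custom ports through a VIB.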

You can view supported services and management agents that are required to operate the host in the host's Security Profile section in the vSphere Web Client.

Note:

The behavior of the NFS Client rule set (nfsClient) is different from other rule sets. When the NFS Client rule set is enabled, all outbound TCP ports are open to the destination hosts in its list of allowed IP addresses, so that list should contain only your NFS servers and never be left at all addresses. See NFS Client Rule Set Behavior for more information.