If you access ESXi hosts through vCenter Server, you typically protect vCenter Server using a firewall. This firewall provides basic protection for your network.
A firewall might lie between the clients and vCenter Server. Alternatively, depending on your deployment, vCenter Server and the clients can both be behind the firewall. The main point is to ensure that a firewall is present at what you consider to be an entry point for the system.
For a comprehensive list of TCP and UDP ports, including those for vSphere vMotion™ and vSphere Fault Tolerance, see vCenter Server TCP and UDP Ports.
Networks configured with vCenter Server can receive communications through the vSphere Web Client or third-party network management clients that use the SDK to interface with the host. During normal operation, vCenter Server listens for data from its managed hosts and clients on designated ports. vCenter Server also assumes that its managed hosts listen for data from vCenter Server on designated ports. If a firewall is present between any of these elements, you must ensure that the firewall has open ports to support data transfer.
You might also include firewalls at a variety of other access points in the network, depending on how you plan to use the network and the level of security various devices require. Select the locations for your firewalls based on the security risks that you have identified for your network configuration. The following is a list of firewall locations common to ESXi implementations.
Between the vSphere Web Client or a third-party network-management client and vCenter Server.
If your users access virtual machines through a Web browser, between the Web browser and the ESXi host.
If your users access virtual machines through the vSphere Web Client, between the vSphere Web Client and the ESXi host. This connection is in addition to the connection between the vSphere Web Client and vCenter Server, and it requires a different port.
Between vCenter Server and the ESXi hosts.
Between the ESXi hosts in your network. Although traffic between hosts is usually considered trusted, you can add firewalls between them if you are concerned about security breaches from machine to machine.
If you add firewalls between ESXi hosts and plan to migrate virtual machines between the servers, perform cloning, or use vMotion, you must also open ports in any firewall that divides the source host from the target hosts so that the source and targets can communicate.
Between the ESXi hosts and network storage such as NFS or iSCSI storage. These ports are not specific to VMware, and you configure them according to the specifications for your network.