ESXi includes a firewall that is enabled by default.

At installation time, the ESXi firewall is configured to block incoming and outgoing traffic, except traffic for services that are enabled in the host's security profile.

As you open ports on the firewall, consider that unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to allow access only from authorized networks.

Note: The firewall also allows Internet Control Message Protocol (ICMP) pings and communication with DHCP and DNS (UDP only) clients.
You can manage ESXi firewall ports as follows:
  • Use the security profile for each host in the vSphere Web Client. See Manage ESXi Firewall Settings
  • Use ESXCLI commands from the command line or in scripts. See ESXi ESXCLI Firewall Commands.
  • Use a custom VIB if the port you want to open is not included in the security profile.

    You create custom VIBs with the vibauthor tool available from VMware Labs. To install the custom VIB, you have to change the acceptance level of the ESXi host to CommunitySupported. See VMware Knowledge Base Article 2007381.

    Note: If you engage VMware Technical Support to investigate a problem on an ESXi host with a CommunitySupported VIB installed, VMware Support might request that this CommunitySupported VIB be uninstalled as a troubleshooting step to determine if that VIB is related to the problem being investigated.

The behavior of the NFS Client rule set (nfsClient) is different from other rule sets. When the NFS Client rule set is enabled, all outbound TCP ports are open for the destination hosts in the list of allowed IP addresses. See NFS Client Firewall Behavior for more information.