For improved security, avoid putting the vCenter Server system on any network other than a management network, and ensure that vSphere management traffic is on a restricted network. By limiting network connectivity, you limit certain types of attack.
vCenter Server requires access to a management network only. Avoid putting the vCenter Server system on other networks such as your production network or storage network, or on any network with access to the Internet. vCenter Server does not need access to the network where vMotion operates.
- All ESXi hosts.
- The vCenter Server database.
- Other vCenter Server systems (if the vCenter Server systems are part of a common vCenter Single Sign-On domain for purposes of replicating tags, permissions, and so on).
- Systems that are authorized to run management clients. For example, the vSphere Client, a Windows system where you use the PowerCLI, or any other SDK-based client.
- Systems that run add-on components such as VMware vSphere Update Manager.
- Infrastructure services such as DNS, Active Directory, and NTP.
- Other systems that run components that are essential to functionality of the vCenter Server system.
Use a local firewall on the Windows system where the vCenter Server system is running or use a network firewall. Include IP-based access restrictions so that only necessary components can communicate with the vCenter Server system.