After you deploy the vCenter Server Appliance, you can edit its firewall settings and create firewall rules using the vSphere Web Client.

You can set up firewall rules to allow or block traffic between the vCenter Server Appliance and specific servers, hosts, or virtual machines. You cannot block specific ports; a rule blocks all of the traffic.


Verify that the user who logs in to the vCenter Server instance in the vCenter Server Appliance is a member of the SystemConfiguration.Administrators group in vCenter Single Sign-On.


  1. Use the vSphere Web Client to log in as administrator@your_domain_name to the vCenter Server instance in the vCenter Server Appliance.
    The address is of the type http://appliance-IP-address-or-FQDN/vsphere-client.
  2. On the vSphere Web Client main page, click Home > Administration > System Configuration.
  3. Under System Configuration, click Nodes.
  4. Under Nodes, select a node and click the Manage tab.
  5. Select Firewall and click Edit.
  6. Edit the firewall settings.
    Option: Add a firewall rule
      1. Click the Add icon to create a new firewall rule.
      2. Select a network interface of the virtual machine.
      3. Type the IP address of the network to apply this rule to.
         The IP address can be an IPv4 or IPv6 address.
      4. Type a subnet prefix length.
      5. From the Action drop-down menu, select whether to block or to allow the connection between the vCenter Server Appliance and the network that you specified.
      6. Click OK.

    Option: Edit a firewall rule
      1. Click the Edit icon to edit a firewall rule.
      2. Edit the settings of the rule.
      3. Click OK.

    Option: Prioritize the rules
      1. Click the down or up arrows to move a rule downwards or upwards in the list of rules.

    Option: Delete a firewall rule
      1. Select a rule from the list, and click the Delete icon.
      2. Click OK.
  7. Click OK to save your edits.
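
Because each rule covers a whole network rather than a port, the order set in the Prioritize step decides which rule a given address hits. The following added example (not VMware code) checks a planned rule list for entries hidden behind a broader rule above them; it assumes top-down, first-match evaluation and a default of allow, and the interface name `nic0` and all addresses are constructed sample values.

```python
import ipaddress

# Constructed sample rule list in priority order (top of the list first).
# Fields mirror the dialog: interface, IP address, prefix length, action.
RULES = [
    ("nic0", "192.0.2.0", 24, "allow"),
    ("nic0", "192.0.2.128", 25, "block"),   # hidden by the /24 above it
    ("nic0", "2001:db8::", 32, "block"),
    ("nic0", "198.51.100.7", 32, "allow"),
]

def parse(rules):
    """Turn (interface, address, prefix, action) tuples into network objects."""
    out = []
    for nic, addr, prefix, action in rules:
        if action not in ("allow", "block"):
            raise ValueError(f"unknown action: {action}")
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        out.append((nic, net, action))
    return out

def decide(rules, nic, source, default="allow"):
    """Action for traffic from `source` on `nic`.
    Assumption: the first matching rule wins, otherwise `default` applies."""
    ip = ipaddress.ip_address(source)
    for rule_nic, net, action in parse(rules):
        if rule_nic == nic and ip.version == net.version and ip in net:
            return action
    return default

def shadowed(rules):
    """Return (rule_index, covering_index, actions_differ) for every rule
    whose network lies entirely inside an earlier rule on the same interface."""
    parsed = parse(rules)
    hits = []
    for i, (nic, net, action) in enumerate(parsed):
        for j in range(i):
            pnic, pnet, paction = parsed[j]
            if pnic == nic and pnet.version == net.version and net.subnet_of(pnet):
                hits.append((i, j, action != paction))
                break
    return hits

if __name__ == "__main__":
    for idx, cover, differs in shadowed(RULES):
        note = "conflicting action" if differs else "redundant"
        print(f"rule {idx} never matches: covered by rule {cover} ({note})")
```

A hit with a conflicting action means the narrower rule has to be moved above the broader one with the up arrow before it takes effect.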