By default, the firewall for each service allows access to all IP addresses. To restrict traffic, change each service to allow traffic only from your management subnet. You might also deselect some services if your environment does not use them.

You can use the vSphere Client, ESXCLI, or PowerCLI to update the Allowed IP list for a service. By default, all IP addresses are allowed for a service. This task describes how to use the vSphere Client. See the topic on managing the firewall in ESXCLI Concepts and Examples at for instructions on using ESXCLI.


  1. Log in to the vCenter Server by using the vSphere Client.
  2. Browse to the ESXi host.
  3. Click Configure, then click Firewall under System.
  4. In the Firewall section, click Edit and select a service from the list.
  5. In the Allowed IP Addresses section, deselect Allow connections from any IP address and enter the IP addresses of networks that are allowed to connect to the host.
    Separate IP addresses with commas. You can use the following address formats:
    •, 2001::1/64
    • fd3e:29a6:0a81:e478::/64
  6. Click OK.