By default, the firewall for each service allows access to all IP addresses. To restrict traffic, change each service to allow traffic only from your management subnet. You might also deselect some services if your environment does not use them.
You can use the vSphere Client, ESXCLI, or PowerCLI to update the Allowed IP list for a service. By default, all IP addresses are allowed for a service. This task describes how to use the vSphere Client. See the topic on managing the firewall in ESXCLI Concepts and Examples at https://code.vmware.com/ for instructions on using ESXCLI.