By default, the firewall for each service allows access to all IP addresses. To restrict traffic, change each service to allow traffic only from your management subnet. You can also deselect some services if your environment does not use them.

To update the Allowed IP list for a service you can use the vSphere Client, ESXCLI, or PowerCLI. By default, all IP addresses are allowed for a service. This task describes how to use the vSphere Client. See the topic on managing the firewall in ESXCLI Concepts and Examples at for instructions on using ESXCLI.


  1. Log in to the vCenter Server by using the vSphere Client.
  2. Browse to the ESXi host.
  3. Click Configure, then click Firewall under System.
    You can toggle between incoming and outgoing connections by clicking Incoming and Outgoing.
  4. In the Firewall section, click Edit.
  5. Select from one of the three service groups, Ungrouped, Secure Shell, and Simple Network Management Protocol.
  6. To display the Allowed IP Addresses section, expand a service.
  7. In the Allowed IP Addresses section, deselect Allow connections from any IP address and enter the IP addresses of networks that are allowed to connect to the host.
    Separate IP addresses with commas. You can use the following address formats:
    •, 2001::1/64
    • fd3e:29a6:0a81:e478::/64
  8. Ensure that the service itself is selected.
  9. Click OK.
  10. Verify your change in the Allowed IP addresses column for the service.