ESXi includes a firewall that is enabled by default. During installation, the ESXi firewall is configured to block incoming and outgoing traffic, except traffic for services that are enabled in the host security profile.

As you open ports on the firewall, consider that unrestricted access to services running on an ESXi host may expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to allow access only from authorized networks.

Note: The firewall also allows Internet Control Message Protocol, or ICMP, pings and communication with DHCP and DNS (UDP only) clients.

Manage ESXi Firewall Settings by Using the VMware Host Client

When you are logged in to an ESXi host with the VMware Host Client, you can configure incoming and outgoing firewall connections for a service or a management agent.

Note: If different services have overlapping port rules, enabling one service might implicitly enable other services. You can specify which IP addresses are allowed to access each service on the host to avoid this problem.

Procedure

  1. Click Networking in the VMware Host Client inventory.
  2. Click Firewall rules.
    The VMware Host Client displays a list of active incoming and outgoing connections with the corresponding firewall ports.
  3. For some services, you can manage service details. Right-click a service and select an option from the pop-up menu.
    • Use the Start, Stop, or Restart buttons to change the status of a service temporarily.
    • Change the Startup Policy to configure the service to start and stop with the host, the firewall ports, or manually.

Add Allowed IP Addresses for an ESXi Host by Using the VMware Host Client

By default, the firewall for each service allows access to all IP addresses. To restrict traffic, configure each service to allow traffic only from your management subnet. You can also deselect some services if your environment does not use them.

Procedure

  1. Click Networking in the VMware Host Client inventory and click Firewall rules.
  2. Click a service from the list and click Edit settings.
  3. In the Allowed IP Addresses section, click Only allow connections from the following networks and enter the IP addresses or networks that you want to allow to connect to the host.
    Separate IP addresses with commas. You can use the following address formats:
    • 192.168.0.0/24
    • 192.168.1.2, 2001::1/64
    • fd3e:29a6:0a81:e478::/64
  4. Click OK.
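The same restriction can be audited and applied from the ESXi Shell with esxcli. The script below is an added example, not part of the VMware documentation: it checks constructed sample output in the shape of `esxcli network firewall ruleset list` and `esxcli network firewall ruleset allowedip list` for services that are enabled but still open to all addresses, and it prints (without running) the esxcli commands that would restrict one service to the address formats listed above. The column layout of the sample output and the exact esxcli option names are assumptions to verify against your host's esxcli version.

```sh
#!/bin/sh
# Constructed sample output (not captured from a real host) shaped like
#   esxcli network firewall ruleset list            -> Name / Enabled
#   esxcli network firewall ruleset allowedip list  -> Ruleset / Allowed IP Addresses
RULESET_LIST='Name              Enabled
----------------  -------
sshServer         true
vSphereClient     true
snmp              false
dhcp              true'

ALLOWEDIP_LIST='Ruleset          Allowed IP Addresses
---------------  --------------------
sshServer        All
vSphereClient    192.168.0.0/24, fd3e:29a6:0a81:e478::/64
snmp             All
dhcp             All'

# Print, one per line, every ruleset that is enabled AND allows all IP addresses.
# These are the services the page warns about: reachable from any network.
unrestricted_rulesets() {
    enabled=$(printf '%s\n' "$RULESET_LIST" | awk 'NR > 2 && $2 == "true" { print $1 }')
    printf '%s\n' "$ALLOWEDIP_LIST" | awk -v en="$enabled" '
        BEGIN { n = split(en, a, "\n"); for (i = 1; i <= n; i++) on[a[i]] = 1 }
        NR > 2 && $2 == "All" && ($1 in on) { print $1 }'
}

# Emit (but do not execute) the esxcli commands that restrict ruleset $1 to the
# comma-separated networks in $2, e.g. "192.168.0.0/24, 2001::1/64".
# Assumed esxcli syntax: ruleset set --allowed-all false, then allowedip add per entry.
restrict_commands() {
    rs=$1
    nets=$2
    printf 'esxcli network firewall ruleset set --ruleset-id %s --allowed-all false\n' "$rs"
    printf '%s\n' "$nets" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | while read -r ip; do
        if [ -n "$ip" ]; then
            printf 'esxcli network firewall ruleset allowedip add --ruleset-id %s --ip-address %s\n' "$rs" "$ip"
        fi
    done
}
```

Review the emitted commands before running them on a host; restricting a management service to the wrong network can lock you out of the host.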