The ESXi hypervisor architecture has many built-in security features such as CPU isolation, memory isolation, and device isolation. You can configure features such as lockdown mode, certificate replacement, and smart card authentication for enhanced security.

An ESXi host is also protected with a firewall. You can open ports for incoming and outgoing traffic as needed, but should restrict access to services and ports. Using the ESXi lockdown mode and limiting access to the ESXi Shell can further contribute to a more secure environment. ESXi hosts participate in the certificate infrastructure. Hosts are provisioned with certificates that are signed by the VMware Certificate Authority (VMCA) by default.

See the VMware white paper Security of the VMware vSphere Hypervisor for more information about ESXi security.


ESXi is not built upon the Linux kernel or a commodity Linux distribution. It uses its own VMware specialized and proprietary kernel and software tools, delivered as a self-contained unit, and does not contain applications and components from Linux distributions.

Starting in vSphere 8.0 Update 1, ESXi runs two reverse proxy services:

  • VMware reverse proxy service, rhttpproxy
  • Envoy

Envoy owns port 443, and all incoming ESXi requests are routed through Envoy. Starting in vSphere 8.0 Update 1, rhttpproxy serves as a configuration management server for Envoy.