Security administrators use firewalls to safeguard the network or selected components in the network from intrusion.
Firewalls control access to devices within their perimeter by closing all ports except for ports that the administrator explicitly or implicitly designates as authorized. The ports that administrators open allow traffic between devices on different sides of the firewall.
In a virtual machine environment, you can plan the layout for firewalls between components.
- Firewalls between physical machines such as vCenter Server systems and ESXi hosts.
- Firewalls between one virtual machine and another, for example, between a virtual machine acting as an external Web server and a virtual machine connected to your company’s internal network.
- Firewalls between a physical machine and a virtual machine, such as when you place a firewall between a physical network adapter card and a virtual machine.
How you use firewalls in your ESXi configuration is based on how you plan to use the network and how secure any given component has to be. For example, if you create a virtual network where each virtual machine is dedicated to running a different benchmark test suite for the same department, the risk of unwanted access from one virtual machine to the next is minimal. Therefore, a configuration where firewalls are present between the virtual machines is not necessary. However, to prevent interruption of a test run from an outside host, you can configure a firewall at the entry point of the virtual network to protect the entire set of virtual machines.
For the list of all supported ports and protocols in VMware products, including vSphere and vSAN, see the VMware Ports and Protocols Tool™ at https://ports.vmware.com/. You can search ports by VMware product, create a customized list of ports, and print or save port lists.
Firewalls for Configurations with vCenter Server
If you access ESXi hosts through vCenter Server, you typically protect vCenter Server using a firewall.
Firewalls must be present at entry points. A firewall might lie between the clients and vCenter Server, or vCenter Server and the clients might both sit behind the same firewall.
Networks configured with vCenter Server can receive communications through the vSphere Client, other UI clients, or clients that use the vSphere API. During normal operation, vCenter Server listens for data from its managed hosts and clients on designated ports. vCenter Server also assumes that its managed hosts listen for data from vCenter Server on designated ports. If a firewall is present between any of these elements, you must ensure that the firewall has open ports to support data transfer.
You might also include firewalls at other access points in the network, depending on the network usage and on the level of security that clients require. Select the locations for your firewalls based on the security risks for your network configuration. The following firewall locations are commonly used.
- Between the vSphere Client or a third-party network-management client and vCenter Server.
- If your users access virtual machines through a Web browser, between the Web browser and the ESXi host.
- If your users access virtual machines through the vSphere Client, between the vSphere Client and the ESXi host. This connection is in addition to the connection between the vSphere Client and vCenter Server, and it requires a different port.
- Between vCenter Server and the ESXi hosts.
- Between the ESXi hosts in your network. Although traffic between hosts is usually considered trusted, you can add firewalls between them if you are concerned about security breaches from machine to machine.
If you add firewalls between ESXi hosts and plan to migrate virtual machines between them, open ports in any firewall that divides the source host from the target hosts.
- Between the ESXi hosts and network storage such as NFS or iSCSI storage. These ports are not specific to VMware. Configure them according to the specifications for your network.
Connecting to vCenter Server Through a Firewall
Open TCP port 443 in the firewall to enable vCenter Server to receive data.
By default, vCenter Server uses TCP port 443 to listen for data from its clients. If you have a firewall between vCenter Server and its clients, you must configure a connection through which vCenter Server can receive data from the clients. Firewall configuration depends on what is used at your site; ask your local firewall system administrator for information.
Connecting ESXi Hosts Through Firewalls
If you have a firewall between your ESXi hosts and vCenter Server, ensure that the managed hosts can receive data.
To configure a connection for receiving data, open ports for traffic from services such as vSphere High Availability, vMotion, and vSphere Fault Tolerance. See Configuring the ESXi Firewall for a discussion of configuration files, vSphere Client access, and firewall commands. For a list of ports, see the VMware Ports and Protocols Tool™ at https://ports.vmware.com.
Firewalls for Configurations Without vCenter Server
If your environment does not include vCenter Server, clients can connect directly to the ESXi network, for example:
- VMware Host Client
- ESXCLI interface
- vSphere Web Services SDK or vSphere Automation SDKs
- Third-party clients
Use a firewall to protect your ESXi layer or, depending on your configuration, your clients and the ESXi layer. This firewall provides basic protection for your network.
Licensing in this type of configuration is part of the ESXi package that you install on each of the hosts. Because licensing is resident to ESXi, a separate License Server with a firewall is not required.
You can configure firewall ports using ESXCLI or using the VMware Host Client. See vSphere Single Host Management - VMware Host Client.
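The ESXi firewall is managed as named rulesets, and an enabled ruleset that allows "All" source addresses is the usual gap an audit finds. The following script is an added example, not VMware code, that covers the ESXCLI route mentioned above and in Connecting ESXi Hosts Through Firewalls: it parses the text that `esxcli network firewall ruleset list` and `esxcli network firewall ruleset allowedip list` print, flags enabled rulesets that are reachable from any source or from networks outside an expected policy, and emits the esxcli commands that restrict or disable them. Both command outputs are constructed samples, and EXPECTED_SOURCES is an assumed policy for a management network of 10.0.5.0/24, a storage network of 192.168.20.0/24 and a vMotion/FT network of 192.168.30.0/24.

```python
"""Audit the ESXi host firewall from esxcli output (added example, not VMware code).

Parses constructed samples of `esxcli network firewall ruleset list` and
`esxcli network firewall ruleset allowedip list`, reports enabled rulesets
that are wider open than EXPECTED_SOURCES (an assumed policy), and builds
the esxcli commands that correct them.
"""
import ipaddress

# Constructed sample, not captured from a real host.
RULESET_LIST = """\
Name            Enabled
--------------  -------
sshServer          true
sshClient         false
nfsClient          true
vMotion            true
faultTolerance     true
webAccess          true
vSphereClient      true
CIMHttpServer      true
"""

# Constructed sample, not captured from a real host.
ALLOWEDIP_LIST = """\
Ruleset         Allowed IP Addresses
--------------  --------------------
sshServer       All
sshClient       All
nfsClient       192.168.20.0/24
vMotion         All
faultTolerance  All
webAccess       All
vSphereClient   10.0.5.0/24, 10.0.5.200
CIMHttpServer   All
"""

# Assumed policy: rulesets that should be enabled and the networks they may
# be reached from. An enabled ruleset not listed here is reported for disabling.
EXPECTED_SOURCES = {
    "sshServer": ["10.0.5.0/24"],
    "vSphereClient": ["10.0.5.0/24"],
    "webAccess": ["10.0.5.0/24"],
    "nfsClient": ["192.168.20.0/24"],
    "vMotion": ["192.168.30.0/24"],
    "faultTolerance": ["192.168.30.0/24"],
}


def _rows(text):
    """Yield (name, rest) for each data row of a two-column esxcli table."""
    for line in text.strip().splitlines()[2:]:  # skip the header and dashes lines
        if line.strip():
            name, rest = line.split(None, 1)
            yield name, rest.strip()


def parse_rulesets(text):
    """Map ruleset name -> True when enabled."""
    return {name: value.lower() == "true" for name, value in _rows(text)}


def parse_allowed_ips(text):
    """Map ruleset name -> list of allowed networks, or None when it allows 'All'."""
    return {name: None if value == "All" else [v.strip() for v in value.split(",")]
            for name, value in _rows(text)}


def _within(cidr, allowed_nets):
    """True when cidr (a host or a network) lies inside one of allowed_nets."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(ipaddress.ip_network(a)) for a in allowed_nets)


def audit(rulesets, allowed, expected=EXPECTED_SOURCES):
    """Return (ruleset, action, wanted_sources) for every enabled ruleset that is too open."""
    findings = []
    for name, enabled in rulesets.items():
        if not enabled:
            continue  # a disabled ruleset is closed whatever its allowed list says
        if name not in expected:
            findings.append((name, "disable", None))
            continue
        sources = allowed.get(name)
        if sources is None or not all(_within(s, expected[name]) for s in sources):
            findings.append((name, "restrict", expected[name]))
    return findings


def remediation(findings):
    """esxcli commands for each finding. The allowed networks are added before
    allowed-all is turned off; in the other order the session you are typing in
    can be the first connection the tightened ruleset drops."""
    cmds = []
    for name, action, wanted in findings:
        if action == "disable":
            cmds.append(f"esxcli network firewall ruleset set --ruleset-id={name} --enabled=false")
            continue
        for net in wanted:
            cmds.append(f"esxcli network firewall ruleset allowedip add --ruleset-id={name} --allowed-ip={net}")
        cmds.append(f"esxcli network firewall ruleset set --ruleset-id={name} --allowed-all=false")
    return cmds


if __name__ == "__main__":
    found = audit(parse_rulesets(RULESET_LIST), parse_allowed_ips(ALLOWEDIP_LIST))
    for finding in found:
        print(finding)
    print("\n".join(remediation(found)))
```

On a real host, run the two esxcli list commands, feed their output to the parsers in place of the samples, and review the generated commands before running them; a ruleset such as vSphereClient that carries your own management subnet is the one to get right first.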
Connecting to the Virtual Machine Console Through a Firewall
Certain ports must be open for user and administrator communication with the virtual machine console. Which ports must be open depends on the type of virtual machine console, and on whether you connect through vCenter Server with the vSphere Client or directly to the ESXi host from the VMware Host Client.
For more information about ports, purpose, and classification (incoming, outgoing, or bidirectional), see the VMware Ports and Protocols Tool™ at https://ports.vmware.com.
Connecting to a Browser-Based Virtual Machine Console Through the vSphere Client
When you are connecting with the vSphere Client, you always connect to the vCenter Server system that manages the ESXi host, and access the virtual machine console from there.
If you are using the vSphere Client and connecting to a browser-based virtual machine console, the following access must be possible:
- The firewall must allow vSphere Client to access vCenter Server on port 443.
- The firewall must allow vCenter Server to access the ESXi host on port 902.
Connecting to a VMware Remote Console Through the vSphere Client
If you are using the vSphere Client and connecting to a VMware Remote Console (VMRC), the following access must be possible:
- The firewall must allow the vSphere Client to access vCenter Server on port 443.
- The firewall must allow the VMRC to access vCenter Server on port 443. The VMRC also connects to the ESXi host directly: on port 902 for VMRC versions before 11.0, and on port 443 for VMRC version 11.0 and later. For more information about VMRC version 11.0 and ESXi port requirements, see the VMware knowledge base article at https://kb.vmware.com/s/article/76672.
Connecting to ESXi Hosts Directly with the VMware Host Client
The firewall must allow access to the ESXi host on ports 443 and 902.
The VMware Host Client uses port 902 to provide a connection for guest operating system MKS activities on virtual machines. It is through this port that users interact with the guest operating systems and applications of the virtual machine. VMware does not support configuring a different port for this function.
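The three console paths above each need a different set of flows through the perimeter firewall, and the VMRC requirement changes with the VMRC version. The following script is an added example, not VMware code: required_flows() encodes the port requirements this section lists for each path, and missing_flows() checks them against a constructed export of a perimeter firewall's allow rules and reports the flows that are still blocked. The addresses in HOSTS, the rules in ALLOW_RULES and the rule format are assumptions made for this example.

```python
"""Check perimeter-firewall rules against the console-access flows (added example, not VMware code).

required_flows() returns the (source role, destination role, TCP port)
flows this section lists for a console path; missing_flows() reports which
of them a constructed allow list does not permit.
"""
import ipaddress

# Constructed topology (assumption): the vSphere Client, VMRC and VMware
# Host Client all run on the administrator's workstation, "client".
HOSTS = {
    "client": "10.0.5.23",
    "vcenter": "10.0.1.10",
    "esxi": "10.0.2.41",
}

# Constructed perimeter-firewall allow list: (source network, destination network, TCP port).
ALLOW_RULES = [
    ("10.0.5.0/24", "10.0.1.10/32", 443),  # admin workstations -> vCenter Server
    ("10.0.1.10/32", "10.0.2.0/24", 902),  # vCenter Server -> ESXi hosts
]


def _version(v):
    """'11.0' -> (11, 0) so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in v.split("."))


def required_flows(path, vmrc_version=None):
    """Flows the section requires for a console path, as (src role, dst role, port)."""
    if path == "browser-console":
        # vSphere Client -> vCenter Server on 443, vCenter Server -> ESXi host on 902
        return [("client", "vcenter", 443), ("vcenter", "esxi", 902)]
    if path == "vmrc":
        if vmrc_version is None:
            raise ValueError("VMRC path needs vmrc_version, for example '11.0'")
        # VMRC before 11.0 reaches the ESXi host on 902, from 11.0 on 443
        esxi_port = 902 if _version(vmrc_version) < (11, 0) else 443
        # the vSphere Client and the VMRC both reach vCenter Server on 443 from the client
        return [("client", "vcenter", 443), ("client", "esxi", esxi_port)]
    if path == "host-client":
        # VMware Host Client: 443 for the UI, 902 for the MKS console connection
        return [("client", "esxi", 443), ("client", "esxi", 902)]
    raise ValueError(f"unknown console path {path!r}")


def _permitted(src, dst, port, rules):
    """True when some allow rule covers this source, destination and port."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn) and port == p
               for sn, dn, p in rules)


def missing_flows(path, vmrc_version=None, rules=ALLOW_RULES, hosts=HOSTS):
    """Required flows for the path that no allow rule permits."""
    return [(src, dst, port) for src, dst, port in required_flows(path, vmrc_version)
            if not _permitted(hosts[src], hosts[dst], port, rules)]


if __name__ == "__main__":
    for path, ver in [("browser-console", None), ("vmrc", "10.0.5"),
                      ("vmrc", "12.0"), ("host-client", None)]:
        print(path, ver or "", "blocked:", missing_flows(path, ver))
```

With the constructed rules, the browser-based console works, an older VMRC is blocked on 902 to the host, a current VMRC is blocked on 443 to the host, and the Host Client is blocked on both ports; those are exactly the rules the firewall administrator has to add, and nothing wider.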