If an ESXi host is accessed through vCenter Server, it is typical to protect vCenter Server using a firewall. This firewall provides basic protection for the network.
You usually place a firewall at what is considered to be an entry point for the system. A firewall might lie between the clients and vCenter Server. Alternatively, depending on your deployment, vCenter Server and the clients might both be behind the firewall.
Networks configured with vCenter Server can receive communications through the vSphere Client or third-party network management clients. vCenter Server listens for data from its managed hosts and clients on designated ports. vCenter Server also assumes that its managed hosts listen for data from vCenter Server on designated ports. Firewalls between ESXi, vCenter Server, and other vSphere components must have open ports to support data transfer.
Firewalls might also be included at a variety of other access points in the network, depending on how you plan to use the network and the level of security that various devices require. Select the locations for firewalls based on the security risks that have been identified for your network configuration.
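The following added example (not part of the original VMware documentation) audits a firewall rule set against the flows that vCenter Server, its managed hosts, and its clients need, and flags allow rules that expose vCenter Server more widely than required. The addresses, the rule set, the first-match/default-deny semantics, and the function names are constructed for illustration, and the port numbers are common vSphere defaults assumed here, so confirm them against the port list for your release.

```python
import ipaddress

# Constructed addresses (RFC 5737 documentation ranges); replace with your own.
VCENTER, ESXI, ADMIN = "192.0.2.10", "192.0.2.21", "198.51.100.5"

# Flows the firewall must pass. Port numbers are assumed vSphere defaults;
# verify them against VMware's published port list for your version.
REQUIRED = [
    ("client -> vCenter tcp/443", ADMIN, VCENTER, "tcp", 443),
    ("vCenter -> ESXi tcp/443", VCENTER, ESXI, "tcp", 443),
    ("vCenter -> ESXi tcp/902", VCENTER, ESXI, "tcp", 902),
    ("ESXi -> vCenter udp/902", ESXI, VCENTER, "udp", 902),
]

# Constructed rule set: (action, source CIDR, destination CIDR, proto, port).
# A port of None means any port. First match wins; the default is deny.
RULES = [
    ("allow", "198.51.100.0/24", "192.0.2.10/32", "tcp", 443),
    ("allow", "192.0.2.10/32", "192.0.2.16/28", "tcp", 443),
    ("allow", "192.0.2.10/32", "192.0.2.16/28", "tcp", 902),
    ("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", None),  # any source, any port
]

def decide(rules, src, dst, proto, port):
    """Return the action of the first matching rule, or 'deny' if none match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rsrc, rdst, rproto, rport in rules:
        if (s in ipaddress.ip_network(rsrc) and d in ipaddress.ip_network(rdst)
                and proto == rproto and rport in (None, port)):
            return action
    return "deny"

def blocked_flows(rules, required):
    """Names of required flows that the rule set would drop."""
    return [name for name, s, d, proto, port in required
            if decide(rules, s, d, proto, port) != "allow"]

def overbroad_rules(rules, protected):
    """Allow rules that open a protected host to any source or on any port."""
    ip = ipaddress.ip_address(protected)
    return [r for r in rules if r[0] == "allow" and ip in ipaddress.ip_network(r[2])
            and (ipaddress.ip_network(r[1]).prefixlen == 0 or r[4] is None)]

if __name__ == "__main__":
    print("blocked required flows:", blocked_flows(RULES, REQUIRED))
    print("over-broad rules:", overbroad_rules(RULES, VCENTER))
```

With the constructed rules, the audit reports the missing UDP rule for host-to-vCenter traffic and the any-source rule in front of vCenter Server, which are the two kinds of finding to resolve before relying on the firewall.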