Blocking access to our VMware ESXi and vCSA hosts

Controlling who can reach its servers is a must for any organization, regardless of whether the network is already segmented with VLANs or filtered by physical firewalls. A good complement is micro-segmentation or, to keep things simpler in some cases, also turning on the operating system's own firewall.

So in today's post we'll look at exactly that: how to restrict access to our VMware ESXi hypervisors and to the VMware vCSA management appliance using their own built-in firewalls, allowing only the connections we actually need. The point is that if a bug, ransomware or anything else gets further into the network than it should, the damage is limited as much as possible. Access to the management interfaces is of course still necessary, so we narrow it down: which systems may connect to the vCSA, from which IP addresses, and the same for the ESXi hosts.

VMware ESXi firewall

We can edit the ESXi firewall in several ways: from the CLI, from the host's own web client, or from vCenter, either host by host or centrally through a Host Profile. In the vSphere Client, selecting a host and going to "Configure" > "System" > "Firewall" lets us edit the rules each hypervisor ships with, both incoming and outgoing.

In the incoming rules, look for "vSphere Web Client", which is normally used on 443/TCP and 902/TCP, and "vSphere Web Access", which uses 80/TCP. For each rule we can enter a comma-separated list of IP addresses; that list becomes the only set of sources allowed to reach the service. Usually these are the management workstations and jump hosts, plus backup servers or other services that need to talk to the host directly, such as a VDI infrastructure… Don't forget vCenter itself: it manages the hosts over these same ports (443 and 902), so if its address is missing from the list vCenter loses contact with the host.

If SSH is enabled on the hosts, we can edit the "Secure Shell" firewall rule in the same way to state from which IP addresses SSH connections are accepted. Include the jump host you actually use for SSH; otherwise the only way back in is the local console (DCUI), which the firewall does not affect.
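The same restriction applied from the CLI, as an added example that is not the post's own code: a small POSIX shell script that uses esxcli on the host to turn off "allow all" on a ruleset and whitelist the permitted sources, validating every address before it touches the firewall so a typo cannot leave a rule half-configured. The ruleset IDs vSphereClient, webAccess and sshServer are the esxcli names of the three rules discussed above; the addresses, variable names and the script name are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original post): restrict inbound ESXi firewall
# rulesets to a whitelist of management addresses with esxcli. Run it on the
# host itself (SSH as root); DRY_RUN=1 prints the commands instead of running
# them. The addresses below are placeholders, not real infrastructure.

DRY_RUN="${DRY_RUN:-0}"

# Execute the given command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept a dotted-quad IPv4 address with an optional /prefix (0-32); both
# forms are accepted by "esxcli ... allowedip add". Returns 1 on anything else.
valid_ip() {
    addr="${1%/*}"
    if [ "$addr" != "$1" ]; then
        prefix="${1#*/}"
        case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# restrict_ruleset <ruleset-id> <ip-or-cidr>...
# Disables "allow all" on the ruleset and adds each address to its allowed
# list. Every address is validated first so a bad entry cannot leave the
# ruleset half-configured (allow-all off, whitelist incomplete).
restrict_ruleset() {
    rs="$1"; shift
    [ $# -gt 0 ] || { echo "restrict_ruleset: no addresses for $rs" >&2; return 1; }
    for a in "$@"; do
        valid_ip "$a" || { echo "restrict_ruleset: bad address '$a'" >&2; return 1; }
    done
    run esxcli network firewall ruleset set --ruleset-id="$rs" --allowed-all=false
    for a in "$@"; do
        run esxcli network firewall ruleset allowedip add --ruleset-id="$rs" --ip-address="$a"
    done
}

# Apply the post's recommendation to the three inbound rulesets:
#   vSphereClient = "vSphere Web Client" (443/TCP, 902/TCP)
#   webAccess     = "vSphere Web Access" (80/TCP)
#   sshServer     = "Secure Shell" (22/TCP)
# vCenter must stay in the vSphereClient list or it loses the host.
lockdown_host() {
    VCSA="10.0.1.10"        # placeholder: vCenter Server Appliance
    MGMT="10.0.1.0/24"      # placeholder: management workstations
    JUMP="10.0.1.50"        # placeholder: jump host used for SSH
    BACKUP="10.0.2.20"      # placeholder: backup server (needs 443/902)
    restrict_ruleset vSphereClient "$VCSA" "$MGMT" "$JUMP" "$BACKUP" || return 1
    restrict_ruleset webAccess "$MGMT" "$JUMP" || return 1
    restrict_ruleset sshServer "$JUMP" || return 1
    # Show the resulting whitelist per ruleset so the change can be verified.
    run esxcli network firewall ruleset allowedip list
}

# Usage: "sh esxi-allowedip.sh preview" to see the commands,
#        "sh esxi-allowedip.sh apply" to run them on the host.
case "${1:-}" in
    preview) DRY_RUN=1; lockdown_host ;;
    apply)   lockdown_host ;;
esac
```

Run it with `preview` first and read the generated esxcli lines before using `apply`. If a host does end up unreachable from vCenter, `esxcli network firewall ruleset set --ruleset-id=vSphereClient --allowed-all=true` from the console reopens that ruleset while you fix the list.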

VMware vCSA Firewall

To change the firewall on our VMware vCSA, the vCenter Server Appliance, we open the appliance management interface in a browser on port 5480 over HTTPS, log in with a privileged account, and go to the "Firewall" menu, where rules can be added. By default everything is open.

We can create as many rules as we want, each allowing specific IP addresses or networks to connect to the vCSA, and at the end we add a deny rule that rejects everything else. Rules are evaluated in order, so the allow rules must sit above the final deny, and the first allow should cover the workstation you are configuring it from, so you don't cut off your own session. Again, think of everything in your virtual infrastructure that needs vCenter: management workstations and jump hosts, the ESXi hosts themselves, backup systems, any VMs you have built that talk to it…

As always, I hope these posts are of interest to you. The idea is always to improve and to minimize improper access; let's avoid scares 😉 May it go well for you, be very happy, and all that =)

Author

nheobug@bujarra.com
Author of the blog Bujarra.com. Whatever you need, do not hesitate to contact me, I will try to help whenever I can. Sharing is living ;) Enjoy the documents!!!
