If you access ESX hosts through vCenter Server, you typically protect vCenter Server using a firewall. This firewall provides basic protection for your network.

A firewall might lie between the clients and vCenter Server. Alternatively, vCenter Server and the clients can be behind the firewall, depending on your deployment. The main point is to ensure that a firewall is present at what you consider to be an entry point for the system.

If you use vCenter Server, you can install firewalls at any of the locations shown in Sample vSphere Network Configuration and Traffic Flow. Depending on your configuration, you might not need all the firewalls in the illustration, or you might need firewalls in other locations. In addition, your configuration might include optional modules, such as VMware vCenter Update Manager, that are not shown. Refer to the documentation for information about firewall setups specific to products like Update Manager.

For a comprehensive list of TCP and UDP ports, including those for VMware vMotion™ and VMware Fault Tolerance, see TCP and UDP Ports for Management Access.

Sample vSphere Network Configuration and Traffic Flow
This diagram shows a sample vSphere network configuration and traffic flow.

Networks configured with vCenter Server can receive communications through several types of clients: the vSphere Client, vSphere Web Access, or third-party network management clients that use the SDK to interface with the host. During normal operation, vCenter Server listens for data from its managed hosts and clients on designated ports. vCenter Server also assumes that its managed hosts listen for data from vCenter Server on designated ports. If a firewall is present between any of these elements, you must ensure that the firewall has open ports to support data transfer.

You might also include firewalls at a variety of other access points in the network, depending on how you plan to use the network and the level of security various devices require. Select the locations for your firewalls based on the security risks that you have identified for your network configuration. The following is a list of firewall locations common to ESX implementations. Many of the firewall locations in the list and shown in Sample vSphere Network Configuration and Traffic Flow are optional.

Between your Web browser and the vSphere Web Access HTTP and HTTPS proxy server.

Between the vSphere Client, vSphere Web Access Client, or a third-party network-management client and vCenter Server.

If your users access virtual machines through the vSphere Client, between the vSphere Client and the ESX host. This connection is in addition to the connection between the vSphere Client and vCenter Server, and it requires a different port.

If your users access virtual machines through a Web browser, between the Web browser and the ESX host. This connection is in addition to the connection between the vSphere Web Access Client and vCenter Server, and it requires different ports.

Between vCenter Server and the ESX hosts.

Between the ESX hosts in your network. Although traffic between hosts is usually considered trusted, you can add firewalls between them if you are concerned about security breaches from machine to machine.

If you add firewalls between ESX hosts and plan to migrate virtual machines between the servers, perform cloning, or use vMotion, you must also open ports in any firewall that divides the source host from the target hosts so that the source and targets can communicate.

Between the ESX hosts and network storage such as NFS or iSCSI storage. These ports are not specific to VMware, and you configure them according to the specifications for your network.
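The list above is easier to keep correct if it is written down as data: one required flow per (source, destination, protocol, port), and one rule set per firewall location. The following script is an added example, not VMware's code or part of this documentation. It models the firewall locations from the list as zones, records the flows that must cross them, and reports any flow a firewall would drop. The port numbers are the well-known vSphere defaults (443 for client and vCenter Server management traffic, 902/903 for the vSphere Client to an ESX host, 8000 for vMotion, 2049 for NFS, 3260 for iSCSI); treat them as an assumption and confirm them against TCP and UDP Ports for Management Access. The zone names and the `sample_firewalls` rule sets are constructed for the example; the deliberately incomplete host-to-host rule set shows the vMotion case described above, where a firewall between ESX hosts is in place but the migration port was never opened.

```python
"""Model the firewall locations from the sample vSphere configuration and
check that every required traffic flow is permitted by the firewall it crosses.
Added example; zones, rule sets and default ports are assumptions, not
values taken from the VMware documentation."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Rule = Tuple[str, int]        # (protocol, port)
Direction = Tuple[str, str]   # (source zone, destination zone)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int
    purpose: str


class Firewall:
    """A firewall placed between two zones; traffic is dropped unless a rule
    for that direction and (protocol, port) is present."""

    def __init__(self, zone_a: str, zone_b: str,
                 allowed: Dict[Direction, Set[Rule]]) -> None:
        self.zones: FrozenSet[str] = frozenset({zone_a, zone_b})
        self.allowed = allowed

    def permits(self, flow: Flow) -> bool:
        return (flow.proto, flow.port) in self.allowed.get((flow.src, flow.dst), set())


# Ports are the documented vSphere defaults (assumption: confirm them against
# "TCP and UDP Ports for Management Access" before relying on them).
REQUIRED_FLOWS: List[Flow] = [
    Flow("client", "vcenter", "tcp", 443, "vSphere Client / Web Access to vCenter Server"),
    Flow("client", "esx_a", "tcp", 902, "vSphere Client to ESX host (virtual machine access)"),
    Flow("client", "esx_a", "tcp", 903, "vSphere Client virtual machine console"),
    Flow("vcenter", "esx_a", "tcp", 443, "vCenter Server to managed ESX host"),
    Flow("vcenter", "esx_a", "tcp", 902, "vCenter Server to ESX host agent"),
    Flow("esx_a", "vcenter", "udp", 902, "ESX host heartbeat to vCenter Server"),
    Flow("esx_a", "esx_b", "tcp", 8000, "vMotion between ESX hosts"),
    Flow("esx_a", "storage", "tcp", 2049, "NFS datastore"),
    Flow("esx_a", "storage", "tcp", 3260, "iSCSI datastore"),
]


def sample_firewalls(open_vmotion: bool) -> List[Firewall]:
    """Constructed rule sets for the firewall locations listed on the page.
    With open_vmotion=False the host-to-host firewall carries no rule for
    vMotion, the omission the page warns about."""
    host_to_host: Dict[Direction, Set[Rule]] = {("esx_a", "esx_b"): set()}
    if open_vmotion:
        host_to_host[("esx_a", "esx_b")].add(("tcp", 8000))
    return [
        Firewall("client", "vcenter", {("client", "vcenter"): {("tcp", 443)}}),
        Firewall("client", "esx_a", {("client", "esx_a"): {("tcp", 902), ("tcp", 903)}}),
        Firewall("vcenter", "esx_a", {
            ("vcenter", "esx_a"): {("tcp", 443), ("tcp", 902)},
            ("esx_a", "vcenter"): {("udp", 902)},
        }),
        Firewall("esx_a", "esx_b", host_to_host),
        Firewall("esx_a", "storage", {("esx_a", "storage"): {("tcp", 2049), ("tcp", 3260)}}),
    ]


def audit(flows: List[Flow], firewalls: List[Firewall]) -> List[str]:
    """Return one finding per required flow that a firewall on its path drops.
    A flow between zones with no firewall between them needs no rule."""
    findings: List[str] = []
    for flow in flows:
        for fw in firewalls:
            if fw.zones == frozenset({flow.src, flow.dst}) and not fw.permits(flow):
                findings.append(
                    f"{flow.src}->{flow.dst} {flow.proto}/{flow.port} blocked ({flow.purpose})")
    return findings


if __name__ == "__main__":
    for finding in audit(REQUIRED_FLOWS, sample_firewalls(open_vmotion=False)):
        print(finding)
    print("after opening vMotion:", audit(REQUIRED_FLOWS, sample_firewalls(open_vmotion=True)))
```

Run stand-alone, the first audit reports only the blocked vMotion flow between the two ESX hosts and the second, with the port opened, reports nothing. Replacing the constructed rule sets with the ones exported from your own firewalls turns this into a quick check that every firewall you placed at an entry point still passes the flows vCenter Server and its managed hosts depend on.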