Avoid putting vCenter Server on any network other than the management network. By limiting network connectivity, you limit certain types of attack.

vCenter Server requires access to the management network only. Avoid putting the vCenter Server system on networks such as your production network or storage network, or on any network with access to the public Internet. vCenter Server does not need access to the network where vMotion operates.

vCenter Server needs network connectivity to the following systems:

All ESXi hosts

The vCenter Server database

Other vCenter Server systems (linked mode only)

Systems that are authorized to run management clients, for example the vSphere Client, a Windows system where you use PowerCLI, or any other SDK-based client

Systems that run add-on components such as VMware vSphere Update Manager

Infrastructure services such as DNS, Active Directory, and NTP

Other systems that run components that are essential to the functionality of the vCenter Server system

Use a local firewall on the Windows system where vCenter Server is running or use a network firewall. Include IP-based access restrictions so that only necessary components can communicate with the vCenter Server system.

Use the local firewall on the Windows system where vCenter Server is installed, or a network firewall, to block access to any ports that vCenter Server does not use.
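The IP-based inbound restriction and unused-port blocking described above, applied with the Windows Firewall on the vCenter Server system, as an added example that is not VMware's own code. It assumes Windows Server 2012 or later (NetSecurity module); every address and port in it is a placeholder to replace with your own values.

```powershell
# Added example, not VMware's own code: use the built-in Windows Firewall on the
# vCenter Server system to admit inbound connections only from the component
# classes listed in the text. All addresses and ports are placeholders.

# Systems that are allowed to open connections to vCenter Server.
$EsxiHosts       = @('192.0.2.0/24')                 # all ESXi hosts (management subnet)
$LinkedVcenters  = @('192.0.2.51')                   # other vCenter Server systems (linked mode)
$AdminClients    = @('192.0.2.100', '192.0.2.101')   # vSphere Client, PowerCLI, SDK clients
$AddOnComponents = @('192.0.2.60')                   # e.g. vSphere Update Manager

# Ports vCenter Server listens on for each class of client. Replace with the
# port list published for your vCenter Server version.
$Rules = @(
    @{ Name = 'vCenter Server - ESXi hosts';         Remote = $EsxiHosts;       Ports = @('443', '902') },
    @{ Name = 'vCenter Server - linked vCenters';    Remote = $LinkedVcenters;  Ports = @('443') },
    @{ Name = 'vCenter Server - management clients'; Remote = $AdminClients;    Ports = @('443') },
    @{ Name = 'vCenter Server - add-on components';  Remote = $AddOnComponents; Ports = @('443') }
)

# Drop inbound traffic by default on every profile, so only the explicit allow
# rules below admit connections (this is what blocks the unused ports).
# Connections vCenter Server itself initiates (database, DNS, Active Directory,
# NTP) remain permitted by the default outbound policy.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

foreach ($rule in $Rules) {
    # Remove a stale copy of the rule first so the script can be re-run safely.
    Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $rule.Name `
                        -Direction Inbound -Action Allow -Protocol TCP `
                        -LocalPort $rule.Ports -RemoteAddress $rule.Remote `
                        -Profile Any -Enabled True | Out-Null
}

# Verify: every vCenter rule must carry an explicit remote-address restriction.
# A rule whose RemoteAddress is 'Any' silently defeats the IP-based restriction.
Get-NetFirewallRule -DisplayName 'vCenter Server - *' |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        $port = ($_ | Get-NetFirewallPortFilter).LocalPort -join ','
        if ($addr -eq 'Any') { Write-Warning "$($_.DisplayName) is not IP-restricted" }
        '{0,-40} ports {1,-10} from {2}' -f $_.DisplayName, $port, $addr
    }
```

Run it in an elevated PowerShell session on the vCenter Server system; the final listing is the check to keep in your change record, since a rule created later without `-RemoteAddress` reopens vCenter Server to the whole network.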