How to open and close firewall ports on VMware ESXi hosts

• Author
• Recent Posts

Vladan Seget

Vladan Seget is an independent consultant, professional blogger, vExpert 2009-2021, VCAP-DCA/DCD and MCSA. He has been working for over 20 years as a system engineer.

Latest posts by Vladan Seget (see all)

• Disaster recovery strategies for vCenter Server appliance VM - Fri, Nov 26 2021
• Install the free new VMware Tanzu Community Edition - Fri, Nov 12 2021
• How to migrate VCSA to a new host without VMotion - Fri, Nov 5 2021

Whether vCenter Server manages the host or it is a standalone ESXi host, different tools and access paths can do this. The vSphere Web Client and the VMware Host Client allow you to open and close firewall ports for each service or allow traffic from selected IP addresses.

You'll be using the vSphere Web Client (HTML5) if you have VMware vCenter Server in your environment. Or if you are using a standalone ESXi host only, you'll use ESXi Host Client for the job.

For both tools, you do not need to install any software to your management workstation or laptop, and you can use Windows, Linux, or Mac. That's quite some progress since in the past, the most used utility for VMware vSphere was a Windows C++ client, now discontinued.

Use vSphere Host Client (no vCenter server available) ^

In this scenario, we just have a single ESXi host (ESXi 6.7), not managed by vCenter Server. We will look at how to open a port in a second. But before that, I'd like to point out that even if ESXi itself has a free version you can administer this way, it does not allow you to use backup software that can take advantage of VMware changed block tracking (CBT) and do incremental backups.

Note: You don't necessarily need to deploy vCenter Server, but you will need to assign a paid CPU license to the ESXi host to unlock the application programming interface (API).

This is because ESXi has a limited set of API features that won't work with third-party backup software. Other limits of free ESXi are you can only have two physical CPU sockets and can only create eight virtual CPU (vCPU) virtual machines (VMs).

But let's get back to our principal mission to show you how to access the firewall settings and open a closed firewall port.

Connect to your ESXi host via vSphere Host Client (HTML5) by going to this URL:

https://ip_of_esxi/UI

After connecting to your ESXi host, go to Networking > Firewall Rules. You'll see that the VMware Host Client displays a list of active incoming and outgoing connections with the corresponding firewall ports.

Enable a firewall rule in ESXi Host Client

Note: When the rule is grayed out, it is disabled (thus, you can enable it) and vice versa.

For some services, you can manage service details. Right-click a service and select an option from the pop-up menu.

vSphere Web Client (with vCenter) ^

First you'll need to connect to your vCenter Server via the vSphere Web Client. Go to Hosts and clusters, select Host, and go to Configure > Firewall.

Then select the firewall rule you want to change and click Edit.

How to open or block firewall ports on a VMware ESXi 6.7 host

In my example, I'll show you how I configured my firewall rule for NFS access only from a single IP, denying all other IPs. Here is a view of the rule when you click it. As you can see, I unchecked Allow connections from any IP address and entered a single IP that can access my ESXi host.

Allow connections only from a single IP

For some firewall rules, when you open the port, you also need to start the service. For example, after opening a firewall rule for the SNMP port, you'll need to go to the Services page and start and configure the service.

Start the SNMP service

As you can see, both the ESXi Host Client and vSphere Web Client allow you to open and close firewall ports. But you can only manage predefined ports. Can we create custom firewall ports? The answer is yes; however, you'll need to use the VMware command-line interface (CLI) for the job, and I'm not sure that's a supported scenario.

While ESXi 5.x supported this scenario, I haven't found a VMware knowledge base (KB) article detailing the steps for ESXi 6.x. So it's up to you. I'll give you the URL for the VMware KB called Creating custom firewall rules in VMware ESXi 5.x.

Via a Secure Shell (SSH) session using the PuTTY client, for example, you can check the open ports with this command:

esxcli network firewall ruleset list

Final words ^

To some extent, VMware locked out access to custom rules, but there are many predefined ones. Why not try out the predefined ones before going and creating custom ones?

Another gotcha you might encounter is the fact you must configure these custom rules a certain way so they persist across reboots.

You'll need to be familiar with the vi Linux editor because you'll need to modify and create XML files—so it's not that easy of a task. I'm not saying it's not possible, but when it comes to support, I'm not sure VMware still supports it.