When performing security hardening on a vCenter server, you may need to restrict access by allowing only specific IP addresses or subnets and blocking all other traffic. This is accomplished by configuring firewall rules in the vCenter Server Appliance settings.

Note that while you can set up firewall rules to accept or block traffic from specific IPs or subnets, you cannot block traffic by specific ports. The firewall rules apply to all traffic.

vCenter 7, vCenter 8. 

• Access the vCenter Server Appliance Management Interface:

  • Open a web browser and navigate to the vCenter Server Appliance Management Interface at https://appliance-IP-address-or-FQDN:5480.

• Log in:

  • Use the root account to log in. The root password is the one you set during the deployment of the vCenter Server Appliance.

• Create Allow Rules:

  • Navigate to the “Firewall” section.
  • Click on “Add” to create rules for the IP addresses or subnets that you want to allow access.

• Create a Rule to Block All Other Traffic:

  • After configuring the allowed IP addresses/subnets, create a new firewall rule to block all other traffic.
  • Configure the rule with the following details:
    • Network Interface: nic0
    • IP Address: 0.0.0.0
    • Subnet Prefix Length: 0
    • Action: Reject
    • 

  Important: Ensure that the access rules for the allowed IP addresses/subnets are created before applying the rule to block all other traffic. This is crucial because blocking all traffic will include your jump host access, which could prevent you from accessing the appliance if the access rules are not correctly configured.

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vcenter.configuration.doc/GUID-3AFB677A-8957-44C2-86DE-1D2D6CC19431.html