Access the vCenter Server Appliance Management Interface:

• Open a web browser and navigate to the vCenter Server Appliance Management Interface at https://appliance-IP-address-or-FQDN:5480.

Log in:

• Use the root account to log in. The root password is the one you set during the deployment of the vCenter Server Appliance.

Create Allow Rules:

• Navigate to the “Firewall” section.
• Click on “Add” to create rules for the IP addresses or subnets that you want to allow access.
  
     Important:-

• • Whitelist All ESXi Management and vSAN VMkernel IPs Ensure every ESXi host’s management interface plus its vSAN VMkernel interface addresses are in your allowlist. If you use multiple VMkernel NICs (e.g., one for vSAN, one for vMotion), include them all.

  • Include Core Infrastructure Services • Domain Controllers / DNS / NTP servers • vCenter HA/Witness appliances (if deployed) • vRealize Suite components, backup proxies, monitoring tools

  • Cover vCenter’s Multiple Interfaces VCSA often has separate NICs for management (nic0), vSAN traffic, vSphere HA networks, etc. Apply your allow/reject rules on each interface where the rhttpproxy or vpxd services listen.

Create a Rule to Block All Other Traffic:

• After configuring the allowed IP addresses/subnets, create a new firewall rule to block all other traffic.
• Configure the rule with the following details:
  • Network Interface: nic0
  • IP Address: 0.0.0.0
  • Subnet Prefix Length: 0
  • Action: Reject
  • 

Important: Ensure that the access rules for the allowed IP addresses/subnets are created before applying the rule to block all other traffic. This is crucial because blocking all traffic will include your jump host access, which could prevent you from accessing the appliance if the access rules are not correctly configured.