After upgrading hosts to ESXi 8.0 U2 or later, new firewall rules named etcdClientComm (port 2379) and etcdPeerComm (port 2380) appear on ESXi hosts. These rules cannot be disabled or removed.
VMware vSphere ESXi 8.0 U2 and later
Starting with vSphere 8.0 U2, ESXi uses internal etcd services to support cluster-level functionality. A minimum of three ESXi hosts per cluster are automatically designated as etcd service members, even when Kubernetes-related services are not in use.
The etcdClientComm firewall rule (port 2379) supports etcd API and client communication. The etcdPeerComm firewall rule (port 2380) supports peer-to-peer synchronization between etcd services. These firewall rules are system-managed and tied to the clusterAgent service.
The clusterAgent service runs on three ESXi hosts within the cluster at any given time. If one of those hosts enters maintenance mode, the clusterAgent service is started on another available host.
When a host is placed into maintenance mode, the clusterAgent service may stop running on that host. The etcdClientComm and etcdPeerComm firewall rules remain present because they are system-managed and tied to cluster services.
These rules are system-managed and cannot be disabled or removed.
Attempts to enable or disable these firewall rules may result in the following error:
Error: Can not enable/disable this ruleset
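Because the two etcd rulesets stay open on every host that has held the clusterAgent role, an administrator usually wants a quick inventory of which hosts expose ports 2379 and 2380 rather than another attempt to disable them. The following POSIX shell script is an added example, not VMware's code or part of this article: it reads the output of the real `esxcli network firewall ruleset list` command when run on an ESXi host, and otherwise falls back to a constructed sample of that output so the check can be exercised offline. The two-column "Name / Enabled" layout of the esxcli output is assumed.

```shell
#!/bin/sh
# Added example: report the state of the etcdClientComm (2379) and
# etcdPeerComm (2380) firewall rulesets on an ESXi 8.0 U2+ host.

# Constructed sample of `esxcli network firewall ruleset list` output.
# Not captured from a real host; used only when esxcli is unavailable.
SAMPLE_RULESET_LIST='Name                  Enabled
--------------------  -------
sshServer             true
etcdClientComm        true
etcdPeerComm          true
vsanvp                false'

# Emit "<ruleset> <enabled>" for the two etcd rulesets found on stdin.
# The header and separator lines never match the name pattern.
etcd_ruleset_state() {
  awk '$1 ~ /^etcd(Client|Peer)Comm$/ { print $1, $2 }'
}

# Succeed (exit 0) only when both etcd rulesets are listed and enabled,
# which is the expected state described in the article for 8.0 U2+.
etcd_rulesets_enabled() {
  count=$(etcd_ruleset_state | awk '$2 == "true" { n++ } END { print n + 0 }')
  [ "$count" -eq 2 ]
}

# Prefer live esxcli output; fall back to the constructed sample.
get_ruleset_list() {
  if command -v esxcli >/dev/null 2>&1; then
    esxcli network firewall ruleset list
  else
    printf '%s\n' "$SAMPLE_RULESET_LIST"
  fi
}

# Stand-alone run: print a one-line verdict for this host.
if get_ruleset_list | etcd_rulesets_enabled; then
  echo "etcdClientComm and etcdPeerComm are present and enabled (expected on ESXi 8.0 U2 and later)"
else
  echo "etcd rulesets missing or disabled: host may predate 8.0 U2 or the output format differs"
fi
```

Run the script on each host of the cluster (or feed it saved esxcli output) to confirm which hosts expose the etcd ports; since the article states the rulesets cannot be toggled, the useful follow-up is to record these hosts in the firewall inventory rather than to change the rules.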