General guidelines about the vCenter firewall configuration.
VMware vCenter 7.x
VMware vCenter 8.x
vCenter processes the firewall rules in sequence, from top to bottom, and applies the first rule that matches a connection.
If a 0.0.0.0/0 Reject rule is defined, make sure that the IP addresses of all ESXi hosts and of any integrations are covered by an Accept rule placed above it.
The order of the rules is therefore critical to defining the firewall configuration correctly.
Example Rule table:

| Order | Network Interface | IP Address | Action |
|-------|-------------------|------------|--------|
| 1 | nic0 | Network CIDR Block | Accept |
| 2 | nic0 | 0.0.0.0/0 | Reject |
Example Rule table:

| Order | Network Interface | IP Address | Action |
|-------|-------------------|------------|--------|
| 1 | nic0 | <IP_Addr>/32 | Accept |
| 2 | nic0 | Network CIDR Block | Accept |
| 3 | nic0 | Network CIDR Block | Reject |
| 4 | nic0 | 0.0.0.0/0 | Reject |
Note: A 0.0.0.0/0 Reject rule blocks every connection that no earlier rule has accepted.
If the firewall rules are defined in the wrong order (for example, with the Reject rule first), vCenter will lose connectivity.
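The following Python script is an added example, not part of the original article or of any VMware tool. It models the first-match, top-to-bottom evaluation described above so that a planned rule table can be checked offline before it is applied: every ESXi host and integration address must reach an Accept rule before the 0.0.0.0/0 Reject. The rule sets, host addresses and the assumption that a connection matching no rule is allowed are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    order: int
    interface: str
    network: str   # CIDR block, e.g. "10.10.0.0/24" or "0.0.0.0/0"
    action: str    # "Accept" or "Reject"


def evaluate(rules, interface, ip):
    """Return the action of the first rule (by Order) that matches interface and ip."""
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.order):
        if rule.interface != interface:
            continue
        if addr in ipaddress.ip_network(rule.network, strict=False):
            return rule.action
    # Assumption: with no matching rule the appliance behaves as if no firewall
    # rules were defined and allows the connection.
    return "Accept"


def check_required_hosts(rules, interface, required):
    """Return the required addresses that would NOT be accepted by the rule set."""
    return [ip for ip in required if evaluate(rules, interface, ip) != "Accept"]


# Constructed sample data: two ESXi hosts on the management network and one
# backup integration host outside it.
MGMT_CIDR = "10.10.0.0/24"
REQUIRED_HOSTS = ["10.10.0.11", "10.10.0.12", "192.168.50.5"]

# Correct order: specific Accept rules first, catch-all Reject last.
GOOD_RULES = [
    Rule(1, "nic0", "192.168.50.5/32", "Accept"),
    Rule(2, "nic0", MGMT_CIDR, "Accept"),
    Rule(3, "nic0", "0.0.0.0/0", "Reject"),
]

# Wrong order: the catch-all Reject is evaluated first, so nothing is accepted.
BAD_RULES = [
    Rule(1, "nic0", "0.0.0.0/0", "Reject"),
    Rule(2, "nic0", "192.168.50.5/32", "Accept"),
    Rule(3, "nic0", MGMT_CIDR, "Accept"),
]

# Correct order, but the integration host was forgotten.
MISSING_INTEGRATION_RULES = [
    Rule(1, "nic0", MGMT_CIDR, "Accept"),
    Rule(2, "nic0", "0.0.0.0/0", "Reject"),
]


if __name__ == "__main__":
    for name, rules in [("good", GOOD_RULES), ("bad", BAD_RULES),
                        ("missing integration", MISSING_INTEGRATION_RULES)]:
        blocked = check_required_hosts(rules, "nic0", REQUIRED_HOSTS)
        status = "OK" if not blocked else f"BLOCKED: {blocked}"
        print(f"{name:20s} -> {status}")
```

Run the check against the planned table before touching the appliance; if the list of blocked addresses is not empty, reorder or add Accept rules above the 0.0.0.0/0 Reject rather than applying the table and relying on the snapshot to recover.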
Hence, before starting the configuration, it is essential to take an offline snapshot of the vCenter as a quick rollback plan. If the vCenter is part of Enhanced Linked Mode (ELM), all vCenters in the ELM must be powered down and a snapshot taken of each of them.