Host Client UI loads up using vSAN VMkernel IP instead of Management IP


Article ID: 430856


Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

  • The ESXi host is configured with multiple VMkernel adapters to separate traffic types: vmk0 for Management and vmk2 for vSAN.
  • Each adapter has a different service enabled on it: Management on vmk0 and vSAN on vmk2.
  • The two VMkernel adapters are in different IP subnets but use the same default TCP/IP stack.

Environment

VMware ESXi 

Cause

By default, the service responsible for loading the Host Client UI binds to the wildcard address 0.0.0.0. In networking, this tells the service to listen for incoming requests on every IP address assigned to the host within the default TCP/IP stack. Because vmk0 (Management) and vmk2 (vSAN) share the same stack, the UI is reachable on both IPs, which is why the Host Client UI also loads when you browse to the vSAN IP.

Resolution

Access can be restricted by making changes at the ESXi firewall.
By default, the firewall allows each service to be reached from all IP addresses. To restrict traffic, configure each service to allow traffic only from your management subnet. You can also deselect services that your environment does not use.

  • Click Networking in the VMware Host Client inventory and click Firewall rules.
  • Click a service from the list and click Edit settings.
  • In the Allowed IP Addresses section, click Only allow connections from the following networks and enter the IP addresses of networks that you want to connect to the host.
  • Separate IP addresses with commas. You can use the following address formats:
    • 192.168.0.0/24
    • 192.168.1.2, 2001::1/64
    • fd3e:29a6:0a81:e478::/64
  • Click OK
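
The same restriction can be scripted from the ESXi Shell with esxcli. The following is an added example, not part of the original article: it validates a comma-separated network list and only prints the commands for review. RULESET_ID is a placeholder and the sample list is constructed from the address formats above.

```shell
#!/bin/sh
# Added example: print the esxcli equivalent of the Host Client steps above.
# RULESET_ID is a placeholder (assumption); look up the real ID with:
#   esxcli network firewall ruleset list
RULESET_ID="${RULESET_ID:-REPLACE_WITH_RULESET_ID}"

# Trim surrounding whitespace from one list entry.
trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'; }

# Accept only characters that can occur in an IPv4/IPv6 address with an
# optional /prefix; reject empty entries and entries with two slashes.
valid_entry() {
    case "$1" in
        ''|*[!0-9A-Fa-f.:/]*) return 1 ;;
        */*/*) return 1 ;;
    esac
    return 0
}

# build_commands "<comma-separated networks>"
# Prints one command per line. Returns 1 and prints no commands if the list
# is empty or any entry is malformed, so a bad list can never produce a
# ruleset that has allowed-all disabled and an incomplete allow list.
build_commands() {
    list=$1
    [ -n "$list" ] || { echo "empty allow list" >&2; return 1; }
    out="esxcli network firewall ruleset set --ruleset-id=$RULESET_ID --allowed-all=false"
    old_ifs=$IFS; IFS=,
    set -f; set -- $list; set +f      # split on commas without globbing
    IFS=$old_ifs
    for raw in "$@"; do
        entry=$(trim "$raw")
        if ! valid_entry "$entry"; then
            echo "rejected entry: '$entry'" >&2
            return 1
        fi
        out="$out
esxcli network firewall ruleset allowedip add --ruleset-id=$RULESET_ID --ip-address=$entry"
    done
    printf '%s\n' "$out" \
        "esxcli network firewall ruleset allowedip list --ruleset-id=$RULESET_ID"
}

# Constructed sample input using the address formats listed above.
build_commands "192.168.0.0/24, 192.168.1.2, fd3e:29a6:0a81:e478::/64"
```

Review the printed commands and confirm that the subnet of your own management workstation is in the list before running them on the host.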

Additional Information

For more information about the firewall settings on an ESXi host, refer to the article: Add Allowed IP Addresses for an ESXi Host by Using the VMware Host Client