Post-upgrade from ESXi 8.0/8.1 to 9.1: configuration compliance drift reported (network firewall rule sets)

Article ID: 434647

Products

VMware vSphere ESXi

Issue/Introduction

After upgrading ESXi hosts from legacy versions 8.0 or 8.1 to 9.1, Configuration Management may report the hosts as non-compliant even when the desired state was compliant before the host image upgrade and the 9.1 image has been successfully applied. The reported drift often includes network firewall rule sets (for example, etcdClientConn and etcdPeerConn).

Environment

VMware vSphere ESXi

Resolution

If you see configuration compliance drift (including network firewall rule sets such as etcdClientConn and etcdPeerConn) after upgrading ESXi hosts from 8.0 or 8.1 to 9.1, you can restore compliance by creating a new configuration draft from the host after the upgrade and then applying that draft.

Steps

1. Complete the upgrade of the ESXi hosts to 9.1 and ensure the new image is applied.
2. In Configuration Management, create a new configuration draft from the ESXi host (i.e., from the current post-upgrade state of the host).
3. Apply that draft to the cluster.

After applying the draft, the host should report as compliant with the desired configuration, and the firewall rule set drift should clear.
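
Because the draft in step 2 is created from the host's current post-upgrade state, it can help to confirm first that the firewall changes are limited to the rule sets named above. The following is an added example, not part of the original article or VMware tooling: it assumes you saved the output of `esxcli network firewall ruleset list` before and after the upgrade, reads only the Name and Enabled columns, and uses constructed sample listings.

```python
# Added example: compare firewall rule set listings taken before and after the upgrade.
# Rule sets the article names as typical post-upgrade drift.
EXPECTED_DRIFT = {"etcdClientConn", "etcdPeerConn"}

# Constructed sample listings (not real host output); only Name and Enabled are used.
BEFORE = """\
Name        Enabled
----------  -------
sshServer      true
ntpClient      true
nfsClient     false
"""
AFTER = """\
Name            Enabled
--------------  -------
sshServer          true
ntpClient          true
nfsClient          true
etcdClientConn    false
etcdPeerConn      false
"""

def parse_rulesets(text):
    """Return {rule_set_name: enabled} from a saved listing, skipping header rows."""
    rulesets = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows have a literal true/false in the second column.
        if len(fields) >= 2 and fields[1] in ("true", "false"):
            rulesets[fields[0]] = fields[1] == "true"
    return rulesets

def diff_rulesets(before, after):
    """Return {name: (old, new)} for rule sets added, removed or toggled (None = absent)."""
    names = sorted(set(before) | set(after))
    return {n: (before.get(n), after.get(n)) for n in names if before.get(n) != after.get(n)}

def unexpected_drift(changes, expected=EXPECTED_DRIFT):
    """Changes outside the expected rule sets; review these before creating the draft."""
    return {n: c for n, c in changes.items() if n not in expected}

if __name__ == "__main__":
    changes = diff_rulesets(parse_rulesets(BEFORE), parse_rulesets(AFTER))
    for name, (old, new) in changes.items():
        tag = "expected" if name in EXPECTED_DRIFT else "REVIEW"
        print(f"{tag:8} {name}: {old} -> {new}")
```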