How to Edit Firewall Settings of vCenter Server Appliance
After you deploy a vCenter Server Appliance, you can edit vCenter firewall settings to accept or reject connections and secure the vSphere environment.
What is vCenter Server Appliance firewall
It is critical to secure the entire vSphere environment by restricting and monitoring access to the vCenter Server Appliance (VCSA).
Generally, if you access an ESXi host via vCenter Server, a firewall is used to protect the vCenter Server. This VCSA Firewall is configured per IP or Network (USING CIDR Notation) to Accept or Reject all connections. And customers can create firewall rules that allow or block access to the VCSA from specific servers, hosts, or virtual machines.
In this article, I will introduce how to edit vCenter firewall settings, as well as some other security tips.
After you deploy a vCenter Server Appliance, you can edit vCenter firewall settings and create firewall rules using the vSphere Web Client. But do you need to do that necessarily?
In fact, as the best practice suggested by VMware, the access to the VCSA should only be allowed from trusted hosts or virtual machines, and access to the remaining devices should be blocked. *Also note that some 3rd party VMware backup products or vROPs, SRM etc. should be considered when blocking access to the VCSA.
For the list of all supported ports and protocols in VMware products, including vSphere and vSAN, see the VMware Ports and Protocols Tool at https://ports.vmware.com/.
Before you edit vCenter Appliance firewall settings, you need to verify that the user who logs in to the vCenter Server instance is a member of the SystemConfiguration.Administrators group in vCenter Single Sign-On.
Since vCenter 7.0, you can directly click Firewall in vCenter Server Management Interface to edit firewall settings.
If you are using older versions, the path will take a little detour:
vCenter 6.7 firewall settings:
vCenter 6.5 firewall settings:
Then, you can start the vCenter firewall configuration.
Add a VCSA firewall rule
1. First, you can click Add to create a firewall rule,
2. Select a network interface of the virtual machine, and enter the IP address (could be IPv4 or IPv6 address) of the network to apply this rule to.
3. Enter a subnet prefix length.
4. From the Action drop-down menu, choose Accept, Ignore, Reject, or Return the connection between vCenter Server and the specified network.
5. Click Save to apply the vCenter firewall configuration.
👉To configure an existing VCSA firewall rule: Click Edit to change the settings, and click Save to confirm it.
👉To delete a VCSA firewall rule: Select the rule, click Delete. Then click Delete again at the prompt.
Reorder VCSA firewall rules
The vCenter Appliance firewall rules are applied in the order they appear in the rule table. You can move a custom rule up or down in the table to change the order or application.
1. Select a rule and click Reorder.
2. Then, select the rule to move. Click Move Up or Move Down.
3. Click Save to confirm the changes.
Configure firewall settings without vCenter Server
If your environment does not include vCenter Server, yet you want to use a firewall to protect your ESXi layer, you can directly connect to the ESXi network via the following ways:
- VMware Host Client
- ESXCLI interface
- vSphere Web Services SDK or vSphere Automation SDKs
The firewall requirements for standalone ESXi hosts are similar to the ones for vCenter Server.
Monitor vCenter Server Appliance firewall
VCSA does not log firewall (iptables related activity) by default. If you want to monitor VCSA firewall activities, you need to execute these commands at the shell of VCSA.
# iptables -N LOGGER
# iptables -A LOGGER -j LOG –log-prefix ‘iptable log: ’ ‘ --log-level 7
# iptables -A OUTPUT -j LOGGER
# iptables -I OUTPUT -j LOGGER
# iptables -I INPUT -j LOGGER
After this, you can monitor firewall logs by this command:
# journalctl -k |grep “iptable”
VMware vCenter Server is the primary control center for your vSphere environment. Whether you install it on a Windows or Linux operating system it is important to keep it in a secure state. Besides editing vCenter Appliance firewall settings, here are some best practices you can try:
Uses a static IP address and hostname for your vCenter Server system. Each IP address must have a valid internal DNS registration, including reverse name resolution.
The password of vpxuser account expires after 30 days. You can change it to comply with your security policy.
Ensure the security patches for the operating system up to date, and install an anti-virus solution.
Do not allow users to log on directly to the vCenter Server host. Thus a user can only log in with permissions assigned directly on that host.
Adopt a reliable backup solution for vCenter Server. VCSA contains a file-based backup function to recover your environment after any failure, you can use it before you perform some major operations on the VCSA.
✍Note that this file-based backup function does not protect the virtual machines managed by vCenter. If you want to back up your VMs on a regular basis to avoid data-loss and restore the VMs to a usable state (or even to another place) quickly, you can use a dedicated VMware backup solution.
Backup virtual machines managed by vCenter easily and flexibly
Here I will recommend a reliable VMware VM backup software - AOMEI Cyber Backup. It works for VMware ESXi 6.0 and above versions (free ESXi is also supported), offering you the following benefits with the easiest operation:
Click the button below to enjoy a fully-functional free trial:
*You can choose to install this VM backup software on either Windows or Linux system.
This article introduces how to edit and manage vCenter Appliance firewall settings. In addition to this, you can take some more measures to ensure network security.
If your virtual machines are loaded with some critical business or data, it’s also important to back them up in case of any accidents. To minimize the possible loss, it’s best to adopt an efficient VMware backup solution beforehand to enhance risk resistance.