ESX Virtualization

VMware vCenter Server Appliance (VCSA) – Manage Firewall Settings

By Vladan SEGET | Last Updated: April 26, 2025

VMware vSphere 6.7 introduced firewall management for the VMware vCenter Server Appliance (VCSA). The firewall options allow you to create new firewall rules or edit existing ones. The feature was introduced in vSphere 6.7 Update 1. We'll have a look at all those options in this post – VMware vCenter Server Appliance (VCSA) – Manage Firewall Settings.

Previous releases of VCSA did not provide a GUI option, so the only way to interact with the firewall was the appliance shell. Now, according to the release notes: "With vCenter Server 6.7 Update 1, you can use the Appliance Management User Interface (AMUI) to configure and edit the firewall settings of the vCenter Server Appliance."

For people not experienced with VMware technology, I'd recommend having a look at our article here – How To Login Into VMware vCenter Server Appliance (VCSA) Management page. It's just a basic info post for non-experienced VMware folks usually working with other technologies.

Let's get back to our VCSA. After deployment of VMware vCSA, you can log in to the appliance via the https://ip_of_vcsa:5480 UI.

Then via the menu on the left, navigate to Firewall.

There, click the Add button to add a new rule.

Configure firewall settings of VMware vCSA

You'll see an overlay pop-up window appear, inviting you to fill in certain details.

Here are the details. You have the choice of:

  • Network Interface – a drop-down menu allowing you to choose the vNIC you want to add the rule for.
  • IP address – the address from which you want to allow/block traffic
  • Subnet Prefix Length – subnet details
  • Action – accept or refuse traffic

VMware VCSA Firewall settings

And here is a screenshot of what appears when you hover the mouse over the “i” next to the Action.

Add new firewall rule in VMware VCSA

What's not so good is the fact that you cannot choose a specific port. This is usually useful when you want to pass traffic for a specific application using a specific port or ports. It might be intentional; however, as it stands, it does not allow you to “fine tune” the firewall settings if needed.

So basically you can set up firewall rules to allow or block traffic between the vCenter Server Appliance and specific servers, hosts, or virtual machines. However, you cannot block specific ports; you block all of the traffic.

Note: You can do the exact same thing if you log in to a VCSA as [email protected] (or whatever your local config is) via the Flash client and go to:

On the vSphere Web Client main page, click Home, and select System Configuration.

Then, under System Configuration, click Nodes.

Finally, under Nodes, select a node and click the Manage tab. Select Firewall and click the green plus sign to add a new firewall rule.
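Because a rule here matches only on vNIC, source address and prefix length, and its action applies to all traffic from that source, a wrong or misplaced rule can cut off every management connection at once. The following is an added example (not VMware code and not from the original post) that models a rule set with the four fields described above and checks it before you enter it in the UI. It goes slightly beyond the post: it assumes rules are evaluated top to bottom with the first match winning, assumes unmatched traffic is accepted, and uses a constructed vNIC name `nic0` and constructed addresses.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    interface: str  # vNIC chosen in the drop-down ("nic0" is a constructed name)
    address: str    # source IP address
    prefix: int     # subnet prefix length
    action: str     # "accept" or "refuse"; applies to all ports

    @property
    def network(self):
        return ipaddress.ip_network(f"{self.address}/{self.prefix}", strict=False)

def evaluate(rules, src_ip, interface="nic0", default="accept"):
    """Action applied to src_ip. ASSUMPTION: top-to-bottom, first match wins."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.interface == interface and ip in rule.network:
            return rule.action
    return default  # ASSUMPTION: traffic that matches no rule is accepted

def shadowed(rules):
    """Rules that can never match: an earlier rule on the same vNIC covers them."""
    dead = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.interface == rule.interface
                    and earlier.network.version == rule.network.version
                    and rule.network.subnet_of(earlier.network)):
                dead.append(rule)
                break
    return dead

def locked_out(rules, must_reach, interface="nic0"):
    """Sources that must keep access but would be refused by the rule set."""
    return [ip for ip in must_reach if evaluate(rules, ip, interface) != "accept"]

# Constructed sample: accept a management subnet and one backup server, refuse the rest.
ALLOWLIST = [
    Rule("nic0", "10.10.0.0", 24, "accept"),
    Rule("nic0", "192.168.50.20", 32, "accept"),
    Rule("nic0", "0.0.0.0", 0, "refuse"),
]
# Same rules with the catch-all on top: both accept rules become dead.
MISORDERED = [ALLOWLIST[2], ALLOWLIST[0], ALLOWLIST[1]]

if __name__ == "__main__":
    admins = ["10.10.0.15", "192.168.50.20"]
    for name, rules in (("allowlist", ALLOWLIST), ("misordered", MISORDERED)):
        print(name, "shadowed:", len(shadowed(rules)), "locked out:", locked_out(rules, admins))
```

Run `locked_out` with the addresses of your own admin workstation, ESXi hosts and backup servers before adding a broad refuse rule, since the rule blocks the appliance management UI on port 5480 along with everything else from that source.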

VMware vSphere 6.7 Update 1 was released a few weeks back and brought some significant changes and improvements.

Fully Featured HTML5-based vSphere Client – yes, this one was requested for a long time. We’ve been waiting to have a vSphere client which works (and not the one which is slow and buggy). VMware delivers after a few years of waiting, but yes, it’s finally here and we can enjoy it.

New Cluster Wizard – allows configuring vSphere HA, DRS, and other cluster’s services, including host’s networking, within a simple wizard. Additionally, when you add more hosts to the cluster you can go back to this wizard and do that through there.

Configuring clusters is no longer the same.

Would you like to have a dark theme?

vSphere 6.7 Update 1 with dark theme

So, if there is an unplanned hardware failure, vSphere High Availability (HA) can automatically restart the VMs which failed when the host failed. Those VMs are automatically restarted on other hosts which are part of the VMware cluster.

There is a small downtime during which the system figures out which host has failed and which hosts are able to start the failed VMs. Those hosts must have enough available capacity in terms of memory or CPU. Once this automatic decision is taken, the VM boots up. The whole process is completely automatic and acts without the admin’s intervention. A shared SAN/NAS storage or VMware vSAN needs to be part of the cluster. (Please note that VMware vSAN is a separate product.)

| Filed Under: Cloud, Server Virtualization Tagged With: VCSA firewall, VMware vCenter Server Appliance (VCSA) firewall

About Vladan SEGET

This website is maintained by Vladan SEGET. Vladan is an independent consultant, professional blogger, vExpert x16, Veeam Vanguard x9, VCAP-DCA/DCD. The ESX Virtualization site started as a simple bookmarking site, but quickly found a large following of readers and subscribers.

Comments

  1. Mathias says

    April 6, 2020 at 6:48 pm

    It is possible to implement a deny all strategy and only allow certain IPs to the VCSA?

    • Diego says

      June 30, 2020 at 7:31 pm

      I am working on this, here I will whitelist all VMware related device/appliance and blacklist 0.0.0.0/0
