
ESXi Firewall Rules Configuration

  • November 1, 2019
  • 10 min read
Cloud and Virtualization Architect. Kevin focuses on VMware technologies and has vast expertise in cloud solutions, virtualization, storage, networking, and IT infrastructure administration.

As the title suggests, today I am going to discuss various methods to open and close firewall ports on ESXi hosts. There is no point debating whether configuring firewall rules is harmful, since every admin sooner or later needs to fine-tune the network to restrict access. So, you ought to know all the tools at your disposal one way or another.

Firewall Rules Configuration via vSphere Client

This way is very simple, and even a beginner will get it right. However, you’ll need VMware vCenter to pull this off, so it’s pretty much useless for small infrastructures that don’t need vCenter in the first place.

To configure a firewall, open the Web Console and choose a host. Then, in the property bar, choose Monitor; in the Firewall section, find the required rule and check its current settings. To edit these settings, pick Edit. As an example, I’ll use a firewall rule configuration for the DHCP Client.


To turn a rule on or off, simply tick or clear its checkbox. Following the on-screen hints, set the addresses and address ranges (subnet address with a network prefix) covered by this rule. With the respective checkbox, allow or deny access from all IP addresses according to this rule.


Firewall Rules Configuration via vSphere Client via Web-GUI

This method is just as simple and understandable as the previous one, but this time it can be used in any infrastructure since it doesn’t need vCenter. The sequence is similar, except that you’ll need to access the ESXi host through the Web interface, so the settings location will be a bit different.

To configure a firewall, choose Navigator. Then, in the Firewall rules tab, find the name of the required rule and check its current settings. To edit these settings, pick Edit and make the necessary adjustments for this specific rule.


Proceed with configuration following the previous example.


You can turn on/off a rule by clicking on Actions or RMB (right mouse button).


Firewall Rules Configuration via PowerCLI

Pay attention here, because without this approach you won’t be able to automate the whole process with scripts. The following actions require the PowerCLI module, a PowerShell extension for Windows. Of course, as a PowerShell extension, this module can also be installed on Linux, but I’m not going to describe that explicitly in this article.

First of all, connect to the ESXi host through PowerCLI using the host login credentials. PowerShell will then ask for the name of the local account and its password.

Find the list of all the rules for the host. Then, find the name of the rule that you need and check its settings.

[Screenshot: VMHostFirewallException]

To turn on the rule, use the following command sequence:


At this point, the work with PowerCLI itself is over. Unfortunately, it doesn’t have its own cmdlets for the further steps. To continue, you’ll need to integrate ESXCLI commands.

Get the CLI object with the list of ESXCLI commands available for use.

Find the rule you are looking for in the list of firewall rules. Be careful: its name is different from the one listed in PowerCLI and the Web Console!


Check the firewall rules list for the network addresses allowed for the rules.


Deny access from all IP addresses.

Add the IP addresses range allowed for the rule.


Firewall Rules Configuration via ESXCLI

This approach is quite similar to the second part of the previous one, but there are differences. First of all, you won’t get very far without a terminal client; I usually use PuTTY. As before, connect to the host by its IP address with the login credentials.

Get the list of the firewall rules. Note that you don’t need to put any other symbols between the commands here.


Choose the required rule.

Check whether the rule is turned on.


Turn off the All connections from all IP addresses option. Without disabling this option, ESXCLI won’t let you allow access for specific addresses or a group of addresses for this rule!

Add the required subnet with the subnet mask.

Check the results.
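The ESXCLI sequence above, which the PowerCLI section reaches through its cli object, written as one POSIX shell function. This is an added example, not the author's commands; the ruleset id `dhcp`, the sample subnet, and the helper names `valid_cidr`, `restrict_ruleset` and `ESXCLI` are assumptions, and only IPv4 addresses are handled.

```shell
#!/bin/sh
# Added example: restrict one ESXi firewall ruleset to specific IPv4 sources.
# Set ESXCLI=echo to print the commands instead of running them (dry run).
ESXCLI=${ESXCLI:-esxcli}

# Succeeds only for a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_cidr() {
    addr=${1%/*}; prefix=32
    case $1 in */*) prefix=${1#*/} ;; esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in '') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# restrict_ruleset RULESET_ID CIDR...
restrict_ruleset() {
    [ $# -ge 2 ] || { echo "usage: restrict_ruleset RULESET_ID CIDR..." >&2; return 2; }
    ruleset=$1; shift
    # Validate every address before touching the host: a typo found after
    # allowed-all is switched off would leave the rule with a partial allow list.
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "invalid address: $cidr" >&2; return 1; }
    done
    # Show the rule's current state (enabled or not).
    $ESXCLI network firewall ruleset list --ruleset-id="$ruleset" || return 1
    # Allowed-all must be off before addresses can be added to the rule.
    $ESXCLI network firewall ruleset set --ruleset-id="$ruleset" --allowed-all=false || return 1
    for cidr in "$@"; do
        $ESXCLI network firewall ruleset allowedip add \
            --ruleset-id="$ruleset" --ip-address="$cidr" || return 1
    done
    # Check the results.
    $ESXCLI network firewall ruleset allowedip list --ruleset-id="$ruleset"
}

# On the host (sample values): restrict_ruleset dhcp 192.168.1.0/24
```

Running it once with `ESXCLI=echo` shows the exact commands before anything is changed on the host.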


That’s all for now. I hope this material will be of use!
