How to Secure Access to ESXi Hosts and vCenter?

Asked By TechieTinker99 On

I'm facing a security challenge and need to set up an access list on our network switches to protect our ESXi hosts and vCenter. These ESXi hosts are using fiber channel for storage, and both the hosts and vCenter are located on local subnets. They should not have any access from the internet, as there's no NAT configured. We have about 50 IT staff members who need access to vCenter while they are on the local network for their day-to-day tasks. I still need the ESXi hosts and vCenter to reach the internet, but I want to restrict access to them to only certain local subnets, rather than allowing every subnet access. Can anyone share what ports I need to allow for access to the ESXi hosts and vCenter?

5 Answers

Answered By FirewallBrad_77 On

Consider separating the management network from the rest and creating a VPN. This could be a secure way into your network. However, make sure to have proper ACLs in place rather than relying solely on a VPN.

PrivacyFirst_21 -

I wouldn't recommend relying just on a VPN. Proper segmentation with ACLs is crucial for security.

Answered By SafeNetAdmin_55 On

Security is key here! It makes sense to limit internet access for vCenter and the hosts. You can just allow essential URLs for updates and set up an internal NTP server. Also, using a separate subnet for access with ACLs just for the IT team might be the way to go.

Answered By NetGuru_83 On

You mainly need to allow HTTPS and TCP port 901 for access to vCenter and the ESXi hosts. Those are the key ports you'll want to take care of to ensure communication works for management.
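An added example, not from any poster in this thread, of how the ACL restriction described in the answers above could be expressed on a Layer 3 switch in Cisco IOS syntax (assumed vendor). The subnets, VLAN number and NTP server address are constructed for the example, and the ports are VMware's documented defaults for the vSphere Client and API (TCP 443) and the host agent (TCP/UDP 902); confirm them against the Broadcom ports guide for the features you actually use.

```cisco
! Constructed addressing for this example (not from the thread):
!   10.10.50.0/24 = ESXi hosts + vCenter management subnet (VLAN 50)
!   10.10.20.0/24 = IT staff subnet permitted to manage
!   10.10.1.10    = internal NTP server
!
! Traffic INTO the management subnet: only IT staff, only management ports
ip access-list extended MGMT-TO-HOSTS
 remark vSphere Client / API and host agent from the IT subnet only
 permit tcp 10.10.20.0 0.0.0.255 10.10.50.0 0.0.0.255 eq 443
 permit tcp 10.10.20.0 0.0.0.255 10.10.50.0 0.0.0.255 eq 902
 permit udp 10.10.20.0 0.0.0.255 10.10.50.0 0.0.0.255 eq 902
 remark replies to TCP sessions the hosts opened (updates, depot downloads)
 permit tcp any 10.10.50.0 0.0.0.255 established
 remark UDP has no 'established'; allow the internal NTP reply explicitly
 permit udp host 10.10.1.10 eq 123 10.10.50.0 0.0.0.255
 remark everything else from other local subnets is dropped and logged
 deny ip any 10.10.50.0 0.0.0.255 log
 permit ip any any
!
! Traffic OUT OF the management subnet: internet yes, other local subnets no
ip access-list extended MGMT-FROM-HOSTS
 remark no lateral movement from the management subnet into other LAN ranges
 deny ip 10.10.50.0 0.0.0.255 10.10.1.10 0.0.0.0 log
 permit udp 10.10.50.0 0.0.0.255 host 10.10.1.10 eq 123
 deny ip 10.10.50.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 deny ip 10.10.50.0 0.0.0.255 172.16.0.0 0.15.255.255 log
 deny ip 10.10.50.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 remark HTTPS to the internet for updates; everything else denied and logged
 permit tcp 10.10.50.0 0.0.0.255 any eq 443
 deny ip any any log
!
interface Vlan50
 description ESXi/vCenter management SVI
 ip access-group MGMT-TO-HOSTS out
 ip access-group MGMT-FROM-HOSTS in
```

The two `deny ... log` lines are deliberate: a stateless ACL gives you no session table, so logged hits are the only signal you get that something outside the IT subnet tried to reach the hosts. The first deny in MGMT-FROM-HOSTS is ordered before the NTP permit so that only UDP/123 to the NTP server is allowed, not arbitrary traffic to that host.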

Answered By AdminExpert_88 On

Having that many people needing access to vCenter raises some flags. You need to ensure that your access rights are tightly controlled. Definitely check your permissions setup to avoid excessive access through inheritance. It's also best not to use regular accounts for admin tasks.

Answered By SysAdminSage_42 On

It really depends on what features you plan to use. I'd recommend checking out the official ports guide for Broadcom, which lists all necessary ports based on different configurations.
