With vSphere, you can reconfigure VMkernel port settings and limit access from services such as Secure Shell exclusively to your management network.
Every VMkernel TCP/IP stack that has an IP address listens for services on that address. If you want a service such as Secure Shell (SSH) to be reachable only on your management network, additional configuration is necessary. You can't bind a service to a particular TCP/IP stack, but you can configure the ESXi firewall so that the service accepts connections only from a single address or from a range of addresses.
It's likely you've never had to touch the ESXi firewall configuration on your system. By default, the firewall opens only the ports that the enabled services require. When you enable a service, the accompanying VMkernel ports open for you. For example, enabling the Network Time Protocol service opens outgoing UDP port 123.
You can manually open and close each VMkernel port if you want. You can also follow these directions to reach and add further configuration settings for certain VMkernel ports, such as the list of addresses that may connect.
Adjust these settings in vSphere Client on the Configure tab of your ESXi host. Figure A shows an example of this configuration.
In this example, the Allow connections from any IP address checkbox is cleared for the SSH server, and a single address is entered in the IP list. With this configuration, the only connections the SSH server accepts are those from that single address. You can add multiple addresses as a comma-separated list.
You can also add a subnet range, such as 172.31.0.0/16. The format is the network address, which is 172.31.0.0 in this example, followed by the prefix length, which is 16 bits. This allows access to only those computers with an address in that subnet.
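As an added example (not part of the original article), the following Python checks an allowed-IP list as you would type it into the vSphere Client, or as returned by `esxcli network firewall ruleset allowedip list`, against the management network the SSH server is supposed to be confined to. The list contents and the management prefix are constructed values.

```python
import ipaddress

# Constructed example: the allowed-IP list for the sshServer ruleset exactly
# as entered in the vSphere Client (comma-separated addresses and CIDR ranges).
ALLOWED_IP_LIST = "172.31.10.5, 172.31.0.0/16"

# The management network SSH should be reachable from (assumed value).
MANAGEMENT_NETWORK = "172.31.0.0/16"


def parse_allowed_list(text):
    """Split the comma-separated ESXi allowed-IP string into network objects.

    A bare address such as 172.31.10.5 becomes a /32 host network; an entry
    with a prefix length such as 172.31.0.0/16 becomes that network.
    strict=False masks host bits, so 172.31.5.0/16 is read as 172.31.0.0/16.
    """
    entries = []
    for item in text.split(","):
        item = item.strip()
        if item:
            entries.append(ipaddress.ip_network(item, strict=False))
    return entries


def audit_allowed_list(text, management_network, allow_all=False):
    """Return findings for the SSH ruleset's source restrictions.

    "allow_all"       : the 'Allow connections from any IP address' box is
                        still checked, so the list is not enforced at all.
    "outside:<entry>" : an entry admits sources beyond the management network
                        (0.0.0.0/0 or an unrelated subnet, for example).
    An empty result means SSH is reachable only from the management network.
    """
    if allow_all:
        return ["allow_all"]
    mgmt = ipaddress.ip_network(management_network)
    findings = []
    for entry in parse_allowed_list(text):
        if entry.version != mgmt.version or not entry.subnet_of(mgmt):
            findings.append(f"outside:{entry.with_prefixlen}")
    return findings


def source_permitted(text, source_ip):
    """True when a single source address matches any entry in the list."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr.version == n.version and addr in n
               for n in parse_allowed_list(text))


if __name__ == "__main__":
    print(audit_allowed_list(ALLOWED_IP_LIST, MANAGEMENT_NETWORK))  # []
    print(source_permitted(ALLOWED_IP_LIST, "192.168.1.20"))        # False
```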