VMware vSphere 6.7 Update 1 introduced firewall management for the VMware vCenter Server Appliance (VCSA) in the appliance management UI. The firewall options let you create new firewall rules or edit existing ones. We'll have a look at all those options in this post – VMware vCenter Server Appliance (VCSA) – Manage Firewall Settings.
Previous releases of VCSA did not provide a GUI option, so the only way to interact with the firewall was the appliance shell. Now, according to the release notes: With vCenter Server 6.7 Update 1, you can use the Appliance Management User Interface (AMUI) to configure and edit the firewall settings of the vCenter Server Appliance.
For people not experienced with VMware technology, I'd recommend having a look at our article – How To Login Into VMware vCenter Server Appliance (VCSA) Management page. It's a basic post for folks who usually work with other technologies and are new to VMware.
Let's get back to our VCSA. After deploying the VCSA, log in to the appliance management UI at https://ip_of_vcsa:5480.
Then via the menu on the left, navigate to Firewall.
There, click the Add button to add a new rule.
An overlay pop-up window appears, asking you to fill in the rule details.
Here are the details. You have the choice of:
- Network Interface – a drop-down menu that lets you choose the vNIC the rule applies to.
- IP address – the address (or network base address) from which you want to allow or block traffic.
- Subnet Prefix Length – the prefix length that goes with the address; /32 (or /128 for IPv6) means a single host, /0 means every address.
- Action – what to do with matching traffic: accept it or refuse it.
Here is a screenshot of the tooltip you get when you hover the mouse over the “i” next to Action.
What's not so good is that you cannot choose a specific port. Port-level rules are what you usually want when you need to pass traffic for a specific application on specific port(s). It might be intentional, but as it stands the feature does not let you fine-tune the firewall if needed.
So basically you can set up firewall rules to allow or block traffic between the vCenter Server Appliance and specific servers, hosts, or virtual machines, identified only by address and prefix length. You cannot block specific ports; you block all of the traffic from that address. Two practical consequences follow. First, everything that needs to open connections to vCenter (ESXi hosts, an external PSC, backup and monitoring tools, and the workstation you administer from) needs its own accept rule if you go for a block-everything-else approach. Second, if you add a catch-all block such as 0.0.0.0/0 without first allowing your own workstation, you lock yourself out of the 5480 UI and the vSphere Client and have to repair the rules from the VM console. Port-level filtering still has to be done on a network firewall in front of the appliance.
Note: You can do the exact same thing if you log in to the VCSA as [email protected] (or whatever your local configuration is) via the Flash-based vSphere Web Client and go to:
On the vSphere Web Client main page, click Home and select System Configuration.
Then, under System Configuration, click Nodes.
Under Nodes, select a node and click the Manage tab. Select Firewall and click the green plus sign to add a new firewall rule.
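Because the AMUI only asks for interface, address, prefix length and action, a rule set can be planned and dry-run before you click through it. The script below is an added example written for this post, not VMware code, and it does not talk to an appliance. It models those four fields, evaluates a source address against an ordered rule list, flags rules that can never fire because an earlier rule already covers them, and checks whether a deny-all plan (accept rules for known sources, then a catch-all reject) would lock the admin workstation out of the 5480 UI. It assumes first-match evaluation and an accept default for sources that match no rule; confirm that against the “i” tooltip on your build before relying on it. The interface name and addresses are constructed sample data.

```python
"""
Dry-run a VCSA-style firewall rule set before entering it in the AMUI (port 5480).

Added example for this post; not VMware code and not connected to any appliance.
ASSUMPTIONS (verify on your build): rules are evaluated in order, the first rule
whose network contains the source decides, and a source matching no rule is accepted.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class FirewallRule:
    interface: str   # vNIC the rule applies to, e.g. "nic0" (constructed name)
    address: str     # IPv4/IPv6 address or network base address
    prefix: int      # subnet prefix length (32 / 128 = one host, 0 = everything)
    action: str      # "accept" or "reject"

    @property
    def network(self):
        # strict=False lets "10.0.1.5/24" mean the /24 that contains the host
        return ip_network(f"{self.address}/{self.prefix}", strict=False)

    def matches(self, interface: str, source: str) -> bool:
        src = ip_address(source)
        net = self.network
        return self.interface == interface and src.version == net.version and src in net


def evaluate(rules: Sequence[FirewallRule], interface: str, source: str) -> str:
    """Action the rule set applies to traffic from `source` arriving on `interface`."""
    for rule in rules:
        if rule.matches(interface, source):
            return rule.action
    return "accept"  # assumption: no matching rule -> appliance default (accept)


def shadowed_rules(rules: Sequence[FirewallRule]) -> List[FirewallRule]:
    """Rules that can never fire because an earlier rule on the same interface
    already covers their whole network (classic sign of a misordered catch-all)."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.interface == later.interface
                    and earlier.network.version == later.network.version
                    and later.network.subnet_of(earlier.network)):
                shadowed.append(later)
                break
    return shadowed


def lockout_check(rules: Sequence[FirewallRule], interface: str,
                  admin_hosts: Sequence[str]) -> List[str]:
    """Admin hosts the rule set would NOT accept: applying it cuts off the 5480 UI."""
    return [h for h in admin_hosts if evaluate(rules, interface, h) != "accept"]


def build_allowlist(interface: str, allowed: Sequence[Tuple[str, int]],
                    default_action: str = "reject") -> List[FirewallRule]:
    """Deny-all plan: explicit accepts for known sources, then catch-alls last.
    Both address families get a catch-all; a v4-only 0.0.0.0/0 would leave IPv6
    sources on the appliance default."""
    rules = [FirewallRule(interface, addr, prefix, "accept") for addr, prefix in allowed]
    rules.append(FirewallRule(interface, "0.0.0.0", 0, default_action))
    rules.append(FirewallRule(interface, "::", 0, default_action))
    return rules


# Constructed sample data (not from the post): ESXi hosts on 10.0.1.0/24, a backup
# appliance at 10.0.2.15 and the admin workstation at 10.0.5.20, all on nic0.
ALLOWED_SOURCES = [("10.0.1.0", 24), ("10.0.2.15", 32), ("10.0.5.20", 32)]
ADMIN_HOSTS = ["10.0.5.20"]

GOOD_RULES = build_allowlist("nic0", ALLOWED_SOURCES)
# Same rules with the catch-all rejects moved to the top: every accept rule is
# shadowed and the admin workstation is locked out.
BAD_RULES = GOOD_RULES[-2:] + GOOD_RULES[:-2]


if __name__ == "__main__":
    for name, rules in (("catch-all last", GOOD_RULES), ("catch-all first", BAD_RULES)):
        shadow = [f"{r.address}/{r.prefix}" for r in shadowed_rules(rules)]
        print(f"{name}: locked out={lockout_check(rules, 'nic0', ADMIN_HOSTS)} "
              f"shadowed={shadow} stranger 203.0.113.9 -> "
              f"{evaluate(rules, 'nic0', '203.0.113.9')}")
```

Run it as-is to see the two orderings side by side, then swap in your own addresses. The point is the order of work: enumerate everything that has to reach vCenter, add those accept rules, confirm the admin host is still accepted, and only then add the catch-all; the same check applies when the catch-all is added through the Web Client path above.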
VMware vSphere 6.7 Update 1 was released a few weeks back and brought some significant changes and improvements.
Fully featured HTML5-based vSphere Client – yes, this one was requested for a long time. We've been waiting for a vSphere client which works (and not the one which is slow and buggy). VMware delivers after a few years of waiting, but yes, it's finally here and we can enjoy it.
New Cluster Wizard – allows configuring vSphere HA, DRS and other cluster services, including host networking, within a simple wizard. Additionally, when you add more hosts to the cluster you can go back to this wizard and do that through there.
Configuring clusters is no longer the same.
So, if there is an unplanned hardware failure, vSphere High Availability (HA) can automatically restart the VMs that went down with the failed host. Those VMs are restarted on other hosts which are part of the VMware cluster.
There is a small downtime during which the system figures out which host has failed and which hosts are able to start the failed VMs. Those hosts must have enough available capacity in terms of memory and CPU. Once this automatic decision is taken, the VM boots up. The whole process is completely automatic and works without the admin's intervention. Shared SAN/NAS storage or VMware vSAN needs to be part of the cluster. (Please note that VMware vSAN is a separate product.)
Mathias says
Is it possible to implement a deny-all strategy and only allow certain IPs to the VCSA?
Diego says
I am working on this; here I will whitelist all VMware-related devices/appliances and blacklist 0.0.0.0/0.