The First Line of Defence: vCenter Server Appliance Firewall

May 24, 2021


Limiting and monitoring access to the vCenter Server Appliance (VCSA) is vital to securing the overall vSphere environment. The VCSA firewall lets customers create rules that allow or block access to the VCSA from specific servers, hosts, or virtual machines. Note that VCSA firewall rules match on the source IP address or network only; they cannot be scoped to specific ports.

VCSA firewall under the hood

Creating VCSA firewall rules from the Virtual Appliance Management Interface (VAMI) creates corresponding iptables rules on the appliance. iptables is the Linux utility used to set up, maintain, and inspect the tables of IP packet filter rules in the kernel. More information on iptables can be found on this page.

As a best practice, allow access to the VCSA only from trusted hosts or VMs and block it from all other devices. When blocking access, account for other VMware products that must reach vCenter, such as vRealize Operations (vROps), Site Recovery Manager (SRM), and so on, as well as the ESXi hosts that vCenter manages.

The VCSA firewall is managed from the VAMI UI (https://vc_fqdn_or_ip:5480). The following GIF shows the creation of a firewall reject rule for an IP address:

VCSA firewall

VCSA firewall rules

The VCSA firewall can apply one of the following policies to incoming traffic from a given IP address or network:

1. Accept: allow packets from the corresponding IP address.
2. Ignore: drop packets from the corresponding IP address silently.
3. Reject: drop packets from the corresponding IP address and send an ICMP destination-unreachable reply to the sender.
4. Return: stop evaluating the custom rules and apply the default or port-specific rules to packets from the corresponding IP address.

Monitoring VCSA firewall

VCSA firewall activity can be monitored from the shell of the appliance. By default, the VCSA does not log firewall (iptables) activity. To log it, run the following commands in the VCSA shell as root. They create a user-defined chain, LOGGER, whose single rule logs the packet at kernel log level 7 (debug), and insert a jump to that chain at the top of the INPUT and OUTPUT chains so that every packet is logged before any other rule decides its fate:

# iptables -N LOGGER
# iptables -A LOGGER -j LOG --log-prefix 'iptable log: ' --log-level 7
# iptables -I INPUT -j LOGGER
# iptables -I OUTPUT -j LOGGER

Two caveats: the LOG target records every packet, accepted or not, so expect a high volume of messages on a busy vCenter; and iptables rules added from the shell live only in kernel memory, so they disappear on reboot and must be re-added.

After setting up the logger, the firewall log lines can be viewed with the following command (add -f to follow them live):

# journalctl -k | grep "iptable log"
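Reading raw kernel log lines by hand does not scale, so the following script, which is an added example and not code from the original post or from VMware, parses the LOG target output produced by the LOGGER chain above and counts new inbound connection attempts per source address and destination port, flagging sources that are not on a trusted list. The journal lines in SAMPLE_JOURNAL are constructed to resemble `journalctl -k` output (MAC, TTL and ID fields shortened); the trusted address 192.168.10.25 and the other addresses are placeholders.

```python
"""Summarise iptables LOG lines captured from `journalctl -k` on a VCSA.

Added example, not from the original post. SAMPLE_JOURNAL is constructed;
a real appliance prints more fields, which the parser ignores.
"""
import re
import sys
from collections import Counter

LOG_PREFIX = "iptable log: "          # must match --log-prefix used in the LOGGER chain
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH)\b")

# Constructed sample: an allowed client, the appliance's own replies (OUT=eth0),
# one host probing several ports, and one unrelated kernel message.
SAMPLE_JOURNAL = """\
May 24 10:15:01 vcsa kernel: iptable log: IN=eth0 OUT= SRC=192.168.10.25 DST=192.168.10.10 LEN=60 PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 SYN URGP=0
May 24 10:15:01 vcsa kernel: iptable log: IN= OUT=eth0 SRC=192.168.10.10 DST=192.168.10.25 LEN=60 PROTO=TCP SPT=443 DPT=51234 WINDOW=65160 ACK SYN URGP=0
May 24 10:15:02 vcsa kernel: iptable log: IN=eth0 OUT= SRC=192.168.10.25 DST=192.168.10.10 LEN=52 PROTO=TCP SPT=51234 DPT=443 WINDOW=502 ACK PSH URGP=0
May 24 10:15:09 vcsa kernel: eth0: link is up, 10000 Mbps full duplex
May 24 10:15:12 vcsa kernel: iptable log: IN=eth0 OUT= SRC=10.0.0.7 DST=192.168.10.10 LEN=60 PROTO=TCP SPT=40001 DPT=5480 WINDOW=29200 SYN URGP=0
May 24 10:15:12 vcsa kernel: iptable log: IN=eth0 OUT= SRC=10.0.0.7 DST=192.168.10.10 LEN=60 PROTO=TCP SPT=40002 DPT=22 WINDOW=29200 SYN URGP=0
May 24 10:15:13 vcsa kernel: iptable log: IN=eth0 OUT= SRC=10.0.0.7 DST=192.168.10.10 LEN=60 PROTO=TCP SPT=40003 DPT=443 WINDOW=29200 SYN URGP=0
May 24 10:15:20 vcsa kernel: iptable log: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.10.10 LEN=60 PROTO=TCP SPT=55555 DPT=5480 WINDOW=1024 SYN URGP=0
"""


def parse_log_line(line):
    """Return the interesting KEY=VALUE fields plus TCP flags from one kernel log
    line, or None if the line did not come from the LOGGER chain."""
    if LOG_PREFIX not in line:
        return None
    payload = line.split(LOG_PREFIX, 1)[1]
    fields = dict(FIELD_RE.findall(payload))
    if "SRC" not in fields:
        return None
    fields["FLAGS"] = set(FLAG_RE.findall(payload))
    return fields


def is_new_attempt(rec):
    """A TCP SYN without ACK opens a connection; non-TCP packets count as-is."""
    if rec.get("PROTO") != "TCP":
        return True
    return "SYN" in rec["FLAGS"] and "ACK" not in rec["FLAGS"]


def inbound_attempts(journal_text):
    """Parsed inbound records (IN set, so OUTPUT-chain entries are skipped)
    that represent new connection attempts."""
    attempts = []
    for line in journal_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or not rec.get("IN"):
            continue
        if is_new_attempt(rec):
            attempts.append(rec)
    return attempts


def attempts_by_source(journal_text):
    """Count new inbound connection attempts per source address."""
    return Counter(rec["SRC"] for rec in inbound_attempts(journal_text))


def untrusted_attempts(journal_text, trusted_sources):
    """Count attempts per (source, destination port) from addresses outside the
    trusted allowlist; anything non-empty here deserves review."""
    counts = Counter()
    for rec in inbound_attempts(journal_text):
        if rec["SRC"] not in trusted_sources:
            counts[(rec["SRC"], rec.get("DPT", "-"))] += 1
    return counts


if __name__ == "__main__":
    # Pipe `journalctl -k --no-pager` into this script, or run it on the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JOURNAL
    trusted = {"192.168.10.25"}            # placeholder allowlist
    for (src, dpt), n in untrusted_attempts(text, trusted).most_common():
        print(f"untrusted {src} -> port {dpt}: {n} attempt(s)")
```

Because the LOGGER chain sits at the top of INPUT, the log records attempts regardless of whether a later VAMI rule accepted or rejected them; correlate the untrusted sources this reports against the rule list to confirm the firewall actually blocked them.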

Accessing and Creating VCSA firewall rules through APIs

The VCSA firewall supports the following REST methods:

GET  https://vcsa_fqdn_or_ip/api/appliance/networking/firewall/inbound


The GET method lists the existing firewall rules. Within the list, rules are processed in order of appearance, from top to bottom: when a connection matches a rule, processing stops and the appliance ignores the remaining rules.

PUT  https://vcsa_fqdn_or_ip/api/appliance/networking/firewall/inbound


The PUT method replaces the entire ordered list of firewall rules with the list supplied in the request body, allowing or denying traffic from one or more incoming addresses. Because it overwrites the existing rules rather than appending to them, a PUT must include every rule you want to keep. Rules are again processed in order of appearance, from top to bottom, so the allow rules for trusted management addresses must precede any broad reject rule, or the client issuing the call can lock itself out of the appliance.
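The following script is an added example, not code from the original post or from VMware. It builds the ordered rule list in the shape the inbound API accepts, simulates the appliance's top-to-bottom first-match evaluation so a rule set can be checked before it is pushed, and only then issues the PUT. It assumes the vSphere 7 Automation API: POST /api/session with basic authentication returns a session id, and PUT /api/appliance/networking/firewall/inbound takes a JSON body of the form {"rules": [...]} where each rule has address, prefix, policy (ACCEPT, IGNORE, REJECT or RETURN) and an optional interface_name. The hostname, credentials, trusted subnet and jump host are placeholders.

```python
"""Build, sanity-check and push an ordered VCSA inbound rule list.

Added example, not code from the original post or from VMware. Assumed API
shape: POST /api/session -> session id; PUT .../firewall/inbound with
{"rules": [{"address", "prefix", "policy", "interface_name"}, ...]}.
"""
import base64
import ipaddress
import json
import os
import ssl
import urllib.request

POLICIES = ("ACCEPT", "IGNORE", "REJECT", "RETURN")


def make_rule(address, prefix, policy, interface_name="*"):
    """Return one inbound rule in the shape the API expects (assumed field names)."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    ipaddress.ip_network(f"{address}/{prefix}", strict=False)  # validates address/prefix
    return {"address": address, "prefix": prefix,
            "policy": policy, "interface_name": interface_name}


def first_match(rules, src_ip):
    """Simulate the appliance's top-down, first-match evaluation for one source.

    Returns (rule_index, policy). When no custom rule matches, the built-in
    rules apply, reported here as (None, "RETURN").
    """
    ip = ipaddress.ip_address(src_ip)
    for index, rule in enumerate(rules):
        net = ipaddress.ip_network(f"{rule['address']}/{rule['prefix']}", strict=False)
        if ip in net:
            return index, rule["policy"]
    return None, "RETURN"


def lockout_risk(rules, client_ip):
    """True if the client that will issue the PUT would itself be blocked."""
    return first_match(rules, client_ip)[1] in ("IGNORE", "REJECT")


# Placeholder addresses: a trusted management subnet and a single jump host.
TRUSTED_NET = ("192.168.10.0", 24)
JUMP_HOST = ("10.0.0.7", 32)

# Wrong: the catch-all reject comes first, so it matches every source,
# including the trusted subnet listed after it.
MISORDERED_RULES = [
    make_rule("0.0.0.0", 0, "REJECT"),
    make_rule(*TRUSTED_NET, "ACCEPT"),
]

# Right: specific allows first, catch-all reject last.
ORDERED_RULES = [
    make_rule(*TRUSTED_NET, "ACCEPT"),
    make_rule(*JUMP_HOST, "ACCEPT"),
    make_rule("0.0.0.0", 0, "REJECT"),
]


def vcsa_session(host, user, password, ctx):
    """Log in with basic auth; the JSON response body is the session id string."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{host}/api/session", method="POST",
                                 headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def put_inbound_rules(host, session_id, rules, ctx):
    """Replace the whole inbound rule list (PUT overwrites, it does not append)."""
    body = json.dumps({"rules": rules}).encode()
    req = urllib.request.Request(
        f"https://{host}/api/appliance/networking/firewall/inbound",
        data=body, method="PUT",
        headers={"vmware-api-session-id": session_id,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    for src in ("192.168.10.25", "10.0.0.7", "203.0.113.9"):
        print(src, "misordered ->", first_match(MISORDERED_RULES, src),
              "ordered ->", first_match(ORDERED_RULES, src))
    # Only talk to a real appliance when explicitly configured via environment.
    host = os.environ.get("VCSA_HOST")
    if host:
        client_ip = os.environ["VCSA_CLIENT_IP"]
        if lockout_risk(ORDERED_RULES, client_ip):
            raise SystemExit(f"refusing to push rules that would block {client_ip}")
        ctx = ssl.create_default_context()  # keep TLS verification on
        sid = vcsa_session(host, os.environ["VCSA_USER"], os.environ["VCSA_PASS"], ctx)
        print("PUT status:", put_inbound_rules(host, sid, ORDERED_RULES, ctx))
```

The pre-flight check matters because PUT is not incremental: a typo that drops the management subnet's ACCEPT, or a catch-all REJECT placed above it, takes effect immediately and the only way back in is the appliance console. Run first_match against the address of every system that must reach vCenter (vROps, SRM, backup servers, ESXi hosts) before pushing.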


For more information on VCSA firewall APIs and sample code, please refer to

To Conclude

Securing the vCenter Server Appliance is a foundational step towards securing the overall vSphere environment. Blocking access from systems that do not need it reduces the attack surface of the VCSA and limits who can even probe it. The VCSA firewall is an easy yet powerful way to enforce and monitor that access policy.

For more information on VCSA security best practices, please refer to this document.

Filter Tags

Networking Security vCenter Server vSphere vSphere 6.5 vSphere 6.7 vSphere 7 Blog Technical Overview Tool Overview