VMware Cloud Community
squidearth
Contributor

Hardening ESXi, firewall ruleset allowedip

Hello all,

I would like to harden a single ESXi instance that doesn't need to be connected to any vCenter or other services.
It's in fact managed only locally via KVM, web access and SSH, using only certain IPs.

The instance is just an ESXi deployed with the out-of-the-box default configuration, nothing custom or otherwise.
Just created a datastore and a couple of VMs that are working fine.

I am putting any service that doesn't need to be publicly exposed behind a firewall allowedip rule.
My question is: what can be restricted safely without breaking ESXi functionality, sensors or self-diagnostics?


I did some tests, but I guess it's better to ask about some services that I don't know precisely.
I guess the following services can of course be placed safely behind an allowedip rule (tested):

  • sshServer
  • webAccess
  • httpClient
  • updateManager
  • vMotion
  • vSphereClient

The following services I guess should remain exposed (tested: without the dns service, ESXi loses part of its network configuration):

  • dns

But what about the following services? What is safe to put behind a rule, and what needs to remain exposed, without a rule?

  • dhcp
  • sshClient
  • nfsClient
  • nfs41Client
  • snmp
  • ntpClient
  • CIMHttpServer
  • CIMHttpsServer
  • CIMSLP
  • iSCSI
  • vpxHeartbeats
  • faultTolerance
  • activeDirectoryAll
  • NFC
  • HBR
  • ftpClient
  • gdbserver
  • DVFilter
  • DHCPv6
  • DVSSync
  • syslog
  • WOL
  • vSPC
  • remoteSerialPort
  • rdt
  • cmmds
  • rabbitmqproxy
  • ipfam
  • vvold
  • iofiltervp
  • esxupdate
  • vit
  • vsanEncryption
  • pvrdma
  • vic-engine
  • vsanhealth-unicasttest

Thanks to everyone who will clarify my doubt!
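As an added illustration (not from the poster or from VMware), the script below audits which enabled rulesets still accept connections from any source and emits the esxcli commands that would restrict them; the esxcli output it parses and the 192.0.2.x management addresses are constructed samples, and dns is skipped because the post found it must stay open.

```shell
#!/bin/sh
# Constructed sample of `esxcli network firewall ruleset list` output (not a real host).
RULESET_LIST='Name                 Enabled
-------------------  -------
sshServer               true
webAccess               true
dns                     true
nfsClient              false
ntpClient               true
syslog                  true'

# Constructed sample of `esxcli network firewall ruleset allowedip list` output.
ALLOWEDIP_LIST='Ruleset    Allowed IP Addresses
---------  --------------------
sshServer  192.0.2.10, 192.0.2.11
webAccess  All
dns        All
nfsClient  All
ntpClient  All
syslog     All'

# Print every enabled ruleset whose allowed source list is still "All".
exposed_rulesets() {
  enabled=$(printf '%s\n' "$RULESET_LIST" | awk 'NR>2 && $2=="true" {print $1}')
  for rs in $enabled; do
    printf '%s\n' "$ALLOWEDIP_LIST" | awk -v rs="$rs" 'NR>2 && $1==rs && $2=="All" {print $1}'
  done
}

# Emit the esxcli commands that limit one ruleset to the given source IPs.
# The allowed IPs are added before allowed-all is switched off, so an admin
# session over that very service is not cut off in between.
restrict_cmds() {
  rs=$1; shift
  for ip in "$@"; do
    printf 'esxcli network firewall ruleset allowedip add --ruleset-id %s --ip-address %s\n' "$rs" "$ip"
  done
  printf 'esxcli network firewall ruleset set --ruleset-id %s --allowed-all false\n' "$rs"
}

# Dry run: list what is exposed and the commands that would close it down to
# the management addresses (constructed). Nothing is executed here.
for rs in $(exposed_rulesets); do
  case $rs in dns) continue ;; esac   # the post found dns must stay open
  restrict_cmds "$rs" 192.0.2.10 192.0.2.11
done
```

Replace the sample variables with the live output of the two esxcli list commands to audit a real host; the printed commands are only a proposal to review before running them.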
