Hello,
Are there any firewalls between the VM and vSwitch Portgroup, perhaps, see below:
VM <--> vNIC <-> VMSafe-Net <--> Portgroup <--> vSwitch
The VM could have a firewall in it such as Windows Firewall, Linux IPtables, or use of TCPwrappers. The vNIC cannot have a firewall in it. If you have something like one of the VMsafe-Net tools (vShield App, vShield Zones, Trend Micro Deep Security, IBM VSS, Juniper vGW (aka Altor), Reflex Systems vTrust, Checkpoint Virtual Edition, and maybe one or two others) then yes the VMsafe-Net provides a firewall. There is no firewall in the Portgroup or the vSwitch.
However if the vSwitch is a dVSwitch you can have Private VLANs that could deny access as well per the following:
VM <--> vNIC <-> VMSafe-Net <--> Portgroup <--> dVSwitch
There is NO firewall within the Management appliance of ESXi either. That must be protected as well.
YOu can also have inline firewalls per the following:
VM <--> vNIC <-> VMSafe-Net <--> Portgroup <--> vSwitch <--> Portgroup <--> vFW <--> Portgroup <--> vSwitch
So the question becomes what do you have in place? And in addition, what routing is in place as if your routing is not correct or the vNetwork not connected to the outside properly there is a chance traffic will also not work outside the ESXi host.
Lots of places to put firewalls/security however there are other issues at hand as well such as routing, connectivity, etc.
Best regards,
Edward L. Haletky
Communities Moderator, VMware vExpert,
Author: VMware vSphere and Virtual Infrastructure Security,VMware ESX and ESXi in the Enterprise 2nd Edition
Podcast: The Virtualization Security Podcast Resources: The Virtualization Bookshelf
--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
