Hi, we have a vSphere cluster to which we need to grant customer access with a limited set of permissions.
The customer environment is separate, i.e. there is a firewall NAT configuration in place, and an identity source created in vCenter for the customer AD.
The required permissions are working bar one issue. If the customer tries to upload a file or folder to a datastore, they cannot. They can do all other functions such as browse the datastore or move/delete files.
As part of the NAT configuration we've implemented a DNS entry to resolve to the vCenter server - this is working.
In addition to DNS/NAT for vCenter, is there also a requirement for ESXi hosts to have DNS/NAT? We don't want to do this, so does anyone have experience with a similar setup?
To be able to upload a file to a datastore you also need connectivity to the ESXi host. If you try the upload to each ESXi host standalone, the connectivity goes specifically to those servers, but if you do it through vCenter, the upload operation could go to a random ESXi host which has the datastore mounted.
So in your case, yes, you need DNS and NAT to be configured.
Regardless of the requirement for network access to the ESXi host to upload files into the corresponding datastore, your customer should accept/trust the ESXi self-signed certificate (or one generated locally by an internal CA) from their client computer, otherwise it's not possible to upload a file into the datastore. So simply tell him to open the vSphere Web Client once (no need to log in) and accept the certificate.
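
A pre-flight check for the two requirements raised in the replies above (a network path to every ESXi host, and a certificate the client trusts), as an added example that is not part of any poster's reply. It assumes the upload uses HTTPS on port 443 and uses hypothetical host names; run it from the customer's workstation.

```python
import socket
import ssl
import sys

def check_host(host, port=443, timeout=5.0):
    """Return 'ok' or the first failing stage: dns, tcp, tls-untrusted, tls-error."""
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns"            # name does not resolve from this client
    family, socktype, proto, _, sockaddr = addrs[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
    except OSError:
        sock.close()
        return "tcp"            # no NAT/firewall path to the host
    ctx = ssl.create_default_context()   # verifies chain and host name
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "ok"
    except ssl.SSLCertVerificationError:
        return "tls-untrusted"  # self-signed or unknown internal CA
    except (ssl.SSLError, OSError):
        return "tls-error"      # port open, but no usable TLS service
    finally:
        sock.close()

def preflight(hosts, port=443, timeout=5.0):
    """Check every host; any result other than 'ok' can break an upload."""
    return {h: check_host(h, port, timeout) for h in hosts}

if __name__ == "__main__":
    # Hypothetical names: replace with vCenter and every ESXi host
    # that mounts the datastore.
    targets = sys.argv[1:] or ["vcenter.example.com", "esxi01.example.com"]
    for name, result in preflight(targets).items():
        print(f"{name}: {result}")
```

Python validates against its own default CA bundle, which may differ from the browser's or operating system's trust store, so a `tls-untrusted` result shows the certificate is not publicly trusted rather than proving the browser will reject it.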