We have a remote datacenter that conains esxi hosts.

Our security requirements for that datacenter only allow initiating network connections from our local vcenter to the remote datacenter.

Can we manage remote esxi hosts from a local vcenter with firewall rules that only allow initiated connections from local to remote.

Ports for vcenter to esxi:

Port    Protocol    Source    Target    Purpose
443    TCP    vCenter Server    ESX/ESXi Host    vCenter Agent
902    UDP    vCenter Server    ESX/ESXi Host    Heartbeat
903    TCP    vCenter Server    ESX/ESXi Host    VI/vSphere Client to VM Console (after connection established between VI/vSphere Client and vCenter)

The difficulty lies in allowing udp traffic from our remote datacenter to come back to the our local vcenter.

We can add the hosts (with our existing firewall rules) to vcenter, but the heartbeats never arrive so vcenter loses the esxi host in a few minutes.