VMware Cloud Community
Goodfred
Enthusiast

Change IP address on two ESXi hosts from public to private

Hello everyone!

I only want to hear if I am right, and I would be happy if you can help me if I'm not! 😀

We have 2 x ESXi 7.0u2 hosts with public IP address at the moment.
We want to change the public IP addresses to private IP addresses and access the ESXi web interfaces only via VPN/private IPs.
We've already changed the IP addresses of the HP iLO hosts successfully.
Now in the last step we want to change the ESXi IPs.

I hope that I am right with following steps:

1. I disconnect the ESXi hosts from vCenter in the ESXi web client
2. ESXi web client -> Network -> VMkernel network -> Change settings -> Change IPv4 address -> Apply
3. I hope I don't need to restart the whole ESXi servers. But I think I have to restart the network service.
4. Change the IP address of the vCenter (how to, I still need to research) and eventually restart the network service.
5. Add the ESXi machines to the vCenter again

I have the following thoughts:
a. We will attach a 2nd hardware network card to the network for access to the private network on both machines. Maybe I have to add the uplink to the virtual switch in the ESXi web interfaces? (I think I have to)
b. Do I have to change the TCP/IP stack before I apply the changes on the ESXi machines (between step 2 and 3)? There I have to change the subnet mask and the gateway.

I hope I did not forget something and I would be happy if you answer! 😊

I wish you a good week! Kind regards!


Accepted Solution
a_p_
Leadership

Ok, let's see whether this works:

Current configuration:
1 vSwitch with 2 port groups (Management Network, VM Network)

  • Log in to iLO and open the host's console window
  • Log in to the ESXi DCUI and change the Management Network settings
    - from vmnic0 > vmnic1
    - IP and DNS settings from public addresses to private (VPN subnet) settings

At this point you should be able to access the ESXi host's web UI from your VPN subnet, and the VMs are inaccessible from the Internet.

  • Log in to the ESXi host's Web UI
  • Create a new vSwitch with a new virtual machine port group (e.g. "Evil-Internet"), and select vmnic0 as its uplink
  • Change the VMs' network connections from "VM Network" to "Evil-Internet" for VMs that need to be accessible from the Internet

New configuration:
2 vSwitches: one with the Management Network and "internal" VMs on vmnic1, and one for the Internet VMs on vmnic0

Note: The above steps are just technical steps to change the setup to what you are asking for, and do not take any security concerns into account. I don't know what kind of VMs you have, which need to be accessed from the Internet, but you should think about placing them behind some kind of firewall.

André

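The second half of André's procedure (the new vSwitch on vmnic0, the port group, moving the Internet-facing VMs) can be done from PowerCLI once the Management Network has already been moved to vmnic1 in the DCUI and the host answers on its new private address. The script below is an added example, not code from this thread or from VMware; the host address, vSwitch name, VM names and the VPN/vCenter addresses are assumptions and must be replaced. It also adds the check André's note hints at: after the move it refuses to continue if the management vmkernel port still rides on vmnic0, and it restricts the ESXi web UI and SSH rulesets to the VPN subnet and the vCenter address.

```powershell
# Added example (not from the thread): PowerCLI version of the second half of the accepted answer.
# Run it from inside the VPN subnet AFTER the DCUI step, or the last section locks you out.
$HostAddress    = '10.10.10.21'                  # assumed: new private management IP of the host
$InternetNic    = 'vmnic0'                       # from the thread: NIC that stays on the public segment
$InternetSwitch = 'vSwitch-Internet'             # assumed name for the new standard vSwitch
$InternetPg     = 'Evil-Internet'                # port group name used in the accepted answer
$InternetVMs    = @('web01', 'mail01')           # assumed: VMs that must stay reachable from the Internet
$AllowedSources = @('10.10.10.0/24', '10.10.10.5') # assumed: VPN subnet and the vCenter address

Connect-VIServer -Server $HostAddress -Credential (Get-Credential) | Out-Null
$vmhost = Get-VMHost

# 1. Safety check: the management vmkernel port (vmk0) must no longer sit on a vSwitch that
#    still has vmnic0 as an uplink. If it does, the DCUI step was not completed; stop here.
$vmk0   = Get-VMHostNetworkAdapter -VMHost $vmhost -VMKernel -Name vmk0
$mgmtPg = Get-VirtualPortGroup -VMHost $vmhost -Name $vmk0.PortGroupName -Standard
$mgmtSw = Get-VirtualSwitch -VMHost $vmhost -Name $mgmtPg.VirtualSwitchName -Standard
if ($mgmtSw.Nic -contains $InternetNic) {
    throw "vmk0 ($($vmk0.IP)) is still on $($mgmtSw.Name) with uplink $InternetNic. Move the Management Network to vmnic1 in the DCUI first."
}

# 2. New standard vSwitch whose only uplink is vmnic0, plus the VM port group on it.
#    A physical NIC can belong to only one vSwitch, so this also fails if vmnic0 is still attached elsewhere.
$sw = Get-VirtualSwitch -VMHost $vmhost -Name $InternetSwitch -Standard -ErrorAction SilentlyContinue
if (-not $sw) { $sw = New-VirtualSwitch -VMHost $vmhost -Name $InternetSwitch -Nic $InternetNic }
$pg = Get-VirtualPortGroup -VirtualSwitch $sw -Name $InternetPg -ErrorAction SilentlyContinue
if (-not $pg) { $pg = New-VirtualPortGroup -VirtualSwitch $sw -Name $InternetPg }

# 3. Re-attach only the VMs that must be reachable from the Internet; everything else stays on
#    "VM Network", which now lives on the private uplink together with the management port.
foreach ($name in $InternetVMs) {
    Get-VM -Name $name | Get-NetworkAdapter |
        Where-Object { $_.NetworkName -eq 'VM Network' } |
        Set-NetworkAdapter -NetworkName $InternetPg -Confirm:$false | Out-Null
}

# 4. Limit who may talk to the host's web UI (ruleset vSphereClient, TCP 443) and SSH.
#    This uses esxcli through PowerCLI; rulesetid/allowedall/ipaddress are the esxcli argument names.
$esxcli = Get-EsxCli -VMHost $vmhost -V2
foreach ($ruleset in 'vSphereClient', 'sshServer') {
    $esxcli.network.firewall.ruleset.set.Invoke(@{ rulesetid = $ruleset; allowedall = $false }) | Out-Null
    foreach ($src in $AllowedSources) {
        $esxcli.network.firewall.ruleset.allowedip.add.Invoke(@{ rulesetid = $ruleset; ipaddress = $src }) | Out-Null
    }
}

# 5. Show the resulting layout so it can be compared with André's "New configuration".
Get-VirtualSwitch -VMHost $vmhost -Standard |
    Select-Object Name, @{ N = 'Uplinks'; E = { $_.Nic -join ',' } },
                  @{ N = 'PortGroups'; E = { (Get-VirtualPortGroup -VirtualSwitch $_).Name -join ',' } } |
    Format-Table -AutoSize
Disconnect-VIServer -Server $HostAddress -Confirm:$false
```

The firewall step is why the vCenter address is in `$AllowedSources`: if only the VPN subnet is allowed and vCenter lives elsewhere, the later "add host to vCenter" step in the original question fails. Port 80 (ruleset `webAccess`) only redirects to 443 and can be restricted the same way.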

6 Replies
Goodfred
Enthusiast

Hello again!

I tried it on the ESXi machine which doesn't have production data, without success.

Our setup:

We use 2 network ports:
- one for the internet data (currently in use, public IP address; the web interface/ESXi and the VMs have public IPs)
- one newly attached with VLAN and VPN (private IP address network)

Our problem:

We don't know how to configure the network settings so that
- the VMs are connected to the internet with public IP addresses (LAN port 0)
- we can only access the web interface of ESXi from the private VPN/VLAN network on LAN port 1

We were at the point where the device was running on LAN port 1 with a private IP address and we were able to access the web interface from this private IP/VLAN/VPN.
But then the VMs couldn't access the internet anymore.
(We changed the IP address/subnet mask/gateway on the remote console under "Customize System".)

I would be very happy if someone has ideas/tips/solution for me!

I wish you a good day! Sincerely yours!

(P.S.: we want to be able to access the ESXi web interface only from LAN port 1, which is in a VLAN with VPN. This port has been plugged in since yesterday.
And we want the VMs to access the internet with their public IPs as they do now from LAN port 0, which is currently in use.)

a_p_
Leadership

What does the virtual network look like at the moment?
Please post a screenshot that shows the vSwitch and port groups (consider graying out the public Management IP address).

André

Goodfred
Enthusiast

Here are screenshots.

Thank you!

P.S.: When we were at the point where we could access the web interface from the 2nd NIC port with VLAN/private IP/VPN, the internet was not working anymore for the VMs on the other NIC port. Maybe we were close to the right solution.

depping
Leadership

If you had your ESXi hosts connected to the internet with public IP addresses, I would recommend getting a VMware consultancy partner involved to be honest. This is so far removed from any best practices and so insecure, that you should get an expert to explain how this works.


Goodfred
Enthusiast

Thank you!

This was the solution and easy! 😄

I've tried it on one ESXi without production VMs and it worked.

Some minutes ago I changed it back because I had not removed the ESXi from the vCenter before.
Now I'll wait some minutes and I hope that it will work without problems to remove the ESXi in the vCenter web interface with "Remove from Inventory".

Thank you again! 😃
