Hello.
I don't want my ESXi host to see the internet, but the VMs can. How can I block the ESXi host?
Thank you.
It depends on your network.
The easiest way would be to remove the default gateway from the host's settings, but this may not be an option in a corporate network.
Another option would be to block the host's VMkernel network on your firewall.
André
Normally you would do this on a networking level. You have a management network for ESXi, that VLAN usually shouldn't be allowed to go outside.
How? Can you show me a tutorial about it?
Hello,
If you have a firewall in your environment, just go there and block the ESXi management IP; this is the address that resides on vmk0.
And if your VMs use the same subnet as the management subnet, then do not block the whole subnet.
And if you remove the gateway IP of vmk0, your management packets cannot cross between VLANs. So the best option is to do it on the firewall.
Can it cause any problem for VMs?
On ESXi - remove the nameserver from the /etc/resolv.conf file to block internet connectivity,
and on the VM - you can add a DNS record.
Unfortunately, it will not block internet connectivity. That will only stop ESXi hosts from resolving FQDNs, and if the environment is deployed with FQDNs, that's not good.
As said earlier, use different subnets for management and VM traffic, and block egress traffic from management.
As other experts mentioned, this operation highly depends on your network structure. For example, in the most basic environment, you can remove the default gateway from the VMkernel port that handles the ESXi management traffic, of course, IF it doesn't cause loss of host connectivity! If you have VLANs in your network, you can restrict internet connectivity for the ESXi host management VLAN (if the hosts have a separate VLAN ID in your planning). BTW, consider this matter: changing the VMkernel IP settings for any VMK interface will never interrupt virtual machine networking; even if you lose the host connection while modifying some settings, as long as you don't change the VMs' port groups, they still have their connections.
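The "remove the default gateway" approach from the replies above, as an added example that is not from this thread. It deals with the caveat raised earlier (management packets no longer crossing VLANs) by pinning static routes for the subnets the host still needs, such as vCenter and the other hosts' management VLANs, before the default route is removed. All addresses are made up: vmk0 sits on 10.10.0.0/24 behind gateway 10.10.0.1, and 10.20.0.0/24 and 10.30.0.0/24 are the internal subnets that must stay reachable. With DRY_RUN=1 (the default) the script only prints the esxcli commands, so it can be reviewed anywhere; with DRY_RUN=0 it runs them in the ESXi shell.

```shell
#!/bin/sh
# Added example (not the thread's own commands). Assumed, made-up addresses:
#   vmk0 on 10.10.0.0/24, gateway 10.10.0.1
#   internal subnets that must stay reachable: 10.20.0.0/24, 10.30.0.0/24
# DRY_RUN=1 (default) prints the plan; DRY_RUN=0 applies it with esxcli on the host.

DRY_RUN="${DRY_RUN:-1}"

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# pin_routes_and_drop_default GATEWAY SUBNET...
# Adds a static route for every internal subnet via the gateway FIRST, then
# removes the default route. Order matters: once the default route is gone,
# anything without a pinned route (i.e. the internet) has no path, but vCenter
# and the other management VLANs keep working.
pin_routes_and_drop_default() {
    gw="$1"; shift
    if [ $# -eq 0 ]; then
        echo "refusing: no internal subnets to pin, you would lose cross-VLAN management" >&2
        return 1
    fi
    for net in "$@"; do
        run esxcli network ip route ipv4 add -n "$net" -g "$gw"
    done
    run esxcli network ip route ipv4 remove -n default -g "$gw"
}

# restore_default GATEWAY: undo step, puts the default route back.
# The pinned /24 routes are harmless and can stay.
restore_default() {
    run esxcli network ip route ipv4 add -n default -g "$1"
}

pin_routes_and_drop_default 10.10.0.1 10.20.0.0/24 10.30.0.0/24
```

Verify afterwards with `esxcli network ip route ipv4 list`: the pinned subnets should show the gateway and there should be no `default` entry. As noted in the reply above, this only touches the VMkernel routing table; VM traffic goes through the port groups and is unaffected.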
By simply learning the basics of iptables: set up a small virtual machine and define it as the default gateway, which blocks outbound forwarding from whatever sources you want.
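The gateway-VM idea in the reply above, and the firewall advice earlier in the thread (block the vmk0 address, not the whole subnet, so VMs sharing it keep working), as one added example that is not from this thread. It assumes a small Linux VM with eth0 on the inside and eth1 (WAN_IF) towards the real router; the ESXi management address 10.10.0.5, the VM subnet 10.20.0.0/24 and the internal subnet 10.30.0.0/24 are all made up. DRY_RUN=1 (the default) prints the iptables commands for review; DRY_RUN=0 applies them as root.

```shell
#!/bin/sh
# Added example (not the thread's own rules). Assumed, made-up layout:
#   eth0: inside (ESXi management + VM networks)      eth1: towards the internet
#   vmk0 = 10.10.0.5   VM subnet = 10.20.0.0/24   internal subnet = 10.30.0.0/24
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root).

DRY_RUN="${DRY_RUN:-1}"
WAN_IF="${WAN_IF:-eth1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}
ipt() { run iptables "$@"; }

# egress_rules HOST_IP VM_SUBNET INTERNAL_SUBNET...
# FORWARD policy for the gateway VM:
#   - the ESXi host may reach the listed internal subnets (vCenter, other
#     management VLANs, NTP) ...
#   - ... but every packet from the host towards the WAN side is logged and dropped
#   - the VM subnet is forwarded (and NATed) to the WAN side as before
# Only the host's single address is dropped, so VMs on the same subnet as vmk0
# are not affected, which is the caveat raised earlier in the thread.
egress_rules() {
    host_ip="$1"; vm_net="$2"; shift 2

    run sysctl -w net.ipv4.ip_forward=1
    ipt -P FORWARD DROP
    ipt -F FORWARD
    # return traffic of flows already allowed in either direction
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # host -> internal subnets: allowed
    for net in "$@"; do
        ipt -A FORWARD -s "$host_ip" -d "$net" -j ACCEPT
    done
    # host -> anything leaving on the WAN interface: logged, then dropped
    ipt -A FORWARD -s "$host_ip" -o "$WAN_IF" -j LOG --log-prefix "esxi-egress-blocked:"
    ipt -A FORWARD -s "$host_ip" -o "$WAN_IF" -j DROP
    # VMs keep their internet access; MASQUERADE if the WAN side is a private uplink
    ipt -A FORWARD -s "$vm_net" -o "$WAN_IF" -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$vm_net" -o "$WAN_IF" -j MASQUERADE
}

egress_rules 10.10.0.5 10.20.0.0/24 10.30.0.0/24
```

The rule order is what makes the "block only vmk0" point work: if the VMs sit in the same subnet as the host, pass that subnet as VM_SUBNET; the host-specific DROP is evaluated first, so the rest of the subnet still matches the ACCEPT. After applying, `iptables -L FORWARD -v -n` should show counters on the DROP rule once the host tries to reach something outside, and the kernel log carries the `esxi-egress-blocked:` prefix.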