Moving the management interface turned out to be more daunting than I had imagined. By design this is not possible from the GUI that is accessed over HTTP; you are required to do it via the CLI. I assume local shell access is required, but it may be possible to do this over SSH. Ensuring you have physical access is critical: if you make a mistake and lose network access to the management interface, the local console (DCUI) is the only way back in.
By default the management interface (vmk0) sits on vSwitch0, whose uplink is vmnic0. This is fine until you realize that guest VMs may share that same uplink: if you never create a vSwitch beyond vSwitch0, every virtual machine you create lands on vSwitch0 and its traffic leaves the host through vmnic0 alongside management traffic.
I would consider it a best practice to isolate the management interface so that it does not share a physical NIC with any VM guests. Doing so lets you connect that NIC to a dedicated switch port and management VLAN, so guest traffic (including traffic from a compromised guest) never shares a segment with the host's management plane.
Some folks go so far as to air gap the management interface, which I will do too, but only after I have managed to isolate the management interface from all other traffic.
To begin, I access the web-based GUI and identify a vSwitch that is not currently used and give it a unique name; I will reference this later in the code examples. In my case vSwitch0 was used by many guest VMs and the management interface. In addition, vSwitch1 and vSwitch2 were configured to use vmnic2 and vmnic3 respectively. Because I am using a 4-port ethernet adapter, I confirmed vSwitch1 was unused and renamed it to vSwitch-MGMT.
As you can see from the next image, I am unable to update the Management Network port group settings to use a different virtual switch. Note that the screenshot reflects my changes, but the fact remains that you are prevented from making this change via the GUI.
The ESXi Shell is not enabled by default, for good reason, so you first need physical access to the server: press F2 at the console (the DCUI) to log in. Then move through the menu and access
- Create new portgroup on
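The CLI side of the procedure above (new port group on the dedicated vSwitch, then re-homing vmk0 onto it), as an added example that is not the author's script or any VMware-supplied tool. It uses only standard esxcli subcommands. The vSwitch name `vSwitch-MGMT` comes from the post; the port group name `Management-Isolated`, the uplink `vmnic1`, the VLAN id, and the addresses `192.0.2.10/24` with gateway `192.0.2.1` are assumptions to be replaced with your own. Run it from the local ESXi Shell, because the `interface remove` step severs any SSH session; setting `ESXCLI=echo` prints the command sequence instead of executing it, which is a cheap way to review it before you commit.

```shell
#!/bin/sh
# Added example for this post (not the author's own script): move the ESXi
# management vmkernel interface, vmk0, from the default "Management Network"
# port group on vSwitch0 to a new port group on a dedicated vSwitch, using
# only esxcli.  Run it from the local ESXi Shell (DCUI, Alt-F1): the
# "interface remove" step drops every SSH session.
#
# Assumed values; adjust to your host before applying.
MGMT_VSWITCH="${MGMT_VSWITCH:-vSwitch-MGMT}"    # dedicated management vSwitch (from the post)
MGMT_PG="${MGMT_PG:-Management-Isolated}"       # new port group on that vSwitch (assumed name)
MGMT_UPLINK="${MGMT_UPLINK:-vmnic1}"            # NIC wired to the management switch port (assumed);
                                                # must not already be an uplink of another vSwitch
MGMT_VLAN="${MGMT_VLAN:-0}"                     # 0 = untagged; set the management VLAN id for a trunk port
MGMT_IP="${MGMT_IP:-192.0.2.10}"                # management IP re-applied to the recreated vmk0 (assumed)
MGMT_MASK="${MGMT_MASK:-255.255.255.0}"
MGMT_GW="${MGMT_GW:-192.0.2.1}"                 # default gateway, lost when vmk0 is removed (assumed)
OLD_PG="${OLD_PG:-Management Network}"          # port group vmk0 is attached to today
OLD_VSWITCH="${OLD_VSWITCH:-vSwitch0}"
# Override ESXCLI (e.g. ESXCLI=echo) to print the command sequence instead of running it.
ESXCLI="${ESXCLI:-esxcli}"

# Step 1: make sure the dedicated vSwitch exists, has the uplink, and carries
# the new port group (tagged with the management VLAN if one is needed).
prepare_mgmt_vswitch() {
  "$ESXCLI" network vswitch standard list --vswitch-name="$MGMT_VSWITCH" >/dev/null 2>&1 ||
    "$ESXCLI" network vswitch standard add --vswitch-name="$MGMT_VSWITCH"
  "$ESXCLI" network vswitch standard uplink add --uplink-name="$MGMT_UPLINK" --vswitch-name="$MGMT_VSWITCH"
  "$ESXCLI" network vswitch standard portgroup add --portgroup-name="$MGMT_PG" --vswitch-name="$MGMT_VSWITCH"
  "$ESXCLI" network vswitch standard portgroup set --portgroup-name="$MGMT_PG" --vlan-id="$MGMT_VLAN"
}

# Step 2: recreate vmk0 on the new port group.  A vmkernel interface cannot be
# re-parented in place, so the old one is removed first; the IP, default route
# and Management tag do not survive that and are restored explicitly.
move_vmk0() {
  "$ESXCLI" network ip interface remove --interface-name=vmk0
  "$ESXCLI" network ip interface add --interface-name=vmk0 --portgroup-name="$MGMT_PG"
  "$ESXCLI" network ip interface ipv4 set --interface-name=vmk0 --ipv4="$MGMT_IP" --netmask="$MGMT_MASK" --type=static
  "$ESXCLI" network ip route ipv4 add --gateway="$MGMT_GW" --network=default
  "$ESXCLI" network ip interface tag add --interface-name=vmk0 --tagname=Management
}

# Step 3: delete the now-empty port group on the shared vSwitch so nothing can
# be attached to the old management network by mistake.
retire_old_portgroup() {
  "$ESXCLI" network vswitch standard portgroup remove --portgroup-name="$OLD_PG" --vswitch-name="$OLD_VSWITCH"
}

# Check: "esxcli network ip interface list" must now report vmk0 on the new
# port group.  Returns 0 on success.
verify_move() {
  "$ESXCLI" network ip interface list | grep -q "Portgroup: $MGMT_PG"
}

# Apply only when asked; without --apply the functions are merely defined.
if [ "${1:-}" = "--apply" ]; then
  set -e
  prepare_mgmt_vswitch
  move_vmk0
  retire_old_portgroup
  verify_move && echo "vmk0 now on $MGMT_PG ($MGMT_VSWITCH/$MGMT_UPLINK)"
fi
```

The ordering is the part worth pausing on: the old vmk0 has to go before a new vmk0 can be created, and between those two commands the host has no management interface at all, which is why this belongs on the local console and in one non-interactive script rather than typed line by line. Keep a copy of the pre-change `esxcli network ip interface list` and `esxcli network ip interface ipv4 get` output nearby so the address, mask and gateway you re-apply are the ones the host actually had.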