ESXi hosted on public IP without firewall

You can limit the IP addresses permitted through the ESXi firewall.

http://pubs.vmware.com/vsphere-50/index.jsp?topic=%2Fcom.vmware.vcli.examples.doc_50%2Fcli_manage_networks.11.11.html

That is really all you need to harden it. Locking your management down to specific IP addresses is very secure. Naturally, follow the other best practices re passwords etc. as well.

Just make sure to look at the firewall completely and lock down everything to your management IPs.

Non Static IP Alternative

Lock all ports down to 127.0.0.1 as given above except for SSH. Lock SSH down to private/public key authentication only and disable ChallengeResponseAuthentication and PasswordAuthentication. This is very secure.

Use your favourite SSH client to connect to the server with a command line such as:

ssh my.vmhost.rackhoster -L80:localhost:80 -L443:localhost:443 -L903:localhost:903

Then leave the SSH session running and point your browser to https://localhost/ and it will automatically forward port 443 through to the ESXi host. Change the ports if you are already using port 443 on your local machine (i.e. -L8443:localhost:443 instead, then https://localhost:8443/). Same for port 80. Port 903 is for the console.

If you ever lose your private key you're pretty screwed this way, so back it up! :-)

For ultra security ensure your private key is encrypted with a good passphrase. Don't forget it!
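As an added example (not code from the answer above), the following POSIX shell snippet does two things the answer describes: it audits an sshd_config for the key-only settings (PubkeyAuthentication yes, PasswordAuthentication no, ChallengeResponseAuthentication no) and it builds the port-forwarding command line for a list of local:remote port pairs. The host name my.vmhost.example and the two sample config files are constructed placeholders; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original answer. Assumptions: the config
# files below are constructed samples, my.vmhost.example is a placeholder.

# Print the effective value of one sshd_config keyword. sshd uses the first
# occurrence of a keyword, so the first match wins; comment lines are skipped
# and Match blocks are ignored for simplicity.
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# Return 0 only if the config enforces key-only logins as the answer recommends.
# A missing PasswordAuthentication or ChallengeResponseAuthentication line counts
# as a failure, because sshd defaults both to "yes" when they are absent.
sshd_is_key_only() {
    cfg="$1"
    pubkey="$(sshd_option "$cfg" PubkeyAuthentication)"
    [ -z "$pubkey" ] && pubkey=yes        # sshd default when the keyword is absent
    [ "$pubkey" = "yes" ] || return 1
    [ "$(sshd_option "$cfg" PasswordAuthentication)" = "no" ] || return 1
    [ "$(sshd_option "$cfg" ChallengeResponseAuthentication)" = "no" ] || return 1
    return 0
}

# Build the ssh command that forwards each local port to the same service on the
# ESXi host. $1 = host, remaining args = "localport:remoteport" pairs, e.g.
# 8443:443 when port 443 is already in use on your machine. -N keeps the tunnel
# open without requesting a remote shell.
tunnel_command() {
    host="$1"; shift
    cmd="ssh -N $host"
    for pair in "$@"; do
        cmd="$cmd -L${pair%%:*}:localhost:${pair##*:}"
    done
    printf '%s\n' "$cmd"
}

# Constructed sample configs so the check runs offline (not real hosts).
GOOD_CFG="$(mktemp)"
BAD_CFG="$(mktemp)"
trap 'rm -f "$GOOD_CFG" "$BAD_CFG"' EXIT
printf '%s\n' 'PubkeyAuthentication yes' 'PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' > "$GOOD_CFG"
# The commented-out line is the classic mistake: the directive looks present
# but sshd never reads it, so password logins stay enabled.
printf '%s\n' '# PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' > "$BAD_CFG"

if sshd_is_key_only "$GOOD_CFG"; then echo "good config: key-only OK"; fi
if ! sshd_is_key_only "$BAD_CFG"; then echo "bad config: password logins still possible"; fi
tunnel_command my.vmhost.example 80:80 443:443 903:903
```

Run the script as-is to see the audit verdicts and the generated tunnel command; to audit a real host, point sshd_is_key_only at its /etc/ssh/sshd_config. The audit deliberately treats an absent PasswordAuthentication line as a failure rather than trusting the default, which is the safer reading for an Internet-facing host.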


Use the ESXi built-in firewall to close down unneeded ports and limit access to the open ones to a range of known IP addresses.

This might be challenging if you do not use a fixed external IP address at home (like most people), so you may end up restricting access to the addresses of some other servers that you have on the Internet.
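As an added example (not the answer's own code), this shell snippet generates the esxcli commands that restrict a firewall ruleset to known management networks: it switches the ruleset from "allow all" to allowed-IP mode and then adds each permitted network. The ruleset ids sshServer and vSphereClient, the function names and the CIDRs 203.0.113.0/24 and 198.51.100.7 are assumptions and constructed placeholders; list the rulesets actually enabled on your host with "esxcli network firewall ruleset list" before applying anything.

```shell
#!/bin/sh
# Added example, not from the original answer. Ruleset ids and networks below
# are placeholders; DRY_RUN=1 (the default here) only prints the commands.

# Print the esxcli commands that limit one ruleset to the given source networks.
# $1 = ruleset id, remaining args = CIDRs or single IPs. Order matters: once
# --allowed-all is false, only the listed addresses get through, so the
# allowedip entries must follow immediately or you lock yourself out.
firewall_lockdown_cmds() {
    ruleset="$1"; shift
    printf 'esxcli network firewall ruleset set --ruleset-id %s --allowed-all false\n' "$ruleset"
    for net in "$@"; do
        printf 'esxcli network firewall ruleset allowedip add --ruleset-id %s --ip-address %s\n' \
            "$ruleset" "$net"
    done
}

# Run the generated commands on this host, or just print them with DRY_RUN=1.
# Review the dry-run output from a session that is itself inside the allowed
# range before running for real.
firewall_lockdown_apply() {
    firewall_lockdown_cmds "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            printf '[dry-run] %s\n' "$cmd"
        else
            $cmd || { printf 'failed: %s\n' "$cmd" >&2; return 1; }
        fi
    done
}

# Constructed management networks (documentation ranges, not real addresses):
# a fixed office range plus one other server you control, as the answer suggests
# when your home connection has no static IP.
MGMT_NETS="203.0.113.0/24 198.51.100.7"

# Apply the same allow-list to every management-facing ruleset you keep open.
for rs in sshServer vSphereClient; do
    # shellcheck disable=SC2086  # word-splitting MGMT_NETS into arguments is intended
    firewall_lockdown_apply "$rs" $MGMT_NETS
done
```

After applying, confirm the result with "esxcli network firewall ruleset allowedip list"; a ruleset that shows allowed-all false and an empty address list is the lockout case the comment in the script warns about.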