Prevent 200+ virtual machines from seeing each other

How can we prevent 200+ virtual machines from seeing each other but can access the Internet and a shared server?

These VMs are in a couple of ESXi machines.

Having a 1-1 subnet for each virtual machine seems wrong.


The only way I can see to do this is to use one of VMware's "vShield App" or "vShield App with Data Security" products; it's what they suggest themselves for this type of scenario.

The problem with creating a VLAN or Private VLAN per client/VM is that you'll have to create that on the switch and then either on every vswitch on every host or using distributed switches (as mentioned you need the very spendy Ent+ licence for that). Using the vShield tools you'd be able to use one big VLAN but tie a particular client/VM/VMs together - as I say it's this exact problem that the software was written to deal with.


You are probably looking for what is called Private VLANs, which allow the hosts to talk out but not to each other at Layer 2.


Software firewall rules to deny all traffic except to/from the gateway.

I don't know how to script that to 200 users in Linux (or even what the script would be, I'm assuming something with iptables), but on Windows you would deploy that rule via a group policy.
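One way to express the host-firewall rule from this answer on Linux, as an added example that is not part of the original post: a shell function that emits an iptables-restore ruleset isolating a VM from its neighbours while leaving the gateway, one shared server and the Internet reachable. The gateway, shared-server and subnet addresses are assumed values passed as arguments (constructed here as 10.0.0.1, 10.0.0.10 and 10.0.0.0/22); a provisioning tool would run it once per VM. Note that Internet traffic is not addressed *to* the gateway at the IP layer, only routed through it, so "only the gateway" really means "nothing else on the local subnet", which is how the rules below are written.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset that isolates a VM from the other VMs on
# its subnet. Arguments: gateway IP, shared-server IP, local subnet (CIDR).
gen_isolation_rules() {
  gw="$1"; shared="$2"; subnet="$3"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections this VM opened are always fine.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Inbound: only the gateway and the shared server may initiate to us.
-A INPUT -s $gw -j ACCEPT
-A INPUT -s $shared -j ACCEPT
# Outbound: gateway and shared server allowed, every other host on the
# local subnet dropped; anything off-subnet is routed via the gateway.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d $gw -j ACCEPT
-A OUTPUT -d $shared -j ACCEPT
-A OUTPUT -d $subnet -j DROP
COMMIT
EOF
}

# Load the generated ruleset atomically (requires root and iptables-restore).
apply_isolation_rules() {
  gen_isolation_rules "$1" "$2" "$3" | iptables-restore
}

# Usage: ./isolate.sh apply <gateway> <shared-server> <subnet>
#        ./isolate.sh show  <gateway> <shared-server> <subnet>
case "${1:-}" in
  apply) apply_isolation_rules "$2" "$3" "$4" ;;
  show)  gen_isolation_rules "$2" "$3" "$4" ;;
esac
```

Two caveats worth knowing before deploying this to 200 guests: iptables does not filter ARP, so neighbours can still discover each other's MAC addresses even though IP traffic is dropped (arptables or ebtables close that gap), and a host-based rule is only as strong as the guest itself, since an administrator inside the VM can flush it. That is the trade-off against the hypervisor-side approaches in the other answers.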


It might seem wrong, but it seems to me to be the right solution. In principle, yes, Ethernet-layer filtering (which is, when you get down to it, what you're trying to do with Private VLANs) might get you where you want to be, but it does confuse the living hell out of anything that expects to be able to communicate directly -- say, a VM that happens to be on the same "subnet" as one it (legitimately) wants to talk to (I might want to wget a tarball from a site that happens to be hosted on the other VM).