I am assuming you have an existing vswitch with physical NIC(s) (also called uplinks) on the physical network - you will have to create a new vswitch that does not have any uplinks - this will allow you to create an internal-only network (a network that exists only inside the ESXi host). This internal-only vswitch will have a vmkernel port and a virtual machine port group.
Connect the virtual router to the new virtual machine port group, assigning it an IP address on this internal network, and connect it to the existing virtual machine port group that has access to your physical network.
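
The host-side steps above expressed as `esxcli` commands, together with a check that the new vswitch really has no uplinks. This is an added example, not part of the original post; the vswitch, port group and vmk names, the 192.168.100.0/24 addressing and the sample listing are assumptions.

```shell
#!/bin/sh
# Hypothetical names and addressing; adjust to your host.
VSWITCH=vSwitchInternal; VM_PG=Internal-VM; VMK_PG=Internal-VMK
VMK=vmk1; VMK_IP=192.168.100.1; VMK_MASK=255.255.255.0

# Run on the ESXi host. No "uplink add" is issued: that omission keeps the
# vswitch internal-only.
create_internal_vswitch() {
  esxcli network vswitch standard add --vswitch-name="$VSWITCH"
  esxcli network vswitch standard portgroup add --portgroup-name="$VM_PG" --vswitch-name="$VSWITCH"
  esxcli network vswitch standard portgroup add --portgroup-name="$VMK_PG" --vswitch-name="$VSWITCH"
  esxcli network ip interface add --interface-name="$VMK" --portgroup-name="$VMK_PG"
  esxcli network ip interface ipv4 set --interface-name="$VMK" \
    --ipv4="$VMK_IP" --netmask="$VMK_MASK" --type=static
}

# Print the Uplinks value of vswitch $1 from `esxcli network vswitch standard list`
# output on stdin. Exit status 2 if the vswitch is not in the listing.
uplinks_of() {
  awk -v sw="$1" '
    /^[^ \t]/ { cur = $0 }                 # unindented line starts a vswitch block
    cur == sw { found = 1 }
    cur == sw && /^[ \t]+Uplinks:/ {
      sub(/^[ \t]+Uplinks:[ \t]*/, ""); sub(/[ \t]+$/, ""); print
    }
    END { if (!found) exit 2 }
  '
}

# 0 = no uplinks (isolated), 1 = has uplinks, 2 = vswitch not found.
is_isolated() {
  ups=$(uplinks_of "$1") || return 2
  [ -z "$ups" ]
}

# Constructed sample of the list output (trimmed to the relevant fields).
SAMPLE='vSwitch0
   Name: vSwitch0
   Uplinks: vmnic0
   Portgroups: VM Network, Management Network

vSwitchInternal
   Name: vSwitchInternal
   Uplinks: 
   Portgroups: Internal-VM, Internal-VMK'

printf '%s\n' "$SAMPLE" | is_isolated "$VSWITCH" && echo "$VSWITCH has no uplinks"
# On the host: create_internal_vswitch && esxcli network vswitch standard list | is_isolated "$VSWITCH"
```

Attaching the virtual router's two NICs to `Internal-VM` and to the existing port group is done in the VM's settings, not by this script.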