Detailed explanation of the Azure-based homelab, including DNS, firewall, Traefik routing, and Docker networking decisions.

Tags: Architecture, Azure, Security, Docker

Homelab Architecture

This guide explains how the homelab is structured so that recruiters and non-technical reviewers can understand its reliability and security posture without reading YAML files. Every component described below is defined as code, so the entire environment can be rebuilt from a clean Azure virtual machine in roughly one hour.

Audience and Goals

  • Audience: Non-technical users and stakeholders who want to validate my infrastructure experience.
  • Goal: Demonstrate that I can design a secure, observable platform using modern DevOps practices (Infrastructure as Code, Zero Trust networking, automated certificates).

Layered Design

| Layer | Technology | Purpose |
| --- | --- | --- |
| 1. DNS and Identity | Vercel DNS | Routes human-friendly addresses (for example, grafana.homelab.ivanncabardo.tech) to the Azure VPS IP. |
| 2. Network Perimeter | Azure Network Security Group | Allows only ports 22 (SSH), 80 (ACME challenges), and 443 (HTTPS). All other ports are blocked. |
| 3. Edge Router | Traefik v3 | Terminates TLS, requests certificates from Let's Encrypt, and routes traffic to internal services based on hostnames. |
| 4. Application Network | Docker Compose + traefik_proxy | Keeps services on a private Docker network so they communicate internally while Traefik remains the only public entry point. |
| 5. Observability | Prometheus, Grafana, cAdvisor, Node Exporter | Captures metrics about the host, containers, and Traefik for dashboards and alerting. |

DNS and Firewall Flow

  1. I register subdomains such as grafana.homelab.ivanncabardo.tech in Vercel DNS and point them to the static IP of the Azure VPS.
  2. Azure Network Security Group rules block every port by default. Only 22, 80, and 443 are open. Ports such as 3000 (Grafana) and 9000 (Portainer) are intentionally blocked from the internet.
  3. Traefik listens on ports 80/443, terminates TLS, and sends traffic to the appropriate container running on the private traefik_proxy network.
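The perimeter rule in step 2 is easy to state and easy to drift from (a "temporary" debug rule for port 3000 is the classic case). The script below is an added example, not code from the page or the homelab repository: it audits an NSG's custom inbound rules against the 22/80/443 allow-list. It assumes the rules were exported with `az network nsg rule list -o json` (the field names match that output), and it relies on Azure's built-in DenyAllInBound default rule for the default deny, so only custom Allow rules need inspecting. The rule objects at the bottom are constructed samples.

```python
"""Audit Azure NSG inbound rules against the homelab perimeter policy.

Added example (not from the page or the homelab repository). Rule objects use
the field names of `az network nsg rule list -o json`. Azure's built-in
DenyAllInBound default rule (priority 65500) supplies the default deny, so
this check only needs to look at custom Allow rules.
"""
from __future__ import annotations

ALLOWED_INBOUND_PORTS = {22, 80, 443}
# Source prefixes that mean "anyone on the internet" in NSG terms.
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}


def expand_ports(spec: str) -> set[int] | None:
    """Expand an NSG port spec ("443", "8000-8010") to a set; "*" returns None (all ports)."""
    spec = spec.strip()
    if spec == "*":
        return None
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return set(range(int(lo), int(hi) + 1))
    return {int(spec)}


def rule_ports(rule: dict) -> set[int] | None:
    """Collect destination ports from the singular and plural fields; None means all ports."""
    specs = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        specs.append(rule["destinationPortRange"])
    ports: set[int] = set()
    for spec in specs:
        expanded = expand_ports(spec)
        if expanded is None:
            return None
        ports |= expanded
    return ports


def audit_inbound_rules(rules: list[dict]) -> list[str]:
    """Return findings for custom inbound Allow rules that widen the 22/80/443 perimeter.

    Deliberately conservative: Deny rules are ignored, so an Allow rule that is
    shadowed by a lower-numbered Deny is still reported for a human to review.
    """
    findings: list[str] = []
    for rule in sorted(rules, key=lambda r: r["priority"]):  # lowest number is evaluated first
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        if rule.get("sourceAddressPrefix") not in INTERNET_SOURCES:
            continue  # scoped to a specific prefix; not internet-facing
        ports = rule_ports(rule)
        label = f"{rule['name']} (priority {rule['priority']})"
        if ports is None:
            findings.append(f"{label}: allows every port from the internet")
            continue
        extra = sorted(ports - ALLOWED_INBOUND_PORTS)
        if extra:
            findings.append(f"{label}: exposes port(s) {extra} to the internet")
    return findings


def _rule(name, priority, port_spec, source="*", access="Allow"):
    """Build a constructed sample rule in the CLI's output shape."""
    return {"name": name, "priority": priority, "direction": "Inbound", "access": access,
            "protocol": "Tcp", "sourceAddressPrefix": source, "destinationPortRange": port_spec}


# Constructed samples: the intended perimeter, and a drifted copy with a debug rule added.
INTENDED_RULES = [_rule("AllowSSH", 100, "22"), _rule("AllowHTTP", 110, "80"), _rule("AllowHTTPS", 120, "443")]
DRIFTED_RULES = INTENDED_RULES + [
    _rule("AllowGrafanaDebug", 300, "3000-3001"),               # widens the perimeter
    _rule("AllowNodeExporterVNet", 310, "9100", "10.0.0.0/8"),  # private source: not a finding
]

if __name__ == "__main__":
    for finding in audit_inbound_rules(DRIFTED_RULES) or ["perimeter matches policy"]:
        print(finding)
```

Run it against `az network nsg rule list --nsg-name <name> -g <group> -o json` output in CI or a cron job and fail the job on any finding; that turns the "only 22, 80 and 443" sentence into a check that is re-verified every time the VM's rules change.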

Traefik Configuration Explained

Key parts of traefik_proxy/traefik.yml are shown below:

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true

  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letsencrypt

providers:
  docker:
    exposedByDefault: false
    network: traefik_proxy

certificatesResolvers:
  letsencrypt:
    acme:
      email: ivan@ivanncabardo.tech
      storage: /acme/acme.json
      httpChallenge:
        entryPoint: web

  • Automatic HTTPS: All HTTP traffic arriving on the web entry point (port 80) is permanently redirected to HTTPS. The websecure entry point terminates TLS with Let's Encrypt certificates stored in acme.json.
  • Service Opt-in: exposedByDefault: false ensures no container is exposed unless I explicitly add labels like traefik.enable=true. This prevents accidental exposure.
  • Shared Network: network: traefik_proxy keeps all internet-facing containers on a dedicated Docker network so that Traefik can reach them while the public cannot.

Container and Service Layer

Every service is defined in a Docker Compose file with two key sections:

  1. Networks: Services that must be accessible from the internet join traefik_proxy. Internal-only components (Prometheus, Node Exporter) stay on a private monitoring network.
  2. Labels: Declarative routing rules connect hostnames to services. Example (Grafana):

labels:
  - "traefik.enable=true"
  - "traefik.http.routers.grafana.rule=Host(`grafana.homelab.ivanncabardo.tech`)"
  - "traefik.http.routers.grafana.entrypoints=websecure"
  - "traefik.http.routers.grafana.tls.certresolver=letsencrypt"
  - "traefik.http.services.grafana.loadbalancer.server.port=3000"

These labels tell Traefik to route any HTTPS request for grafana.homelab.ivanncabardo.tech to the Grafana container’s internal port 3000. No host port is published, so the container is reachable only through Traefik; if Traefik is down, it is unreachable from the public internet.

Security Principles in Practice

  • Single entry point: Only Traefik accepts inbound traffic from the internet. Everything else runs on private Docker bridges.
  • Encryption everywhere: Traefik obtains certificates automatically and renews them before expiration. All user traffic is HTTPS-only.
  • Least privilege: Containers run with restart: unless-stopped, non-root users when available, and limited capabilities (e.g., no-new-privileges:true on Traefik).
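The rules stated in the two sections above (a service is public only if it opts in with traefik.enable=true and sits on traefik_proxy; no service other than Traefik publishes host ports; every router is HTTPS-only with a Let's Encrypt resolver; no-new-privileges is set) can be checked mechanically before `docker compose up`. The script below is an added example, not code from the page or the homelab repository. It assumes the Compose file has already been parsed into a dict (for example with PyYAML's `yaml.safe_load`) and, going one step beyond the page, expects `no-new-privileges:true` on every service rather than only on Traefik. Both Compose dicts are constructed samples; the second one deliberately breaks the rules.

```python
"""Audit a parsed Docker Compose file against the homelab exposure rules.

Added example (not from the page or the homelab repository). `compose` is the
dict returned by yaml.safe_load() on the Compose file.
"""
PROXY_NETWORK = "traefik_proxy"
EDGE_SERVICE = "traefik"       # the only service allowed to publish host ports
EDGE_PORTS = {"80", "443"}     # ACME challenges and HTTPS


def parse_labels(labels) -> dict:
    """Compose accepts labels as a list of KEY=VALUE strings or as a mapping."""
    if isinstance(labels, dict):
        return {k: str(v) for k, v in labels.items()}
    parsed = {}
    for item in labels or []:
        key, _, value = str(item).partition("=")
        parsed[key] = value
    return parsed


def published_ports(svc: dict) -> set:
    """Host ports from short syntax ('80:80', '127.0.0.1:3000:3000', '3000') or long syntax."""
    hosts = set()
    for spec in svc.get("ports") or []:
        if isinstance(spec, dict):  # long syntax: {target: 3000, published: 3000}
            hosts.add(str(spec.get("published", "ephemeral")))
            continue
        parts = str(spec).split(":")
        # A bare container port still publishes an ephemeral host port.
        hosts.add(parts[-2] if len(parts) >= 2 else "ephemeral")
    return hosts


def audit_compose(compose: dict) -> list:
    """Return one finding per violated rule; an empty list means the file matches the design."""
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        labels = parse_labels(svc.get("labels"))
        nets = set(svc.get("networks") or [])      # works for list and mapping forms
        enabled = labels.get("traefik.enable") == "true"
        ports = published_ports(svc)

        # Rule 1: Traefik is the single entry point; nothing else publishes host ports.
        unexpected = ports - EDGE_PORTS if name == EDGE_SERVICE else ports
        if unexpected:
            findings.append(f"{name}: publishes host port(s) {sorted(unexpected)}, bypassing Traefik")

        # Rule 2: opting in only works when Traefik can reach the container.
        if enabled and PROXY_NETWORK not in nets:
            findings.append(f"{name}: traefik.enable=true but not on {PROXY_NETWORK}")

        # Rule 3: every router is HTTPS-only with an automatic certificate.
        if enabled:
            routers = {k.split(".")[3] for k in labels
                       if k.startswith("traefik.http.routers.") and len(k.split(".")) > 3}
            for router in sorted(routers):
                prefix = f"traefik.http.routers.{router}"
                if labels.get(f"{prefix}.entrypoints") != "websecure":
                    findings.append(f"{name}: router {router} must use entrypoint websecure")
                if labels.get(f"{prefix}.tls.certresolver") != "letsencrypt":
                    findings.append(f"{name}: router {router} has no letsencrypt certresolver")

        # Rule 4 (stricter than the page, which names Traefik): no privilege escalation anywhere.
        if "no-new-privileges:true" not in set(svc.get("security_opt") or []):
            findings.append(f"{name}: missing security_opt no-new-privileges:true")
    return findings


HARDENED = ["no-new-privileges:true"]
# Constructed sample that follows the page's design (Grafana labels as on the page).
SAMPLE_COMPOSE = {"services": {
    "traefik": {"ports": ["80:80", "443:443"], "networks": ["traefik_proxy"], "security_opt": HARDENED},
    "grafana": {"networks": ["traefik_proxy", "monitoring"], "security_opt": HARDENED, "labels": [
        "traefik.enable=true",
        "traefik.http.routers.grafana.rule=Host(`grafana.homelab.ivanncabardo.tech`)",
        "traefik.http.routers.grafana.entrypoints=websecure",
        "traefik.http.routers.grafana.tls.certresolver=letsencrypt",
        "traefik.http.services.grafana.loadbalancer.server.port=3000"]},
    "prometheus": {"networks": ["monitoring"], "security_opt": HARDENED},
}}
# Constructed sample with the common mistakes: a published port, a plain-HTTP router, no hardening.
DRIFTED_COMPOSE = {"services": {
    "portainer": {"ports": ["9000:9000"], "networks": ["traefik_proxy"], "labels": [
        "traefik.enable=true",
        "traefik.http.routers.portainer.rule=Host(`portainer.example.test`)",
        "traefik.http.routers.portainer.entrypoints=web"]},
}}

if __name__ == "__main__":
    for finding in audit_compose(DRIFTED_COMPOSE) or ["compose file matches the design"]:
        print(finding)
```

The drifted sample yields four findings: port 9000 published straight to the host (the NSG would block it from the internet, but the design says Traefik is the only listener), a router bound to the plain `web` entry point, no certificate resolver, and no `no-new-privileges`. Wiring this check into the same pipeline that deploys the Compose file keeps the "service opt-in" and "single entry point" claims true after the next edit, not just on the day they were written.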

Why This Matters to Non-Technical Stakeholders

  • Reproducibility: The entire environment is defined as code under version control. Disaster recovery is as simple as cloning the repository on a new VPS and running docker-compose up -d.
  • Security Story: Demonstrates practical application of Zero Trust principles, automated certificate management, and network segmentation—capabilities expected of modern DevOps engineers.
  • Observability and Accountability: Because Prometheus scrapes Traefik, host metrics, and container metrics, I can show uptime, load, and audit trails for any interview or client review.