If this page is accessible, the request has passed through all the layers below, from the edge to the internal services.
Architecture originally implemented on a dedicated bare metal server at OVH, using VMware ESXi, pfSense, network segmentation, and monitoring with Zabbix.
USER
- Internet

Cloudflare (Edge Protection)
- WAF
- Anti-DDoS
- TLS

OVH EDGE FIREWALL (Edge Datacenter)
- L3/L4 filtering
- Anti-DDoS
- Port filtering

pfSense (Public IP)
- Stateful firewall
- NAT / port forward
- VPN

VM-WEB01 (Nginx)
- Private IP (LAN)
- Access via NAT
- Headers hardening
- Ubuntu LTS (CLI managed)

VM-DB01 (MySQL)
- Isolated network
- Allowlist
- Access via VPN
- Ubuntu LTS (CLI managed)

MONITORING (Zabbix)
- Internal network
- Access via VPN
- Ubuntu LTS (CLI managed)
Architecture and Technical Decisions
- Infrastructure deployed on a bare metal server using VMware ESXi virtualization.
- Only the perimeter firewall has a publicly exposed IP address.
- Services operate within a private network with no direct external access.
- Website publishing is performed via controlled NAT on pfSense.
- The database is isolated, accepting connections only from the Web VM.
- Database administration and maintenance are performed exclusively via VPN.
- Architecture based on defense-in-depth principles and attack surface reduction.
- Monitoring infrastructure is isolated and accessible only via VPN.
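The decisions above can be checked rather than assumed. The following is an added example (not the lab's own pfSense configuration): it encodes a constructed rule table with first-match evaluation and default deny, then audits it against the stated invariants (only the website is reachable from the Internet, the database accepts only the Web VM and VPN administrators, monitoring is reachable only over VPN). All subnets, host addresses and port numbers are assumptions chosen to mirror the diagram, and a deliberately over-broad second ruleset shows what a violation looks like.

```python
"""Policy audit for the segmented lab network described above.

Added example, not the lab's own pfSense configuration. Subnets, host
addresses and the rule table are constructed to mirror the diagram:
pfSense as the only public IP, VM-WEB01 on the LAN, VM-DB01 on an
isolated segment, Zabbix on an internal segment and a VPN client range.
Rules are evaluated first-match for new connections with an implicit
default deny, the way a stateful firewall treats unsolicited traffic.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed addressing plan (assumption, not the real lab's)
ANY = ip_network("0.0.0.0/0")
LAN = ip_network("10.10.10.0/24")       # VM-WEB01
DB_NET = ip_network("10.10.20.0/24")    # VM-DB01, isolated
MON_NET = ip_network("10.10.30.0/24")   # Zabbix
VPN_NET = ip_network("10.10.99.0/24")   # VPN clients terminated on pfSense
WEB01 = ip_network("10.10.10.10/32")
DB01 = ip_network("10.10.20.10/32")
ZBX = ip_network("10.10.30.10/32")


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None matches any destination port


# Ruleset that encodes the decisions listed above
BASELINE = [
    Rule("pass", ANY, WEB01, 80),        # website published via NAT on pfSense
    Rule("pass", ANY, WEB01, 443),
    Rule("pass", WEB01, DB01, 3306),     # DB accepts only the Web VM
    Rule("pass", VPN_NET, WEB01, 22),    # administration only over VPN
    Rule("pass", VPN_NET, DB01, 22),
    Rule("pass", VPN_NET, DB01, 3306),
    Rule("pass", VPN_NET, ZBX, 22),
    Rule("pass", VPN_NET, ZBX, 443),
    Rule("pass", ZBX, LAN, 10050),       # Zabbix agent polling
    Rule("pass", ZBX, DB_NET, 10050),
]

# Same ruleset plus one over-broad rule: the whole LAN may reach the DB segment
OVERBROAD = BASELINE + [Rule("pass", LAN, DB_NET, 3306)]


def evaluate(rules, src, dst, dport):
    """First matching rule decides; no match means the default deny applies."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and r.dport in (None, dport):
            return r.action
    return "block"


# Sample sources used by the audit (constructed)
INTERNET_HOST = "198.51.100.7"   # arbitrary Internet client (TEST-NET-2)
LAN_OTHER = "10.10.10.200"       # some other LAN host that is not WEB01
VPN_CLIENT = "10.10.99.5"
PORTS = (22, 80, 443, 3306, 10050)
HOSTS = {"WEB01": "10.10.10.10", "DB01": "10.10.20.10", "ZBX": "10.10.30.10"}


def audit(rules):
    """Return (source, destination, port) tuples that violate the stated design."""
    violations = []
    # Only the website on WEB01 may be reachable from the Internet
    for name, ip in HOSTS.items():
        for port in PORTS:
            allowed = name == "WEB01" and port in (80, 443)
            if evaluate(rules, INTERNET_HOST, ip, port) == "pass" and not allowed:
                violations.append((INTERNET_HOST, ip, port))
    # The database port accepts only WEB01 and VPN administrators
    for src in (INTERNET_HOST, LAN_OTHER, HOSTS["ZBX"]):
        if evaluate(rules, src, HOSTS["DB01"], 3306) == "pass":
            violations.append((src, HOSTS["DB01"], 3306))
    # Monitoring is reachable only over VPN
    for src in (INTERNET_HOST, LAN_OTHER, HOSTS["DB01"]):
        for port in (22, 443):
            if evaluate(rules, src, HOSTS["ZBX"], port) == "pass":
                violations.append((src, HOSTS["ZBX"], port))
    return violations


if __name__ == "__main__":
    print("baseline violations:", audit(BASELINE))     # []
    print("over-broad violations:", audit(OVERBROAD))  # [('10.10.10.200', '10.10.20.10', 3306)]
```

Running the script reports no violations for the baseline table and exactly one for the over-broad variant. The same pattern works against an exported rule table: parse the real rules into `Rule` objects and keep the `audit` checks as the written-down invariants, so a rule added during troubleshooting that quietly widens database or monitoring access is caught before it stays.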
Previously Implemented Infrastructure
This architecture was implemented and operated on a dedicated bare metal server
in the OVH datacenter as a real laboratory environment.
Each component presented reflects real firewall rules, network segmentation,
access control, and monitoring configurations used during the operation of the environment.
What this environment demonstrates
- Ability to design and operate secure infrastructure in a production-like environment
- Practical application of the principle of least privilege and minimal service exposure
- Network segmentation by function with isolation of critical services
- Architecture based on defense-in-depth security principles
- Experience with system hardening, stateful firewalling, VPNs, and attack surface reduction
- Real-world experience with troubleshooting, availability, and continuous monitoring
- Implementation of active monitoring with proactive alerting
- Architectural decision-making based on security, cost, and operational control