Homelab Architecture Overview
Comprehensive architecture documentation for the enterprise-grade home lab infrastructure.
Table of Contents
- Overview
- Design Principles
- Technology Stack
- Infrastructure Layers
- Network Architecture
- Component Relationships
- Data Flow
- Security Architecture
- Deployment Workflow
- Disaster Recovery Strategy
Overview
This homelab demonstrates a production-grade cloud-native infrastructure suitable for enterprise workloads, development, and learning. The architecture follows modern DevOps practices with infrastructure-as-code, automated deployments, and cloud-native application patterns.
Design Goals
- Enterprise-Grade: Production-ready components and configurations
- Scalable: Horizontal scaling capabilities across all layers
- Secure: Defense-in-depth security model with encryption and isolation
- Automated: GitOps and infrastructure-as-code throughout
- Observable: Comprehensive monitoring and logging
- Cost-Effective: Efficient resource utilization in home environment
Design Principles
1. Layered Architecture
The infrastructure follows a clear separation of concerns across distinct layers:
- Physical Infrastructure: Hardware, networking, storage
- Virtualization Layer: vSphere with NSX-T for compute and networking
- Platform Layer: BOSH for deployment automation and lifecycle management
- Container Platform: Kubernetes with Tanzu for application workloads
- Application Layer: Cloud-native applications and services
2. Infrastructure as Code
- All configurations stored in version control
- Declarative manifests for reproducible deployments
- Automated testing and validation of infrastructure changes
- Rollback capabilities for all deployments
3. Security by Design
- Zero-trust network model with micro-segmentation
- Encryption in transit and at rest
- Role-based access control (RBAC) at every layer
- Automated certificate management and rotation
4. GitOps Workflow
- Git as single source of truth for all configurations
- Automated CI/CD pipelines for infrastructure and applications
- Pull-based deployment model with Concourse CI
Technology Stack
Why These Technologies?
VMware vSphere + NSX-T
Why: Enterprise-grade virtualization with advanced networking
- vSphere: Proven hypervisor with enterprise features (vMotion, HA, DRS)
- NSX-T: Software-defined networking with micro-segmentation
- Benefits: High availability, automated load balancing, security isolation
BOSH Platform
Why: Declarative deployment and lifecycle management
- Infrastructure Abstraction: Deploy same workloads across different clouds
- Health Monitoring: Automatic VM recovery and healing
- Rolling Updates: Zero-downtime deployments with canary releases
Tanzu Kubernetes Grid (TKG)
Why: Enterprise Kubernetes with integrated security and compliance
- Upstream Kubernetes: No vendor lock-in, standard APIs
- Security Hardening: CIS benchmarks, Pod Security Standards
- Lifecycle Management: Automated updates and cluster operations
Harbor Registry
Why: Enterprise container registry with security scanning
- Vulnerability Scanning: Automated image security analysis
- Content Trust: Image signing and verification
- Multi-tenancy: Project-based isolation and RBAC
Tanzu Build Service (TBS)
Why: Cloud-native buildpacks for secure, efficient container builds
- Automatic Updates: OS patches are applied by rebasing the run image with no rebuild; buildpack and runtime updates trigger an automatic rebuild
- Security: Minimal attack surface with minimal (distroless-style) run images
- Compliance: Supply chain security with SBOMs
Infrastructure Layers
Layer 1: Physical Infrastructure
┌─────────────────────────────────────────────────────────────┐
│ Physical Infrastructure │
├─────────────────────────────────────────────────────────────┤
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────────────┐ │
│ │ NUC 1 │ │ NUC 2 │ │ NUC 3 │ │
│ │ i7-6770HQ │ │ i7-6770HQ │ │ i7-6770HQ │ │
│ │ 64GB │ │ 64GB │ │ 64GB │ │
│ │ 250GB SSD │ │ 250GB SSD │ │ 250GB SSD │ │
│ │ 2x NIC │ │ 2x NIC │ │ 2x NIC │ │
│ └─────────────┘ └─────────────┘ └─────────────────────┘ │
├─────────────────────────────────────────────────────────────┤
│ Network Infrastructure │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────────────┐ │
│ │USW-Aggreg │ │ US-8 PoE │ │ Synology NAS │ │
│ │ (10G Core) │ │ (Garage) │ │ (Storage) │ │
│ └─────────────┘ └─────────────┘ └─────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
Why This Hardware Configuration?
- Intel NUCs: Compact, energy-efficient, quad-core mobile processors
- 64GB RAM: Sufficient for multiple VMs and container workloads
- Dual NICs: Network redundancy and traffic separation
- 10G Core Switch: High-bandwidth backbone for storage and vMotion traffic
Layer 2: Virtualization Platform
┌─────────────────────────────────────────────────────────────┐
│ vSphere Cluster │
├─────────────────────────────────────────────────────────────┤
│ ESXi Host 1 ESXi Host 2 ESXi Host 3 │
│ │ │ │ │
│ └──────────────┼──────────────┘ │
│ │ │
│ ┌──────────────▼──────────────┐ │
│ │ vCenter Server │ │
│ │ (Management & HA) │ │
│ └─────────────────────────────┘ │
├─────────────────────────────────────────────────────────────┤
│ NSX-T Manager │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────────────┐ │
│ │ Controllers │ │ Edge Nodes │ │ Transport Zones │ │
│ │(Control) │ │(Edge Svcs) │ │ (Overlay/VLAN) │ │
│ └─────────────┘ └─────────────┘ └─────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
Why NSX-T?
- Micro-segmentation: Granular security policies at VM level
- Load Balancing: Built-in Layer 4/7 load balancing
- Network Automation: API-driven network provisioning
- Multi-cloud Ready: Consistent networking across environments
Layer 3: BOSH Platform
┌─────────────────────────────────────────────────────────────┐
│ BOSH Ecosystem │
├─────────────────────────────────────────────────────────────┤
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────────────┐ │
│ │ BOSH │ │ Jumpbox │ │ Concourse │ │
│ │ Director │ │ (Access) │ │ CI/CD │ │
│ │ │ │ │ │ │ │
│ │ ┌─────────┐ │ │ ┌─────────┐ │ │ ┌─────────────────┐ │ │
│ │ │CPI/vSph │ │ │ │SSH/VPN │ │ │ │Web│DB│Workers │ │ │
│ │ │Health │ │ │ │Tunnel │ │ │ │UI │PG │Build │ │ │
│ │ │Monitor │ │ │ │Bastion │ │ │ │ │SQL│Agents │ │ │
│ │ └─────────┘ │ │ └─────────┘ │ │ └─────────────────┘ │ │
│ └─────────────┘ └─────────────┘ └─────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
Why BOSH?
- Consistency: Identical deployments across environments
- Self-Healing: Automatic VM resurrection and health monitoring
- Rolling Updates: Canary-based rolling upgrades; a failed canary halts the deploy before the remaining instances change, so the previous release can be redeployed (BOSH does not roll back on its own)
- Release Management: Versioned, tested software packages
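The canary and rolling-update behaviour described above is set in the deployment manifest's `update` block. The following is an added example, not one of this lab's own manifests: a minimal BOSH manifest for the jumpbox instance group using the public os-conf release. The release and stemcell versions, checksum, network name, vm_type and the CredHub variable name are placeholders.

```yaml
# Added example, not one of this lab's manifests: a minimal BOSH deployment
# manifest showing how canary/rolling updates and pinned, checksummed
# releases are configured. Versions, checksum, network and vm_type are
# placeholders.
name: jumpbox

releases:
- name: os-conf                      # pin the version and checksum of every release
  version: "22.2.1"                  # placeholder version
  url: https://bosh.io/d/github.com/cloudfoundry/os-conf-release?v=22.2.1
  sha1: REPLACE_WITH_RELEASE_SHA1    # the Director rejects a tarball whose digest does not match

stemcells:
- alias: default
  os: ubuntu-jammy
  version: "1.406"                   # placeholder; pin stemcells too, "latest" breaks reproducibility

instance_groups:
- name: jumpbox
  instances: 2
  azs: [z1]
  vm_type: small
  stemcell: default
  networks:
  - name: mgmt                       # cloud-config network mapped to the management VLAN
  jobs:
  - name: user_add                   # os-conf job that creates a local user with an SSH key
    release: os-conf
    properties:
      users:
      - name: ops
        public_key: ((ops_ssh_public_key))   # interpolated from CredHub at deploy time, never committed

update:
  canaries: 1                        # update a single VM first
  canary_watch_time: 30000-300000    # ms to wait for the canary to report healthy
  update_watch_time: 30000-300000
  max_in_flight: 1                   # then the rest, one at a time
  serial: true                       # instance groups are updated in manifest order
```

If the canary never reports healthy within `canary_watch_time`, the deploy fails and the other instance stays on the old release; recovery is a `bosh deploy` of the previous manifest, which is why the manifest and its pinned versions live in Git.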
Layer 4: Kubernetes Platform
┌─────────────────────────────────────────────────────────────┐
│ Tanzu Kubernetes Grid (TKG) │
├─────────────────────────────────────────────────────────────┤
│ Management Cluster │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────────────┐ │
│ │ Cluster │ │ Cluster │ │ Shared │ │
│ │ API │ │ Lifecycle │ │ Services │ │
│ │ │ │ │ │ │ │
│ │ ┌─────────┐ │ │ ┌─────────┐ │ │ ┌─────────────────┐ │ │
│ │ │TKG CLI │ │ │ │Tanzu │ │ │ │TMC│Harbor│DNS │ │ │
│ │ │kubectl │ │ │ │Package │ │ │ │ │Cert │Load │ │ │
│ │ │Helm │ │ │ │Manager │ │ │ │ │Mgr │Bal │ │ │
│ │ └─────────┘ │ │ └─────────┘ │ │ └─────────────────┘ │ │
│ └─────────────┘ └─────────────┘ └─────────────────────┘ │
├─────────────────────────────────────────────────────────────┤
│ Workload Clusters │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────────────┐ │
│ │Development │ │ Staging │ │ Production │ │
│ │ Cluster │ │ Cluster │ │ Cluster │ │
│ └─────────────┘ └─────────────┘ └─────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
Why Separate Management and Workload Clusters?
- Isolation: Platform services separate from application workloads
- Upgrade Safety: Update cluster infrastructure without affecting apps
- Multi-tenancy: Different security and resource policies per environment
- Disaster Recovery: Management cluster can recreate workload clusters
Layer 5: Application Platform
┌─────────────────────────────────────────────────────────────┐
│ Application Platform Stack │
├─────────────────────────────────────────────────────────────┤
│ Ingress Layer │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────────────┐ │
│ │ Contour │ │ NSX-T │ │ cert-manager │ │
│ │ (Ingress │ │ L7 LB │ │ (Auto TLS) │ │
│ │Controller) │ │ │ │ │ │
│ └─────────────┘ └─────────────┘ └─────────────────────┘ │
├─────────────────────────────────────────────────────────────┤
│ Build & Deploy │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────────────┐ │
│ │ Harbor │ │ TBS │ │ Knative │ │
│ │ (Registry │ │(Buildpacks) │ │ (Serverless) │ │
│ │& Security) │ │ │ │ │ │
│ └─────────────┘ └─────────────┘ └─────────────────────┘ │
├─────────────────────────────────────────────────────────────┤
│ Observability │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────────────┐ │
│ │ Prometheus │ │ Grafana │ │ Fluent │ │
│ │ (Metrics) │ │(Dashboards) │ │ (Logging) │ │
│ └─────────────┘ └─────────────┘ └─────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
Network Architecture
VLAN Segmentation Strategy
┌─────────────────────────────────────────────────────────────┐
│ Network Segmentation │
├─────────────────────────────────────────────────────────────┤
│ VLAN 10 - Management Network (192.168.10.0/24) │
│ ├── vCenter, NSX-T Manager, BOSH Director │
│ ├── ESXi management vmkernel ports, out-of-band management where present │
│ └── Network device management │
├─────────────────────────────────────────────────────────────┤
│ VLAN 20 - vMotion Network (192.168.20.0/24) │
│ ├── ESXi vMotion interfaces │
│ ├── High-bandwidth VM migration │
│ └── Non-routed; vMotion encryption set to Required rather than the Opportunistic default │
├─────────────────────────────────────────────────────────────┤
│ VLAN 30 - Storage Network (192.168.30.0/24) │
│ ├── NFS/iSCSI storage traffic │
│ ├── Backup and replication │
│ └── Storage array management │
├─────────────────────────────────────────────────────────────┤
│ VLAN 100 - TKG Workload (192.168.100.0/24) │
│ ├── Kubernetes worker nodes │
│ ├── Pod-to-pod communication │
│ └── Internal service mesh traffic │
├─────────────────────────────────────────────────────────────┤
│ VLAN 110 - TKG Frontend (192.168.110.0/24) │
│ ├── Load balancer external IPs │
│ ├── Ingress controller services │
│ └── External-facing applications │
└─────────────────────────────────────────────────────────────┘
Why This VLAN Strategy?
- Traffic Isolation: Separate network domains for different traffic types
- Security: Granular firewall rules between VLANs
- Performance: Dedicated bandwidth for storage and vMotion
- Compliance: Network segmentation for regulatory requirements
Physical Network Topology
Internet
│
│ Coax (DOCSIS 3.1)
▼
┌─────────────────┐
│ Arris S34 │ (Cable Modem)
│ Modem │
└─────────────────┘
│
│ Ethernet
▼
┌─────────────────┐
│ UXG-Lite │ (Gateway/Firewall)
│ Gateway │
└─────────────────┘
│
│ Trunk Link
▼
┌─────────────────┐ ┌─────────────────┐
│ US-8 PoE │◄────►│ USW-Aggregation │ (10G Core)
│ (Garage) │ │ (Office) │
└─────────────────┘ └─────────────────┘
│
│ 10G Links
▼
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ NUC 1 │ │ NUC 2 │ │ NUC 3 │
│ (ESXi Host) │ │ (ESXi Host) │ │ (ESXi Host) │
└─────────────┘ └─────────────┘ └─────────────┘
NSX-T Logical Network
┌─────────────────────────────────────────────────────────────┐
│ NSX-T Architecture │
├─────────────────────────────────────────────────────────────┤
│ Management Plane │
│ ┌─────────────────────────┐ │
│ │ NSX-T Manager │ │
│ │ (API, UI, Config) │ │
│ └─────────────────────────┘ │
├─────────────────────────────────────────────────────────────┤
│ Control Plane │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────────────┐ │
│ │Manager/CCP 1│ │Manager/CCP 2│ │ Manager/CCP 3 │ │
│ │(Converged │ │(Converged │ │ (Converged │ │
│ │Mgmt+Ctrl) │ │Mgmt+Ctrl) │ │ Mgmt+Ctrl) │ │
│ └─────────────┘ └─────────────┘ └─────────────────────┘ │
├─────────────────────────────────────────────────────────────┤
│ Data Plane │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────────────┐ │
│ │ Host TEPs │ │ Edge VMs │ │ Logical Switches │ │
│ │(Tunnel │ │(N-S Traffic │ │ (Overlay/VLAN) │ │
│ │Endpoints) │ │Routing) │ │ │ │
│ └─────────────┘ └─────────────┘ └─────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
Component Relationships
Service Dependencies
┌─────────────────────────────────────────────────────────────┐
│ Component Dependency Map │
└─────────────────────────────────────────────────────────────┘
Applications
│ depends on
▼
┌─────────────────┐ ┌─────────────────┐ ┌──────────────┐
│ Knative │ │ TBS │ │ Contour │
│ (Serverless) │ │ (Buildpacks) │ │ (Ingress) │
└─────────────────┘ └─────────────────┘ └──────────────┘
│ │ │
│ depends on │ depends on │ depends on
▼ ▼ ▼
┌─────────────────┐ ┌─────────────────┐ ┌──────────────┐
│ cert-manager │ │ Harbor │ │ NSX-T LB │
│ (TLS Certs) │ │ (Registry) │ │ (L4/L7 LB) │
└─────────────────┘ └─────────────────┘ └──────────────┘
│ │ │
│ depends on │ depends on │ depends on
▼ ▼ ▼
┌─────────────────────────────────────────────────────────────┐
│ Tanzu Kubernetes Grid │
│ (Management + Workload Clusters) │
└─────────────────────────────────────────────────────────────┘
│ depends on
▼
┌─────────────────────────────────────────────────────────────┐
│ BOSH Platform │
│ (Director, Concourse, Health Monitoring) │
└─────────────────────────────────────────────────────────────┘
│ depends on
▼
┌─────────────────────────────────────────────────────────────┐
│ vSphere + NSX-T Platform │
│ (Compute, Storage, Network Virtualization) │
└─────────────────────────────────────────────────────────────┘
│ depends on
▼
┌─────────────────────────────────────────────────────────────┐
│ Physical Infrastructure │
│ (Hosts, Storage, Network Hardware) │
└─────────────────────────────────────────────────────────────┘
Data Flow Patterns
Build and Deploy Pipeline
Developer
│ git push
▼
┌─────────────────┐ webhook ┌─────────────────┐
│ Git Repo │─────────────→ │ Concourse │
│ (Source Code) │ │ Pipeline │
└─────────────────┘ └─────────────────┘
│ trigger
▼
┌─────────────────┐
│ Tanzu Build Svc │
│ (Cloud Native │
│ Buildpacks) │
└─────────────────┘
│ push image
▼
┌─────────────────┐ scan ┌─────────────────┐
│ Harbor │◄──────────────│ Container │
│ Registry │ │ Image │
│ (Vulnerability │ │ │
│ Scanning) │ └─────────────────┘
└─────────────────┘
│ deploy
▼
┌─────────────────┐ route ┌─────────────────┐
│ Kubernetes │◄──────────────│ Contour │
│ Cluster │ │ Ingress │
│ (Application │ │ Controller │
│ Runtime) │ └─────────────────┘
└─────────────────┘
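The "trigger -> build -> push image" steps above are driven by a Tanzu Build Service (kpack) Image resource. The following is an added example, not one of this lab's manifests: a registry credential scoped to a Harbor robot account, the ServiceAccount that carries it, and an Image that builds from Git and pushes to a Harbor project. The registry hostname, project, repository URL, namespace and robot account name are placeholders.

```yaml
# Added example, not this lab's manifests: a TBS/kpack Image that builds from
# Git and pushes into Harbor. Hostnames, project, repo URL and namespace are
# placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: harbor-push
  namespace: build
  annotations:
    kpack.io/docker-registry: harbor.lab.example.com   # tells kpack which registry this credential is for
type: kubernetes.io/basic-auth
stringData:
  username: robot$apps+builder      # Harbor robot account limited to push on the "apps" project
  password: REPLACE_WITH_ROBOT_TOKEN
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: builder
  namespace: build
secrets:
- name: harbor-push                  # used to push the built image
imagePullSecrets:
- name: harbor-push                  # used to pull the builder/run images
---
apiVersion: kpack.io/v1alpha2
kind: Image
metadata:
  name: sample-app
  namespace: build
spec:
  tag: harbor.lab.example.com/apps/sample-app   # destination repository in Harbor
  serviceAccountName: builder
  builder:
    kind: ClusterBuilder
    name: default                    # platform-managed builder; a stack or buildpack update rebuilds this image
  source:
    git:
      url: https://git.lab.example.com/apps/sample-app.git
      revision: main                 # pin a commit SHA for release builds
  build:
    env:
    - name: BP_JVM_VERSION           # buildpack configuration is plain env vars
      value: "17"
```

Using a project-scoped robot account rather than a personal Harbor login keeps the build namespace unable to touch other projects. Harbor then enforces the scan step at pull time through the project metadata `auto_scan`, `prevent_vul` and `severity`, which block pulls of images whose scan found vulnerabilities at or above the configured severity.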
Traffic Flow (North-South)
Internet User
│ HTTPS Request
▼
┌─────────────────┐
│ UXG Gateway │ (Firewall/NAT)
│ Firewall │
└─────────────────┘
│ port forward
▼
┌─────────────────┐
│ NSX-T T1 │ (Load Balancer)
│ Load Balancer │
└─────────────────┘
│ distribute
▼
┌─────────────────┐ ┌─────────────────┐ ┌──────────────┐
│ Envoy 1 │ │ Envoy 2 │ │ Envoy 3 │
│ (Contour) │ │ (Contour) │ │ (Contour) │
└─────────────────┘ └─────────────────┘ └──────────────┘
│ │ │
│ route to service │ route to service │ route to service
▼ ▼ ▼
┌─────────────────┐ ┌─────────────────┐ ┌──────────────┐
│ Application │ │ Application │ │ Application │
│ Pod 1 │ │ Pod 2 │ │ Pod 3 │
└─────────────────┘ └─────────────────┘ └──────────────┘
Security Architecture
Defense in Depth Model
┌─────────────────────────────────────────────────────────────┐
│ Security Layers │
├─────────────────────────────────────────────────────────────┤
│ Layer 7: Application Security │
│ ├── RBAC, Pod Security Standards, Network Policies │
│ ├── Container Image Scanning, Admission Controllers │
│ └── Service Mesh mTLS, Application Firewalls │
├─────────────────────────────────────────────────────────────┤
│ Layer 6: Platform Security │
│ ├── Kubernetes API Authentication/Authorization │
│ ├── Secrets Management, Certificate Rotation │
│ └── Audit Logging, Compliance Scanning │
├─────────────────────────────────────────────────────────────┤
│ Layer 5: Orchestration Security │
│ ├── BOSH Authentication, VM-level Isolation │
│ ├── Encrypted Communications, Secure Tunnels │
│ └── Deployment Validation, Change Approval │
├─────────────────────────────────────────────────────────────┤
│ Layer 4: Network Security │
│ ├── NSX-T Micro-segmentation, DFW Rules │
│ ├── VPN Access, Network Intrusion Detection │
│ └── VLAN Isolation, Traffic Encryption │
├─────────────────────────────────────────────────────────────┤
│ Layer 3: Virtualization Security │
│ ├── vSphere Authentication, VM Encryption │
│ ├── Resource Pools, DRS Anti-Affinity Rules │
│ └── vCenter RBAC, Audit Logging │
├─────────────────────────────────────────────────────────────┤
│ Layer 2: Operating System Security │
│ ├── Hardened OS Images, Security Patches │
│ ├── Host Firewalls, Anti-malware │
│ └── System Monitoring, Intrusion Detection │
├─────────────────────────────────────────────────────────────┤
│ Layer 1: Physical Security │
│ ├── Secure Location, Access Controls │
│ ├── Hardware Monitoring, Tamper Detection │
│ └── Power Protection, Environmental Controls │
└─────────────────────────────────────────────────────────────┘
Certificate Management Flow
┌─────────────────────────────────────────────────────────────┐
│ Automated Certificate Lifecycle │
└─────────────────────────────────────────────────────────────┘
cert-manager
│ request certificate
▼
┌─────────────────┐ ACME Challenge ┌─────────────────┐
│ Let's Encrypt │◄─────────────────────│ Route53 DNS │
│ CA │ │ Validation │
└─────────────────┘ └─────────────────┘
│ issue certificate
▼
┌─────────────────┐ store as secret ┌─────────────────┐
│ TLS Secret │◄─────────────────────│ Kubernetes │
│ (cert + key) │ │ Secret │
└─────────────────┘ └─────────────────┘
│ mount certificate
▼
┌─────────────────┐ auto-reload ┌─────────────────┐
│ Contour │◄─────────────────────│ Certificate │
│ Ingress │ │ Update │
│ Controller │ │ Notification │
└─────────────────┘ └─────────────────┘
│ serve HTTPS traffic
▼
┌─────────────────┐
│ Application │
│ Services │
└─────────────────┘
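The lifecycle in the diagram above is an ACME DNS-01 flow. The following is an added example, not one of this lab's manifests: a cert-manager ClusterIssuer that solves DNS-01 challenges through Route53, a Certificate that produces the TLS Secret, and the Contour HTTPProxy that serves it. The domain, hosted zone ID, access key ID, e-mail address, Secret and service names are placeholders.

```yaml
# Added example, not this lab's manifests: the ACME DNS-01 certificate flow
# as cert-manager and Contour resources. Domain, zone ID, key ID, e-mail
# and names are placeholders.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@lab.example.com
    privateKeySecretRef:
      name: letsencrypt-prod-account-key   # ACME account key, generated by cert-manager
    solvers:
    - selector:
        dnsZones:
        - lab.example.com                  # this solver only answers for this zone
      dns01:
        route53:
          region: us-east-1
          hostedZoneID: Z0000000000000000  # placeholder; pinning the zone avoids listing all zones
          accessKeyID: AKIAEXAMPLEEXAMPLE  # placeholder IAM user allowed only to change this zone's records
          secretAccessKeySecretRef:
            name: route53-credentials      # Secret in cert-manager's namespace
            key: secret-access-key
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: web-tls
  namespace: apps
spec:
  secretName: web-tls                      # the TLS Secret that Contour serves
  dnsNames:
  - web.lab.example.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always                 # new private key on every renewal, not just a new cert
  renewBefore: 720h                        # renew with 30 days left of the 90-day Let's Encrypt lifetime
---
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: web
  namespace: apps
spec:
  virtualhost:
    fqdn: web.lab.example.com
    tls:
      secretName: web-tls
      minimumProtocolVersion: "1.2"
  routes:
  - conditions:
    - prefix: /
    services:
    - name: web
      port: 8080
```

DNS-01 is what lets an internal host obtain a public certificate without exposing port 80, so the only external dependency is the IAM user's ability to write TXT records in the one zone. Contour watches the `web-tls` Secret and reloads Envoy when cert-manager replaces it, which is the "auto-reload" step in the diagram; no pod restart is needed.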
Deployment Workflow
GitOps Deployment Pipeline
┌─────────────────────────────────────────────────────────────┐
│ GitOps Workflow │
└─────────────────────────────────────────────────────────────┘
Developer
│ git commit
▼
┌─────────────────┐ webhook ┌─────────────────┐
│ Git Repo │─────────────────→ │ Concourse │
│ (IaC Manifests) │ │ Pipeline │
└─────────────────┘ └─────────────────┘
│ validate
▼
┌─────────────────┐
│ Infrastructure │
│ Validation │
│ (lint, security)│
└─────────────────┘
│ deploy
▼
┌─────────────────┐ update config ┌─────────────────┐
│ BOSH │◄──────────────────│ Platform │
│ Director │ │ Deployment │
│ │ │ │
└─────────────────┘ └─────────────────┘
│ deploy VMs
▼
┌─────────────────┐ provision ┌─────────────────┐
│ Kubernetes │◄──────────────────│ TKG │
│ Clusters │ │ Deployment │
│ │ │ │
└─────────────────┘ └─────────────────┘
│ deploy apps
▼
┌─────────────────┐
│ Applications │
│ & Services │
└─────────────────┘
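The validate-then-deploy flow above maps onto a Concourse pipeline with two jobs, the second gated on the first. The following is an added example, not this lab's pipeline: a Git resource polled by Concourse, a validation job that interpolates the BOSH manifest with all variables required and schema-checks the Kubernetes manifests, and a deploy job that only runs for commits that passed validation. The repository URL, toolbox image, manifest paths and `((var))` credential names are placeholders.

```yaml
# Added example, not this lab's pipeline: validate -> deploy as Concourse jobs.
# Repo URL, toolbox image, manifest paths and credential names are
# placeholders; ((vars)) resolve from Concourse's credential manager.
resources:
- name: infra
  type: git
  source:
    uri: git@git.lab.example.com:platform/infra.git
    branch: main
    private_key: ((infra_deploy_key))      # read-only deploy key

jobs:
- name: validate
  plan:
  - get: infra
    trigger: true                          # Concourse polls the repo: pull-based, no inbound webhook needed
  - task: lint-and-scan
    config:
      platform: linux
      image_resource:
        type: registry-image
        source:
          repository: harbor.lab.example.com/platform/toolbox   # placeholder image with bosh and kubeconform
      inputs:
      - name: infra
      run:
        path: sh
        args:
        - -ec
        - |
          cd infra
          # fail if any ((variable)) in the manifest has no value
          bosh interpolate manifests/jumpbox.yml --var-errs > /dev/null
          # schema-check every Kubernetes manifest before it reaches a cluster
          kubeconform -strict -summary k8s/

- name: deploy-platform
  plan:
  - get: infra
    trigger: true
    passed: [validate]                     # only the exact commit that passed validation
  - task: bosh-deploy
    params:
      BOSH_ENVIRONMENT: ((bosh_environment))
      BOSH_CLIENT: ((bosh_client))
      BOSH_CLIENT_SECRET: ((bosh_client_secret))
      BOSH_CA_CERT: ((bosh_ca_cert))
    config:
      platform: linux
      image_resource:
        type: registry-image
        source:
          repository: harbor.lab.example.com/platform/toolbox
      inputs:
      - name: infra
      run:
        path: sh
        args:
        - -ec
        - |
          cd infra
          bosh -n -d jumpbox deploy manifests/jumpbox.yml
```

The `passed: [validate]` constraint is what makes the gate real: `deploy-platform` cannot be triggered with a version of `infra` that skipped or failed validation. Keeping the Director credentials as pipeline variables rather than task files means a compromised repository still cannot read them, although anyone who can push to `main` can still cause a deploy, so branch protection on the repository is part of the control.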
Disaster Recovery Strategy
Backup and Recovery Tiers
┌─────────────────────────────────────────────────────────────┐
│ Recovery Objectives │
├─────────────────────────────────────────────────────────────┤
│ Tier 1: Critical Infrastructure (RTO: 4 hours) │
│ ├── vCenter, NSX-T Manager, BOSH Director │
│ ├── Management Cluster, Harbor Registry │
│ └── DNS, Certificate Management │
├─────────────────────────────────────────────────────────────┤
│ Tier 2: Platform Services (RTO: 8 hours) │
│ ├── Workload Clusters, Ingress Controllers │
│ ├── Build Service, CI/CD Pipelines │
│ └── Monitoring, Logging Infrastructure │
├─────────────────────────────────────────────────────────────┤
│ Tier 3: Applications (RTO: 24 hours) │
│ ├── Development Environments │
│ ├── Non-critical Applications │
│ └── Test/Staging Workloads │
└─────────────────────────────────────────────────────────────┘
This architecture provides a robust, scalable, and secure foundation for cloud-native application development and deployment in a home lab environment while following enterprise best practices.
This document serves as the central architectural reference for the homelab infrastructure.