All posts
infrastructure Posted on 13 March 2026 2 min read

Proxmox as a Private Cloud: Technology Mapping to AWS Paradigms

Architecture of a resilient infrastructure on an Intel N100 node: virtualization, network security with nftables, and Cloud-Hybrid logic.

proxmoxcloud-hybridself-hostingsecuritylinuxdevops

Introduction: Hardware Abstraction and Computational Efficiency

In the modern IT landscape, the ability to abstract hardware resources to ensure scalability and isolation is a fundamental requirement. I designed a Private Cloud based on the Proxmox VE hypervisor, optimized to operate on an Intel N100 node. The choice of this hardware was driven not only by its excellent performance-per-watt ratio but also by the technical challenge of orchestrating heterogeneous workloads while minimizing energy overhead.

Although the environment was born for testing and R&D purposes, the adoption of rigorous resource management strategies (CPU pinning, thermal monitoring, and ZFS storage) allows it to reach reliability standards comparable to professional infrastructures. This model represents a concrete solution for small businesses aiming for Data Sovereignty: the guarantee that data resides within the physical and legal boundaries of one’s own governance, ensuring privacy and full availability of information systems.

Technology Mapping: From Bare Metal to Cloud

To contextualize the on-premise architecture, I mapped the local components against Amazon Web Services (AWS) managed services, applying the same operational paradigms:

Local ComponentAWS EquivalentCore Function
Debian VM (KVM)Amazon EC2Compute instances for isolated and persistent workloads.
LXC ContainersAmazon ECS / FargateHigh-density microservices sharing the host kernel.
Nginx Proxy ManagerApplication Load BalancerIngress controller, TLS termination, and Layer 7 routing.
nftables / UFWSecurity Groups / NACLStateful packet filtering and network segment segregation.
Wireguard VPNAWS Client VPNEncrypted access to the management plane (OOB - Out of Band).
Bash & Systemd UnitsAWS Systems ManagerLifecycle automation, CI/CD, and state configuration.

Security and Hardening: “Defense in Depth” Strategy

In an exposed infrastructure, security cannot be an afterthought; it must be native (Security by Design). I manage diverse services such as Vaultwarden (identity management), Navidrome, and Jellyfin. The latter, in particular, requires dynamic resource allocation to prevent CPU throttling or RAM saturation, which could compromise the thermal integrity of the node.

I have implemented a multi-layered defense posture:

  • Identity & Access Management (IAM): SSH authentication is strictly restricted to asymmetric keys (Ed25519), neutralizing brute-force attack vectors.

Practical example:

# File: /etc/ssh/sshd_config.d/user.conf
# Specific configuration for user 'antonio'
Match User user
    # Disable password authentication, forcing SSH keys
    PasswordAuthentication no
    
    # Allow TCP forwarding if necessary for secure tunneling
    AllowTcpForwarding yes
    
    # Restrict access from a specific subnet (optional, for hardening)
    # Match Address 192.168.1.0/24
    
    # Disable root login and other less secure authentications
    PermitRootLogin no
    PubkeyAuthentication yes
    
    # Set a custom welcome message or shell restrictions
    # X11Forwarding no