Infrastructure | Kevin Rivera

Design 1 — Secure Lab / Small Office Topology

Network Security Resilience

A practical design for a home lab or small office where the goals are strong perimeter control, centralized visibility (SIEM), and repeatable response (SOAR), while keeping the environment easy to operate and document.

ISP Modem → Firewall → Router → Primary Switch (+ Backup Switch) → KVM → Endpoints
                                              ├─ Windows / macOS workstations
                                              ├─ Linux / Kali (testing)
                                              ├─ SIEM (log collection + correlation)
                                              └─ SOAR (workflow automation)
Power: Back-UPS for network + monitoring stack

View description

Component Breakdown

Modem: terminates ISP service and provides internet handoff.
Firewall: security boundary (NAT, inspection, threat filtering, VPN, logging).
Router: internal routing / subnet design (sometimes combined into firewall).
Primary + Backup switch: access-layer connectivity and fast recovery from switch failure.
KVM switch: operational control of multiple endpoints from one console.
SIEM: central telemetry for detection, investigation, and reporting.
SOAR: playbooks for triage, enrichment, notifications, and controlled response actions.
Back-UPS: prevents monitoring and routing interruption during brief power events.

How SIEM + SOAR Work Together

Collect: endpoints and firewall forward logs/telemetry into the SIEM.
Detect: correlation rules generate alerts with context (user/device/network).
Automate: SOAR ingests alerts, enriches data, and runs playbooks (ticket, notify, script).
Respond (controlled): safe actions such as blocking a test IP or isolating a lab endpoint (where supported).

Segmentation SIEM SOAR Back-UPS Operational Resilience

Design 2 — Business On-Prem Virtualized Environment

Virtualization WAN Failover Core Services

A traditional business infrastructure design with primary + backup ISP, VMware-hosted server workloads, and centralized identity/services to support internal applications and remote access.

Primary ISP + Backup ISP → Firewall → Switch (+ Backup Switch) → VMware Hosts → Server Workloads
                                         ├─ Domain Controller (Primary)
                                         ├─ Domain Controller (Secondary/Backup)
                                         ├─ Remote Desktop Services (Employees)
                                         ├─ QuickBooks Server (DB/App role)
                                         ├─ IIS Web Server
                                         ├─ SQL Server
                                         ├─ Linux Server (apps/services)
                                         └─ Exchange Server (or migration path to M365)

View description

Why This Design Works

ISP failover: continuity when the primary circuit fails (policy enforced at firewall).
Virtualization: consolidates workloads, improves recovery options, and supports scaling.
Identity-first: domain services enable centralized authentication, policy, and access control.
Remote access: RDS provides controlled access to internal tools without exposing services directly.

Role Breakdown (High-Level)

Domain Controllers: authentication, GPO, and often DNS (resilience with a secondary DC).
RDS: secure workspace access for employees and contractors.
QuickBooks Server: centralized accounting database/app access for multi-user workflows.
IIS: internal applications, web portals, or service endpoints.
SQL: database layer for business apps and services.
Linux: app runtimes, automation services, monitoring, or middleware.
Exchange: on-prem messaging or transitional hybrid model.

Operational Practices Typically Paired

Patch and change windows for servers and network infrastructure.
Backups (image + app-aware) and periodic restore testing.
Least privilege, RBAC, and administrative separation.
Network segmentation (VLANs) and restricted management access.

Virtualization Identity Services Remote Access Backup & Restore Testing Business Continuity

Design 3 — Hybrid Network Topology Diagram

Hybrid Segmentation Architecture

This reference diagram illustrates hybrid connectivity between on-prem infrastructure and Azure cloud components, including segmented VLANs, firewall boundaries, site-to-site VPN, and tiered server architecture.

Tip: click to expand • scroll to zoom • drag to pan

Diagram is intentionally abstracted to avoid internal identifiers.

Architecture Highlights

Azure segmentation: separate tiers for app, web, admin access, and data services.
Site-to-Site VPN: secure connectivity between on-prem and cloud networks.
Firewall boundary: enforced policies for inbound/outbound traffic and inter-zone traffic.
Core services: identity services, remote access, and application/database tiers.
VLAN design: segmentation for user, server, and specialized device networks.

Cloud + On-Prem Network Boundaries Tiered Architecture Resilience

All details are shared at a high level with no internal IPs, hostnames, or sensitive configuration data.