Private Cloud on a Budget - Why We Chose Hetzner
The first meeting lasted 45 minutes. I still wasn’t sure what they needed when it was over.
The CTO brought his engineer. Both talked. A lot. Open questions, security requirements, something about Kubernetes, sensitive data that can’t leave their control. It took a while to understand where they were and where they wanted to go.
What became clear: they have their own product. They need to run it themselves. Public cloud is out - the data is too sensitive. Their own data center is out - too expensive, too much overhead. They had already ordered dedicated hardware at Hetzner. That part was decided.
Everything else wasn’t.
The real problem wasn’t the hardware
They had a capable engineer. They had budget. What they didn’t have was a clear path through three open questions at the same time: virtualization, storage, and network segmentation.
Each one is complex on its own. All three together, without prior experience, lead to exactly one thing: nothing moves.
The CTO knew what he didn’t want. He didn’t want to spend his time on infrastructure. He wanted to focus on his product. The platform should work, stay secure, and not pull him in every time something breaks.
That’s a reasonable expectation. And a useful one to work with.
Why not OpenStack
I could have built a small OpenStack cluster on Hetzner. I’ve done it before. But OpenStack would have been the wrong tool here.
The flexibility OpenStack offers has a price - complexity. For a team that wants to focus on their product, that complexity has no value. It would have cost them more time to understand and operate than they were willing to spend.
Why Incus
Proxmox would have worked too - probably better known, easier to find help for. But Incus is leaner, faster to get into, and now part of the Linux Foundation. That last point matters for a platform you’re planning to run for years.
Simple to understand. Simple to install. Simple to operate - that part we’re still learning.
What we built
Three dedicated nodes at Hetzner. Ceph for storage, Incus for virtualization. Three security zones - Public, DMZ, and Private - each with its own VyOS firewall. The Private zone is air-gapped. The only way out is through an HTTP proxy.
Kubernetes runs inside the Private zone. That’s where their product lives.
VyOS wasn’t part of the original plan. I found it during research. Linux-based, flexible, capable, free. It took time to get right - the network topology went through several iterations before it made sense. The CTO gave me that time.
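To make the "only way out is through an HTTP proxy" rule concrete, here is an added example of what the Private zone's VyOS policy can look like. This is not the configuration from the project described above; it assumes VyOS 1.4 firewall syntax, interface names (eth1 for DMZ, eth2 for Private) and a proxy at 10.20.0.10:3128 in the DMZ, all of which are placeholders.

```vyos
# Assumed topology (placeholders, not the real deployment):
#   eth1 -> DMZ     (10.20.0.0/24), HTTP proxy at 10.20.0.10 port 3128
#   eth2 -> Private (10.30.0.0/24), Kubernetes nodes live here

# Zones: nothing crosses a zone boundary unless a ruleset allows it
set firewall zone DMZ interface 'eth1'
set firewall zone DMZ default-action 'drop'
set firewall zone PRIVATE interface 'eth2'
set firewall zone PRIVATE default-action 'drop'

# Private -> DMZ: drop everything, log the drops, allow only TCP to the proxy
set firewall ipv4 name PRIVATE-TO-DMZ default-action 'drop'
set firewall ipv4 name PRIVATE-TO-DMZ default-log
set firewall ipv4 name PRIVATE-TO-DMZ rule 10 action 'accept'
set firewall ipv4 name PRIVATE-TO-DMZ rule 10 protocol 'tcp'
set firewall ipv4 name PRIVATE-TO-DMZ rule 10 source address '10.30.0.0/24'
set firewall ipv4 name PRIVATE-TO-DMZ rule 10 destination address '10.20.0.10'
set firewall ipv4 name PRIVATE-TO-DMZ rule 10 destination port '3128'
set firewall zone DMZ from PRIVATE firewall name 'PRIVATE-TO-DMZ'

# DMZ -> Private: only replies to connections the Private zone opened
set firewall ipv4 name DMZ-TO-PRIVATE default-action 'drop'
set firewall ipv4 name DMZ-TO-PRIVATE default-log
set firewall ipv4 name DMZ-TO-PRIVATE rule 10 action 'accept'
set firewall ipv4 name DMZ-TO-PRIVATE rule 10 state established
set firewall ipv4 name DMZ-TO-PRIVATE rule 10 state related
set firewall zone PRIVATE from DMZ firewall name 'DMZ-TO-PRIVATE'

commit
save
```

The point of the shape: the Private zone has no rule that reaches the Public zone at all, so a host there cannot open a direct connection outward even if its routing table would allow it. Everything has to go to one proxy address and port, which means the proxy's access log becomes the single place to look when you want to know what left the zone. The default-log lines on both rulesets are what make a misconfigured workload visible as a dropped packet rather than as a silent hang.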
How it’s going
This week he told me about a 10-hour outage with his old setup. Something he built himself, something that was hard to understand when things went wrong.
With the new platform, he said, he can see the logic. He knows where to look.
That’s not a guarantee against outages. But it’s the difference between fighting a fire in the dark and fighting it with the lights on.
When this makes sense
This setup works if you need control over your data, don’t want to manage a full data center, and are willing to accept that Hetzner is part of your infrastructure.
It doesn’t work if you need guaranteed SLAs, have compliance requirements that go beyond data residency, or if your team has no capacity to learn a new platform.