One edge, one door
Two things in this lab are deliberately funnelled through a single chokepoint each:
- All HTTPS terminates at one edge proxy with one wildcard certificate. Nothing behind it touches a certificate.
- All inbound SSH lands on one bastion. No internal box is reachable from the internet.
The win is cognitive, not just technical. Ask "what's exposed, and how is it encrypted?" and the answer is two boxes you can fully describe, not fifteen you have to audit. Adding a new service means one proxy entry; it inherits TLS and the edge's security posture for free. The caveat is that the hop from proxy to service is plain HTTP, so the model rests on the network behind the proxy actually being private, and on the single wildcard private key being treated as the one secret whose compromise exposes every hostname at once.
exposure surface: Internet -> [edge proxy: TLS] -> everything (HTTP, private)
Internet -> [bastion: SSH] -> everything (private)
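The invariant in the diagram is cheap to state and easy to drift away from (a new VM gets a public address, a service binds 0.0.0.0 on the wrong box). The following is an added check, not code from the original post: it reads a per-host inventory of addresses and `ss -tlnH`-style listener lines (the sample inventory, host names `edge`/`bastion`/`app1`, and the 203.0.113.0/24 addresses are all constructed for this example) and reports anything exposed to the internet that is not 80/443 on the edge or 22 on the bastion.

```python
import ipaddress

# Constructed sample inventory (not from the original post). Each host lists the
# addresses on its interfaces and its listening TCP sockets as `ss -tlnH` prints
# them. 203.0.113.0/24 (a documentation range) stands in for the public side,
# 10.0.0.0/8 is the private LAN.
LAB = {
    "edge": {
        "addrs": ["203.0.113.10", "10.0.0.2"],
        "ss": "LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*\n"
              "LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*\n"
              "LISTEN 0 128 10.0.0.2:22 0.0.0.0:*\n",   # SSH only on the LAN side
    },
    "bastion": {
        "addrs": ["203.0.113.11", "10.0.0.3"],
        "ss": "LISTEN 0 128 0.0.0.0:22 0.0.0.0:*\n",
    },
    "app1": {
        "addrs": ["10.0.0.10"],                          # no public address at all
        "ss": "LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*\n"
              "LISTEN 0 128 0.0.0.0:22 0.0.0.0:*\n",
    },
}

# Same lab after a drift: app1 has picked up a public address, so its wildcard
# binds on 22 and 8080 are now reachable from the internet.
LEAKY = {**LAB, "app1": {"addrs": ["10.0.0.10", "203.0.113.12"], "ss": LAB["app1"]["ss"]}}

EDGE_PORTS = {80, 443}   # 80 only so the proxy can redirect / answer ACME; nothing else lives there
SSH_PORT = 22

PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def is_public(addr):
    """True for any address outside RFC1918 / loopback / link-local space.
    Deliberately not ipaddress.is_global, which classifies the 203.0.113.0/24
    documentation range used in the sample as non-global."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in PRIVATE_NETS)


def parse_ss(text):
    """Return [(local_addr, port)] from `ss -tlnH` lines.
    Field 3 is the local socket: '0.0.0.0:443', '[::]:443' or '*:22'."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def exposed_ports(host):
    """Ports on `host` reachable from the internet. A wildcard bind (0.0.0.0, ::, *)
    is exposed only if the host has a public address; a bind to a specific
    address is exposed only if that address is public."""
    public_addrs = {a for a in host["addrs"] if is_public(a)}
    ports = set()
    for addr, port in parse_ss(host["ss"]):
        if addr in ("0.0.0.0", "::", "*"):
            if public_addrs:
                ports.add(port)
        elif addr in public_addrs:
            ports.add(port)
    return ports


def audit(lab, edge="edge", bastion="bastion"):
    """Return violations of the two-chokepoint invariant; an empty list means
    the exposure surface is exactly the two boxes in the diagram."""
    problems = []
    for name, host in lab.items():
        for port in sorted(exposed_ports(host)):
            if name == edge and port in EDGE_PORTS:
                continue
            if name == bastion and port == SSH_PORT:
                continue
            problems.append(f"{name}: port {port} exposed to the internet")
    # The two doors must actually exist, otherwise the "invariant" is a dead lab.
    if 443 not in exposed_ports(lab[edge]):
        problems.append(f"{edge}: no public TLS listener on 443")
    if SSH_PORT not in exposed_ports(lab[bastion]):
        problems.append(f"{bastion}: no public SSH listener on 22")
    return problems


if __name__ == "__main__":
    for label, lab in (("LAB", LAB), ("LEAKY", LEAKY)):
        print(label, audit(lab) or "OK")
```

On a real lab the inventory would come from `ss -tlnH` and `ip -j addr` on each host (pulled over the bastion), and the script would run from cron so the drift shows up the day it happens rather than the day something is breached. It does not check the encryption half of the question; that is still answered by the proxy config alone, which is the point.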
The mindset: centralise the things you must get right. You will harden, patch, and reason about a chokepoint far better than you'll do it for every box. The flip side — don't centralise the things that should be independent (each app's database, each VM's failure domain). The skill is knowing which is which: concentrate the security boundary, distribute the blast radius.