@NoLooseEnds The management network is the one over which the XAPI calls and SSH connections are made; these need to be isolated and kept from any internet connectivity (addressable), to protect from direct attack. In other words, don't open any ports in the firewall of the network pointing directly to the management network of the XCP-ng host(s) and the storage server. Likewise, don't give them internet-visible host names, as this will point black hats directly at the hosts; this is really bad when combined with open firewall ports.
If you do not do this, you're practically begging for security issues (incidents), as this is a major part of how the XCP-ng hosts are managed, as well as how they carry out actions on each other for the administrator (root). Remote internet-based management of the XCP-ng host, and later multiple hosts, is done over the Xen Orchestra software. It's designed and secured for internet-based access, if you wish to make your hosts internet accessible for remote management by yourself from another location.
Oh, by the way, once everything is set up you can post your home lab (if you wish) on https://xcp-ng.org/forum/category/26/share-your-setup; several people have even posted photos of their home lab setup.