BMCs like DRAC or iLO are invaluable when you have hundreds or thousands of fresh servers with no OS. The BMC lets you mount an OS or hypervisor ISO in a way reminiscent of DaemonTools et al., and update bios and other firmware from a shared network folder. I'm pretty sure there's even an API to develop against.
BMC's are great--all my home builds have them because I'm too old to be fiddling around trying to figure out why a computer won't boot an installer from a USB key. But even on my home network the BMC's are on a separate switch on a subnet that doesn't have internet access except through a VPN gateway.
I think the parent meant, you have them on a subnet with no default route, but have a vpn / management system with one interface pointing in to the management network. You can get in via the vpn but they can’t get out.
You can bootstrap fresh servers using PXE. The problem with BMC is that it never goes away even after you've booted your system. BMC owns your system and there's no way to completely disable it. Options for disabling it simply control the BMC's software interfaces, and they only work to the extent that the software is bug free. It's like the infamous cPanel, but for hardware--it's a juicy target that you're stuck with.
There's definitely an API. It's a core part of OpenStack Ironic, which lets you automate bootstrapping them like you described (for example, to put the rest of your OpenStack cloud on top of).
