Unless you need it to be reachable from the Internet, at which point it has to be... reachable from the Internet.
Public facing services routed through a firewall or waf (cloudflare) always.
Backend access trivial with Tailscale, etc.
alt Hacker News
Public facing services routed through a firewall or waf (cloudflare) always.
Backend access trivial with Tailscale, etc.