Currently, a lot of servers have public IcannNet addresses.
This is not needed, as we can switch to a more secure network topology:
- bastion: allows developers and operations to connect via SSH to other machines
- load balancer: receives a public IP to act as a reverse proxy or network balancer for traffic
- back-end server: keeps a private IP
That would help to reduce the attack surface of services.
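
One way to check an inventory against this topology, as an added example that is not part of the original note: it flags every host outside the bastion and load balancer roles that still holds a non-internal address. The role names, the inventory layout and the sample hosts are assumptions; the sample uses documentation ranges (203.0.113.0/24, 2001:db8::/32) as stand-ins for public addresses.

```python
import ipaddress

# Assumption: role names mirror the three roles in the list above.
MAY_BE_PUBLIC = {"bastion", "load-balancer"}

# Ranges treated as internal: RFC 1918, loopback, link-local, IPv6 ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "::1/128", "fe80::/10",
)]

# Constructed sample inventory: (hostname, role, addresses). Not real hosts.
SAMPLE_INVENTORY = [
    ("bastion1", "bastion", ["203.0.113.10", "10.0.0.2"]),
    ("lb1", "load-balancer", ["203.0.113.20", "10.0.0.3"]),
    ("app1", "back-end", ["10.0.1.11"]),
    ("db1", "back-end", ["10.0.1.12", "203.0.113.55"]),
    ("app2", "back-end", ["fd00::12", "2001:db8::12"]),
]


def is_public(addr: str) -> bool:
    """True if the address lies outside every internal range."""
    ip = ipaddress.ip_address(addr)
    # A v4 address is never "in" a v6 network and vice versa.
    return not any(ip in net for net in INTERNAL_NETS)


def audit(inventory):
    """Return (host, address) pairs that violate the topology.

    Default deny: any role not listed in MAY_BE_PUBLIC, including
    unknown roles, must hold internal addresses only.
    """
    findings = []
    for host, role, addrs in inventory:
        if role in MAY_BE_PUBLIC:
            continue
        findings.extend((host, a) for a in addrs if is_public(a))
    return findings


if __name__ == "__main__":
    for host, addr in audit(SAMPLE_INVENTORY):
        print(f"{host}: public address {addr} on a host that should be private")
```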