Xcp-ng in DMZ - cloud hosted

My xcp-ng box is currently in the DMZ with a public IP on it since it’s cloud hosted by a provider. What’s the best way to lock it down to prevent hacking and security problems but still maintain access to the management console? I already disabled SSH access through the xcp-ng management console option. Do I need to do anything else? TIA!

Put a firewall in front of it and use a VPN.

I don’t have that option since it’s cloud hosted. I put pfsense after it as a virtual machine.

Never tested but something like this could lock it down a bit more.

Thank you! I’ll take a look!