Perspective Cloud Architecture Advice

We've got a project that is intended to monitor and control a few remote pumps. The client wants to use a web interface, so we are utilizing Perspective. The plan is to use a cloud service, i.e. AWS/Google Compute/Azure, to host the Ignition gateway, and then use a MOXA with Ignition Edge to get the tag data from a small PLC up to the cloud.

Basically this

Now... my questions revolve around proper security, advice, and best practices.

What is the best way to protect the Perspective front end from surface attacks? Do I need to encapsulate this entire system, including the Gateway network access etc., behind an OpenVPN solution? Where the MOXA initiates the connection, acting as a VPN client up to the cloud for data transfer, and the clients connect to a VPN as well prior to accessing the Perspective application?

Or will a reverse proxy on the cloud provider and the Gateway network across the internet without a VPN be secure enough?

This is a very small implementation for a customer that doesn't have any real IT support, so we are going to be implementing much of this solution for them, and I just want to make sure that we approach this in a secure and robust fashion. It's possible that if this solution works for the client, they may add a few more remote pumping stations, hence the edge and central gateway.

I'm all ears at this point... we are just starting to put this solution together, so we have the opportunity to craft the cloud solution as needed, within reason, if we need to make recommendations for the cloud solution or other software that needs to run.

I would put the facility-to-cloud connections on a VPN. Setting up proper SSL on your gateway (possibly delegated to proxy) and an identity provider should suffice for the Perspective clients, as long as everything exposed is set to require authentication.

That was what I was thinking... I just didn't want to put something out there that would be wide open and exposed for issues.

I would take one more step on the front end. Add a WAF (web application firewall) to reduce attack vectors, such as limiting requests to your area of the country, or to also inspect the type of traffic trying to access the Perspective front end. Just my two cents.
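As an added example (not posted by anyone in this thread), here is an nginx reverse-proxy configuration for the layout the two replies above describe: TLS terminated at the proxy, plain HTTP redirected, the gateway bound to loopback so only the proxy can reach it, and the gateway's own administration pages allow-listed to the VPN subnet while the Perspective front end stays reachable for authenticated browser users. The hostname, certificate paths, subnets and the admin path prefix are assumptions or placeholders; 8088 is the gateway's default HTTP port and should be adjusted if changed.

```nginx
# Added example, not from the thread. Hostname, cert paths, subnets and the
# admin path prefix are placeholders; check them against your own deployment.

# Perspective sessions use WebSockets; only send the Upgrade header when asked.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Nothing is served in the clear: every plain-HTTP request is redirected.
server {
    listen 80;
    server_name pumps.example.com;              # placeholder hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name pumps.example.com;              # placeholder hostname

    ssl_certificate     /etc/letsencrypt/live/pumps.example.com/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/letsencrypt/live/pumps.example.com/privkey.pem;    # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Gateway administration pages: reachable only from the VPN subnet, so an
    # internet user never sees the config UI even with a stolen password.
    # "/web/" is an assumed admin prefix; use the one your Ignition version serves.
    location /web/ {
        allow 10.8.0.0/24;                      # assumed OpenVPN client range
        deny  all;
        proxy_pass http://127.0.0.1:8088;       # gateway listens on loopback only
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Perspective front end: open to the internet, but only over TLS and still
    # behind the gateway's own identity-provider login.
    location / {
        proxy_pass http://127.0.0.1:8088;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
        proxy_read_timeout 3600s;               # keep long-lived sessions alive
    }
}
```

The proxy does not replace the gateway's own login: the identity provider and require-authentication settings still apply, and a WAF or geo-filter as suggested above would sit in front of this listener. The firewall on the cloud VM should expose only 80 and 443 (plus the VPN port), never 8088.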