Answers to this question may also be forced by your requirements. In our case, both the clients and the data sources needed to be able to connect from anywhere in the world and it was unreasonable to require VPN software on our clients.
We had more control of our data sources (embedded devices we manufacture), so we load all of them with certificates from our internal CA and only allow them to connect to an MQTT broker over TLS with full bi-directional certificate validation against our CA.
For the clients, we have a web proxy in front of our Ignition servers which forces all HTTP to HTTPS and forwards HTTPS to Ignition.
The proxy, MQTT, and Ignition servers are in a private cloud together. The only ports open to the outside world are the TLS port on the MQTT server and the HTTP/HTTPS ports on the proxy server. None of the Ignition ports are open to the outside world.
Our setup is as safe as we can make it currently. I feel very confident that no one is easily getting into our MQTT broker. I feel reasonably confident that the team at IA is keeping Ignition safe from attackers who don’t know a valid username/password. The weakest spot is if a username/password login is compromised. I’m eagerly awaiting fix 1953 to land in a stable build so I can restrict more powerful actions to certain source IPs.
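
The post above describes devices connecting to the MQTT broker over TLS with bi-directional certificate validation against an internal CA. The following is an added example, not code from the post or from any product it mentions: it uses Python's standard `ssl` module as a stand-in for the broker and device TLS stacks to show which settings make validation two-way. The function names are hypothetical, and the CA, certificate and key file paths are whatever the caller supplies.

```python
import ssl

def broker_policy():
    """Broker side: demand a certificate from every connecting device."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without a valid client cert
    return ctx

def device_policy():
    """Device side: validate the broker's certificate and its hostname."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def load_identity(ctx, ca_file, cert_file, key_file):
    """Load the internal CA as the ONLY trust anchor, plus this end's own cert.
    load_default_certs() is never called, so public CAs cannot vouch for a peer."""
    ctx.load_verify_locations(cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx

def audit(ctx, server_side):
    """Return the ways a context falls short of bi-directional validation."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS below 1.2 allowed")
    if not server_side and not ctx.check_hostname:
        findings.append("broker hostname not checked")
    return findings

if __name__ == "__main__":
    # A TLS-only listener: traffic is encrypted but any client may connect.
    one_way = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    print("one-way TLS broker:", audit(one_way, server_side=True))
    print("mutual TLS broker: ", audit(broker_policy(), server_side=True))
    print("device:            ", audit(device_policy(), server_side=False))
```

Before wrapping a socket, pass each policy context through `load_identity` with the internal CA file and that end's own certificate and key.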