frumplestlatzThis is a metric ton of completely pointless theater.
Your services should simply be unreachable over anything but wireguard (or another secure VPN option).
These are what I call, corporate solutions. They're used to make CEOs feel good while deflecting blame, not to actually do the job. See also how nobody gets blamed if AWS goes down, but everyone who used a different host with higher uptime did get blamed when that went down.
Open source tools are good at actually doing the job, as long as it's a programmer type of job. We've known how to do unbreakable encryption for decades now. Even PGP still hasn't been broken. Wireguard is one of those solutions in the "so simple it has obviously no bugs" category - that's actually what differentiates it from protocols like OpenVPN.
Think about the recent satellite listening talk at DEFCON and how that massive data leak could have been prevented by even just running your traffic through AES with a fixed key of the CEO's cat's name on a Raspberry Pi, but that's a non-corporate solution and so not acceptable to a corporation, who will only ever consider enabling encryption if it comes with a six figure per year license fee which is what the satellite box makers charged for it. Corporations, as a rule, are only barely competent enough to make money and no more.
PGP has very much had breaks, both in its authenticator and a full-on confidentiality break for the mail plugins, both traceable to the structure of the system itself, and that's before we get into the fundamental DOS flaw that killed the keyservers, which themselves are an antifeature. I don't think you can find a practicing cryptography engineer to stick up for PGP.
I don't like or trust OpenVPN. I'd sooner expose OpenSSH itself, which has really a pretty stunning security track record.