The best solution I’ve found for probes is to put all eggs into the basket listening on 443.

Haproxy with SNI routing was simple and worked well for many years for me.

Istio installed on a single node Talos VM currently works very well for me.

Both have sophisticated circuit breaking and ddos protection.

For users I put admin interfaces behind wireguard and block TCP by source ip at the 443 listener.

I expose one or two things to the public behind an oauth2-proxy for authnz.

Edit: This has been set and forget since the start of the pandemic on a fiber IPv4 address.