by yjftsjthsd-h 1858 days ago
Maybe, but I feel safe exposing openssh to the open internet, which is more than I can say for salt.

In a properly set up environment, things like that should never be exposed outside.
Not every environment can provide an internal network.
Actually, you always have an option to properly secure it.

If you have own data center and more than one machine you do have a LAN.

I'm guessing you're talking about public cloud like AWS.

Similarly you can have private subnets (which is the best practice).

If you have a single instance that's only public, you can place definitions on local S3 and have the instance pull them. You can secure everything so it's not accessible from outside, and you don't need the service to be available from the outside.

If you have multiple instances and all are on public subnets and talk to each other over the Internet, you should rethink your design, but at the very least have a firewall configured. Security groups that list themselves could help.

Let me know if you have some other scenario.
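The "security groups that list themselves" pattern in the comment above means an ingress rule whose source is the group's own ID, so only members of the group can reach the port and nothing is open to 0.0.0.0/0. The following script is an added example, not code from the thread: it audits a constructed list of ingress rules (hypothetical group IDs, a made-up one-line-per-rule format rather than real `describe-security-groups` output) and classifies each rule by how exposed it is.

```shell
#!/bin/sh
# Added example (not from the thread): classify security-group ingress rules by
# their source. Input format is constructed for this example, one rule per line:
#   "<group_id> <proto> <port> <source>"
#
# A rule "sg-aaa tcp 22 sg-aaa" means members of sg-aaa may reach port 22 on
# other members of sg-aaa: the self-referencing pattern from the comment above.
# The real AWS CLI creates such a rule with (group ids here are hypothetical):
#   aws ec2 authorize-security-group-ingress --group-id sg-aaa \
#       --protocol tcp --port 22 --source-group sg-aaa

# Constructed sample rules (hypothetical group ids and networks).
SAMPLE_RULES='sg-aaa tcp 22 sg-aaa
sg-aaa tcp 22 0.0.0.0/0
sg-bbb tcp 443 sg-aaa
sg-bbb tcp 22 10.0.1.0/24'

# audit_rules: read rules on stdin, print one line per rule with a verdict:
#   SELF     source is the group itself (what the comment recommends)
#   GROUP    source is another security group (still no public exposure)
#   PRIVATE  source is a CIDR; fine only if that CIDR really is your LAN
#   PUBLIC   source is 0.0.0.0/0 or ::/0 (the port is reachable from the Internet)
audit_rules() {
    while read -r group proto port source; do
        [ -z "$group" ] && continue
        case "$source" in
            "$group")        verdict=SELF ;;
            sg-*)            verdict=GROUP ;;
            0.0.0.0/0|::/0)  verdict=PUBLIC ;;
            *)               verdict=PRIVATE ;;
        esac
        printf '%s %s %s/%s %s\n' "$verdict" "$group" "$proto" "$port" "$source"
    done
}

# count_public: number of sample rules open to the whole Internet (the ones to fix).
count_public() {
    printf '%s\n' "$SAMPLE_RULES" | audit_rules | grep -c '^PUBLIC '
}

# count_self: number of sample rules that reference their own group.
count_self() {
    printf '%s\n' "$SAMPLE_RULES" | audit_rules | grep -c '^SELF '
}

printf '%s\n' "$SAMPLE_RULES" | audit_rules
```

On the sample input the second rule is the only PUBLIC one; replacing its source with the group's own ID (or a private subnet range) is exactly the change the comment suggests.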

In a word: Hetzner. Dedicated servers scattered across data centers, sufficiently numerous to make IPAM too painful to manually tie them together with wireguard. It's possible that some sort of overlay network or VPN could be made to work, but I could also just expose port 22 with only public key auth enabled, use ansible, and be done.
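The comment above relies on sshd being configured for public-key auth only before port 22 is exposed. The script below is an added example, not code from the thread or from any Hetzner/OpenSSH material: it reads an sshd_config (two constructed samples here, one hardened and one that silently keeps the password default) and reports whether password, keyboard-interactive and root-with-password logins are all off. It reads the first value of each directive, as sshd does, but ignores `Match` blocks, so on a real host confirm the effective values with `sshd -T`.

```shell
#!/bin/sh
# Added example (not from the thread): check that an sshd_config permits
# public-key authentication only. Sample configs below are constructed.

HARDENED=$(mktemp); WEAK=$(mktemp)
cat >"$HARDENED" <<'EOF'
# constructed hardened sample
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
AuthenticationMethods publickey
EOF
cat >"$WEAK" <<'EOF'
# constructed weak sample: never sets PasswordAuthentication, so the
# OpenSSH default (yes) applies, and root may log in with a password
Port 22
PubkeyAuthentication yes
PermitRootLogin yes
EOF

# sshd_get <file> <directive>: first uncommented value of the directive
# (sshd uses the first occurrence, later duplicates are ignored). Prints
# nothing when the directive is absent. Match blocks are not handled.
sshd_get() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1)==k {print $2; exit}' "$1"
}

# check_sshd_keyonly <file>: prints one FAIL line per problem, returns 0 only
# when every check passes. Absent directives take the OpenSSH defaults:
# PubkeyAuthentication yes, PasswordAuthentication yes,
# KbdInteractiveAuthentication yes, PermitRootLogin prohibit-password.
check_sshd_keyonly() {
    f=$1; rc=0
    v=$(sshd_get "$f" PubkeyAuthentication); [ -z "$v" ] && v=yes
    [ "$v" = yes ] || { echo "FAIL PubkeyAuthentication=$v (need yes)"; rc=1; }
    v=$(sshd_get "$f" PasswordAuthentication); [ -z "$v" ] && v=yes
    [ "$v" = no ] || { echo "FAIL PasswordAuthentication=$v (need no)"; rc=1; }
    # older configs spell this ChallengeResponseAuthentication
    v=$(sshd_get "$f" KbdInteractiveAuthentication)
    [ -z "$v" ] && v=$(sshd_get "$f" ChallengeResponseAuthentication)
    [ -z "$v" ] && v=yes
    [ "$v" = no ] || { echo "FAIL KbdInteractiveAuthentication=$v (need no)"; rc=1; }
    v=$(sshd_get "$f" PermitRootLogin); [ -z "$v" ] && v=prohibit-password
    [ "$v" != yes ] || { echo "FAIL PermitRootLogin=yes (use no or prohibit-password)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK key-only auth on $f"
    return "$rc"
}

check_sshd_keyonly "$HARDENED"
check_sshd_keyonly "$WEAK" || echo "weak sample rejected (as expected)"
```

The weak sample is the common mistake: `PubkeyAuthentication yes` alone does not disable passwords, so the host is still brute-forceable until `PasswordAuthentication no` and `KbdInteractiveAuthentication no` are set explicitly.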
I never used Hetzner but based on my research, Hetzner says that they only have 3 data centers:

- Nuremberg, Germany

- Falkenstein/Vogtland, Germany

- Helsinki, Finland

so you could place 3 instances, one in each, and would have to use public IPs to communicate between them.

But, Hetzner also offers Cloud Network, which is essentially a LAN that you should prefer for communicating.

Anyway, whatever works for you. Using Ansible is easier, because it doesn't require any prior setup, but you pay that back with a worse experience keeping things running and slower speed.