by igorzij 1766 days ago
Typically the entire stack is copied so that you have the exact same setup, including auth, as in production. Basic auth isn't a great idea unless your production is using basic auth too. If you're using some federated login tool like Cognito or Auth0 then you can create something like an isolated pool of users for each environment, forgot the exact name. A VPN is only needed if it's a compliance requirement, otherwise nothing wrong in having it public.
1 comment

Totally agree with this sentiment in theory - it's best to keep the environments as similar as possible. But in practice there are requirements that will differ, such as having production be publicly available and staging be protected, mocking of certain third-party services that may not be available in a non-production environment, etc.