Thank you for the tip- still a bit confused (and maybe mixing up terms). If I wanted to keep the DB and App server on separate servers, would i leave them out in the open or house them in a private network?
Remove Public IP for DB server. Keep them in one private network. You don't need VPN. Servers in any data-center are already connected into one network.
You can use iptables to prevent external connections to your DB.
Generally use a private network for having your servers communicate with eachother. It also makes setting up IP Tables to lockdown access to your DB server much easier/intuitive.