I think your approach is sound in what you'd typically do and this is a similar approach to what I take. However, it does cause some issues when trying to deploy an accessory like PostgreSQL because the private network is inaccessible from the outside. However, you can use a proxy which is what I do. I have a separate VM that is on the same network (could be the web server or another server that is accessible from the internet) and the Kamal deployment comments get tunneled through the proxy. This means that Kamal would have access to the PostgreSQL server through the proxy. I'll then allow-list/white-list the IP Addresses that can access the proxy server to prevent unauthorized access.