In the cloud manager, you set "IP allow lists" to stop random public viewing your non-production / in-development instances. You set these lists to your office IPs and/or VPN IP.
However, this shotgun approach blocks essential tools, e.g. blazemeter, pagespeed insights, webpagetest, lighthouse etc.
In EPiServer DXP cloud env, you can whitelist headers (or useragent strings), so we used a header with a secret key to allow these tools to hit our non-prod envs.
How do we do this in AEM?
The AEM allow list is limited to 25 ips, and most of these services have hundreds of ips which change constantly.