You posted 2 requirements:restrict PROD publish instance to internal traffic (from a certain IP range)not preventing the domain to load externally.I don't understand how these 2 requirements can be met at the same time, because they contradict each other (if you allow external access to the domain, ...