on-premise kubernetes cluster in private subnet

8/14/2018

I would like to run a kubernetes cluster with 1 master and 2 worker nodes all 3 in different separate private subnets within our on-premise data center. What would be the best strategy to implement the kubernetes cluster while exposing front end application to public network implementing a good kubernetes security?

-- AlwaysALearner
kubernetes
kubernetes-security

2 Answers

1/10/2019
  • create a Kubernetes cluster on the private network
  • create an external load balancer on a separate network that will expose the traffic to the outside
  • point your DNS to the public IP of your external load balancer
  • discover the Kubernetes services from the external load balancer
  • in most cases, you just need a Kubernetes service of type NodePort that the external load balancer will talk to
  • if your apps need session persistence, configure the k8s service to serve only from the local node
-- Ijaz Ahmad Khan
Source: StackOverflow
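The NodePort service the answer describes, as an added example (not code from the original answer). It assumes a Deployment in namespace `shop` whose pods carry the label `app=frontend` and listen on 8080; the fixed port 30080 is an assumption chosen so the external load balancer can target a stable node port:

```yaml
# Added example: NodePort service that an external (out-of-cluster) load
# balancer forwards to. Namespace, labels and port numbers are assumed.
apiVersion: v1
kind: Service
metadata:
  name: frontend
  namespace: shop
spec:
  type: NodePort
  selector:
    app: frontend
  ports:
  - name: http
    protocol: TCP
    port: 80          # service port inside the cluster
    targetPort: 8080  # container port
    nodePort: 30080   # fixed so the external LB config does not drift
  # "serve only from the local node": traffic arriving on a node is only
  # delivered to pods on that same node and is not re-routed (SNAT'd) to
  # another node, so the client source IP survives and the external LB's
  # own session persistence keeps working.
  externalTrafficPolicy: Local
  # Optional in-cluster stickiness keyed on client IP.
  sessionAffinity: ClientIP
  sessionAffinityConfig:
    clientIP:
      timeoutSeconds: 10800
```

With `externalTrafficPolicy: Local`, a node that has no `app=frontend` pod will drop traffic sent to port 30080, so the external load balancer must health-check each worker on that node port (and only the two workers, not the master) rather than assume every node is a valid backend. Keep the node port reachable only from the load balancer's subnet; nothing else on the private network needs it.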

8/14/2018

In the cloud my answer would be different! From what I understand you are not going to scale your nodes, so my answer is based on that.

  1. Create all your services in K8S cluster (do not expose any one of them).

  2. Create Nginx or any load balancer that you prefer as a VM (if you can create 2 VMs for HA, much better).

  3. Route Nginx to the frontend (please use an ingress controller that is not exposed).

Now regarding security:

  1. Add WAF to your Loadbalancer.

  2. Control the allowed processes in every container type (use Falco for that).

  3. Create a network policy that defines which service is allowed to speak with which service, or, as I strongly suggest, use Istio.

  4. Create a certificate for the DB so that only the pods that contain the certificate will be able to speak with it.

Good luck.

-- Oron Golan
Source: StackOverflow
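The "which service may speak with which service" rule from the answer's security point 3, written as Kubernetes NetworkPolicy objects. This is an added example, not code from the answer. It assumes a namespace `shop` with three tiers labelled `app=frontend` (port 8080), `app=api` (port 9000) and `app=db` (port 5432), an ingress controller running in a namespace `ingress-nginx`, and that namespaces carry the `kubernetes.io/metadata.name` label (set automatically on current clusters; on an older cluster, label the namespace yourself):

```yaml
# Added example: default-deny ingress for the namespace, then one allow
# rule per hop. All names, labels and ports are assumptions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}          # every pod in the namespace
  policyTypes: ["Ingress"] # no ingress rules listed => all inbound denied
---
# Frontend is reachable only from the ingress controller's namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-from-ingress
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ingress-nginx
    ports:
    - protocol: TCP
      port: 8080
---
# API is reachable only from frontend pods in the same namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-from-frontend
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 9000
---
# DB is reachable only from API pods; frontend pods and anything outside
# the namespace get no route to it at all.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-from-api
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: db
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: api
    ports:
    - protocol: TCP
      port: 5432
```

Two checks before relying on this: the cluster's CNI plugin must actually enforce NetworkPolicy (Calico, Cilium and Weave do; plain flannel does not, and the objects are then accepted but ignored), and you should verify the deny from inside a frontend pod, e.g. `kubectl -n shop exec deploy/frontend -- nc -zv db 5432` should time out. Network policy only restricts which pods may reach the database; the answer's point 4, a client certificate the database checks, is the layer that still holds if a pod in the allowed tier is compromised.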