For additional security, instead of exposing your internal services to the Internet, communicate using a Tor Onion service. It handle NAT for you, and can be very resilient (you have 6500 servers that can act as a rendezvous point in the Tor network instead of just the 1 VPS). It's not going to give you the same low latency and high throughput as putting the service straight on the Internet but it's going to be difficult to match the security (for confidentiality, integrity and availability) properties any other way.