Has anyone restricted access to the rack API service? I would like to only allow access through a Tailscale VPN connection.

I would like to prevent public access to the API service and only allow access from the private network. I just set up a Tailscale subnet router service to access some private services that I’m running on render.com, and this gave me the idea to also set it up for my Convox rack. It feels a bit dangerous to have the Convox API service open to the public internet.

How can I set up a security group / firewall rules to only allow requests to the API from the private network?