It would be nice if we could have some sort of IDS/IPS product that you can attach in front of a droplet or load balancer to protect traffic coming from external/internet networks. You have a nice tutorial for configuring all of this, but it requires a separate droplet that doesn't auto-scale based on traffic like your load balancer solution does. Ideally there should be a gateway that you can configure and attach load balancers or droplets to, with the option to restrict traffic so that it only passes through the gateway. A public-facing IP can be assigned to the gateway along with DNS information.
Then have the option of assigning a logging system to it, for example sending logs to your partner Better Stack, or storing them within your Spaces.
It could also be a hybrid HAProxy/Suricata/Snort type of product.