Best Practice for safe connections

What are the best practices for setting up host computers to be available for safe remote connections? I understand that the Fluid connection is encrypted end to end, but I'm more focused on reducing the attack surface to prevent unauthorized login attempts.

I have a VPN server, but it is clear that normal Jump Desktop Connections are bypassing that. I don't have a Teams subscription, as my Team is only 1 person, and at the moment, I mostly want to secure my own incoming connections to my own Mac desktop while reducing the opportunity for hackers to rattle the door knob. It seems potentially weak or at least risky for the Jump Connection Cloud server to always be at the ready to allow hackers try login passwords to my desktop.

It seems like a solution would be for me to block outgoing Jump Desktop Connect at the router, which would then mean the VPN server would be the only way to get in from outside. (And I would need to know the IP number, which is ok). But the Jump ports are 80 & 443, so probably not a good idea to block that.

Another possibly better solution would be if JDC offered a preference to only allow connections from the local LAN, or only from specified IP ranges. That could have a similar effect of forcing the connections through the VPN.

What are the best practices for setting up JumpDesktop Connect for the best security against attacks from the internet?