Usually, in your web application, you have an admin area, and it could be the case that this part of your portal isn't accessible by everyone. Of course, you have a username and password, but an attacker can steal those credentials in many ways.
If it is a sensitive application, for the principle of least privilege to be followed, it is convenient to restrict access to the locations where this kind of admin access needs to be used; for example, from the office. If you can have different access for the admin section you can put this behind an internal load balancer and connect the VPC to your office by using a VPN service, as discussed in previous sections. The internal load balancer DNS ...