If you haven’t already, it’s always necessary when creating production deployments to have TLS on all WAN interfaces of your Chirpstack server. For me that is MQTT (8883) the web interface (443) and gRPC (also 443). Also if your form of TLS does not include authentication, you likely also want to add that using for example a username / password on MQTT broker.
Depending on how serious you are, you should also probably consider some form of redundancy so if your server fails there is another that could take it’s place seamlessly. There are many ways to do this, depends on your use case and what works best for you, but I was researching this topic a few months ago and if your curious you could check my plan out: