Inside the Miraheze Cluster, there is no such thing as a private network. While some traffic is encrypted, for example SSH, Parsoid (TLS) and connections between cache proxies and MediaWiki servers (via TLS/stunnel), various forms of traffic are still unencrypted. Good examples are MediaWiki <-> Redis and MediaWiki/Redis/Phabricator <-> MariaDB.
Especially since we don't have private networking yet, it's not in line with our view on securing communications.
Unfortunately, encryption in software is still not a standard thing (and not without performance impact either). For example, Redis does not support TLS, and MariaDB only supports OpenSSL (or the less popular yaSSL, which is the default) if compiled manually. Matomo (-> MariaDB) offers support for ssl_* configuration inside config.inc.php. With regard to MediaWiki (-> MariaDB) I have no idea, while Phabricator (-> MariaDB) definitely doesn't support it.
Creating a VPN between Miraheze servers in the NL Cluster is one way to go; vpncloud.rs seems reasonable to do and doesn't require complex changes to the current IP configuration. On the other hand, stunnel (for Redis) is very easy to do and ProxySQL may even bring performance improvements instead of degradation!
Sub-tasks will be created as necessary.
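
A sketch of the stunnel option for MediaWiki <-> Redis mentioned above, added here as an illustration and not taken from Miraheze's configuration. The hostname `redis.example.internal`, port 6380 and all file paths are placeholders, and it assumes certificates issued by an internal CA.

```ini
; ---- On the Redis host (placeholder path: /etc/stunnel/redis-server.conf) ----
; Redis itself should listen on loopback only (redis.conf: bind 127.0.0.1),
; so the TLS port below is the only way to reach it over the network.
[redis-server]
accept = 0.0.0.0:6380
connect = 127.0.0.1:6379
cert = /etc/stunnel/redis-server.crt
key = /etc/stunnel/redis-server.key
; With no private network, port 6380 is reachable by any host, so the
; tunnel also has to authenticate clients: require a certificate that
; chains to the internal CA.
CAfile = /etc/stunnel/internal-ca.crt
verifyChain = yes

; ---- On each MediaWiki host (placeholder path: /etc/stunnel/redis-client.conf) ----
; MediaWiki keeps speaking plaintext Redis, but only to 127.0.0.1:6379;
; stunnel carries it to the Redis host inside TLS.
[redis-client]
client = yes
accept = 127.0.0.1:6379
connect = redis.example.internal:6380
cert = /etc/stunnel/mediawiki-client.crt
key = /etc/stunnel/mediawiki-client.key
; Verify the server certificate chain and the name in it, otherwise the
; tunnel encrypts but does not authenticate the peer.
CAfile = /etc/stunnel/internal-ca.crt
verifyChain = yes
checkHost = redis.example.internal
```

With this layout the Redis server entry in the MediaWiki configuration points at 127.0.0.1:6379 on the local host rather than at the Redis server's public address.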