I helped roll out Twingate at work today which essentially provides a secure relay to your protected cloud resources, in our case, AWS.
It acts as a replacement for a traditional VPN, which comes with its own set of risks and maintenance implications.
With Twingate you can deploy a small connector that lives within the same network of your protected resources. We chose ECS as that was really easy to setup.
It also comes with a small OSX native client and setting the whole thing up was done within minutes.
Oh and it's also free for up to 5 users if you want to quickly test it out.