I'm getting ready to deploy a website and wanted a second opinion on the security. I have a database containing hashed passwords with correlating usernames to log in with. On top of that, I'm using a google cloud instance that can only be accessed over a certain IP range (CIDR range) and specific IPs such as employees' home IPs.
Currently the website can pull files to manipulate the data. It can also upload data to the database but all these connections are refused outside of the whitelisted IPs. Should this be enough security for me not to worry?