Whether and to what extent you need a VPN in your production pipeline will depend on how your company network is configured. Out shop is a virtual office, so our developers have to be able to reach our production instances from anywhere. There are a number of ways to solve this problem, and most providers allow some form of console access right from their web-based control panels; but we'd like our own network path to all the services we're going to set up in the cloud and we don't want to have to be messing with firewall rules every time we add or lose a team member. This means a VPN server and VPN clients on all of our droplets.