A nice feature to have for security reasons is to black list all IP's that are located outside of the country in which I am intending on serving IP service. If I serve US only why should I be bothered with constant IP's from France or Europe trying to loginto my 3CX phone system. There are many GeoLocation services now offering the ability to query the country for which the IP is coming from and if that country is not in the allow list then it should not be allowed to be presented the login or any response from the server. Alternatively, if there an easy way to block of all external Public IP's except for those that are approved that will do the trick as well. One can argue that you can do that on the firewall however when you try to offer a hosting options to clients you don't want to manage the firewall rules for each one of your clients.