The Triggered Pipeline Access Control document (https://docs-snaplogic.atlassian.net/wiki/spaces/SD/pages/1438214/Triggered+Pipeline+Access+Control) states, “It is not recommended to make the Groundplex nodes accessible over the Internet.”. Why?
I can’t speak for Snaplogic as I am not an employee, etc… But ONE good reason for not making a groundplex accessible over the internet is because many use that, I’m sure, because they want to access their internal secure network. Generally making such a product accessible over the internet is a security risk.
The CLOUD snaplex is different because if someone somehow broke into that, they still wouldn’t have direct access to your network, or internal systems, and likely not even to your pipelines, etc… Also, hopefully someone at snaplogic is watching somehow. It has been my experience that they are pretty responsive. A HUMAN often contacts me, and sometimes even solves a problem, before some competitors send me an automated canned message that means NOTHING! They also may have some sort of trap, to prevent such access.
Of course, if I am right there, you could easily have the item accessible through a VPN, or firewall, and perhaps even through a common system that is only accessible via VPN, or firewall, and kind of have your cake and eat it too, since a VPN could add a few extra procedures, and even then isolate the network through another link. Since effectively nobody else knows the software, and the keys, and the credentials, and the procedure, they would not be able to access the site and you would be safe.
Of course this is a one way wall. It doesn’t restrict your accessing other internet sites from the groundplex, only the site from the internet. Even there, it would be good to use a proxy to prevent any access through that.
I once, for example, accessed a public and open board, and it crashed. I could do ANYTHING I wanted and wasn’t even trying. Luckily, for them, I was honest and told them the problem. At the time it was what was considered a decent size computer. I could have looked at more than I did, merely out of curiousity. Every now and then, even today, people find exploits to do such things.
Also, the article you mentioned DOES say:
To turn off cloud triggered tasks, check the option to Only allow Triggered Tasks to be invoked from the following IP ranges and do not add any IP address range.
So that implies it CAN be accessed over the internet, and can be BY DEFAULT, but they recommend using INTERNAL ranges, such as ones starting with 10 or 127, or 192, etc… or ones ASSIGNED TO YOU, because they would only be reachable within your network.