Summary
In order to limit possible security vulnerabilities, we will make a single url sub-space which will be exposed outside the VPC, and all other urls will only be accessible inside the VPC.
Details
At the hosting layer (AWS VPC), requests from outside the VPC to any url not in the /public prefix will return a 404. This will be enabled by default on all new IDAs, and will be rolled out on existing IDAs as teams have the bandwidth to adjust their URLs.