Your router is exposed to public internet as long as it gets a public ip address. Domain is just an alias of ip easy to remember. Set strong policy on router will protects your local network on most scenarios.
What I did on self hosting is:
- Purchase a domain, add record pointing to my router's public ip.
- Expose ports for non-sensitive or authentication-capable application on home server. Those apps can be accessed from anywhere using public domain directly in browser.
- Deploy an OpenVPN server on home server, generate SSL certificates, install OpenVPN client and import certificates on my devices. Then set series of policies on router, to let data packets from OpenVPN's subnet can be routered to home server with certain ports. Whenever a sensitive app or app without login portal need to be accessed (from public internet), just start OpenVPN client at first.
- Make sure some critical apps could only be access from local network, even not for OpenVPN's subnet, such router's portal.
If you're bothered to tweak config on router, you could also use Cloudflare's tunnel, to manually add second level domain record for each service, if there are not many.
Besides, I use caddy to auto regenerate Let's Encrypt's certificate. It default requires that 80 port of you network is accessiable, not blocked by ISP. Or you can use dns verification in Let's Encrypt's config, just provide your domain provider's API credential to it.
Have ordered AWS snowcone service to upload 10TB data to S3, then downloaded directly from S3 to other site of my company, it takes about 200 bucks. We use borg to backup data and compress at high level before copying to snowcone, the original data might be 30TB.