Best practice for securing the admin console

We would like to use the jboss/keycloak Docker image in a production deployment. What is the best practice to ensure that the admin console is accessible for support and management but not accessible publicly?

Use a reverse proxy in front of the Keycloak service and use custom “routing” for the /auth/admin/ path. E.g. enable proxying for the intranet network and deny access for the rest of the networks. Of course, you may also use other options: mutual TLS, basic auth, …
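
The routing described in the answer above, sketched as an nginx configuration. This is an added example, not part of the original post; the hostname, certificate paths, upstream address and CIDR ranges are assumed placeholders.

```nginx
# Constructed example: every hostname, path and address range is a placeholder.
upstream keycloak_backend {
    server keycloak:8080;   # container reachable only on the internal Docker network
}

server {
    listen 443 ssl;
    server_name sso.example.com;                 # placeholder

    ssl_certificate     /etc/nginx/tls/sso.crt;  # placeholder paths
    ssl_certificate_key /etc/nginx/tls/sso.key;

    # Headers Keycloak needs to build correct URLs behind a proxy
    # (the jboss/keycloak image honours them when PROXY_ADDRESS_FORWARDING=true).
    # X-Forwarded-For is overwritten, not appended, so a client-supplied
    # value cannot reach Keycloak from this edge proxy.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Admin console and Admin REST API: intranet only.
    # The longest matching prefix wins, so this block takes precedence over /auth/.
    location /auth/admin/ {
        allow 10.0.0.0/8;      # assumed intranet range
        allow 192.168.0.0/16;  # assumed support/VPN range
        deny  all;             # every other source gets 403
        proxy_pass http://keycloak_backend;
    }

    # Public endpoints: login pages, OIDC/SAML endpoints, account console.
    location /auth/ {
        proxy_pass http://keycloak_backend;
    }

    # Nothing else is exposed through this virtual host.
    location / {
        return 404;
    }
}
```

The `allow`/`deny` rules evaluate the address nginx itself sees, so if another load balancer sits in front of nginx the rules must be applied to the restored client address instead. The restriction only holds if the Keycloak container port is not published directly to the outside network.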