In traditional web applications you have the option to make UI flows only available internally (internal access only). Unfortunately in reactive applications you don't have this option. When you do not have a on-premise installation you can also not work with selective deployment zones to acomplish this. Which means that you can only create your own IP filtering  and put them in the different screens or login flow. This solution however is not ideal and also less secure. It would be easier if you also have a internal acces option in reactive apps.