I have a couple of sites with SME boxes in server only sitting behind a 4 port Draytek 3300 WAN router. I just forward the required ports and nothing more. Usually the ssh port (whatever, keys only), smtp (25), ssmtp (465), imaps (993), https (443) and possibly http (80)
On one I have a proxy running with SARG with browers all pointed at it just to keep an eye on surfing habits. Has worked well for me for years.
As an aside what I have done with a couple of VMs on my cloud server is run them in gateway server with a 'dummy' internal adaptor to help with firewalling where there is no router/firewall in front of it.
As long as you have firewalling SOMEWHERE you should be OK.
B. Rgds
John