
I think one disadvantage of putting everything (nginx, web server, database, monitoring tools, etc.) on one machine is that suddenly your machine is exposing a myriad of ports to the internet, and one mistake on your side (e.g., a misconfigured auth module) is all that's needed to compromise your entire service.

Having some sort of VPC where you can safely put your DB server, so that it only listens to requests from servers within the same VPC (e.g., the web server), sounds like good practice to me.



> I think one disadvantage of putting everything (nginx, web server, database, monitoring tools, etc.) on one machine is that suddenly your machine is exposing a myriad of ports to the internet, and one mistake on your side (e.g., a misconfigured auth module) is all that's needed to compromise your entire service.

All the Linux distributions I have gotten to know use sensible defaults, so that critical services don't bind to a public-facing interface and bind only to localhost, e.g. mariadb and mysql on Debian.

Besides that, Hetzner's "Robot" interface allows you to configure which ports/IP addresses you allow access to your Hetzner server.
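An added example (not from any commenter in the thread) of the check these replies describe: a POSIX shell script that reads `ss -Hltn` output and lists every LISTEN socket bound to anything other than loopback. The `ss` lines below are a constructed sample so it runs offline; on a real host pipe `ss -Hltn` into `public_listeners`.

```shell
#!/bin/sh
# Added example: audit which listening TCP sockets are reachable from somewhere
# other than loopback. Input format is that of `ss -Hltn`:
#   State Recv-Q Send-Q Local:Port Peer:Port
# A constructed sample is embedded below so the script runs without root or ss.

# Split off the port: everything after the last ':' (works for "[::]:22" too).
host_of() { printf '%s\n' "${1%:*}"; }

# "local" for loopback binds, "public" for wildcard or any other interface.
# A bind to a specific private/VPC address is still reachable from that
# network, so it is reported too; the firewall decides who may reach it.
classify_addr() {
  case "$(host_of "$1")" in
    127.*|'[::1]'|'[::ffff:127.'*) echo local ;;
    '*'|0.0.0.0|'[::]')             echo public ;;   # all interfaces
    *)                              echo public ;;   # a specific non-loopback IP
  esac
}

# Read ss-style lines on stdin; print the local address of every LISTEN
# socket that is not confined to loopback. Header lines (no -H) are skipped.
public_listeners() {
  while read -r state _recvq _sendq laddr _peer _rest; do
    [ "$state" = LISTEN ] || continue
    if [ "$(classify_addr "$laddr")" = public ]; then
      printf '%s\n' "$laddr"
    fi
  done
}

# Constructed sample of `ss -Hltn` output for demonstration only.
SAMPLE='LISTEN 0 80   127.0.0.1:3306   0.0.0.0:*
LISTEN 0 128  0.0.0.0:22       0.0.0.0:*
LISTEN 0 128  [::]:22          [::]:*
LISTEN 0 511  *:80             *:*
LISTEN 0 4096 [::1]:9090       [::]:*
LISTEN 0 4096 10.0.0.5:5432    0.0.0.0:*'

printf '%s\n' "$SAMPLE" | public_listeners
```

In the sample, the MariaDB port (3306) and the monitoring port (9090) stay loopback-only and are not reported; SSH, HTTP and the Postgres bind on 10.0.0.5 are.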


Hm, why? You can run services without exposing their ports to the whole world. Or use Unix sockets.



