Zabbix on a VPS

  • tingel
    Junior Member
    • Jul 2015
    • 1

    #1

    Zabbix on a VPS

    Hello,

    I want to install ZABBIX on a Linux VPS hosted on the internet.
    How can I harden the ZABBIX server?
  • jamesNJ
    Senior Member
    • Jun 2015
    • 103

    #2
    I suppose a question might be why you would want to put a zabbix server on a cloud based vm on the public internet? Seems like you would need to do a lot of work with securing this for both inbound and outbound agent checks.

    Or, do you want to put a zabbix agent on a cloud based public virtual machine like a web server?


    • phpclub
      Junior Member
      • Jul 2015
      • 7

      #3
      Why not?

      One would like to pay a small fee instead of buying & maintaining a whole server.


      • jamesNJ
        Senior Member
        • Jun 2015
        • 103

        #4
        I can understand.

        For a monitoring host like zabbix, it would be better for that host to be on the inside of your protected network.

        If you have the means to do so, some of these cloud services have a VPN service you can use to connect to your cloud hosts on a private IP address range. Where I work, we use Amazon and they have a service called VPC where an IPsec tunnel is stood up and we then essentially get cloud provisioned machines available to our internal private network. You could also use something like OpenVPN to accomplish something similar. If you don't have access to that but you do have internal Linux hosts you can work with, you could also cook up something with persistent SSH tunnels to get the necessary connections back and forth.

        If you have a small enterprise to monitor, you could also consider running the zabbix appliance on a VMware or Oracle VirtualBox machine.

        If you cannot do that, then a monitoring service on a public cloud host would not only require hardening, but firewall rules and such to allow the connections you need to make. With no VPN style service, you may have to forego use of SNMP monitoring.

        A typical zabbix server with passive agents will periodically connect to hosts to collect data. So in this case, you would need to open firewall ports on your corporate network to allow zabbix to connect in. Zabbix can also have agents connect with active connection where the monitored hosts connect to the server, in which case you will need to maintain firewall rules on the zabbix host to allow incoming connections from your hosts.

        A few cloud services I've used seem to open up the OS for easier access/use, and focus on firewall rules in service network to protect the hosts. So most of the hardening is likely there ... it would be more of an issue to figure out which style of connection is better for you (active or passive) and then manage your firewall rules to permit the traffic you need.

        I hope this helps,


        • phpclub
          Junior Member
          • Jul 2015
          • 7

          #5
          I am using iptables

          I changed the SSH port to some random number.
          I have rules to allow the traffic that I need; anything else is blocked.
          I am using the iptables-preserve package.
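
The active/passive firewall split described in post #4, combined with the default-deny iptables approach from post #5, as an added example that is not part of any poster's message. It assumes the Zabbix default ports (10050 for the agent, 10051 for the server trapper), an HTTPS frontend on 443, and constructed addresses and SSH port.

```shell
#!/usr/bin/env bash
# Emit iptables-restore rules for a Zabbix server on a public VPS and for the
# hosts it monitors. All addresses and the SSH port are constructed samples.
SERVER_IP="192.0.2.5"                 # the VPS running zabbix_server
ADMIN_IP="198.51.100.10"              # only source allowed to reach SSH / web UI
AGENTS="203.0.113.21 203.0.113.22"    # monitored hosts
SSH_PORT=22022                        # non-default SSH port (assumed value)

rule() { printf '%s\n' "$*"; }

# server_rules MODE: INPUT policy for the VPS. MODE is "active" or "passive".
server_rules() {
  case "$1" in active|passive) ;; *) echo "mode: active|passive" >&2; return 1 ;; esac
  rule "*filter"
  rule ":INPUT DROP [0:0]"
  rule ":FORWARD DROP [0:0]"
  rule ":OUTPUT ACCEPT [0:0]"
  rule "-A INPUT -i lo -j ACCEPT"
  rule "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  rule "-A INPUT -p tcp -s $ADMIN_IP --dport $SSH_PORT -j ACCEPT"
  rule "-A INPUT -p tcp -s $ADMIN_IP --dport 443 -j ACCEPT"   # frontend, HTTPS assumed
  if [ "$1" = active ]; then
    # Active agents dial in to the server's trapper port (default 10051).
    for ip in $AGENTS; do
      rule "-A INPUT -p tcp -s $ip --dport 10051 -j ACCEPT"
    done
  fi
  # Passive: the server dials out to agents; replies match ESTABLISHED above.
  rule "COMMIT"
}

# agent_rules MODE: the one extra INPUT rule a monitored host needs.
agent_rules() {
  case "$1" in
    passive) rule "-A INPUT -p tcp -s $SERVER_IP --dport 10050 -j ACCEPT" ;;
    active)  : ;;   # agent only makes outbound connections to SERVER_IP:10051
    *) echo "mode: active|passive" >&2; return 1 ;;
  esac
}

# Print the server ruleset when a mode is given on the command line.
if [ -n "${1:-}" ]; then server_rules "$1"; fi
```

Review the generated ruleset before loading it with `iptables-restore`, and keep an existing SSH session open while testing so a mistake does not lock you out.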
