First ... probably a good idea to post in only one forum a question (such as yours). Posted in 2 you will/might get responses split ... confusing if someone trying to keep track.
Concept ... moodle is nothing more than a web site, running under apache/nginx (?), accessed via a browser (URL - best if by fully qualifed domain name (hint: external and internal DNS is involved) ... it's a series of php scripts and backended by a DB ... MySQL/MariaDB/etc. That, you already know. But add this to the concepts ... networking comes before application (moodle).
So ... does this 'cloud-security team' already run something web based?
As to the security of moodle itself ... a valid tls cert (https), show nothing on front page of the moodle - require all to login to see anything - consider using some internal corp auth for users but at least 3 users need to remain manual ... guest (even if you don't use guest access), the initial admin user that installed and one other account.
If moodledata is gonna have tons of uploaded files, an internal NFS or other file system that is hidden to outside ... and the DB box probably as well.
Those would be 10. IP's?
Am sure others (at least one Moodle Partner) will chime in here.