Score:0

Allow access to remote VM with Postgres only from VPN access

I'm missing knowledge about VPNs. Given is a remote VM with PostgreSQL. The server has a public IP.

Is it possible (and if so, how) to:

  • Database Level: allow connections to postgres (pg_hba.conf) only if the user has the company VPN activated (<- how can it be identified?)
  • Server Level: close the public IP but allow access to the server if the user is within the VPN? (Does this make sense?)

I'm even more puzzled as the remote VM has nothing to do with the company network. Thanks for every direction!

Score:0

Quite possible.

Database Level: allow connections to postgres (pg_hba.conf) only if the user has the company VPN activated (<- how can it be identified?)

Pretty simple - add a line that matches both a certain database and the VPN IP prefix which the user connects from.

Server Level: close the public IP but allow access to the server if the user is within the VPN? (Does this make sense?)

Definitely does. Same approach, but on a different (lower) OSI model layer: filter out any connections from the outer world to tcp/5432 (apply the filter rules to the outer interfaces on the server, if it has multiple), and allow only connections from the VPN prefix.

To enforce the security even more, make the PostgreSQL instance bind only to specific interfaces (if the server has multiple) in postgresql.conf using the listen_addresses directive (specify specific addresses instead of *).

Thanks drookie, I missed that VPN prefix bit to identify the VPN. For sure from here I will find my way!
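
An added example, not part of the original question or answer: a small audit that reads pg_hba.conf text and lists every remote (TCP) rule that admits clients from outside the VPN prefix, run here against a weak and a restricted sample. The prefix 10.8.0.0/24, the database appdb and the role appuser are constructed placeholders, and the parser handles plain whitespace-separated fields only (no quoted names).

```python
import ipaddress

# Assumption: VPN clients get addresses from 10.8.0.0/24 (constructed value).
VPN_PREFIX = ipaddress.ip_network("10.8.0.0/24")

# Constructed pg_hba.conf samples; names and addresses are hypothetical.
WEAK_HBA = """\
# TYPE  DATABASE  USER     ADDRESS        METHOD
local   all       postgres                peer
host    appdb     appuser  0.0.0.0/0      scram-sha-256
"""
HARDENED_HBA = """\
local   all       postgres                peer
hostssl appdb     appuser  10.8.0.0/24    scram-sha-256
host    all       all      0.0.0.0/0      reject
"""

REMOTE_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}


def rules_outside_vpn(hba_text, vpn=VPN_PREFIX):
    """Return remote pg_hba rules that accept clients outside the VPN prefix."""
    findings = []
    for raw in hba_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0] not in REMOTE_TYPES:
            continue  # comments, blank lines and unix-socket ("local") rules
        try:
            address, rest = fields[3], fields[4:]
            if "/" not in address:  # IP followed by a separate netmask column
                address, rest = f"{address}/{rest[0]}", rest[1:]
            net, method = ipaddress.ip_network(address, strict=False), rest[0]
        except (ValueError, IndexError):
            # Hostname, "all", "samenet", or a malformed line: review by hand.
            findings.append(" ".join(fields))
            continue
        if method == "reject" or net.is_loopback:
            continue  # explicit deny, or reachable only from the server itself
        if net.version != vpn.version or not net.subnet_of(vpn):
            findings.append(" ".join(fields))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_HBA), ("hardened", HARDENED_HBA)):
        print(name, rules_outside_vpn(text))
```

The same prefix is what the firewall rule for tcp/5432 and the listen_addresses setting mentioned in the answer would be built around.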