Score:-3

Connect mobile app to a server in LAN

We have a system running in a LAN without access from outside. Now we have developed a mobile app which should communicate with this system using API calls. The mobile phone would use a cellular network connection and access the system from the internet.

The question is how to make the system available from the internet for the mobile app. This is what I came up with.

  1. Open a port and forward the communication to the server. I was told this is not secure by their admins.
  2. Use a VPN connection on the mobile phone to connect into the LAN. I don't like this because the user needs to spin up the VPN connection before using the app.
  3. Having a second instance accessible from the internet and sharing the same DB.

Any other ideas?

The system is a .NET app running on a Windows server. The mobile app is an Android app.

Thank you

Romeo Ninov: This question is likely to be answered with opinions rather than facts and citations. It should be updated so it will lead to fact-based answers.

user71541: What kind of information should be updated?

Romeo Ninov: You should ask **one** **specific** question with enough details.

user71541: This is one question.

Romeo Ninov: No, you want to ask about 3 different approaches = 3 questions. Plus ask for opinion.

Score:4

Most organizations will/should be reluctant to have an Internet-facing web application or API. But these do exist, so they are typically front-ended by a reverse proxy or API Gateway. These provide more granularity of control and a host of other features.

https://en.wikipedia.org/wiki/Reverse_proxy

https://stackoverflow.com/questions/35756663/api-gateway-vs-reverse-proxy

https://www.l7defense.com/cyber-security/api-gateway-vs-reverse-proxy/

https://www.ibm.com/docs/en/mpf/7.1.0?topic=proxy-integrating-datapower-as-security-gateway-reverse
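
As an added illustration of the "granularity of control" mentioned in this answer (not part of the original answer and not code from any gateway product), the sketch below shows the per-request decision a reverse proxy or API gateway makes before anything reaches the LAN server. The upstream address, the routes and the token are constructed values.

```python
import hmac

# Every name and value here is constructed for the example.
UPSTREAM = "http://10.0.0.5:8080"      # LAN server, reachable only from the proxy
ROUTES = {("GET", "/api/orders"), ("POST", "/api/orders"), ("GET", "/api/profile")}
API_TOKENS = {"demo-token-for-tests"}  # placeholder; real tokens live in a secret store
# Hop-by-hop headers plus Host, which the proxy sets itself for the upstream.
NOT_FORWARDED = {"connection", "keep-alive", "te", "trailer", "transfer-encoding",
                 "upgrade", "proxy-authorization", "host"}
SPOOFABLE = {"x-forwarded-for", "x-forwarded-proto", "x-real-ip"}


def token_ok(headers):
    """Accept only 'Authorization: Bearer <known token>', compared in constant time."""
    scheme, _, presented = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return False
    return any(hmac.compare_digest(presented.encode(), t.encode()) for t in API_TOKENS)


def route_ok(method, path):
    """Allow a request only if its method and path prefix are on the allowlist."""
    # Strict choice for this example: refuse traversal, empty segments and any
    # percent-encoding rather than trying to normalise them.
    if ".." in path or "//" in path or "%" in path:
        return False
    return any(method == m and (path == p or path.startswith(p + "/")) for m, p in ROUTES)


def gate(method, target, headers, client_ip):
    """Return (deny_status, None) or (None, (upstream_url, upstream_headers))."""
    headers = {k.lower(): v for k, v in headers.items()}
    path, _, query = target.partition("?")
    if not token_ok(headers):          # checked first, so routes cannot be probed anonymously
        return 401, None
    if not route_ok(method.upper(), path):
        return 403, None
    drop = NOT_FORWARDED | SPOOFABLE | {"authorization"}  # gateway token stays at the edge
    out = {k: v for k, v in headers.items() if k not in drop}
    out["x-forwarded-for"] = client_ip  # set from the socket, never from the client
    return None, (UPSTREAM + path + ("?" + query if query else ""), out)
```

Only requests for which `gate` returns `None` as the first element would be forwarded; everything else is answered at the edge and never touches the internal server.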

Score:3

Option 4. Pay someone who knows how to do this properly and securely - don't try to re-invent this particularly complex wheel themselves.

Score:0

I would run the reverse proxy and/or API gateway in a container or Kubernetes cluster to increase availability, and further separate it from your actual internal network.

Score:0

I would go with a VPN. OpenSSL would be the easiest.

You could try HashiCorp's Boundary too. It is an SDP (Software Defined Perimeter) tool that would help provide secure access to the server.

And lastly, you can try a ZTNA provider that would also provide secure access to the server.
