By default, when opening up OWA (Outlook Web App) access to the internet, you could technically also get into Exchange Admin Center (EAC) by appending /ecp after the external OWA URL, potentionally creating a security vulnerability and increasing the chance for a brute-force attack to succeed.
While it is generally a good idea to deny access to the Administrator user to manage the Exchange-server, this is not always possible or desireable. Additionally, because EAC is a VirtualDirectory within a site in IIS, it is not possible to have it listen on a separate internal IP address and secure it through the edge firewall. Luckily, IIS also has some other mechanisms to secure access. There's an easy way to restrict access, and although it's not really a pretty solution, and not a perfect one either, it is quite effective as an additional security boundary.
For this to work, you need to install IP and Domain Restrictions, a subfeature that can be selected when installing the Web Server (IIS) role on your server. If you have not done so, go to Server Manager, and install it. You do not need to reboot the server after installation.
After installation, go to IIS Manager and look for the VirtualDirectory ecp, in the Default Web Site.
In the right pane, double-click IP Address and Domain Restrictions.
First, we have to set the default action for unspecified clients to Deny, so that all clients not listed will be denied access. Click in the Actions pane on Edit Feature Settings to change the default behaviour:
Next, use Add Allow entry to add your own subnets to the list to allow access.
In order to be able to open EAC from the Exchange CAS itself, add the "localhost" subnet (127.0.0.0/8).