The simplest approach to making Node-RED available over the Internet is not to do it at all! Node-RED was not initially designed to be exposed direct to the Internet but rather as a prototyping tool for IoT and Home Automation. As such, it does not have regular security audits and you should very much limit its exposure.
The next simplest approach: A Telegram bot 🔗︎
However, access over the Internet is a common requirement and certainly extends the usefulness of Node-RED.
So the next simplest approach is to make use of a secure 3rd-party messaging service such as Telegram Messenger. Telegram has client apps for just about every platform. It is fast, robust, secure and has a relatively easy to use API (_Application Programming Interface_).
You can use the bot to send information to Telegram clients and also to allow authorised clients/users/groups to send information and commands to Node-RED via the bot.
The main current limitation is that you cannot use your bot to bridge information from other Telegram bots into Node-RED.
Also, using an instant messaging style interface does limit how you can interact with your users. However, telegram allows a number of ways ranging from conversational interfaces to buttons & autocomplete.
You can also use a bot to send rich data including video and audio to clients. You can also receive such data and other files from users.
Alternative approaches 🔗︎
If a Telegram bot doesn’t meet your requirements, you will want to ensure that all Node-RED web interfaces (including admin, Dashboard, http-in/out, etc) are all properly protected. You will also need to protect the websockets and Socket.IO interfaces that are used. This is non-trivial and care is needed when configuring.
Some additional information is available on the WIKI for the Node-RED Cookbook.