IMO, it's entirely fine to start here. I have a couple ZAC instances exposed like https://ctrl.clint.demo.openziti.org:8441/zac/login. So I don't think there's any harm in having it exposed per-se. Is it better to have it split off an inacessible to the world? sure, but I would STRONGLY urge you to get things working with it exposed, understand how things work without splitting the API, then migrate to having it split off. But if you want to start off that way - you can 
If you're interested in a video you can watch https://www.youtube.com/watch?v=FI4byEDg344