This is a fairly short topic but will detail some essentials which people usually miss out on.
There have been reports of automated DDoS attack on verifiers which become eligible close to the moment where upon a new verifier is allowed to enter.
It speaks for itself that in current times when cost of entry (depending on your calculations) is around 300 USD (with a queue size of 10 000, cycle size 1400) – missing out on joining the cycle due to a DDoS event is a non-negligible setback.
To combat this the latest version equips the sentinel with the capability to join the mesh when your verifier is incapable of doing so at the time. (Details here)
To properly prepare yourself for joining the cycle your setup should consist of minimally one sentinel and one Nyzo verifier waiting to join.
Each additional queue node can be added to the existing sentinel for protection – as your operations scale it might make sense to deploy more than one sentinel and to hedge counter-party risk by deploying them at different VPS providers or even at home.
-> at least one sentinel
-> add each verifier to your sentinel configuration file
-> hedge counter-party risk by hosting sentinels with different companies