Is there any recommended way to secure the Airbyte Open Source API so it can't be pinged externally?

I would suggest securing the API in the same way you secure access to the Airbyte console. The simplest approach is to use a firewall with IP whitelisting. Please check this documentation and open a topic on our forum if need further assistance.