I would recommend that you use the physical mgmt-interface (on the box) as your primary way of management.
In Device -> Setup -> Services you can click on Service Route Configuration in case you need to "reroute" which interface is used for updates, as an example (updates go through the mgmt-interface by default, but you can "reroute" this to use a dataplane interface instead without having to expose your management to the whole world).
Then if you need a secondary mgmt-interface you can create one in Network -> Network Profiles -> Interface Mgmt by setting up an Interface Management Profile; don't forget to define Permitted IP Addresses while you set up this dataplane mgmt interface.
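
A check for the "Permitted IP Addresses" reminder in the answer above, as an added example that is not part of the original post and not Palo Alto Networks code: it scans an exported configuration XML for Interface Management Profiles that enable admin services without restricting source addresses. The XML element layout, the function name `audit_mgmt_profiles` and the sample profiles are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element names are an assumed layout modelled on a
# PAN-OS configuration export; adjust them to match your own export.
SAMPLE_CONFIG = """\
<config><devices><entry name="localhost.localdomain"><network><profiles>
  <interface-management-profile>
    <entry name="mgmt-secondary">
      <https>yes</https><ssh>yes</ssh><ping>yes</ping>
      <permitted-ip><entry name="192.0.2.0/28"/></permitted-ip>
    </entry>
    <entry name="open-admin">
      <https>yes</https><ping>yes</ping>
    </entry>
    <entry name="ping-only">
      <ping>yes</ping>
    </entry>
    <entry name="any-source">
      <ssh>yes</ssh>
      <permitted-ip><entry name="0.0.0.0/0"/></permitted-ip>
    </entry>
  </interface-management-profile>
</profiles></network></entry></devices></config>
"""

ADMIN_SERVICES = ("https", "http", "ssh", "telnet")  # services that give device access
ANY_SOURCE = {"0.0.0.0/0", "::/0"}                   # entries that restrict nothing


def audit_mgmt_profiles(xml_text):
    """Return {profile: reason} for profiles exposing admin services to any source."""
    findings = {}
    root = ET.fromstring(xml_text)
    for container in root.iter("interface-management-profile"):
        for profile in container.findall("entry"):
            enabled = [s for s in ADMIN_SERVICES
                       if (profile.findtext(s) or "").strip() == "yes"]
            if not enabled:
                continue  # ping-only style profiles are out of scope here
            permitted = [e.get("name") for e in profile.findall("permitted-ip/entry")]
            services = "/".join(enabled)
            if not permitted:
                findings[profile.get("name")] = f"{services} enabled, no permitted-ip"
            elif ANY_SOURCE & set(permitted):
                findings[profile.get("name")] = f"{services} enabled, permitted-ip allows any source"
    return findings


if __name__ == "__main__":
    for name, reason in audit_mgmt_profiles(SAMPLE_CONFIG).items():
        print(f"{name}: {reason}")
```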