

Encryption in transit, even internally, is a good practice. That said, OP is making life hard by refusing to use DNS.
I feel like OP is about to find out why businesses pay for cloud services.
You just described a load balancer. The router doesn’t know about DNS but clients using your service use DNS. You can do some simple load balancing behind DNS. If you want to do it by IP address you want a load balancer though.
If overcomplicating things is a concern for you, then just use Let’s Encrypt. Running your own CA is a pain in the ass and probably decreases security for most people due to the difficulty of doing it correctly.
I’d be interested in a community for commercial sysadmin type stuff, but the ones I’ve seen are all pretty dead. I am one of those people that work in the industry.
I usually go for the non-accessible one first, but if that one is occupied or dirty or something I readily use the handicap accessible one.