Most Magento needs need to be PCI Compliant because they accept payment cards (ie. credit/debit cards).
As you'll see at https://magento.com/resources/pci-compliance "Your business must utilize a firewall configuration to protect cardholder data and create a secure network. A firewall controls your network traffic and blocks any transmissions which don’t meet your particular security criteria."
Many Magento stores get their Web Application Firewall (WAF) as part of their hosting package. A good Magento host will provide this as a standard part of your hosting environment, and will help to configure and manage your firewall for you. This includes setting up IP whitelists for the Magento admin.
Unfortunately, this isn't a standard that all hosts that offer Magento hosting follow. We saw this with the cardbleed attacks last year: https://twitter.com/gwillem/status/1306196862991577088
If your host isn't taking care of this for you, you should consider a vendor that fits your budget, like Cloudflare, Sucuri, Sitelock, Foregenix, or Sectigo.
While you can manage IP whitelisting from Apache or NGINX, if you're going to be using a proper firewall, it may indeed be a better decision to manage your
