I personally use a UDM Pro, but most of the UniFi Cloud Gateways should be able to handle what you want to do. You could use a pfSense or OPNsense router as well. Basically, as long as your router can handle L2 VLANs and a firewall for the LAN, you should be able to do this.
I configure the firewall to block all traffic to/from my apps VLAN, and only punch holes for things that need access, like my proxy, database servers, user access from the local network (99.9% handled mostly through NPM [proxy]), etc.
I have a bond set up with LACP on my switch with VLAN tagging on my ports, then VLANs and bridges set up in TNCE to allow for access to those networks. If I don’t need the app to talk back to the host, then I just use a VLAN interface; as a result, the apps are segregated to their own networks. I have jails set up that run Docker, and those jails are configured on the VLANs I need. With the jails, they are locked up in their own sandboxed “jail” with no access to the host except for host-based storage (which has app permissions set, so very little access) and locked-down networks.
This shouldn’t affect authentik. authentik checks against failed logins, IP addresses, impossible travel, and will act accordingly. You can customize the policies and reputation as well. Besides, the RAC access is pretty cool too.