As the API server is intended to always sit behind a gateway, it does not itself provide HTTPS transport. This makes a reverse proxy or gateway a requirement even for single-node environments where you don't need load balancing.

Additional security/hardening

SCIM endpoints need to be available from the Internet, and access to them is protected by the use of HTTPS transport and a secret bearer token. Changing the bearer token regularly is recommended.

If possible, restricting access by IP in the company firewall or gateway is also recommended. By only forwarding requests that originate from a whitelisted IP range, you get an extra layer of safety on top of the bearer token.

If the bearer token is stolen and the attacker can also reach the SCIM endpoints, it is potentially possible for them to provision fake users and set roles as they see fit.
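The gateway setup described above (HTTPS termination plus an IP allowlist in front of the SCIM endpoints), as an added nginx example that is not part of the original page or the product's own configuration; the hostname, certificate paths, SCIM base path, upstream port and IdP address ranges are all placeholders.

```nginx
# Added example: nginx reverse proxy in front of the SCIM API server.
# Every hostname, path, port and IP range below is a placeholder (assumption).
server {
    listen 80;
    server_name scim.example.com;            # placeholder hostname
    # The API server has no HTTPS of its own, so never serve SCIM over plain HTTP.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name scim.example.com;            # placeholder hostname
    ssl_certificate     /etc/ssl/certs/scim.example.com.pem;    # placeholder
    ssl_certificate_key /etc/ssl/private/scim.example.com.key;  # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;

    # Only the SCIM base path is exposed; adjust /scim/ to the product's real path.
    location /scim/ {
        # Constructed IdP egress ranges (RFC 5737 / RFC 3849 documentation
        # addresses). Replace with the ranges your IdP publishes. Requests from
        # any other source are refused by the gateway, so a leaked bearer token
        # alone is not enough to reach the provisioning endpoints.
        allow 203.0.113.0/24;
        allow 2001:db8::/32;
        deny  all;

        proxy_pass http://127.0.0.1:8080;    # placeholder: the API server behind the gateway
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Nothing else on this host is forwarded to the API server.
    location / {
        return 404;
    }
}
```

Rotating the bearer token, as the text recommends, is done in the application and the IdP; the gateway only narrows who can present a token at all.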

Data Center vs Server 

While Atlassian Data Center is not required to use SCIM, we do recommend it for the added redundancy it provides. In a single-server environment, provisioning can fail simply because the only server is taken down for temporary maintenance or a reboot, as that makes the SCIM endpoints temporarily inaccessible. Depending on the IdP, this could simply mean a newly added user or group doesn't get provisioned for another hour (when the IdP automatically retries), or it could mean a manual refresh/force sync is needed for that user. Some IdPs, Azure among them, will disable SCIM provisioning and send the admin an e-mail if enough SCIM operations fail within a certain time frame.