Your burgeoning fleet of virtual machines poses a problem: with no public IP, you use a VPN to reach them. But while you have secured SSH well enough, you worry about what else the VPN can reach. You have considered an SSH jump box, but then the SSH session is not end-to-end encrypted. You have a set of 3rd parties and vendors you sometimes want to grant access to a single server, but not to everything via a VPN. What to do?
SSH by its very nature is end-to-end encrypted, with strong protection against Man-In-The-Middle attacks. All servers need to be accessible via SSH to be manageable, often by external users (e.g. vendors, an outsourced NOC, etc.). However, despite SSH being strong on encryption, it is challenging on accessibility. The servers are typically on private networks (e.g. a Virtual Private Cloud (VPC), internal network VLANs, etc.). Making them directly accessible from the Internet can be dangerous: we would have to somehow police that all users have passphrases on their keys, that password authentication is disabled, and so on. SSH jump boxes add a step to the workflow and are difficult to ssh-port-forward and scp through. VPN access is difficult to secure on a per-server basis, often being all-or-none.
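As an added example, not code from the original post: a small POSIX shell audit of an `sshd_config` against the settings the paragraph says you would have to police before exposing SSH directly to the Internet (no password logins, no root password logins, no keyboard-interactive fallback). It writes a constructed weak configuration and a constructed hardened one to temporary files and reports each finding. The directive defaults it assumes are OpenSSH's documented defaults, and it deliberately stops reading at the first `Match` block, since settings after it are conditional.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# settings you would have to police before exposing SSH to the Internet.
# Sample configs below are constructed for this demonstration.

# cfg_get FILE KEY -> print the effective value of KEY in lower case, or
# nothing if unset. sshd uses the first occurrence of a directive, so stop at
# the first match; also stop at the first "Match" block (assumption: we only
# audit the global section, conditional blocks are out of scope here).
cfg_get() {
    awk -v k="$2" '
        tolower($1) == "match"       { exit }
        tolower($1) == tolower(k)    { print tolower($2); exit }
    ' "$1"
}

# check_sshd_config FILE -> prints "ok" or one "FAIL: ..." line per finding.
# Returns 0 when there are no findings, 1 otherwise.
check_sshd_config() {
    _rc=0

    # Password logins: OpenSSH default is "yes", so an unset directive fails.
    _pw=$(cfg_get "$1" PasswordAuthentication)
    [ "${_pw:-yes}" = "no" ] \
        || { echo "FAIL: PasswordAuthentication is ${_pw:-yes (default)}"; _rc=1; }

    # Root login with a password: default is "prohibit-password", only "yes" is bad.
    _root=$(cfg_get "$1" PermitRootLogin)
    [ "${_root:-prohibit-password}" != "yes" ] \
        || { echo "FAIL: PermitRootLogin yes"; _rc=1; }

    # Keyboard-interactive (PAM password prompts) is a second password path.
    # ChallengeResponseAuthentication is the older alias; default is "yes".
    _kbd=$(cfg_get "$1" KbdInteractiveAuthentication)
    _cr=$(cfg_get "$1" ChallengeResponseAuthentication)
    _eff=${_kbd:-${_cr:-yes}}
    [ "$_eff" = "no" ] \
        || { echo "FAIL: keyboard-interactive authentication is $_eff"; _rc=1; }

    # Public keys must stay enabled (default "yes"); only an explicit "no" fails.
    _pk=$(cfg_get "$1" PubkeyAuthentication)
    [ "${_pk:-yes}" = "yes" ] \
        || { echo "FAIL: PubkeyAuthentication is $_pk"; _rc=1; }

    # Empty passwords: default "no"; only an explicit "yes" fails.
    _ep=$(cfg_get "$1" PermitEmptyPasswords)
    [ "${_ep:-no}" = "no" ] \
        || { echo "FAIL: PermitEmptyPasswords yes"; _rc=1; }

    [ "$_rc" -eq 0 ] && echo ok
    return "$_rc"
}

# Constructed sample configs (temporary files, removed on exit).
WEAK_CFG=$(mktemp)
HARDENED_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT

cat >"$WEAK_CFG" <<'EOF'
# constructed sample: cloud image defaults left loose
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
EOF

cat >"$HARDENED_CFG" <<'EOF'
# constructed sample: key-only access
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
AuthenticationMethods publickey
EOF

# Demo run: the weak file yields three FAIL lines, the hardened one prints ok.
for cfg in "$WEAK_CFG" "$HARDENED_CFG"; do
    echo "== $cfg"
    if check_sshd_config "$cfg"; then :; fi
done
```

Run it against a real `/etc/ssh/sshd_config` by calling `check_sshd_config /etc/ssh/sshd_config` after sourcing the file; the exit status makes it usable as a gate in a provisioning or CI step. It does not replace `sshd -T`, which prints the fully resolved configuration including `Match` blocks, but it needs no sshd binary and runs on a copy of the file.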