You can securely connect to VMs running in a VNet private subnet without exposing them to the Internet. You can set up a public subnet that acts as a proxy/jump box.
To securely connect to VMs running in a VNet private subnet, you can use SSH tunneling. Using SSH tunneling improves security by not exposing the management ports of your VM to the Internet or to other subnets in your VNet. See Azure Documentation Center.