You can securely connect to VMs running in a VNet private subnet without exposing them to the Internet. You can set up a public subnet that acts as a proxy/jump box.
To securely connect to VMs running in a VNet private subnet, you can use SSH tunneling. Using SSH tunneling improves security by not exposing the management ports of your VM to the Internet or to other subnets in your VNet. For information on how to create an SSH tunnel, see Azure Documentation Center and search for Use SSH Tunneling to access Ambari.