Ssh – Right Security Design for SSH Access on Proxmox host and VMs

I understand that for security, one has to be wearing a paranoid-hat always.

My scenario:

I will have 3 KVM virtual machines installed on Proxmox VE

1. Apache/Tomcat server
2. Server running mysql

3. Server running mongod

   • All these virtual machines are going to be direct-root-login-disabled and will use only passphrase-ssh keys. Each of them will have CSF firewall engine installed and will allow traffic based on ip & port.

Now the Question

I have 3 choices on how to setup remote login when the host-server is going to be co-located with a provider.

Choice 1

a. Enable SSH access to all machines directly from internet and the risk here is I do not want to expose mysql, mongodb and App server directly to outside world even if it is just passprhrase-protected-ssh-key.

Choice 2

a. Enable SSH only to Proxmox host and then store my ssh keys here. This looks scary that anyone hacking my login into Proxmox will have the keys to all machines (even if they are passphrase protected)

Choice 3

a. Create a openvpn on another VM/router and allow firewall rules to give ssh access to the virtual machines with that VLAN segment only and this way I can store SSH keys on my laptop/computer and not any server.

I am a startup company with a very limited talent availability on managing linux servers. I can navigate in linux and not very good at sys admin stuff, but read enough of linux security in the last few weeks of limiting access and general strengthening of linux system. I just want to follow the rule use/install only those tools that are absolutely needed.

A second question
I also want to know if this is right – My preference is to stop web interface of Proxmox by default and start/stop apache2 servicing this web interface on need basis. Because the apache interface is very powerful and will provide console-access each of the VMs directly without any SSH-keys

Any ideas and general advice or pointers are also very very welcome.