You need to reduce the external attack surface of a Linux bastion host by removing its public IP address, while still allowing Site Reliability Engineers (SREs) to access it from public locations to reach the internal VPC. How should you provide this access?