Is it possible to SSH to a virtual machine without public IP, inside an ESXI 6.7 with public IP?
Solution 1:
I insist on correct terminology. "static" or "dynamic" is how you configure IP address to the machine (in the config file, via DHCP or whatever). "public" or "private" is which class this address belongs to, these classes are defined by IANA, in particular private addresses are defined in the RFC1918.
You still call public address static, ignoring that I corrected you in the comment up there. This is disappointing. My next communication will assume if you say static you meant static, so better refer to things correctly.
Nobody taxes for staticness or dynamicness of address, because it is silly and stupid. But the world is short on globally routable ("public") IPs and so these are costly nowadays, so I understand your desire to minimize their usage.
I recommend always having a dedicated public IP on the virtualization host system, for it to be accessible always, and another one for its BMC (iLO in your case); it may save you a lot of hassle when you have problems with the hypervisor or drives or RAID or other core hardware. And then you'll need at least one more (third) public IP address for the virtual router, which will do NAT for the rest.
If you want to dedicate VM-1 to be your router with NAT, it must have two vNICs, one with a public IP towards the internet and the other in the virtual network together with the other virtual machines. Other machines must have only one vNIC towards the private NIC of the router VM-1; configure them so their default gateway is the private IP of VM-1.
Now, treat it like an ordinary software router; I'd install Linux on it and do the usual NAT with iptables. You may also use it as a VPN endpoint; that will be desirable in some cases. There are plenty of manuals on this topic on the Internet, including ServerFault.
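
An added example, not part of the original answer: a ruleset generator for the router VM-1 described above, which masquerades the private network and forwards one public port to SSH on an internal VM. The interface names (`eth0` public, `eth1` private), the `192.168.10.0/24` network, the VM address and port 2222 are all constructed assumptions.

```shell
#!/bin/sh
# Added example; interface names, addresses and ports are constructed.

# is_rfc1918 ADDR: succeed only for a dotted quad in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs   # split into octets
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    [ "$1" -eq 10 ] && return 0
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
    return 1
}

# gen_nat_rules WAN_IF LAN_IF LAN_CIDR WAN_PORT VM_IP
# Print an iptables-restore ruleset: masquerade LAN_CIDR out of WAN_IF and
# forward TCP WAN_PORT arriving on WAN_IF to VM_IP:22. Nothing is applied here.
gen_nat_rules() {
    wan=$1 lan=$2 cidr=$3 port=$4 vm=$5
    # Reject interface names with unexpected characters.
    case "$wan$lan" in ''|*[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 2 ;; esac
    case "$port" in ''|*[!0-9]*) echo "bad port" >&2; return 2 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port" >&2; return 2; }
    # Only forward to private addresses (the prefix length itself is not checked).
    is_rfc1918 "$vm" || { echo "VM address is not RFC 1918" >&2; return 2; }
    is_rfc1918 "${cidr%/*}" || { echo "LAN is not RFC 1918" >&2; return 2; }
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $wan -p tcp --dport $port -j DNAT --to-destination $vm:22
-A POSTROUTING -s $cidr -o $wan -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $cidr -j ACCEPT
-A FORWARD -i $wan -o $lan -p tcp -d $vm --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Constructed sample: public port 2222 reaches SSH on the VM at 192.168.10.20.
gen_nat_rules eth0 eth1 192.168.10.0/24 2222 192.168.10.20
```

The output is meant to be loaded with `iptables-restore` as root on the router VM, with `net.ipv4.ip_forward` set to 1. It covers only NAT and forwarding, so rules protecting the router's own INPUT chain have to be added to the same ruleset.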