The solution was to configure an SSH tunnel on some port of the public computer to each of the other computers in the cloud. Thus, my load balancer serves HTTP traffic on socket 80, is accessible through socket 22, and uses sockets 2222, 2223, 2224, ... to tunnel SSH for non-public cloud instances. On the load balancer (or any public authority) do:
ncat --sh-exec "ncat PRIVATE.SUBNET.IP 22" -l 2222 &
e.g.:
ncat --sh-exec "ncat 10.0.1.1 22" -l 2222 &
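The port-per-instance layout from the answer above, generated by a script (an added example, not part of the original post). It adds two ncat options the post does not use: `--keep-open`, without which a listening ncat exits after its first connection, and `--allow`, which limits the clients that may connect. The function names, the 203.0.113.0/24 admin range and the host name lb.example.com are assumptions.

```sh
#!/bin/sh
# Added example. Function names, the admin CIDR and the host name are assumptions.

# valid_ipv4 ADDR: accept only a dotted quad, because the address is pasted
# into the --sh-exec string and would otherwise be interpreted by a shell.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*|*[0-9][0-9][0-9][0-9]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# forwarder_cmds BASE_PORT ALLOW_CIDR IP...
# Prints one listener command per private instance, on consecutive ports.
#   --keep-open  keep listening after the first SSH session ends
#   --allow      refuse clients outside ALLOW_CIDR (not validated here)
forwarder_cmds() {
    port=$1; allow=$2; shift 2
    for ip in "$@"; do
        if ! valid_ipv4 "$ip"; then
            echo "skipping invalid address: $ip" >&2
            continue
        fi
        printf 'ncat --keep-open --allow %s --sh-exec "ncat %s 22" -l %d &\n' \
            "$allow" "$ip" "$port"
        port=$((port + 1))
    done
}

# ssh_config_stanzas PUBLIC_HOST BASE_PORT IP...
# Prints matching client-side ~/.ssh/config entries, one alias per instance.
ssh_config_stanzas() {
    host=$1; port=$2; shift 2
    for ip in "$@"; do
        valid_ipv4 "$ip" || continue
        printf 'Host private-%s\n    HostName %s\n    Port %d\n' "$ip" "$host" "$port"
        port=$((port + 1))
    done
}

# Constructed sample values (documentation ranges), not taken from the post.
forwarder_cmds 2222 203.0.113.0/24 10.0.1.1 10.0.1.2
ssh_config_stanzas lb.example.com 2222 10.0.1.1 10.0.1.2
```

Every forwarded port is another SSH entry point on the public host, so the load balancer's firewall or security group should apply the same source restriction as `--allow`.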