If you already have authentication and authorization in front of every service in your internal network (unlikely), it's as easy as making everything routable from the internet.
If not (more likely) you need to start there, which will improve your security posture incrementally, even if the beyondcorp project gets cancelled along the way.
I will add that in the case of authentication before each service, it is important that it does not happen in the application itself, but before reaching it, which usually means either network centralization (e.g. Teleport) or authentication proxy (Traefik + forward auth + proxy, GCP identity-proxy, AWS Verified Access). It is also important to centralize the identity provider, of course, which in the times of SAML / OAuth is easily achievable even for small organizations.
If not (more likely) you need to start there, which will improve your security posture incrementally, even if the beyondcorp project gets cancelled along the way.