Hacker News

And this is why you use 2FA and put this behind a corporate VPN in RFC 1918 space. Why they are just planning for that now is amusing.

"Our support tool includes an 'impersonate' feature that enables MongoHQ employees to access our primary web UI as if they were a logged in customer"



2FA and VPNs are not the only way to secure things. X.509, bastion servers, airgaps that require physical access to a secure facility, etc. are also valid options, depending on your systems and their configuration.


Granted, but an airgap would make working with some internal support tool a bit cumbersome :)

Bastion servers, if properly firewalled, might be OK for a short-term solution. The concern there is, if you allow unfettered ssh (for example), is someone watching for the inevitable brute-forcing that will ensue?


Mandatory SSH keys mitigate the brute-forcing risk and turn it into a nuisance. My employer presently has this arrangement and has done so for a while. Bastions only get you in the door: different entrances for different environments, and users' keys are only propagated to the machines they need.


Roger that. I keep thinking of my customer support people as non-technical and for whom ssh keys, port forwarding & bastion hosts are way over their heads but your point is taken. There are other (cheaper!) ways to secure an internal network.


Disable login via password, install fail2ban to help with the extra overhead/traffic.


If you have ssh running anywhere, please disable password access. Use keys. It should come installed like that.
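One way to check that the advice in the last two comments (no password logins, keys only, plus a restricted root login on a bastion) actually took effect, as an added example that is not part of the thread: a small bash audit of an sshd_config, run over two constructed sample files. It mirrors sshd's first-value-wins rule for repeated keywords; the keyword names and defaults are OpenSSH's, the function names are hypothetical, and Match blocks are not handled.

```bash
#!/usr/bin/env bash
# Audit an sshd_config for the settings discussed above. sshd uses the
# FIRST value it sees for a keyword, so a later "PasswordAuthentication no"
# does not override an earlier "yes"; this check mirrors that rule.
# Limitation (assumption of this example): Match blocks are not handled.

# Print the effective (first) value of a keyword, case-insensitively,
# skipping comments and blank lines; print the default if it is unset.
sshd_effective() {   # usage: sshd_effective <config-file> <Keyword> <default>
  local file=$1 key default=$3 val
  key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  val=$(awk -v k="$key" '
    /^[[:space:]]*(#|$)/ { next }
    tolower($1) == k     { print tolower($2); exit }' "$file")
  printf '%s\n' "${val:-$default}"
}

# Print one WEAK line per finding; return 0 only when none is found.
# Defaults below are OpenSSH's when the keyword is absent.
audit_sshd_config() {   # usage: audit_sshd_config <config-file>
  local file=$1 rc=0
  [ "$(sshd_effective "$file" PasswordAuthentication yes)" = yes ] &&
    { echo "WEAK: PasswordAuthentication is effectively yes"; rc=1; }
  [ "$(sshd_effective "$file" KbdInteractiveAuthentication yes)" = yes ] &&
    { echo "WEAK: KbdInteractiveAuthentication is effectively yes (PAM password prompts)"; rc=1; }
  [ "$(sshd_effective "$file" PubkeyAuthentication yes)" = no ] &&
    { echo "WEAK: PubkeyAuthentication is disabled"; rc=1; }
  [ "$(sshd_effective "$file" PermitRootLogin prohibit-password)" = yes ] &&
    { echo "WEAK: PermitRootLogin yes"; rc=1; }
  return $rc
}

# Constructed sample configs (not from the thread): a misordered file whose
# trailing "no" is silently ignored by sshd, and a hardened bastion file.
weak_cfg=$(mktemp); hardened_cfg=$(mktemp)
trap 'rm -f "$weak_cfg" "$hardened_cfg"' EXIT
cat >"$weak_cfg" <<'EOF'
# Port 22
PasswordAuthentication yes
PermitRootLogin yes
# too late: sshd keeps the first value seen above
PasswordAuthentication no
EOF
cat >"$hardened_cfg" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
EOF
echo "== weak =="; audit_sshd_config "$weak_cfg" || true
echo "== hardened =="; audit_sshd_config "$hardened_cfg" && echo "OK: no weak settings"
```

Point `audit_sshd_config` at the real `/etc/ssh/sshd_config` (or the output of `sshd -T`, which already resolves defaults and ordering) to check a live host.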


I bet many products have a similar 'impersonate' feature. Nothing wrong with that if you take proper precautions.


Nope. Having it on the external internet is what's wrong here.



