OpenShift Bugs: OCPBUGS-33845

[AWS CAPI install]The source of TCP/22 in master&worker's SG is limited to master&node only

    • Important
    • No
    • Rejected
    • False
      Description of problem:

      After installing an AWS cluster with CAPI for the latest 4.16, I checked the TCP/22 rule in the master's and worker's SGs: the source was limited to the "<cluster_id>-node" and "<cluster_id>-controlplane" SGs.
      
                      {
                          "FromPort": 22,
                          "IpProtocol": "tcp",
                          "IpRanges": [],
                          "Ipv6Ranges": [],
                          "PrefixListIds": [],
                          "ToPort": 22,
                          "UserIdGroupPairs": [
                              {
                                  "Description": "Port 22 (TCP)",
                                  "GroupId": "sg-062320796a693e265",
                                  "UserId": "301721915996"
                              },
                              {
                                  "Description": "Port 22 (TCP)",
                                  "GroupId": "sg-045d04f22471f849f",
                                  "UserId": "301721915996"
                              }
                          ]
                      },
      
      While in a Terraform install, the source of this rule is configured with the VPC CIDR:
      
                      {
                          "FromPort": 22,
                          "IpProtocol": "tcp",
                          "IpRanges": [
                              {
                                  "CidrIp": "10.0.0.0/16",
                                  "Description": "Created By OpenShift Installer"
                              }
                          ],
                          "Ipv6Ranges": [],
                          "PrefixListIds": [],
                          "ToPort": 22,
                          "UserIdGroupPairs": []
                      },
      
      So the current configuration in CAPI will block SSH connections to master and node from any other machine inside this VPC (such as a bastion) that is not associated with the matching SG.
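      An added example (not code from the report or from the installer): it takes the two TCP/22 entries quoted above as constructed copies, in the IpPermissions shape that `aws ec2 describe-security-groups` returns, and decides whether a given client would pass each rule, so a bastion's access can be verified from the live SG output before relying on it. The bastion address 10.0.5.10 and its group sg-bastion are placeholders.

```python
import ipaddress

# Constructed copies of the two TCP/22 ingress permissions quoted in the report,
# in the IpPermissions shape that `aws ec2 describe-security-groups` returns.
CAPI_SSH_RULE = {
    "FromPort": 22, "ToPort": 22, "IpProtocol": "tcp",
    "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
    "UserIdGroupPairs": [
        {"Description": "Port 22 (TCP)", "GroupId": "sg-062320796a693e265", "UserId": "301721915996"},
        {"Description": "Port 22 (TCP)", "GroupId": "sg-045d04f22471f849f", "UserId": "301721915996"},
    ],
}
TERRAFORM_SSH_RULE = {
    "FromPort": 22, "ToPort": 22, "IpProtocol": "tcp",
    "IpRanges": [{"CidrIp": "10.0.0.0/16", "Description": "Created By OpenShift Installer"}],
    "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": [],
}

def covers_port(perm, port, proto="tcp"):
    """True if this permission applies to proto/port ("-1" means all traffic, no ports)."""
    if perm["IpProtocol"] == "-1":
        return True
    return perm["IpProtocol"] == proto and perm["FromPort"] <= port <= perm["ToPort"]

def ssh_allowed(perm, src_ip=None, src_sg=None):
    """Would a client at src_ip and/or a member of security group src_sg pass this
    ingress permission for TCP/22? Prefix lists are not resolved here (that needs an
    API call); describe_sources lists them so an auditor can follow up."""
    if not covers_port(perm, 22):
        return False
    ip = ipaddress.ip_address(src_ip) if src_ip else None
    for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
        net = ipaddress.ip_network(r.get("CidrIp") or r.get("CidrIpv6"))
        if ip is not None and ip.version == net.version and ip in net:
            return True
    # SG sources match on the client's group membership, not on its address,
    # which is why an in-VPC bastion in its own group fails the CAPI rule.
    return any(src_sg and g["GroupId"] == src_sg for g in perm.get("UserIdGroupPairs", []))

def describe_sources(perm):
    """Human-readable list of the permission's sources, for an audit listing."""
    out = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    out += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    out += ["sg:" + g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
    out += ["pl:" + p["PrefixListId"] for p in perm.get("PrefixListIds", [])]
    return out

if __name__ == "__main__":
    # Placeholder bastion: 10.0.5.10 inside the VPC CIDR, in its own group sg-bastion.
    for name, rule in (("CAPI", CAPI_SSH_RULE), ("Terraform", TERRAFORM_SSH_RULE)):
        print(name, describe_sources(rule), "bastion ssh:", ssh_allowed(rule, "10.0.5.10", "sg-bastion"))
```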
      
          

      Version-Release number of selected component (if applicable):

      4.16.0-0.nightly-2024-05-16-092402
            bscott@redhat.com Ben Scott
            rh-ee-gpei Gaoyun Pei