By default all connections between every provided node are secured via TLS by easyrsa, including the etcd cluster.
This page explains the security considerations of a deployed cluster and production recommendations.
This page assumes you have a working Juju deployed cluster.
The TLS and easyrsa implementations use the following layers.
layer-tls-client layer-easyrsa
By default the administrator can ssh to any deployed node in a cluster. You can mass disable ssh access to the cluster nodes by issuing the following command.
juju model-config proxy-ssh=true
Note: The Juju controller node will still have open ssh access in your cloud, and will be used as a jump host in this case.
Refer to the model management page in the Juju documentation for instructions on how to manage ssh keys.