In my experience the appropriate firewall rules for SSH are to rate limit connections. You could have a allow list for IP address, but for a bunch of the servers I run that is a none starter. Think login nodes for a HPC cluster and our users are coming from all over the place. And no my servers didn't get hacked unlike a bunch of other HPC sites inthe UK and Europe

The collective experience is you can't trust fricking users because they generate private SSH keys that are not protected with a passphrase, and you can't check what the idiots are doing. Consequently SSH key logins have been disabled (never liked them for this very reason). So decent password, three unsuccessful logins IP banned for 5 minutes. Sure the user might write the password down (though this is super unlikely in our scenario as it's their AD password and it's regularly needed). However some state sponsored hacker in China cant see the postit note in your draw unlike your SSH key.
Oh and I would strongly recommend making sure your known_hosts file is hashed. Default on Ubuntu/Debian, not on RHEL derivatives.
On a related note I have setup site to site VPN's between two Edgerouters, and between an Edgerouter and a Draytek. Though I can't get a CentOS 7 box to talk to an Edgerouter. I tend not to use the web interface on the Edgerouters. In fact I can't think when I last logged on, I have a feeling they may be disabled.