There's massive differences of using this compared to throwing some keys on a server and opening 22. These systems use the cloud provider's proxying and authz/authn to dynamically grant access.
One could have a box with no public IP and no open ports and still use this to connect.
No, through their in-house proxy tools such as Session Manager or Identity Aware Proxy or whatever Azure has.
> With an SSH key?
Not at the edge, and not an SSH key you manage. A dynamically generated one managed by the cloud provider which exists just for that session. So, not really, not like you're thinking.
Ssh has 2fa options if that's the real reason.
Fwiw, this guide also suggests setting up a wg connection which is no better than ssh, and probably worse in some ways.