Private LAN foreman server, public compute resources

As part of some custom development and hosting, I'm looking to move my host
management tools into the modern age. My current requirements are pretty
simple, and I'm wondering if someone can give me any warnings or ideas
where to go for best practices?

Currently running foreman on Ubuntu 16.04.
Currently have the locally installed docker-engine configured as a compute

I currently have a public Rackspace-type hosted arrangement that also has a
docker host, and am discussing possibly adding either Xen or esxi hosts as
compute resources. These servers have no ability to initiate communication
to the foreman host - that host is in my private home network.

I'd like to be able to provision and manage hosts from my office desk to
these remote systems, and I'm trying to identify the best way that doesn't
require full-time VPN or SSH tunnels to facilitate access - can foreman
push most things such that I can create tunnels to the public compute
resources? Or must the public compute resources be able to reach back? I
realize for PXE that would probably be a requirement, but for docker I'm
less sure.

Thanks for any thoughts you could share, or directions you could point me.
I'm still digesting the all the great docs.