
You can conceal that open port with some form of port knocking. Though this does reinforce your "easy" point.

Also, if it's a UDP port, then using a protocol that expects the first client packet to be pre-authenticated and not emitting any response otherwise gets you pretty damn close to having this port closed.





Thanks for the suggestion!

I looked into it but it seems that port knocking and Single Packet AuthZ literally open the firewall and expose the port when used.

Meaning it is great to reveal the SSH port when needed, do your business quickly and close it back when you are done. But my guess is those overlay networks need the port available all the time, so...


Port knocking should open up the port for the IP that sent the knock. Not for everyone.
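The two points made in this thread, a UDP listener that stays silent unless the first packet authenticates and a knock that opens the port only for the sending IP, as an added example that is not from any commenter or from a real tool. The packet layout (timestamp, nonce, HMAC-SHA256 tag), the key, the time windows and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

KEY = b"constructed-demo-key-not-for-production"  # assumption: pre-shared secret
MAX_SKEW = 30      # seconds a knock stays valid
ALLOW_TTL = 60     # seconds the sender's IP stays allowed
PACKET_LEN = 8 + 16 + 32  # timestamp + nonce + HMAC-SHA256 tag


def make_knock(key, now):
    """Client side: build the single pre-authenticated packet."""
    body = struct.pack(">Q", int(now)) + os.urandom(16)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class KnockGate:
    def __init__(self, key):
        self.key = key
        self.seen = {}      # nonce -> timestamp, to reject replays
        self.allowed = {}   # source IP -> expiry time

    def handle_packet(self, data, src_ip, now):
        """Return True if the packet authenticates. The caller sends no reply
        on this port either way, so a scanner sees the same silence it would
        get from a firewall that drops the packet."""
        if len(data) != PACKET_LEN:
            return False
        body, tag = data[:24], data[24:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False
        ts = struct.unpack(">Q", body[:8])[0]
        nonce = body[8:]
        if abs(now - ts) > MAX_SKEW or nonce in self.seen:
            return False
        # Forget nonces whose timestamps can no longer pass the skew check.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        self.seen[nonce] = ts
        self.allowed[src_ip] = now + ALLOW_TTL   # only the sender, not everyone
        return True

    def is_allowed(self, src_ip, now):
        return self.allowed.get(src_ip, 0) > now
```

In a real deployment the `allowed` table would drive a per-source firewall rule; here it is an in-memory dictionary so the logic can be run offline.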


