Possible ways to reach AKS private cluster pods
Scenario: a dev/test AKS cluster has been deployed on a custom and non-routable VNet. The cluster is using two subnets from this VNet. I have also deployed a bastion host on the same VNet to interface with the cluster using kubectl, helm, etc. This setup works fine. What I'm clueless about now is how to allow our other VNets to reach this cluster's apps, but without establishing a peering.
- I'm not entirely sure if deploying a public load balancer would work. Edit: it did work, but business and IT Sec require an internal one.
- Also, would it be possible to deploy an internal load balancer with the frontend IP in a different VNet and its backend pool point to the AKS (which is in a different VNet)? This would be perfect, but there's no mention about different VNets, only different subnets: https://docs.microsoft.com/en-us/azure/aks/internal-lb.
- Is the Azure Load Balancer the alternative here, or could we try to address the matter by using AKS's own ingress controller (I believe not, right?)
- Lastly, would a custom ingress controller support a different VNet?
Please consider the need to support both http/https apps as well as other L4 protocols.
- Network type (plugin): Azure CNI
- Pod CIDR: -
- Service CIDR: 192.168.1.0/24
- DNS service IP: 192.168.1.100
- Docker bridge CIDR: 172.17.0.1/16
- Network Policy: None
- Load balancer: Standard
- HTTP application routing: Not enabled
- Private cluster: Enabled
- Authorized IP ranges: Not enabled
- Application Gateway ingress controller: Not enabled
Just looking for a direction here on what to research next.
Cheers
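For reference, this is the shape of an internal load balancer Service on AKS as described in the linked internal-lb doc; it is an added example, not part of the question, and the namespace, app label and subnet name are assumptions. The frontend IP is taken from a subnet of the cluster's own VNet, and `loadBalancerSourceRanges` limits which source networks the Standard Load Balancer will accept traffic from.

```yaml
# Added example: internal Azure Load Balancer for an AKS (Azure CNI) service.
# Exposes HTTP/HTTPS plus an extra L4 TCP port through one internal frontend.
apiVersion: v1
kind: Service
metadata:
  name: myapp-internal          # assumed service name
  namespace: dev                # assumed namespace
  annotations:
    # Ask the cloud provider for an internal (private-IP) load balancer.
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    # Place the frontend IP in a specific subnet of the cluster's VNet
    # (assumed subnet name; must exist in the AKS VNet).
    service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "lb-frontend-subnet"
spec:
  type: LoadBalancer
  selector:
    app: myapp                  # assumed pod label
  # Restrict which client CIDRs may reach the frontend (assumed ranges,
  # e.g. the other VNets that need access); everything else is dropped.
  loadBalancerSourceRanges:
    - 10.10.0.0/16
    - 10.20.0.0/16
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 8080
    - name: https
      protocol: TCP
      port: 443
      targetPort: 8443
    - name: custom-l4
      protocol: TCP
      port: 5000
      targetPort: 5000
```

After `kubectl apply`, `kubectl get svc -n dev myapp-internal` shows the private frontend IP under EXTERNAL-IP once Azure has provisioned it.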
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
