Not sure there’s a guide on this specifically - but I have talked to at least one user who did set this up.
Note that if you do this - you will have to do the Pulumi deployment from an environment that can reach the endpoint - so either run the Pulumi deployment from the bastion host, or vpn into the private network from the deployment environment.