Use of Apiserver Network Proxy instead of SSH tunnels

Hello K8s Community!
I have a Kubernetes cluster in an uncommon configuration. My master services (kube-apiserver, kube-controller-manager, kube-scheduler, etcd) run in an isolated, private network. The apiserver is published to the Internet by NAT. Nodes are in a different private network, and every node has a public IP address.
Communication from nodes to the apiserver works flawlessly, but I also need backward communication. To solve this problem, I used SSH tunnels - the apiserver set up an SSH tunnel to every node, through the public network - and the setup worked fine.

But I want to leave SSH tunnels and switch to the new Apiserver Network Proxy. I set up Kubernetes 1.16, and what should I do now? The documentation isn’t clear to me. As I understand, I have to run proxy pods on my nodes and set up a service for them, but what should I do on the kube-apiserver side?
How should I configure kube-apiserver to use the new proxy mode to reach the services inside the cluster network?