What is the best way to avoid exposing NodePort?

I am trying to avoid exposing the non-standard port in the on-premises cluster. I tried an ingress controller (nginx), and here too a NodePort has to be exposed. Are there any alternatives to avoid the same?

Cluster information:

Kubernetes version: 1.21.1
Cloud being used: bare-metal
Installation method: kubeadm
Host OS: CentOS 7.5
CNI and version: Calico
CRI and version: Docker