All Nutanix clusters that run on third-party hypervisors share the same problem: how to communicate with that hypervisor.
A Controller VM (CVM) performs an array of tasks, many of which are triggered by the state of the host. In addition, a range of health checks runs regularly to ensure the cluster's health. On ESXi, the CVM collects this information via SSH. Turning off the SSH service on a host results in a multitude of health errors.
While a recommendation exists to keep the SSH service down on ESXi hosts and only bring it up for ad-hoc tasks, this is not the way with Nutanix. Instead, look at strengthening network security. Consider limiting SSH access to the hosts to a small number of network segments that are well protected by multiple additional layers of firewalls, two-factor authentication and whatnot.
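One way to apply that restriction on the host itself is the ESXi firewall's `sshServer` ruleset; this is an added example, not part of the original post. The script only prints the `esxcli` commands for review, the subnets are constructed, and 192.168.5.0/24 as the internal CVM-to-host network is an assumption to confirm on your own cluster.

```shell
#!/bin/sh
# Added example: print the esxcli commands that restrict the ESXi "sshServer"
# firewall ruleset to an allowlist. Dry run only: nothing is executed.

# Assumption: internal CVM-to-host network. Confirm it on your own cluster.
CVM_INTERNAL_NET="192.168.5.0/24"

# Return 0 if $1 is a well-formed IPv4 address or IPv4 CIDR.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    addr=${1%/*}
    old_ifs=$IFS; IFS=.
    for octet in $addr; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    return 0
}

# Usage: ssh_allowlist_cmds CIDR...
# Prints nothing and fails if a source is malformed or the CVM network is
# missing, because a CVM that cannot SSH to its host raises health errors.
ssh_allowlist_cmds() {
    has_cvm=0
    for src in "$@"; do
        valid_cidr "$src" || { echo "invalid source: $src" >&2; return 2; }
        case "$src" in "$CVM_INTERNAL_NET") has_cvm=1 ;; esac
    done
    if [ "$has_cvm" -ne 1 ]; then
        echo "refusing: $CVM_INTERNAL_NET is not in the allowlist" >&2
        return 3
    fi
    # Switch the ruleset from allow-all to an allowlist, CVM network first.
    echo "esxcli network firewall ruleset set --ruleset-id=sshServer --allowed-all=false"
    echo "esxcli network firewall ruleset allowedip add --ruleset-id=sshServer --ip-address=$CVM_INTERNAL_NET"
    for src in "$@"; do
        [ "$src" = "$CVM_INTERNAL_NET" ] ||
            echo "esxcli network firewall ruleset allowedip add --ruleset-id=sshServer --ip-address=$src"
    done
    # Final command shows the resulting allowlist for verification.
    echo "esxcli network firewall ruleset allowedip list --ruleset-id=sshServer"
}

# Constructed sample: CVM network, a management subnet, a jump-host segment.
ssh_allowlist_cmds "$CVM_INTERNAL_NET" 10.0.10.0/24 10.0.99.0/28
```

Include the subnet that holds the CVMs' external addresses as well if your CVMs reach other hosts over the management network, and check cluster health after applying the commands on one host before rolling them out to the rest.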
Stay safe, stay secure.