My PAM Cluster has to be accessed from outside my company, so I made the PAM Cluster Virtual IP Address (VIP) public for such a purpose.
However, no one can connect from outside to PAM.
Privileged Access Manager
Version: 2.x, 3.x
If the PAM cluster has to be accessed from outside the company and no third-party load balancer is used, then the VIP (Virtual IP Address) of the cluster and the IP addresses of the cluster nodes must all be public addresses.
If the PAM cluster has to be accessed from outside the company and a third-party load balancer is used, then, depending on how it works, only the VIP of the PAM cluster must be a public address.
The node addresses must be public when no third-party load balancer is used because the PAM internal load balancer verifies the nodes' availability and then just diverts the communication to one of the cluster nodes: the PAM Client workstation communicates with the selected PAM server itself, and this communication becomes permanent.
Some third-party load balancers can have more sophisticated algorithms that manage the connections internally: they present a common entry point (the VIP) and divert traffic to other subnets where the PAM nodes reside. The PAM Clients therefore remain connected to the load balancer VIP and not to the IP addresses of the nodes themselves. In this case, only the VIP should be a public address.
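
The following check applies the two cases above to an addressing plan before the cluster is exposed. It is an added example, not code from the product or its vendor. The function names, the list of non-public ranges and the sample addresses are assumptions made for illustration, and the third-party case assumes a load balancer that keeps clients connected to the VIP.

```python
import ipaddress

# Ranges that cannot be reached from the Internet: RFC 1918, CGNAT,
# loopback, link-local, and the IPv6 equivalents. Assumed list for this example.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]


def is_public(addr):
    """True if addr falls outside every non-public range listed above."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_PUBLIC)


def audit_addressing(vip, nodes, third_party_lb):
    """Return (role, address) pairs that must be public but are not."""
    required = [("VIP", vip)]
    if not third_party_lb:
        # Internal load balancer: the client ends up talking to the
        # selected node directly, so every node address must be public too.
        required += [(f"node{i}", n) for i, n in enumerate(nodes, 1)]
    return [(role, a) for role, a in required if not is_public(a)]


# Constructed sample plan; documentation addresses stand in for public ones.
SAMPLE_VIP = "203.0.113.10"
SAMPLE_NODES = ["10.20.0.11", "10.20.0.12", "203.0.113.13"]

if __name__ == "__main__":
    for lb in (False, True):
        findings = audit_addressing(SAMPLE_VIP, SAMPLE_NODES, lb)
        print("third-party LB:", lb, "->", findings or "OK")
```

A plan that passes only with `third_party_lb=True` matches the situation described at the top of this page: the VIP is public, but clients diverted to a node cannot reach it.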