This would be a common setup. They allow SSH ingress so that the server can be managed or provisioned with something like Ansible. However, they block all other unused ingress ports, as well as any egress that does not contribute to the function of the server. Also common would be a bastion or VPN to get to the network where SSH is accessible. A mistake is to have SSH accessible to the entire corporate network, which is all too common.