Can I deploy a private IPFS network over the public internet?

If a few bootstrap nodes and client nodes (could be many, but only pointing to the few bootstrap nodes above) are all on the public internet, is it still possible to form a private IPFS network which only allows access for the bootstrap nodes and client nodes mentioned above?

I think the answer is no: nodes joining the private network need to be configured for it (using the swarm key), and therefore cannot use the public bootstrap nodes. A private network needs to provide its own bootstrappers (or ensure a local discovery method like mDNS works).

I understand that the private IPFS network has to have its own bootstrap nodes. My question is whether the private IPFS network can be built using nodes on the public internet. For example, both the bootstrap nodes and the client nodes are on the public internet, but those nodes can still form a private IPFS network.

No, since nodes in the private network cannot communicate with the public bootstrappers…

But if they set up their own bootstrap nodes, it would work, right?

Yes. It will also work if peers are on a LAN and mDNS is enabled and allowed (they will autodiscover without bootstrappers).
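
The setup discussed in this thread (a shared swarm key plus the network's own bootstrappers), as an added example that is not part of the original posts. It assumes the Kubo `ipfs` CLI; the function names and the bootstrap multiaddr are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: private IPFS network setup for a Kubo node.
# Assumptions: repo lives at $IPFS_PATH (default ~/.ipfs); the same
# swarm.key is copied out-of-band to every bootstrap and client node.

# Write a new pre-shared swarm key (32 random bytes, hex-encoded) to $1/swarm.key.
gen_swarm_key() {
    dir=$1
    key=$(od -An -N32 -tx1 /dev/urandom | tr -d ' \n')
    # Subshell so the restrictive umask does not leak into the caller.
    ( umask 077
      printf '/key/swarm/psk/1.0.0/\n/base16/\n%s\n' "$key" > "$dir/swarm.key" )
}

# Return 0 if $1 is a well-formed swarm key file, non-zero otherwise.
check_swarm_key() {
    f=$1
    [ -f "$f" ] || return 1
    [ "$(sed -n 1p "$f")" = "/key/swarm/psk/1.0.0/" ] || return 2
    [ "$(sed -n 2p "$f")" = "/base16/" ] || return 3
    sed -n 3p "$f" | grep -Eq '^[0-9a-f]{64}$' || return 4
}

# Point this node at the private network's own bootstrapper only.
# $1 = multiaddr such as /ip4/<BOOTSTRAP_IP>/tcp/4001/p2p/<BOOTSTRAP_PEER_ID>
join_private_net() {
    check_swarm_key "${IPFS_PATH:-$HOME/.ipfs}/swarm.key" || {
        echo "swarm.key missing or malformed; not starting" >&2
        return 1
    }
    ipfs bootstrap rm --all     # drop the public default bootstrappers
    ipfs bootstrap add "$1"     # add the private network's bootstrapper
    # With LIBP2P_FORCE_PNET=1 the daemon refuses to start without a swarm
    # key instead of silently joining the public network.
    LIBP2P_FORCE_PNET=1 ipfs daemon
}
```

Run `gen_swarm_key` once, distribute the resulting file to every node's repo directory, then call `join_private_net` on each node with the multiaddr of your own bootstrap node.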