Funny you say that about using public IP addresses in an internal segment; it stems from back in the day when IP was fairly new. They would just buy a whole batch of public IP addresses, unaware of RFC 1918. Either way, it doesn't have to be a problem: just treat them as private IPs with address hiding through NAT overload and, like you said, DMZ deployments.
Another way of granting 3rd-party access to your network is through a secure portal. F5's APM is very good at that, and can do 2FA authentication as well. S2S VPNs only when constant connectivity is required.