NextCloud version: 15.0.2
Apache or nginx version (eg, Apache 2.4.25) : Apache
PHP version: 7.2.1.6
The issue you are facing:
currently we are having users in the internal/private network and also public users, who can access from the internet.
Now we want to restrict the internal users connecting to the own cloud from the internet. And provide only to specific users/group to access from the internet.
Networks : private network and one natted public network to access to nextcloud.
If you have such kind of strict policies, I would create 2 instances for externals and internals and share content in between per federation feature. In this case you can have pure different access and other policies, as also make internal nextcloud not accessible from the internet.