Best way to deploy a webapp that has some public part but most of it is used from intranet

If I want to design a system which has some public components that can be used from the internet. However, most part of the app is to be used from intranet and for security reason, we never want that part to be public accessible.

Now, I think its enough to block the private 开发者_StackOverflowpart by firewall and allow only the public portion from Internet. But what do you think? What is the best approach? Should we deploy two servers one public / other private just to be 100% sure?

I would prefer physical split better. You mitigate security issues and risks on infrastructure level already. Sharing some code fragments in both applications worth if comparing with risk you taking when deploying features available only for intranet users to public..

One approach is to have 2 separate apps, one for public and one for internal, possibly using common components. Have a process(es) migrate the data from one to another.