Intranet vs Public Networking
Private internal networks versus the open public internet — when to wall things off and when to let the world in.
The short answer
Public Networking over Intranet for most cases. An intranet is a posture, not a destination.
- Pick Intranet if you have genuinely air-gapped or compliance-bound workloads (OT/ICS, classified data, lab equipment) that legally cannot touch the public internet, and a stable on-site user base
- Pick Public Networking if you have remote users, cloud services, SaaS dependencies, or any future where the perimeter dissolves — which is everyone now
- Also consider: The real answer for most orgs is neither pure intranet nor naked public exposure: it's zero-trust — public reachability with identity-aware proxies (Tailscale, Cloudflare Access, BeyondCorp) authenticating every request.
— Nice Pick, opinionated tool recommendations
The perimeter is already dead
The intranet's core promise — "inside the wall is trusted" — broke the day your laptop left the office. VPNs tried to extend the wall and gave you a slow, brittle tunnel that, once breached, hands an attacker the entire flat internal network. That's how ransomware spreads: one phished credential, lateral movement across a soft interior. Public networking forces the honest position from day one: nothing is trusted by location, everything authenticates. You stop pretending a network segment is a security control. Castle-and-moat architecture assumes attackers stay outside; in 2026 they're already inside, on a contractor's laptop or a compromised dependency. The intranet doesn't make that go away — it just lets you sleep through it. A public-by-default posture with per-request identity is less comfortable and far more honest about who's actually on your network.
Operational cost of the wall
Intranets are expensive in ways that don't show up on a diagram. Split-horizon DNS, VPN concentrators, jump boxes, internal CAs that nobody remembers to rotate, firewall rules that calcify until no one dares delete one. Every new contractor, every remote hire, every acquired team becomes a networking ticket. Onboarding a vendor to one internal app means VPN access to far more than that app. Meanwhile public networking with an identity-aware proxy makes access a policy line, not a routing change: grant this user this app, revoke in seconds, audit every request. The intranet's hidden tax is human — the network team becomes a bottleneck for everything. You pay it in latency, in support tickets, and in the security debt of rules nobody owns. Walls feel cheap to build and cost a fortune to maintain.
Where the intranet still earns it
I'm decisive, not delusional. There are workloads that belong off the public internet entirely: industrial control systems, medical lab equipment, classified networks, manufacturing OT where a firmware-locked PLC can't run a modern TLS stack or an identity agent. Air-gapping is a legitimate, sometimes legally mandated control there — and "just put zero-trust on it" is the answer of someone who's never met a 15-year-old SCADA box. For these, the intranet isn't nostalgia; it's the correct architecture. But notice the shape: these are narrow, physically bounded, low-churn environments with on-site operators. That is not your CRM, your wiki, your dashboards, or your dev tooling. If your "intranet" is hosting business apps for knowledge workers, you've taken a control built for turbines and applied it to spreadsheets.
The pick, stated plainly
Public Networking wins because it's where every serious security model now starts. "Zero trust" is just the formalization of treating the network as hostile — which it is, including the part you call internal. Cloudflare Access, Tailscale, BeyondCorp, Okta-fronted apps: these give you public reachability with identity enforced at every hop, full audit logs, and access that follows the user instead of the cable. You get remote work for free, SaaS integration for free, and you stop maintaining a moat that an attacker crosses with one stolen password. Keep a true intranet only for the narrow, regulated, air-gapped cases that genuinely demand it — and call that what it is, an exception, not your default. Build public-first, authenticate everything, segment by identity not by subnet. The wall was never the security. The wall was the illusion of it.
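To make the difference between "trust by subnet" and "authenticate every request" concrete, here is a small added example in Python. It is not code from Nice Pick or from any of the products named above; the signing key, the token format, the grant table and the IP ranges are all constructed for the demonstration (a real identity-aware proxy would validate IdP-issued tokens such as OIDC JWTs with asymmetric keys). The perimeter policy allows any app to anyone whose packet arrives from an "internal" range, so a stolen credential on an internal host reaches everything. The identity-aware policy ignores location, verifies a signed token on every request, checks an explicit per-app grant, writes an audit record for each decision, and revokes access by deleting one policy line.

```python
import base64
import hashlib
import hmac
import ipaddress
import json
import time

# Hypothetical identity-provider signing key (constructed for this example only).
IDP_KEY = b"example-idp-signing-key"

# Perimeter model: the network segment is the control (constructed range).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Identity model: access is a policy line per (subject, app) (constructed grants).
GRANTS = {
    "alice@example.com": {"wiki", "crm"},
    "vendor@contractor.example": {"ticketing"},
}

# Every decision made by the identity-aware proxy is recorded here.
AUDIT_LOG = []


def mint_token(subject, ttl_seconds=300, now=None):
    """Mint an HMAC-signed bearer token carrying {sub, exp}; stands in for an IdP-issued token."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": subject, "exp": now + ttl_seconds}, sort_keys=True).encode()
    sig = hmac.new(IDP_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def verify_token(token, now=None):
    """Return the subject if the signature checks out and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(IDP_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def tamper_subject(token, new_subject):
    """Rewrite the subject claim but keep the old signature: models a forged token."""
    payload_b64, sig_b64 = token.split(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    claims["sub"] = new_subject
    forged = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(forged).decode() + "." + sig_b64


def perimeter_decide(src_ip, app):
    """Castle-and-moat: anything inside the wall reaches any app; the app name is irrelevant."""
    inside = any(ipaddress.ip_address(src_ip) in net for net in INTERNAL_NETS)
    return "allow" if inside else "deny"


def identity_aware_decide(src_ip, app, token, now=None):
    """Identity-aware proxy: location is ignored; each request needs a valid token and an explicit grant."""
    subject = verify_token(token, now=now)
    if subject is None:
        decision, reason = "deny", "invalid or expired token"
    elif app not in GRANTS.get(subject, set()):
        decision, reason = "deny", "no grant for app"
    else:
        decision, reason = "allow", "granted"
    AUDIT_LOG.append({"src_ip": src_ip, "app": app, "subject": subject,
                      "decision": decision, "reason": reason})
    return decision


def revoke(subject, app):
    """Revocation is deleting one policy line; no routing or firewall change involved."""
    GRANTS.get(subject, set()).discard(app)


if __name__ == "__main__":
    # A contractor's credential used from an internal host against an app they were never granted.
    print("perimeter:", perimeter_decide("10.1.2.3", "crm"))            # allow: inside the wall
    vendor = mint_token("vendor@contractor.example")
    print("identity :", identity_aware_decide("10.1.2.3", "crm", vendor))       # deny: no grant
    print("identity :", identity_aware_decide("203.0.113.9", "ticketing", vendor))  # allow: from anywhere
    revoke("vendor@contractor.example", "ticketing")
    print("identity :", identity_aware_decide("203.0.113.9", "ticketing", vendor))  # deny: revoked
    for entry in AUDIT_LOG:
        print(json.dumps(entry))
```

The two policy functions are the whole comparison: `perimeter_decide` never looks at who is asking or for what, while `identity_aware_decide` never looks at where the packet came from. Note what falls out of that: a forged or expired token is rejected before any grant is consulted, every decision has a subject attached for audit, and the blast radius of one compromised identity is exactly the set of apps in its grant line.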
Quick Comparison
| Factor | Intranet | Public Networking |
|---|---|---|
| Remote / distributed workforce | Requires VPN; slow, brittle, broad lateral access once in | Native — identity-aware access follows the user anywhere |
| Breach blast radius | Flat interior; one credential = lateral movement everywhere | Per-request auth contains compromise to a single grant |
| Operational maintenance | Split DNS, VPN, jump boxes, calcified firewall rules | Access is a policy line, granted/revoked in seconds |
| Air-gapped / OT / regulated workloads | Correct and sometimes legally mandated control | Often impossible — legacy devices can't run identity agents |
| SaaS / cloud integration | Fights the cloud; everything needs a tunnel back inside | Assumes the cloud; integrates without perimeter gymnastics |
The Verdict
Use Intranet if: You have genuinely air-gapped or compliance-bound workloads (OT/ICS, classified data, lab equipment) that legally cannot touch the public internet, and a stable on-site user base.
Use Public Networking if: You have remote users, cloud services, SaaS dependencies, or any future where the perimeter dissolves — which is everyone now.
Consider: The real answer for most orgs is neither pure intranet nor naked public exposure: it's zero-trust — public reachability with identity-aware proxies (Tailscale, Cloudflare Access, BeyondCorp) authenticating every request.
An intranet is a posture, not a destination. The moment your users are remote, your services are SaaS, and your auth lives in an identity provider, the "private network" stops being a security boundary and becomes a maintenance tax. Public networking with zero-trust identity at every hop is where the industry actually landed — and where you should land too.
Disagree? nice@nicepick.dev