In some core network, public Internet will be treated as a VRF in the router. But VyOS doesn't seem to have really good support on VRFs.
For example, you can't use IPsec/OpenVPN to punch a tunnel through a VRF (T5049, T4031). And NTP/DNS client can't correctly handle VRF.
e.g. If I set a public accessible DNS server, the dns service works only in ip vrf exec internet ping <some domain>, but not in ping <some domain>.
And source NAT is not working when I want to NAT between two VRFs, too (T3655). VyOS can correct translate the outbound packet in the source nat rule, but doesn't handle the reply (inbound) packet correctly.