Accepted Solutions
Firstly you need to understand that routed vapp means there is already a routing in place.There are multiple scenarios were you might need a routing for a vapp network, for eg you have a vapp network connected to routed org vdc network -A, You have one more vapp network connected to another org vdc network B . If there is a requirement for ORG VDC A need to communicate with ORG VDC B , you can configure Routes at Edge level of Org VDC A&B ,not just static routing,dynamic routing is also supported if you are using NSX Edges.
With regards to public network access, you can simply NAT private IP of the VCD VM with Public IP which would be usually part of sub allocation pool of NSX/VCNS Edge device,that way the rule will be x.x.x.x(private) Translates to Y.Y.Y.Y(Public) with respective port numbers and firewall rules for ingress/outgress traffic. Choice is yours whether you need separate Public for each Private IP or it can be 1:Many NAT as well. Routing and NAT will not secure your network,rather it will establish network connectivity. This is were VPN will benefit ,so in that case all your Internal Networks in VCD will be able to communicate with Internal Networks in your organisation or may be a different site altogether via Public network and establish a secure IP Sec tunnel. KB is very well documented for IPSEC -->Configuring IPsec VPN within VMware vCloud Air to a remote network (2051370) | VMware KB . Let me know if you have any further queries 
Firstly you need to understand that routed vapp means there is already a routing in place.There are multiple scenarios were you might need a routing for a vapp network, for eg you have a vapp network connected to routed org vdc network -A, You have one more vapp network connected to another org vdc network B . If there is a requirement for ORG VDC A need to communicate with ORG VDC B , you can configure Routes at Edge level of Org VDC A&B ,not just static routing,dynamic routing is also supported if you are using NSX Edges.
With regards to public network access, you can simply NAT private IP of the VCD VM with Public IP which would be usually part of sub allocation pool of NSX/VCNS Edge device,that way the rule will be x.x.x.x(private) Translates to Y.Y.Y.Y(Public) with respective port numbers and firewall rules for ingress/outgress traffic. Choice is yours whether you need separate Public for each Private IP or it can be 1:Many NAT as well. Routing and NAT will not secure your network,rather it will establish network connectivity. This is were VPN will benefit ,so in that case all your Internal Networks in VCD will be able to communicate with Internal Networks in your organisation or may be a different site altogether via Public network and establish a secure IP Sec tunnel. KB is very well documented for IPSEC -->Configuring IPsec VPN within VMware vCloud Air to a remote network (2051370) | VMware KB . Let me know if you have any further queries