Its probably best to think of LAN and WAN in terms of their literal sense, and not in terms of address type (i.e., private RFC1918 addresses vs global unicast addresses).
A local area network ( LAN ) is a computer network that interconnects computers within a limited area such as a residence, school, laboratory, university campus or office building
A wide area network ( WAN ) is a telecommunications network that extends over a large geographical area for the primary purpose of computer networking.
A LAN is a network that you own & control. The WAN are the networks outside of your organization which interconnect you to the wider internet.
Consul can be used with any IP address. It does not differentiate between public or private addresses. In fact there is no technical difference between the two other than the fact that the Internet community has agreed by policy not to route IPv4 “private” (and to some extent IPv6) addresses across organizational boundaries, which restricts them to a local site.
You can configure Consul to bind to your public IP address. As you’ve highlighted, the primary concern is establishing security at your network perimeter. I would recommend only allowing connectivity to Consul’s ports from trusted IP ranges. Everything else should be denied at your perimeter.
Generally Consul is deployed on dedicated server nodes. However, the decision will largely depend on the scale of your deployment & performance requirements. I recommend reviewing https://www.consul.io/docs/install/performance.html to gain a better understanding of Consul’s CPU, memory, and disk requirements.
Hope this helps.