The external option does not have to be directly accessible via the Internet. You can still put an Application Gateway (WAF) or Azure Firewall in front of the ASE as a frontend to the public IP address of your ASE, as per your diagram. The ILB option would be using a private IP address on the ASE instead, but still requires the WAF/Firewall in front of it.
https://learn.microsoft.com/en-us/azure/app-service/environment/networking#network-routing