Two network controllers for public and internal access

I’m looking to have a publicly accessible network controller alongside a controller which lives in a nearly airgapped network. The network controller within the private network has external access, but no other devices do. Ideally, I would like devices to be able to connect to either controller depending on whether they are within the private net or not, and all devices should be able to talk to one another.

Everything I see about network controllers leads me to believe you can only have one active on a network at a time. Instead of that, could I run two separate networks, connect them to each other, and configure client devices to attempt to connect to both?

I think that is the right path, but wanted to get input from the community to see if there are better options.