Kubernetes Deployment and Node external IPs security risk

I sort of just answered this on your other post I think...

I assume you want secure, ubiquitous connectivity from anywhere in the world. To do this you'll need to deploy the controller and one router (at least) on the internet with public IPs and with "allow" firewall rules, allowing clients to connect to the controller and to the router. This is what is shown in the diagram.

They need outbound access to the internet - yes, but outbound only. Otherwise the private routers couldn't connect to the public routers. But the private routers are private. DENY ALL inbound traffic, no public ports open.

Nearly the same answer as for routers. It needs outbound internet access to the controller, but it does not necessarily need outbound access to the router. It COULD access the private router in private address space and if that private router was linked to the public router, then the service could be accessed.
