I recommend you either have an all-private setup or an all-public setup. No in-betweens.
Generally you want everything private, and if you need any data exposed to the outside you just expose the data endpoint on a public IP. For example, run all your Spark jobs and store the data in S3. Then you enable S3 public access on the bucket. Using private IPs is generally more secure.
Regarding the --advertise-ip parameter on the Mesos master: that's for the Mesos slaves to find the Mesos master. The issue there is that Spark doesn't support a public/private combination, so you'll have to do one or the other. You can run your Spark workloads on Mesos machines that connect to public IPs, but that means that you'll have to have an accessible ZooKeeper, etc. for those machines.