Remote access according IEC62443 Architecture

According to Cybersecurity IEC62443, Remote Access shall be placed in a DMZ (Level 3.5), whereas SCADA system shall be on the control LAN (level 3) separated by firewall. Some SCADA systems have webserver separated from core modules with local clients, but in Ignition the Gateway basically has all modules in the same gateway.
I know that Ignition can bridge 2 networks (corporate - control) using dual NIC and security zones, but from what I’ve read using dual-home machine isn’t the most secure architecture and I am not sure if it would comply IEC.
I was wondering if I shall add an additional gateway server with Vision module just for DMZ and use distributed tags.
Any suggestion?

For what it’s worth, I can say that setup works, we do almost that exact setup for hosting read-only mobile clients who connect over VPN. There’s a Vision module Gateway setup on the corporate IT network, and our control Gateway gives it read-only tag access across the firewall using security zones. Works great to keep all those remote devices off my control network!

Thanks a lot for the answer!