Putting myself in a customer perspective, with presumption that customer has solid technical competence.
If you have multiple offices, you should confirm that L2VPN product you're offered is multipoint, any-to-any solution, like VPLS. Then ask how many MAC addresses can be in each sites, how are bcast/mcast/unknown unicast limited. If there are no limitation, it likely is not a good news, then it might mean if some other customer fills MAC table, you'll suffer as well.
It would be prudent to test that limits are enforced.
I would shy away from getting Internet access in L2VPN or L3VPN, it will probably contain several SPOFs as implemented by operator, you might be more comfortable controlling those SPOFs yourself, so you don't have to wait for operator to fix something while all your offices are without Internet.
Having said that, both L2VPN and L3VPN commonly are provided with Internet access. In L2VPN (particularly ELAN/VPLS) it's actually very easy, provided you're using routable IP addresses, as then operator will just drop in IRB interfaces in the L2VPN instance acting as your default-gw inside the operator network, HSRP/VRRP if needed.
In L3VPN Internet Access product probably assumes RFC1918 addresses and there likely is no ability to order direct INET connection to each site, from closest PE. Only option likely offered is centralized firewall, which may or may not contain large amount of SPOFs.
In either case, please be sure you understand how the INET access is implemented and if you're ready to carry the risks. If not, just order additional INET access to one or more sites and handle INET yourself, which I'd prefer to do anyway.
I have no comment on WAAS, I've never used them, but can understand how they might be useful in slow-speed accesses using badly designed applications.
If encryption is not mandated by regulatory authority, I would not do it personally, it's just more things to cause problems, require maintenance and increase cost of CE.
I would however acquire actively knowledge what applications we're using internally which of them are using encryption, which can be migrated to encryption and which cannot use encryption and device long-term plan to move all applications to encryption.
Security should not have higher cost than the risk carried in the breach of security.
I'm not sure I understand bonus point question, I would certainly not put a firewall between my CE and operator PE. States should be kept at last possible moment. I personally would only want FW in front of human LANs, where guaranteeing software hygine is difficulty. I would not put FW in front of servers, because it'll dilute my investments in availability and performance. Enterprise world has too much love for FWs.
Best Answer
This is a very broad question and you need to do some more background reading, but quick answers to your questions:
L2 MPLS VPN – forwards based on the L2 address of the L2 PDU. The L2 PDU is encapsulated in the transport protocol (MPLS). The VPN can provide point-to-point (AToM) or LAN type multipoint service (VPLS). Something to remember about these types of VPN is that L2 forwarding information is learned though the data plane (for VPLS), similar to standard switch MAC learning. The control plane does not get involved in distributing L2 forwarding information. This means traffic from unknown MAC addresses is initially flooded, until return traffic is received across the pseudowire and the destination MAC is learned. Point-to-point L2 VPNs don't need to learn MAC information as they just forward out of the other port/pseudowire (they only have two interfaces per device).
L3 MPLS VPN – forwards based on the L3 address of the L3 PDU. The L3 PDU is encapsulated in the transport protocol (MPLS). With MPLS VPN, MP-BGP is used to distribute L3 forwarding information between sites for routes within the VPN.
EVPN – Another form of multipoint L2 VPN (LAN type service). Can use MPLS or VXLAN for transport. The important part that EVPN adds to L2 VPN is the distribution of L2 forwarding information between sites (through MP-BGP with new EVPN address family). It doesn’t have to rely on data plane learning, so can cut down on flooding between sites. In addition, the EVPN address family can also transport L2 to L3 address mappings, allowing sites to synchronise L2 to L3 mapping (ARP), cutting down on ARP broadcast.
DCI – You can use L2 VPN (AToM for two sites, VPLS for two or more sites) or EVPN to achieve DCI as you need to interconnect the sites at L2. EVPN is more efficient and reduces the amount of L2 flooding and ARP traffic between sites, so if your hardware supports it, it may be the better choice.