I need to set up a remote access point, inside my customer's LAN and firewall, with transparent (no NAT, etc) WiFi access to a WIndows Server instance on Amazon Web Services. The only outbound connection allowable from the access point is to the Amazon instance. No inbound connections from the internet to the access point will be possible, as the access point will be on a NATed address inside the customer LAN.
Traffic from the WiFi clients must all be confined to the IPSEC tunnel between the access point and the Amazon instance.
I prefer that the remote WiFi clients have access to only specific ports on the Windows server (but that is not an absolute requirement). The WiFi access point will be unreachable from the internet, and must therefore initiate the connection to the AWS server. The server will have an IPv4 address on the internet.