limit source inbound connections - allow only inbound AWS connections

Hello.

Do you mean you want to restrict traffic from "https://pleio.io" to local ERP server?
What is the infrastructure configuration of "https://pleio.io"?
If you are using EC2 or ECS hosted on a VPC, you can fix the public IP address by using a NAT Gateway.
If you can fix the public IP address, you should be able to restrict the IP address on the local ERP server side.
https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-basics.html

Yes, it is possible to improve the security of this setup by restricting the ERP server to accept incoming connections only from specific AWS IP ranges. AWS publishes its IP ranges in a JSON file that can be regularly updated and integrated into firewall rules or Apache server configurations to allow only these specific IP addresses (AWS IP Address Ranges). Since a static VPN is not an option, another security enhancement would be to implement mutual TLS (mTLS), which ensures that both the client and server authenticate each other using certificates, providing a strong layer of trust (mTLS Overview. Additionally, you can improve security by using IP whitelisting on the Windows firewall, limiting the accessible port strictly to this export service, and enforcing HTTPS with strong TLS configurations on the Apache server (Apache SSL Configuration. Combining these measures will significantly strengthen the security posture of the connection even without a VPN.

I hope this is what you are looking for.