Private Route from Software VPN to ALB using Static, Public IP

We're trying to figure out the most efficient way to replicate our application and networking on AWS are getting stuck on a networking requirement. Here's the general layout:

• Our application will be deployed in ECS (Fargate)
• We'll deploy an instance of the application + ALB for each client
• We'll use a software VPN (AWS VPNs are too expensive, but I don't think they change anything)
• We need to privately route traffic from the VPN to each client's instance of the application
• We prefer to put clients in their own VPCs and use VPC Peers but we could relax this requirement if it were fatal.

Not only do we want/need a Static IP for VPN (and VPC Peer) routing, but we have a client that requires a publicly routable IP address as the destination for our VPN communication. ALBs don't support static IPs (EIP or otherwise) and it doesn't look like either of the suggested workarounds (https://aws.amazon.com/blogs/networking-and-content-delivery/using-static-ip-addresses-for-application-load-balancers/) will work for us. Specifically, from what I've read:

• We can put an NLB in front of the ALB to get a Static IP, but we can only associate an EIP if the NLB is internet-facing.
• The Global Accelerator provides static IPs, but they also appear to be designed to be internet-routable.

In both cases, it doesn't sound like these addresses are internally routable. Am I wrong? Is there another built-in way to achieve our requirement?

Edited by: Clayton D. on Mar 30, 2020 12:59 PM