Network architecture for remote sites via AT&T cellular

I need help designing system architecture for a client with dozens of remote sites that are accessible via AT&T cellular coverage. Presently set up on Sensaphone SCADA via a Sentinel Cellular module at some of the sites. I'd like to propose a wholesale change to Ignition, but I don't know how to specify the network architecture.

Welcome to the forums. This might help you get a better idea of the architecture types:
Ignition System Architectures Video at Inductive University

I have 100 remote sites dialing up to Ignition in AWS with OpenVPN.

Install OpenVPN server on the same network/subnet as the Ignition server. UDP is preferred.

Install a client certificate at each router at the remote sites.

For me, I am mostly polling at 10 or 20 seconds, so latency is not a big concern.
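As an added illustration of the layout described in this reply (my own example, not the poster's configuration or anything from Inductive Automation), here is what the two halves of that OpenVPN setup look like: a UDP server on the Ignition subnet that only admits routers presenting a certificate from your own CA, and the matching client profile for one site router. All addresses, hostnames, file paths and the site number are assumptions; the server is assumed to sit on 10.10.0.0/24 with Ignition, the tunnel network is 10.8.0.0/24, and site 21's PLC LAN is 192.168.21.0/24.

```conf
# /etc/openvpn/server.conf  (example; paths and addresses are assumed)
port 1194
proto udp                            # UDP, as the reply recommends
dev tun
topology subnet
server 10.8.0.0 255.255.255.0        # tunnel addresses handed to site routers

ca        /etc/openvpn/pki/ca.crt    # your own CA: only certs it issued are accepted
cert      /etc/openvpn/pki/server.crt
key       /etc/openvpn/pki/server.key
dh        /etc/openvpn/pki/dh.pem
tls-crypt /etc/openvpn/pki/tc.key    # shared key: unauthenticated packets are dropped before the TLS handshake
crl-verify /etc/openvpn/pki/crl.pem  # revoke a site's cert if a router is lost or replaced

tls-version-min 1.2
remote-cert-tls client               # peer cert must carry the client EKU
verify-client-cert require           # no cert, no tunnel (no username/password fallback)
cipher AES-256-GCM
auth SHA256

# One file per site under ccd/ gives each router a fixed tunnel IP and tells the
# server which PLC LAN sits behind it, so Ignition device connections never move.
client-config-dir /etc/openvpn/ccd
route 192.168.21.0 255.255.255.0     # kernel route for site 21's PLC LAN (one line per site)

# client-to-client is deliberately absent: sites reach the Ignition subnet, not each other.
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3

# /etc/openvpn/ccd/site-21   (file name must match the CN in the site's certificate)
ifconfig-push 10.8.0.21 255.255.255.0
iroute 192.168.21.0 255.255.255.0

# site-21.ovpn  loaded on the site router
client
dev tun
proto udp
remote vpn.example.com 1194
nobind
resolv-retry infinite                # modem drops: keep retrying rather than exit
persist-key
persist-tun
ca ca.crt
cert site-21.crt
key site-21.key
tls-crypt tc.key
remote-cert-tls server               # refuse a server that presents a client cert
cipher AES-256-GCM
auth SHA256
verb 3
```

The Ignition server (or the subnet's default gateway) still needs a route for 10.8.0.0/24 and each site LAN pointing at the OpenVPN host, otherwise replies from Ignition never enter the tunnel. Because the router initiates the UDP session outbound, the site needs no inbound ports open on the cellular side.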

We've set up all of the remote sites with Ignition Edge w/Panel, Compute, and IIoT modules, then have MQTT broker in the cloud (using EMQx for the broker) and Ignition Perspective Unlimited with MQTT Engine and Historian in the cloud. This allows for low bandwidth across the modems and store/forward for historical data for the centralized historian. Each system has the local Edge system running so that anyone on-site can have local control as well even if the cellular connection is down.

For the connection to the cloud, while each site doesn't have any firewall ports open, we have Tailscale running on each system so we've got a mesh network as well as allowing the systems to connect to MQTT with SSL/TLS encrypted connections. Tailscale allows me to remote into the units without using a traditional VPN and provides a secondary connection for MQTT data just in case our reverse proxy in the cloud goes down (then the Edge PC can connect directly to the MQTT broker over Tailscale).
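To make the store/forward part of this design concrete, here is an added example (my own code, not Ignition's MQTT Transmission module and not EMQX code) of what an Edge-side publisher has to do when the modem drops: keep unsent samples in a durable, bounded, oldest-first queue on disk, replay them in order when the link returns, and only ever talk to the broker over a TLS context that verifies the broker's certificate and hostname. The broker transport is injected as a `send` callable so the logic runs offline; with paho-mqtt that callable would wrap `client.publish(...)` and return whether the publish was acknowledged. Topic names, the CA file and the queue size are assumptions.

```python
"""Store-and-forward outbox for an Edge site behind a cellular modem.

Illustrative example added to this thread; not Ignition's or EMQX's code.
"""
import json
import sqlite3
import ssl
import time
from typing import Callable, Optional

# A sender returns True only when the broker acknowledged the message.
Sender = Callable[[str, bytes], bool]


def broker_tls_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """TLS settings for the broker connection: chain and hostname verification,
    TLS 1.2 minimum. ca_file=None falls back to the OS trust store; at a site you
    would point this at the CA that issued the broker's certificate (assumed path)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def decode_value(payload: bytes):
    """Inverse of the encoding used in StoreAndForward.record (helper for tests)."""
    return json.loads(payload)["value"]


class StoreAndForward:
    """Durable FIFO of unsent tag samples. SQLite-backed so it survives a reboot;
    bounded so a long outage cannot fill the Edge PC's disk (oldest rows drop first)."""

    def __init__(self, path: str = ":memory:", max_rows: int = 100_000):
        self.db = sqlite3.connect(path)
        self.max_rows = max_rows
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS outbox ("
            "id INTEGER PRIMARY KEY AUTOINCREMENT, ts REAL, topic TEXT, payload BLOB)"
        )
        self.db.commit()

    def record(self, topic: str, value, ts: Optional[float] = None) -> None:
        """Queue one sample; the timestamp travels with it so the central historian
        stores the time the sample was taken, not the time the link came back."""
        stamp = time.time() if ts is None else ts
        payload = json.dumps({"ts": stamp, "value": value}).encode()
        with self.db:  # one transaction: insert, then trim to max_rows
            self.db.execute(
                "INSERT INTO outbox (ts, topic, payload) VALUES (?, ?, ?)",
                (stamp, topic, payload),
            )
            self.db.execute(
                "DELETE FROM outbox WHERE id NOT IN "
                "(SELECT id FROM outbox ORDER BY id DESC LIMIT ?)",
                (self.max_rows,),
            )

    def pending(self) -> int:
        return self.db.execute("SELECT COUNT(*) FROM outbox").fetchone()[0]

    def flush(self, send: Sender) -> int:
        """Replay oldest-first and stop at the first failed publish, so a sample is
        only deleted once the broker acknowledged it and ordering is preserved.
        Returns the number of samples delivered in this pass."""
        sent = 0
        while True:
            row = self.db.execute(
                "SELECT id, topic, payload FROM outbox ORDER BY id LIMIT 1"
            ).fetchone()
            if row is None:
                return sent
            row_id, topic, payload = row
            if not send(topic, payload):  # link still down: leave the row in place
                return sent
            with self.db:
                self.db.execute("DELETE FROM outbox WHERE id = ?", (row_id,))
            sent += 1


if __name__ == "__main__":
    # Constructed walk-through: three samples taken during an outage, link returns.
    outbox = StoreAndForward("/tmp/site21-outbox.sqlite")  # assumed path
    for i, level in enumerate([10.5, 11.0, 12.25]):
        outbox.record("site21/tank/level", level, ts=1_700_000_000.0 + i)
    print("queued while offline:", outbox.pending())
    delivered = outbox.flush(lambda topic, payload: False)  # modem still down
    print("delivered:", delivered, "still pending:", outbox.pending())
    delivered = outbox.flush(lambda topic, payload: True)   # link restored
    print("delivered:", delivered, "still pending:", outbox.pending())
```

The two properties worth keeping when you wire this to a real client are that a row is deleted only after the broker acknowledges it (so a crash mid-flush re-sends rather than loses data) and that the backlog is capped, since a site that is offline for a week should degrade to losing its oldest samples, not to a full disk that takes local control down with it.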