This works when each user is given a VPN connection to the server, but we don’t want to give everyone VPN accounts. We don’t want everyone to have that type of connectivity to our infrastructure, just accessibility through Ignition screens, which we can control.
A VPN is an additional layer of security that ensures that an adversary has to break not only your application's security (which may be comparatively weak due to its low user count), but also the encryption of the VPN (which, if you use an established product, has a massive user base). You can't replace the VPN with anything on the application level and get the same benefits, so you either want to give up on it completely or focus your efforts on identifying if there is a suitable VPN setup that would give you those protections without being cumbersome to use. In my opinion, a public gateway is never an option for anything that is mission critical or that could ever be connected up to our internal networks and expose us to malware.
We bring our users into a central virtual router via a VPN and then give them routes and ACLs for various sites as required. They get one pane of glass and access to as few or as many sites as they need to. None of them get access to our internal applications. You might want to consider something similar. I haven't investigated the carrier VPNs @dcamp1 is talking about, but you can achieve the same thing with an AWS VM with routing software installed on it. I recommend using an established IT company for VPN work rather than trying to roll your own (though this might not be how everyone looks at it).