About this: "Master <-> client comms is required for any policy that has ALL_LOCAL_DRIVES in Backup Selection as well as for any user/client initiated backup or restore, including database backups and restores."
I have clients in a DMZ across a WAN where the only bridge between the master and the clients is the media server. The backup policy uses ALL_LOCAL_DRIVES. What's happening for me is that the master kicks off the policy, opens connections to the media server for job control and cataloging file meta-data; but the media server is the only host that communicates with the client and sends the data off to the storage server.
It is true that in this case, the client cannot perform any operations and we only perform flat file OS backups. Everything is controlled from the master. This has worked from NBU 5.0 up to 7.6.1.2. I think we're even using this at a site with 7.7.1, but I couldn't find a specific client to validate against since I'm not the prime for that master.
You could use a similar strategy, treating each VPC as its own DMZ. One master server in the primary VPC or on-prem, and one media server with MSDP storage (or whatever storage you choose) in each of the VPCs to back up the hosts in its VPC.