[AWS] When building a bastion server, I would like to control the outbound (communication from inside to outside) by domain (FQDN), but I do not know how to realize it (configuration), so please tell me.

Services I want to control: 80/443/22 ports

After investigating, it seems that access control can only be performed by specifying the IP address in VPC and network ACL, but how can it be constructed?

I think that AWS WAF is used in the place where I think this is the most, but can this be used for access control in the outbound domain of the bastion server?

Also, is Route 53 required when controlling a domain using AWS WAF?
Is it possible to control access in a domain by itself?

EC2: WindowsServer->80/443/22->VPC->AWS WAF? ->Internet

-I want to control access to both inbound and outbound on the bastion server.
-For outbound, I want to control access by domain (FQDN)
(Because the IP address range of the connection destination site is too large or the IP is changed irregularly)
* Example: AWS server without fixed IP/Windows Update of MS/Pattern update of Security software, etc.

If i like, I would appreciate it if you could tell me based on the simple structure.