You will need either a tunnel to connect both sites, or you can an AP connect through a public IP address using NAT. The AP will register at the WLC, get the image, config, etc. Afterwards, you can set the AP mode to Flexconnect, and configure your WLAN as FlexConnect Local Switching. This way, only control traffic like associations, authentications will go over WAN to the WLC and the data traffic stays local to the AP site.

Check the below statments from this link https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/69561-wlc-faq.html

You can place the LAP under NAT. On the AP side, you can have any type of NAT configured.

But on the WLC side, you can have only 1:1 (Static NAT) configured and the external NAT IP address configured on dynamic AP management interface (only for Cisco 5500 Series Controllers). PAT cannot be configured on the WLC side because LAPs cannot respond to WLCs if the ports are translated to ports other than 5246 or 5247, which are meant for control and data messages.

Note: Select the Enable NAT Address check box and enter the external NAT IP address if you want to be able to deploy your Cisco 5500 Series Controller behind a router or other gateway device that is using one-to-one mapping network address translation (NAT). NAT allows a device, such as a router, to act as an agent between the Internet (public) and a local network (private). In this case, it maps the controller's intranet IP addresses to a corresponding external address. The controller's dynamic AP-manager interface must be configured with the external NAT IP address so that the controller can send the correct IP address in the Discovery Response.