You need to add the port into the AWS security group (look at this post and search for ‘Basic Security Group’: Deploying FusionHub on Amazon Web Services (AWS)), then add it on the FusionHub under port forwarding with a destination of the internal LAN IP of the encoder on the LAN of the remote HD4.
By adding it to the security group you are allowing traffic on the custom port to reach the FusionHub; then, by adding the port forwarding on the FusionHub, that traffic gets redirected over the SpeedFusion VPN to the LAN device on the remote HD4.
FusionHub should be in NAT mode. HD4 should be NAT too.
No. Leave them as default NAT. There is no port forwarding config required on the HD4.