Wired Intelligent Edge

We are deploying some AP's in a remote location from our primary data center and controller networks.  We have a set of VLAN's configured based on the various needs of our business within a small campus LAN.  For the sake of the question,  let's say VLAN 10,20,30 with (3) different subnets.  We also have a seperate Controller > AP Management VLAN configured to allow the AP's to grab DHCP addresses and communicate to the Controllers via options within the DHCP scope.  Once the AP's get the DHCP address,  communicate and configure themselves via the Controllers how do the AP's traffic the client data to/from the devices?  Does the actualy mobile device traffic pass thru the Controllers or am I thinking about this all wrong?  From what I understand,  the traffic is ecnrypted but I'm just unclear as to how it actually flows to and from the internet?  Any insight would be greatly helpful.

The default and recommended forwarding mode for controller based wireless networks is tunnel mode. In this mode, you are correct ... wireless traffic from the client is received by the AP, and tunneled up to the controller for processing. In tunnel mode, the AP does not decrypt the traffic, instead it forwards the original 802.11 encrypted payload up to the controller for processing. The controller then handles encryption/decryption, and then forwarding of the frame at either layer 2 or layer 3, depending on the configuration.

You might also take a look at this thread, for more details on the different forwarding modes available: https://community.arubanetworks.com/t5/Wireless-Access/Forward-mode-queries/td-p/413728