EoIP - Ethernet over IP protocol

Hi,

Do I need Mikrotik boards on both sides in order to build a tunnel?

Could I set tunnels from branches to a central server located in AWS or Azure?

I want to have all traffic from branches going through the central server before going to the Internet because we want to control the traffic from a centralized location.

I have installed a Mikrotik CHR router on Azure and connected to this CHR → L2TP and EoIP over that L2TP. It worked.

Just a clarification of the previous post: you don’t need a RouterBoard (physical device), but you need RouterOS on both ends. That’s because EoIP is a proprietary extension of GRE and, as far as I know, nobody else supports it except Mikrotik.

RouterOS can be either on a physical device (RouterBoard) or on a virtual one (CHR). CHR is actually very easy to install on AWS because it comes as one of the images straight from the marketplace: https://aws.amazon.com/marketplace/pp/B01E00PU50

As mentioned, if you send your EoIP over the internet, you might like to secure it (because the protocol itself has no encryption - it is just encapsulation). You can either use the built-in support for IPSec (you set it up in the EoIP interface and it dynamically creates an IPSec policy and peers based on the tunnel’s IP addresses, so the traffic gets encrypted) or you can use practically any tunnel/VPN/encryption you would like. As long as you have a protected IP channel between two points, you can send your EoIP through it :)

For the record, there’s something for Linux & friends (e.g. GitHub - Nat-Lab/eoip: EoIP/EoIPv6 for *nix.), but I didn’t test it.
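
A way to check the point made above that EoIP by itself is only encapsulation, as an added example that is not part of the original thread: it classifies packets captured on the WAN side of a tunnel endpoint as cleartext EoIP or IPsec ESP. The EoIP header layout used here (GRE bytes `20 01 64 00`, big-endian frame length, little-endian tunnel ID) is an assumption taken from public descriptions of the protocol, and the sample packets, addresses and tunnel ID are constructed.

```python
import socket
import struct

GRE_PROTO, ESP_PROTO = 47, 50
# Assumed EoIP header: GRE flags/version 0x2001 followed by protocol type 0x6400
EOIP_MAGIC = b"\x20\x01\x64\x00"

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def classify(ip_packet: bytes) -> dict:
    """Classify one raw IPv4 packet captured on the WAN side of a tunnel endpoint."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return {"kind": "not-ipv4"}
    ihl = (ip_packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto, payload = ip_packet[9], ip_packet[ihl:]
    if proto == ESP_PROTO:
        return {"kind": "esp"}               # encrypted: inner frame not readable
    if proto != GRE_PROTO or payload[:4] != EOIP_MAGIC or len(payload) < 8:
        return {"kind": "other"}
    frame_len = struct.unpack(">H", payload[4:6])[0]   # big-endian length
    tunnel_id = struct.unpack("<H", payload[6:8])[0]   # little-endian tunnel ID
    frame = payload[8:8 + frame_len]
    if len(frame) < 14:
        return {"kind": "eoip-truncated", "tunnel_id": tunnel_id}
    # The inner Ethernet header is readable by anyone on the path.
    return {"kind": "cleartext-eoip", "tunnel_id": tunnel_id,
            "dst_mac": mac(frame[0:6]), "src_mac": mac(frame[6:12]),
            "ethertype": struct.unpack(">H", frame[12:14])[0]}

def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 header (documentation addresses, checksum left at 0)."""
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton("192.0.2.1"),
                       socket.inet_aton("198.51.100.1")) + payload

# Constructed samples: an ARP broadcast inside EoIP tunnel 300, and an ESP packet.
INNER = bytes.fromhex("ffffffffffff" "020000000001" "0806") + bytes(28)
SAMPLE_CLEAR = build_ipv4(GRE_PROTO, EOIP_MAGIC + struct.pack(">H", len(INNER))
                          + struct.pack("<H", 300) + INNER)
SAMPLE_ESP = build_ipv4(ESP_PROTO, struct.pack(">II", 0x1000, 1) + bytes(32))

if __name__ == "__main__":
    for name, pkt in (("no IPsec", SAMPLE_CLEAR), ("with IPsec", SAMPLE_ESP)):
        print(name, classify(pkt))
```

When the IPsec peers sit behind NAT, ESP is carried in UDP port 4500 (NAT-T), which this sketch reports as `other` rather than `esp`.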