Zero Trust Tunnel route to MongoDB Atlas Cluster (with SRV)

We have a Dev/Test Cluster in MongoDB Atlas (hosted on AWS). We usually connect from our HQ thanks to the IP allowlist feature.

We also have an EC2 with cloudflared up and running, and it is working like a charm to connect to VPC-bound resources (for example RDS instances).

We now would like to use the same EC2 to route traffic from the developer’s machines to <mycluster_name> through the Tunnel. This is because the EC2 uses an AWS NAT Gateway holding a static IP Address (x.x.y.y) that we can allowlist in MongoDB Atlas.

Basically, the “packets route” would be:
developer machine -> Tunnel -> EC2 -> NAT Gateway -> MongoDB Atlas
and it should be “triggered” whenever a client attempts to connect to *

I spent the whole morning reading the documentation and running tests (mainly configuring “Applications”), but none worked and I’m a bit confused. Help please!