OMG I figured it out. It was actually my last comment that got me thinking in the right direction. The problem was that I was using the EC2 public IP address to point the tunnel to. EC2 also has an internal private IP address. Switched the tunnel to point to that, and it works! I felt like such a dummy when I thought about it. The tunnel is trying to hit the app internally. Why would it need to go out to the internet and retrieve a firewalled public address? Seems so obvious now.