I think I might have answered my own question from another post…
If we add a peer on a server behind the firewall with access to the db server and setup a tunnel, it sounds like we can use the tunnel in reverse from within the instance in fly…
Will give that a test and see how we go.