So, I am unsure where to suggest updates to the tailscale documentation.
However, this article here,
Fails to mention a critical thing: Open up port UDP 41641 for incoming traffic to the tailscale node, i.e. add a rule to its security group.
Without it, the node won’t be able to make direct connections through its external interface, which is the whole point of the exercise.
Cheers!