As you know when deploying CloudGuard in AWS, you must turn off src/dst check. When dealing with RDS instances you cannot turn this option off. It looks like the only way a server behind a CloudGuard gateway can access an RDS instance on a different subnet is to create a NAT rule nat'ing the src IP to that of an IP on the same subnet as the RDS instance.
Is this true? Or is there another way?