Channel: Active questions tagged mongodb-atlas - Stack Overflow
Connecting Google Cloud Functions to MongoDB Atlas through private endpoints

I have spent two full weeks reading documentation, and I still can't connect Google Cloud Functions to MongoDB Atlas through private endpoints.

The error I get is a timeout error (Unhandled error MongoServerSelectionError: Server selection timed out after 30000 ms), that gets solved if I whitelist 0.0.0.0/0. Needless to say, I don't want to whitelist any IPs. Otherwise I wouldn't be setting up private endpoints in the first place.

On MongoDB everything looks fine (two Atlas screenshots omitted).

On the GCP side, I have managed to do the following:

  • I have set up a VPC network
  • I have created two VPC subnets in that network, that do not overlap: the first one has mask /24, to hold the 50 endpoints, and another one with mask /28 to hold the connectors
  • I have created the Serverless VPC access on the /28 subnet in order to do the "load balancing" with an e2-micro instance.
  • I have adapted my Cloud Run Functions v2, in order to use the connector by adding the last two lines below, where the CONNECTOR constant is the name of the Serverless VPC access:

        onCall({
          cors: true,
          timeoutSeconds: TIMEOUT,
          region: [REGION],
          secrets: [URI],
          vpcConnector: CONNECTOR,
          vpcConnectorEgressSettings: "PRIVATE_RANGES_ONLY"
        },
  • I have set up the endpoints successfully by doing gcloud compute addresses create... and gcloud compute forwarding-rules create... and I can see my 50 endpoints in the list of IP addresses in my subnet, also under Load Balancing\Frontends and under Private Service Connect (as the pictures show) and they look healthy and consistent with the rest of the GCP and MongoDB setup. (Three GCP console screenshots omitted.)

  • As far as the firewall is concerned, I have created temporary rules with top priority allowing all access into and out of my subnets, using all protocols and enabling logs, in order to inspect what was happening. When I run my function I get logs that confirm that the request can access my connector subnet, but nothing happens from there on.

        connection: {
          dest_ip: "10.1.0.2",
          dest_port: 667,
          protocol: 6,
          src_ip: "35.191.206.176",
          src_port: 56256
        }
  • As far as Routing is concerned, I only have default routes, one for each subnet, with the Destination IP range the same as the subnet, and the Next hop being my VPC network. I suspect this might be the step I'm missing. Either this or a custom firewall rule.
  • I have nothing under Cloud NAT, Cloud DNS, and many other services that I consider unnecessary for what I'm trying to do.
  • As I have set up a Private Service Connect, I understand there's no need to set up a VPN anymore (contrary to what this answer suggests), and the question of transitivity was resolved (according to this article).

I have obviously made sure that everything's on the same region ([us-central1]) and I don't think I am making any schoolboy errors. I am particularly hesitant about Routing and Firewall, but the documentation that focuses on Private Service Connect doesn't place any emphasis there. Any help will be greatly appreciated.

Request --> Connector Subnet --X--> Endpoint Subnet --> Forwarding Rules --> MongoDB Endpoints
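An added diagnostic, not part of the question or its answers, that applies the flow diagram above to VPC firewall-log entries: given the connector and endpoint subnet ranges, it classifies each logged destination by hop and reports whether any flow ever reached the endpoint subnet. The subnet ranges 10.1.0.0/28 and 10.2.0.0/24 and the second log entry are constructed assumptions; the first entry is the connection block quoted in the question.

```javascript
// Added example (not from the question): map VPC firewall-log flows onto the
// Request -> Connector Subnet -> Endpoint Subnet path to see where it stops.
// Subnet ranges and the second log entry are constructed assumptions; the
// first entry is the one quoted in the question.

// Assumed layout: /28 for the Serverless VPC Access connector, /24 for the
// Private Service Connect endpoints (constructed values).
const SUBNETS = {
  connector: "10.1.0.0/28",
  endpoint: "10.2.0.0/24",
};

const VERDICT_NO_FLOWS =
  "no flows logged; check that firewall logging is enabled on the rule";
const VERDICT_STUCK_AT_CONNECTOR =
  "flows reach the connector subnet but never the endpoint subnet; inspect routes and firewall rules between them";
const VERDICT_REACHES_ENDPOINT =
  "flows reach the endpoint subnet; investigate the forwarding rules and the Atlas side";

// Parse a dotted IPv4 address into an unsigned 32-bit integer.
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when ip falls inside the CIDR block (e.g. "10.1.0.0/28").
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) {
    throw new Error(`invalid prefix length: ${cidr}`);
  }
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(base) & mask) >>> 0);
}

// Name the subnet a flow's destination belongs to, or "other".
function classifyFlow(entry, subnets = SUBNETS) {
  for (const [name, cidr] of Object.entries(subnets)) {
    if (inCidr(entry.dest_ip, cidr)) return name;
  }
  return "other";
}

// Count flows per hop and decide where the path appears to stop.
function summarize(entries, subnets = SUBNETS) {
  const counts = { connector: 0, endpoint: 0, other: 0 };
  for (const e of entries) counts[classifyFlow(e, subnets)] += 1;
  let verdict;
  if (counts.connector === 0 && counts.endpoint === 0) verdict = VERDICT_NO_FLOWS;
  else if (counts.endpoint === 0) verdict = VERDICT_STUCK_AT_CONNECTOR;
  else verdict = VERDICT_REACHES_ENDPOINT;
  return { ...counts, verdict };
}

// Sample log entries. The first is the connection block quoted in the question;
// the second is constructed to show what a flow into the endpoint subnet looks like.
const SAMPLE_LOG = [
  { src_ip: "35.191.206.176", src_port: 56256, dest_ip: "10.1.0.2", dest_port: 667, protocol: 6 },
  { src_ip: "10.1.0.2", src_port: 40000, dest_ip: "10.2.0.15", dest_port: 1024, protocol: 6 },
];

if (typeof require !== "undefined" && require.main === module) {
  // Only the question's entry: stuck at the connector subnet.
  console.log(summarize(SAMPLE_LOG.slice(0, 1)));
  // With the constructed entry: the path reaches the endpoint subnet.
  console.log(summarize(SAMPLE_LOG));
}
```

Feed it the exported firewall-log entries for the temporary allow-all rules; if the verdict is the "stuck at connector" one, the problem lies between the connector subnet and the endpoint subnet rather than in the forwarding rules or on the Atlas side.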
