The steps of the process are:
This is all good and you should set your service this way (private access). But for reasons I am not going to cover here the RDS service I was trying to use had -only- a public facing endpoint. That introduced a few difficulties when trying to set this up.
When you configure an RDS service in AWS it asks you if you want it to be public or private. If you select public, the RDS endpoint will be expose via a public IP. You won't have access (as far as I can tell) to the internal RDS subnet address. How do you route the traffic then? First of all, think about the reason why you are exposing this service publicly. Probably it is a better idea to make it private. Then, you can just follow the Tailscale document. But if you make the service public...
The way to connect the service to your tailnet is to advertise a single host when you add (up) your node to the tailnet:
$ sudo tailscale up --advertise-routes=220.127.116.11/32 --accept-dns=false
When you make the RDS service public, the dns endpoint maps to a public ip, when you make it private, it maps to a private IP. Makes sense but I wanted to highlight that.
Make sure you check your tailnet ACL to allow traffic between whatever nodes you want access to the RDS service and the routing node.
And that's it. Tailscale is a fantastic piece of technology and I will definitely be writing more about it in the future.