Jitsi doesn't work with more than 2 participants when Jitsi works on EC2 in private network via AWS NAT Gateway

Hello,
Our Jitsi doesn’t work with more than 2 participants when Jitsi works on EC2 in a private network via AWS NAT Gateway (when the AWS EC2 instance is behind NAT and doesn’t have a public IP).

We have private and public subnets in AWS:
Private - EC2 instances without public IP and internet access via NAT Gateway
Public - EC2 instances with own public IP

For example:
The EC2 instance is an EKS worker node in a private network with local IP 172.25.25.25 (it could be different because we have scalable infrastructure), with internet access via NAT Gateway with public IP 52.25.25.52.
Route53 record jitsi.example.com, which points to a Classic LoadBalancer with 3 public IPs and EKS HAProxy Ingress.
In this case Jitsi doesn’t work with more than 2 participants.

I’ve tried:

  1. Disable DISABLE_AWS_HARVESTER = true
    Despite that I see in JVB logs that AWS discovery works and discovers our NAT Gateway Public IP
  2. Remove STUN_MAPPING_HARVESTER_ADDRESSES = meet-jit-si-turnrelay.jitsi.net:443
  3. Set NAT_HARVESTER_PUBLIC_ADDRESS = one_of_AWS_loadbalancer_IP
  4. Allow All traffic on LB and EC2 Security Groups for testing

If Jitsi works on EC2 in a public network with its own public IP, the AWS Harvester works correctly, discovers the private and public IPs of the EC2 instance, and Jitsi works fine.

Q:
It isn’t suitable for us to hardcode the private IP in NAT_HARVESTER_LOCAL_ADDRESS and NAT_HARVESTER_PUBLIC_ADDRESS because we have scalable infrastructure and a dynamic count of EC2 instances with dynamic IPs.
Should we use these settings:
NAT_HARVESTER_LOCAL_ADDRESS = 172.25.25.25
NAT_HARVESTER_PUBLIC_ADDRESS - should it be the IP of the NAT Gateway or the IP of the LoadBalancer
if we disabled DISABLE_AWS_HARVESTER = true?

Q:
Is it possible to add a CNAME, Alias, or several IPs of our LoadBalancer to the NAT_HARVESTER_PUBLIC_ADDRESS setting?

Q:
We use the HAProxy Ingress Controller to have the ability to configure sticks by room, but HAProxy ingress is based on a Classic LoadBalancer, which cannot be configured with a UDP listener.
Do we need to configure only TCP 4443 port for JVB in this case?