Cloudflare tunnel only requires outbound port opened, check if you’ve allowed all outbound ports in EC2 security group (the default VPC should have this already).
Otherwise it’s probably a misconfiguration reaching the IP/port of the cloudflared service on the EC2. Have you tried checking cloudflared logs? Does your tunnel status show up as healthy?
Yeah. I guess we could fetch all image ids from the database excluding those uploaded to our local instance, and loop them through the DELETE /image/delete/{delete_token}/{file} API. But I’ve no idea how to get the delete_token, seems like it’s available only during image upload.
There is an API DELETE /internal/variants in pictrs to clear out variants of generated images. However it only cleared out a few megabytes in our case.