SSL encryption with CNAME redirect

I think you're confusing terms a little bit. A CNAME is not a redirect per se. It's just a record type in DNS, also known as a DNS alias. The DNS protocol is ultimately about mapping names to IP addresses. The most common record type is a "A" record which is a one-way mapping of Name to IP. The CNAME record instead is a one way mapping of Name1 to Name2.

In your case, the CNAME record tells clients requesting the IP "mysite.com" to instead request the IP for "1234.cloud.com". So the client then requests the IP for 1234.cloud.com, gets its IP (10.10.10.10 for example) and continues connecting. This is all done on the network stack of the client. The web browser doesn't know anything about this exchange. All it knows is that the network stack says "mysite.com" maps to "10.10.10.10".

Your cloud server is the one that will host both the site and the SSL certificate (unless you have a load balancer in front of the cloud server). No servers from your company are involved except the DNS servers that are authoritative for your company's DNS zone, mysite.com.

The only way to ensure the communication is encrypted between clients and your cloud server is to disable non-HTTPS requests on the cloud server.