Mysql instances should also have a private network
Managed mysql should have an internal ip address on the private network.
There are some technical reasons why this is not possible currently, but we hope we can do it in the future, it’s a popular request.
It is a little terrifying that every mysql instance has a public ip, and thus can be targeted directly for a DDoS attack. Also it negates the value of a bastion host as a central place for external access and audit when all traffic to cloud sql is routed directly via a public ip.
Of course I'm just a small fish but this discovery abruptly halted my migration off AWS, but I would eagerly start again if this feature came around.
In the interim it would be great if there were some details of why Cloud SQL is the outlier, where most other services in regions around the world are on your private network...but not cloud sql.