Managed SSL certificates are now supported in GAE.1 We hope to add them for GCLB endpoints at a future date.fxer commented
To help with search engine mojo, this is what AWS implemented with Amazon Certificate Manager in January 2016
There are some technical reasons why this is not possible currently, but we hope we can do it in the future, it’s a popular request.fxer commented
It is a little terrifying that every mysql instance has a public ip, and thus can be targeted directly for a DDoS attack. Also it negates the value of a bastion host as a central place for external access and audit when all traffic to cloud sql is routed directly via a public ip.
Of course I'm just a small fish but this discovery abruptly halted my migration off AWS, but I would eagerly start again if this feature came around.
In the interim it would be great if there were some details of why Cloud SQL is the outlier, where most other services in regions around the world are on your private network...but not cloud sql.