For a Managed Instance Group setup connecting to a Cloud SQL instance, is there a better way (something like an egress IP for the group via a LB) that I can use to connect to Cloud SQL, or is installing Cloud SQL proxy on each of the compute instances (that are part of the MIG setup) the only solution?
You probably have a couple of options, each with varying degrees of security (assuming these are all private network communications):

- Cloud SQL proxy as part of the image for the MIG is probably a decent solution - I'd also suggest ensuring you have TLS enforced, and use client certificates
  a. I would just make sure to secure access to that image such that unwanted usage of the image is limited
- Apply Network Tags to MIG; create Firewall Rule as an egress allow that has the source as the Network Tag, with the destination being the Cloud SQL instance
  a. This could be insecure because it would allow any instance with that Network Tag to at least TCP connect to the instance (hopefully strong auth prevents unwanted access)
- Put the MIG into its own subnet; create Firewall Rule to allow access only from that subnet
  a. As with Network Tags, other instances can use this subnet, unless you have your projects/networks/organization-policies configured to restrict this
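The options in the answer above, expressed as a Terraform configuration. This is an added example, not code from the thread or from Google; every name in it (the `app-vpc` network, the `mig-subnet` range `10.10.0.0/24`, the `10.20.0.0/24` range allocated for Cloud SQL private IP, the `cloudsql-client` network tag, the `app-with-sql-proxy` image) is a placeholder, and it assumes the Google provider 5.x, where `ssl_mode` is available. It wires together a dedicated subnet for the MIG, a network tag on the instance template, an egress allow rule scoped to that tag plus a lower-priority deny so untagged instances cannot reach the Cloud SQL range at all, and a private-IP-only Cloud SQL instance that requires TLS with trusted client certificates (the Cloud SQL Auth Proxy presents an ephemeral client certificate, so it still works under that setting).

```hcl
# Added example; all names and CIDR ranges are assumptions, not values from the thread.

resource "google_compute_network" "app" {
  name                    = "app-vpc"
  auto_create_subnetworks = false
}

# Dedicated subnet for the MIG, so rules and policies can be scoped to its range.
resource "google_compute_subnetwork" "mig" {
  name                     = "mig-subnet"
  region                   = "us-central1"
  network                  = google_compute_network.app.id
  ip_cidr_range            = "10.10.0.0/24"
  private_ip_google_access = true
}

# Range handed to private services access; Cloud SQL private IPs come from it.
resource "google_compute_global_address" "sql_range" {
  name          = "cloudsql-range"
  purpose       = "VPC_PEERING"
  address_type  = "INTERNAL"
  address       = "10.20.0.0"
  prefix_length = 24
  network       = google_compute_network.app.id
}

resource "google_service_networking_connection" "sql" {
  network                 = google_compute_network.app.id
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = [google_compute_global_address.sql_range.name]
}

# Instance template: baked image with the proxy (hypothetical) plus the network tag.
resource "google_compute_instance_template" "app" {
  name_prefix  = "app-"
  machine_type = "e2-small"
  tags         = ["cloudsql-client"]

  disk {
    source_image = "projects/example-project/global/images/app-with-sql-proxy"
    boot         = true
  }

  network_interface {
    subnetwork = google_compute_subnetwork.mig.id
  }

  lifecycle {
    create_before_destroy = true
  }
}

# Only instances carrying the tag may open TCP to the Cloud SQL range
# (3307 is the port the Cloud SQL Auth Proxy connects to on the instance).
resource "google_compute_firewall" "allow_tagged_to_cloudsql" {
  name               = "allow-mig-egress-cloudsql"
  network            = google_compute_network.app.name
  direction          = "EGRESS"
  priority           = 900
  target_tags        = ["cloudsql-client"]
  destination_ranges = [google_compute_global_address.sql_range.address, "10.20.0.0/24"][1]

  allow {
    protocol = "tcp"
    ports    = ["3307"]
  }
}

# Everything else in the VPC is denied egress to that range. Lower priority
# number wins, so the tagged allow above is evaluated before this deny.
resource "google_compute_firewall" "deny_others_to_cloudsql" {
  name               = "deny-egress-cloudsql"
  network            = google_compute_network.app.name
  direction          = "EGRESS"
  priority           = 1000
  destination_ranges = ["10.20.0.0/24"]

  deny {
    protocol = "all"
  }
}

# Private IP only, TLS enforced, and a trusted client certificate required.
resource "google_sql_database_instance" "db" {
  name             = "app-db"
  database_version = "POSTGRES_15"
  region           = "us-central1"
  depends_on       = [google_service_networking_connection.sql]

  settings {
    tier = "db-custom-1-3840"

    ip_configuration {
      ipv4_enabled    = false
      private_network = google_compute_network.app.id
      ssl_mode        = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
    }
  }
}

# Client certificate for connections that do not go through the Auth Proxy.
resource "google_sql_ssl_cert" "app_client" {
  common_name = "mig-app-client"
  instance    = google_sql_database_instance.db.name
}
```

The tag-based rule still has the weakness the answer points out: anything that can attach the `cloudsql-client` tag to an instance gets TCP reachability, so restricting who can set tags (or switching `target_tags` to `target_service_accounts`, which is bound to IAM rather than a free-form label) is the check worth adding on top. The `deny_others_to_cloudsql` rule is what turns "allow by tag" into "allow only by tag"; without it, the implied allow-all egress would let any instance in the VPC reach the range.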