Hi, and thanks for reading.
Networking isn't my specialty either (nor what I like), but we need it.
The issue with a VPN is that you need to create the VPN in the same VPC as the Cloud SQL private IP connection.
It's an issue because in some pretty serious companies (where I worked as a consultant), they often have a HUB project where all the external connections land (interconnect or VPN), and then SPOKE projects peered with the HUB project.
The issue with that is VPC peering transitivity, which is impossible in Google Cloud (for now; I hope that will change in the future).
So, again, your VPN connection is possible only if it lands in the same VPC as your Cloud SQL; that is pretty impossible if you have 2+ projects and/or several environments.