Thanks for your feedback and I'm happy to listen that my article helped you!

About SSH, I didn't notice that side effect, but I'm also not a network/ssh expert, so, I trust you about that point.

About the bastion, yes, I think you can run all the time the Cloud SQL proxy and let the user using it. Here it's only an example of the architecture and the workaround to solve access issues. A way to illustrate the situation in a practical way.

However, you can improve or redesign it according to your constraint.

Or use Cloud Workstation to work directly in the cloud and avoid that network accessibility issue.