We have a VPN tunnel from the office to Google Cloud. It's working correctly; we are able to hit VMs and containers (Kubernetes).
The problem is that the SQL instance can't be accessed using this tunnel. You can jump through a VM instance but you can't connect directly. Apparently the problem is that the SQL instances are not directly connected to a VPC subnet. We tried forcing the route on the "Cloud Router" for the VPC but that didn't work. We tried adding an "allow-all" firewall rule for all the VPC range, it wasn't that either.
Any idea on how to reach the SQL instances through the VPN tunnel?
You cannot access a Cloud SQL instance on its private IP addresses from another network using a Cloud VPN tunnel, instance based VPN, or Cloud Interconnect. This limit applies to both on-premises networks and other VPC networks.
There is a feature request to get this implemented.
My suggestion is to use Cloud SQL Proxy, so the on-prem side communicates with the proxy using the standard database protocol of your database, and the proxy then uses a secure tunnel to communicate with its companion process running on the server.
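As an added example, not part of the original answer, the following POSIX shell script sketches the setup the answer proposes: Cloud SQL Proxy (v1 command-line flags) running on a Compute Engine VM inside the VPC the VPN already reaches, bound to all interfaces so on-prem clients can connect to the VM's address with plain PostgreSQL/MySQL, plus a VPC firewall rule that limits the proxy port to the on-prem range. The project, region and instance names, the VM network tag, the credential file path and the on-prem CIDR are placeholders I assumed, not values from the page. The proxy listens on 127.0.0.1 by default, so binding it to 0.0.0.0 must be paired with the firewall restriction.

```shell
#!/bin/sh
# Added example (not from the original answer or from Google's own docs):
# helpers that build the commands for running Cloud SQL Proxy v1 on a VM
# reachable over the VPN, so on-prem clients speak the normal database
# protocol to the VM and the proxy carries it to Cloud SQL over TLS.
# All names, tags, paths and CIDRs below are assumed placeholders.

# An instance connection name has the documented shape project:region:instance,
# e.g. my-project:us-central1:prod-db. Reject anything else before we build a
# command line from it.
valid_conn_name() {
    printf '%s' "$1" \
      | grep -Eq '^[a-z][-a-z0-9]+:[a-z]+-[a-z]+[0-9]+:[a-z][-a-z0-9]*$'
}

# Build the proxy invocation. $1 = instance connection name, $2 = local TCP
# port the database clients will use (e.g. 5432), $3 = service-account key
# file (assumed path). tcp:0.0.0.0:PORT binds all interfaces; plain tcp:PORT
# would bind 127.0.0.1 only and be unreachable from on-prem.
proxy_cmd() {
    conn=$1; port=$2; cred=$3
    valid_conn_name "$conn" || return 1
    printf '%s' "cloud_sql_proxy -instances=${conn}=tcp:0.0.0.0:${port} -credential_file=${cred}"
}

# Because the proxy now listens on every interface, restrict who may reach it:
# only the on-prem CIDR, only the database port, only VMs tagged sql-proxy.
# $1 = VPC network name, $2 = port, $3 = on-prem source range (assumed CIDR).
firewall_cmd() {
    net=$1; port=$2; src=$3
    printf '%s' "gcloud compute firewall-rules create allow-onprem-sqlproxy --network=${net} --direction=INGRESS --action=ALLOW --rules=tcp:${port} --source-ranges=${src} --target-tags=sql-proxy"
}

# Print the commands when invoked with arguments:
#   ./sqlproxy.sh my-project:us-central1:prod-db 5432 /etc/sqlproxy/sa.json my-vpc 10.10.0.0/16
if [ "$#" -ge 5 ]; then
    proxy_cmd "$1" "$2" "$3" && echo
    firewall_cmd "$4" "$2" "$5" && echo
fi
```

On the VM, the proxy command is what runs (as a service, under a service account with only the Cloud SQL Client role); the firewall command runs once from wherever gcloud is configured. On-prem clients then connect to the VM's private IP on the chosen port, and nothing on the VM terminates the database connection in cleartext beyond the VM itself.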