By default, GCP SQL instances offer encryption in transit, with support for TLS, but insecure connections are still accepted. On an unsecured network, such as a public network, the risk of traffic being intercepted is high. When the data isn't encrypted, an attacker can intercept it and read confidential information.

When creating a GCP SQL instance, a public IP address is automatically assigned to it and connections to the SQL instance from public networks can be authorized.

TLS is automatically used when connecting to SQL instances through:

* The https://cloud.google.com/sql/docs/mysql/connect-admin-proxy[Cloud SQL Auth proxy].
* The https://cloud.google.com/sql/docs/mysql/connect-overview#languages[Java Socket Library].
* The built-in mechanisms in the https://cloud.google.com/appengine/docs[App Engine] environments.