The security center findings are there so you can understand and monitor your project's security stance. Only you can evaluate which of the findings are important to your organization. Only you can decide what actions to take to improve your security.
If you are very sure that all servers connecting to your SQL servers are private and all the connections to those servers are also private, then you might be willing to avoid the cost of SSL connections to your SQL servers.
Many security experts suggest defense-in-depth strategies where you deploy multiple layers of security. In that case you would want all connections, even those originating from internal servers, to use SSL connections.
As you can see in the documentation, enforcing SSL/TLS connections is recommended when using public IPs, so the data is secure during transmission. If your data isn't encrypted, anyone can examine your packets and read confidential information. If, for example, a vulnerability in any service in your network lets someone penetrate it, that also allows them to examine your packets if your connection is not encrypted, and that's why the process and the recommendation are the same for private IPs. If you don't enforce encrypted connections, you will never be sure that all the internal communications are happening over https.
Since Cloud SQL can manage the certificates and SSL configuration for you, the management cost of enforcing SSL connections is reduced. The performance hit is still there.
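
To see which instances the recommendation above applies to, here is an added example (not part of the original answers) that audits instance settings for TLS enforcement on both public and private IPs. It assumes input shaped like the output of `gcloud sql instances list --format=json`; the instance names, project and sample data are constructed.

```python
import json

# Constructed sample, shaped like `gcloud sql instances list --format=json`.
SAMPLE = """
[
  {"name": "orders-db", "settings": {"ipConfiguration":
      {"ipv4Enabled": true, "requireSsl": false}}},
  {"name": "internal-db", "settings": {"ipConfiguration":
      {"ipv4Enabled": false,
       "privateNetwork": "projects/example-project/global/networks/default",
       "sslMode": "ALLOW_UNENCRYPTED_AND_ENCRYPTED"}}},
  {"name": "billing-db", "settings": {"ipConfiguration":
      {"ipv4Enabled": false,
       "privateNetwork": "projects/example-project/global/networks/default",
       "sslMode": "ENCRYPTED_ONLY"}}}
]
"""

# sslMode values that reject plaintext connections.
ENCRYPTED_MODES = {"ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"}


def enforces_tls(ip_cfg):
    """True if the instance refuses unencrypted connections."""
    mode = ip_cfg.get("sslMode")
    # sslMode takes priority when set; requireSsl is the older boolean flag.
    if mode and mode != "SSL_MODE_UNSPECIFIED":
        return mode in ENCRYPTED_MODES
    return bool(ip_cfg.get("requireSsl", False))


def audit(instances):
    """Return (name, exposure) for every instance that still allows plaintext."""
    findings = []
    for inst in instances:
        ip_cfg = inst.get("settings", {}).get("ipConfiguration", {})
        if enforces_tls(ip_cfg):
            continue
        exposure = []
        if ip_cfg.get("ipv4Enabled"):
            exposure.append("public")
        if ip_cfg.get("privateNetwork"):
            exposure.append("private")
        findings.append((inst["name"], "+".join(exposure) or "unknown"))
    return findings


if __name__ == "__main__":
    for name, exposure in audit(json.loads(SAMPLE)):
        print(f"{name}: plaintext connections allowed ({exposure} IP)")
```

Private-only instances are reported the same way as public ones, so the defense-in-depth decision is made per instance rather than assumed from network placement.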