Best Approach for Connecting MySQL (Behind VPN) to Retool – SSH Tunnel vs. Exposing Retool Cloud IPs

We are trying to connect to a MySQL server that is protected by a VPN and want to periodically pull data from there into the Retool database.

In the Resources tab in Retool, we see an option to connect to MySQL using SSH tunneling. To facilitate this, we have set up a bastion host.
Our main question: Is using an SSH tunnel via a bastion host the best approach, or would it be better to expose our MySQL server to Retool Cloud IPs?