Best Approach for Connecting MySQL (Behind VPN) to Retool – SSH Tunnel vs. Exposing Retool Cloud IPs

We are trying to connect to a MySQL server that is protected by a VPN and want to periodically pull data from there into the Retool database.

In the Resources tab in Retool, we see an option to connect to MySQL using SSH tunneling. To facilitate this, we have set up a bastion host.
Our main question: Is using an SSH tunnel via a bastion host the best approach, or would it be better to expose our MySQL server to Retool Cloud IPs?

Hey @toki13! Welcome to the community. :slightly_smiling_face:

Between the two options, SSH tunneling is generally the better, more secure option. You can apply fairly robust security rules - including IP allowlisting - on top of the more robust data encryption.

@Darren Thanks for the response!

Regarding the IP whitelisting that Retool currently offers, in what context is it typically used? For example, is it meant for direct database connections or other specific scenarios?


For databases or other resources that already have a public endpoint, I definitely recommend configuring an IP allowlist. :+1:

To be clear, though, it's possible to configure SSH tunneling while also adding an IP allowlist to your bastion host, which I recommend doing.
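The combination recommended above (SSH tunnel plus an IP allowlist on the bastion host), as an added example that is not part of the original thread. It assumes an OpenSSH bastion; the account name `retool-tunnel`, the host `db.internal.example`, the 203.0.113.x addresses (documentation range) and the key are placeholders to replace with your own values and the egress IPs and public key Retool shows for your resource.

```conf
# --- /etc/ssh/sshd_config on the bastion (assumed OpenSSH) ---
# Dedicated, non-interactive account used only for the Retool tunnel.
# "retool-tunnel" is a hypothetical account name.
Match User retool-tunnel
    # Key-based login only for this account
    PasswordAuthentication no
    AuthenticationMethods publickey
    # Allow only client-to-target (local) forwarding, and only to MySQL
    AllowTcpForwarding local
    PermitOpen db.internal.example:3306
    # Nothing else this account could use to move around the bastion
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    GatewayPorts no

# --- ~retool-tunnel/.ssh/authorized_keys (one line) ---
# from=        : IP allowlist enforced per key (placeholder addresses)
# restrict     : turns off PTY, agent/X11 forwarding and all port forwarding
# port-forwarding + permitopen : re-enable forwarding to the MySQL host only
from="203.0.113.10,203.0.113.11",restrict,port-forwarding,permitopen="db.internal.example:3306" <KEY_TYPE> <RETOOL_PUBLIC_KEY> retool-cloud

# --- Network layer (security group / host firewall) ---
# Inbound tcp/22 on the bastion: allow only the same Retool egress addresses.
# Inbound tcp/3306 on the MySQL server: allow only the bastion's private IP.
```

Run `sshd -t` to validate the configuration before reloading sshd, and keep the MySQL account Retool uses read-only if the job only pulls data.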