Backend service APIs are implemented in NodeJS using NestJS framework.
All APIs are protected with an id token sent from the frontend. Integrity and authenticity of the token is verified in the backend and the users uid is retrieved.
Database in Cloud SQL is setup so that the only authorized network that access it, is the IP of the VM where the backend service APIs are implemented. All communications from VM to database are SSL encrypted.