diff --git a/helm/prenet-values.yaml b/helm/prenet-values.yaml index 541a92e5..ed6ac22e 100644 --- a/helm/prenet-values.yaml +++ b/helm/prenet-values.yaml @@ -35,6 +35,8 @@ persistence: storageClass: "" size: 20Gi +# externalServiceAccount: "prenet" + extraEnvVars: - name: LOG_LEVEL value: "DEBUG" diff --git a/helm/templates/statefulset.yaml b/helm/templates/statefulset.yaml index 8e4ae8ad..e45d156a 100644 --- a/helm/templates/statefulset.yaml +++ b/helm/templates/statefulset.yaml @@ -34,6 +34,9 @@ spec: {{- end }} {{- end }} spec: + {{- if .Values.externalServiceAccount}} + serviceAccount: {{ .Values.externalServiceAccount }} + {{- end }} {{- if .Values.affinity }} affinity: {{- include "polybase.render" (dict "value" .Values.affinity "context" $) | nindent 8 }} {{- else }} @@ -165,6 +168,30 @@ spec: {{- if .Values.extraVolumeMounts }} {{- include "polybase.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }} {{- end }} + + #cloud-sql-proxy + {{- if .Values.cloudsql.enabled }} + - name: {{ include "polybase.name" . }}-sql-proxy + args: + {{- if .Values.cloudsql.credentialFile }} + - --credentials-file={{ .Values.cloudsql.credentialFile }} + {{- end }} + {{- if .Values.cloudsql.usePrivateIP }} + - --private-ip + {{- end }} + - --max-sigterm-delay={{ .Values.cloudsql.timeout | default "30s" }} + - "polybase-{{ .Values.env }}:{{ .Values.cloudsql.region }}:{{ .Values.cloudsql.db_instance }}" + image: {{ .Values.cloudsql.image }}:{{ .Values.cloudsql.tag }} + imagePullPolicy: IfNotPresent + securityContext: + {{- toYaml .Values.cloudsql.securityContext | nindent 12 }} + resources: + {{- toYaml .Values.cloudsql.resources | nindent 12 }} + {{- if .Values.cloudsql.volumesFromSecrets }} + volumeMounts: + {{ include "secret.container.mounts" .Values.cloudsql | indent 12 }} + {{- end }} + {{- end }} volumes: - name: scripts-vol configMap: diff --git a/helm/values.yaml b/helm/values.yaml index 78c9f46f..9d9861dc 100644 --- a/helm/values.yaml 
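Review bot: In helm/templates/statefulset.yaml (hunk at -34,6) the new pod-spec field is `serviceAccount`, which Kubernetes keeps only as a deprecated alias. Prefer `serviceAccountName: {{ .Values.externalServiceAccount | quote }}`, quoted so an unusual value cannot change the rendered YAML. The pod spec continues outside the hunk, so it is not visible whether `serviceAccountName` is already rendered from the chart's existing `serviceAccount` values. If it is, the two fields could name different accounts, and the override should replace that line rather than sit beside it. Because this value decides which identity the pod and the new sql-proxy sidecar run as, the commented example in prenet-values.yaml should say that the account must already exist and what it is bound to.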
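Review bot: In the sql-proxy sidecar (statefulset.yaml hunk at -165,6) the `volumeMounts` body is rendered with `{{ include "secret.container.mounts" .Values.cloudsql | indent 12 }}`. This keeps the template line's own leading spaces in front of the first mount and will probably mis-indent it; the form used elsewhere in this file would be `{{- include "secret.container.mounts" .Values.cloudsql | nindent 12 }}`. The `--credentials-file` flag and the mount are also gated on two unrelated values (`credentialFile` and `volumesFromSecrets`), so the proxy can be started pointing at a key file that nothing mounts. The helper `secret.container.mounts` and the matching pod-level `volumes:` entries are not in this diff, and `volumes:` continues outside the hunk, so confirm both exist. The connection name `"polybase-{{ .Values.env }}:..."` depends on `.Values.env`, which the visible values do not set; wrapping it as `{{ required "env is required" .Values.env }}` would fail the render instead of producing `polybase-:`.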
+++ b/helm/values.yaml @@ -234,8 +234,30 @@ serviceAccount: ## automountServiceAccountToken: true -## @section Traffic Exposure Parameters -## +## @section Cloud SQL Proxy +cloudsql: + enabled: false + usePrivateIP: true + resources: + limits: + cpu: 500m + memory: 500Mi + requests: + cpu: 100m + memory: 100Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + image: gcr.io/cloud-sql-connectors/cloud-sql-proxy + tag: "2.6.0" + region: us-central1 + db_instance: polybase + credentialFile: "/path/to/credentials.json" + volumesFromSecrets: [] ## Polybase service parameters ##
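Review bot: `credentialFile` defaults to the non-empty placeholder `"/path/to/credentials.json"`, so turning on `cloudsql.enabled` always passes `--credentials-file` with a path that the default `volumesFromSecrets: []` never mounts. It also makes a long-lived key file the default even when `externalServiceAccount` is set, which presumably exists so the proxy can use the pod's own identity. Default it to `credentialFile: ""` so the flag is omitted unless a key file is deliberately mounted, and document that choice in a `##` comment beside it. The `securityContext` already drops all capabilities and uses a read-only root filesystem; adding `runAsNonRoot: true` would complete it. The image is pinned only by the mutable tag `"2.6.0"`, so consider allowing a digest (`image@sha256:<digest>`) to keep the sidecar from changing underneath the chart.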