App Engine Flexible runs on GCE instances, which all have internal IPs. So you can just firewall off external traffic but allow internal, which is the default anyway.
Global GCE instances within your project, yes. Not every GCE instance everywhere, that would not be very helpful :)
If you wanted to have some instances that couldn't talk to your database, easiest thing to do is probably throw them in a separate project or create a new subnet that you firewall off and create your non-App Engine instances in that subnet.