If you have a mysql user that you want to be only accessible from some IPs, instead of all IPs using the % like you said, you can do it like this:
GRANT ALL PRIVILEGES ON database_name.* TO 'username'@'85.85.85.85' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON database_name.* TO 'username'@'84.84.84.84' IDENTIFIED BY 'password';
That allows the “username” with the “password” to be accessible only from 85.85.85.85 and 84.84.84.84.
To add another layer of security yes you should also use the firewall for it to be sure.
Bind-address is where the MySQL server will listen to connections. If it’s 127.0.0.1 it will only listen to local connections, if it is commented then it’s the same as having:
bind-address=0.0.0.0
This will listen to all the IP addresses associated with the server.
So for example if your server has the following IPs:
123.123.123.123
456.456.456.456
789.789.789.789
If you have bind-address commented, it will listen for connections coming from all of those IPs. If you setup:
bind-address=456.456.456.456
It will only listen for connections coming through that IP, any connection coming from the other IPs is rejected.