Is it safe to open port 3306 in Firewall for external MySQL Connection

Generally restricting MySQL access to an ip address is a good idea. There can be some security concerns but a good firewall should mitigate some of them. They would have to create an additional MySQL user for you since MySQL does not allow multiple hosts (unless there's a wildcard) per user. You could request multiple users, one for each host that you are connecting from or even do partial hosts (eg. %.google.com).

An alternative solution is to create a ssh tunnel from your machine so that you can connect locally.

Here's a good article on how you can create a ssh tunnel with MySQL.

http://www.howtogeek.com/howto/ubuntu/access-your-mysql-server-remotely-over-ssh/

DO NOT open 3306.

Instead, do what every other server does: Open port 22 for secure ssh connection, then once logged on, connect locally to mysql.

The secure approach is to close the port but if your server is a shared server with other clients using the same server, the ISP may not be willing to close the port. I have this exact issue with MySQL on my ISP. In my case, they've told me that "this does not represent a security risk for your account, because despite the fact that these ports are open, no one can connect with your credentials (unless they are stolen) while remote MySQL connections are turned off."

So if you have hard, secure passwords and remote connections off from the control panels and the server privileges are locked down, you're somewhat "safe" but not 100% "secure".

If the application is mission critical or contains sensitive data, I would move to a dedicated server if needed and absolutely close the port.