Google Cloud Platform - Pub/Sub push to private (VPN) on-premise listeners?
Official documentation for Pub/Sub service states that Push is available to listeners that are available on public network:
> An HTTPS server with non-self-signed certificate accessible on the public web.
That sounds pretty clear - but I wonder if I haven't missed something. Is it in any way possible to have the Pub/Sub service push messages to on-premise machines that are not on the public internet?
Solution 1:[1]
You should be able to achieve this with Cloud NAT:
- Reserve a static IP
- Link your DNS with this IP
- Create a subnet
- Create a route from this subnet to your VPN
- Create a NAT with your external IP which forwards requests to your subnet
- Deploy an OnPrem webserver (apache, nginx) with a valid certificate for your DNS
- Update your OnPrem route for reaching your webserver and don't forget to route the flow back!
Solution 2:[2]
> Is it in any way possible to have Pub/Sub service push messages to on-premise machines, that are not on public internet?
Not easily, if at all. You might be able to use a Reverse Proxy. This introduces several layers to manage: proxy configuration, proxy compute instance, SSL Certificates, VPC routing, on-prem router, etc. See guillaume blaquiere's answer.
On-prem resources can reach Pub/Sub via the public Internet or via VPN to private.googleapis.com, but Pub/Sub cannot connect to on-prem or VPC resources configured with private IP addresses.
Solution 3:[3]
Cloud Pub/Sub push subscriptions require a publicly accessible HTTPS endpoint. If you want to reach on-premise machines, that would have to be done via a proxy/router accessible via the public internet (as others have mentioned). Cloud Pub/Sub does not currently support VPC for push subscriptions.
Please see the note section under https://cloud.google.com/pubsub/docs/push
Solution 4:[4]
Previous answers are outdated. You can use restricted Virtual IP with Private Google Access to provide a private network route for requests to Google Cloud services without exposing the requests to the internet.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | guillaume blaquiere |
Solution 2 | John Hanley |
Solution 3 | Qiqi Wu |
Solution 4 | Sébastien Lorion |