Max

Reputation: 15985

Cross project push pub sub and firewall rules

I have a project, call it Project A. I have created a subscription to a Pub/Sub topic owned by Project B. This subscription is configured to deliver push notifications to my endpoint. I would like to create some firewall rules to restrict access to the instances handling the pub/sub notifications so that only Google can access the instances when delivering the notifications. I don't want any other inbound traffic to the hosts. How can I do this?

Upvotes: 1

Views: 1811

Answers (1)

Jeffrey Rennie

Reputation: 3443

I don't think that's possible. From https://cloud.google.com/pubsub/docs/subscriber#pubsub-pull-messages-csharp

Currently the only supported endpoint is an HTTPS server that can accept Webhook delivery. Note that the HTTPS URL for the Webhook must be accessible from the public web. The receiving endpoint may be decoupled from the Pub/Sub subscription; so messages from multiple subscriptions may be sent to a single endpoint.

To answer the larger question which may be relevant to you:

How do I prevent attackers from posting bogus messages to my endpoint?

The answer to that question is to share a secret between Project A and Project B, and include an artifact of that secret in the message attributes. Sign the message with a private key and include the signature in the attributes. Then, the endpoint receives the message and verifies the signature against a public key.

Upvotes: 1
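The message-authentication scheme described in the answer above, as an added example that is not part of the original post. It uses an HMAC-SHA256 tag over a shared secret (the "shared secret between Project A and Project B" the answer mentions) rather than a public-key signature, so it runs with only the standard library; the push body layout (`message.data` base64-encoded, `message.attributes`, `subscription`) follows the Pub/Sub push format, while the secret value, attribute name `sig`, subscription name and message data are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Shared secret known to the publisher (Project B) and the push endpoint (Project A).
# Constructed placeholder; in practice load it from a secret manager, never from source.
SHARED_SECRET = b"constructed-shared-secret-replace-me"
SIG_ATTR = "sig"  # attribute that carries the tag (assumed name)


def _canonical(data: bytes, attributes: dict) -> bytes:
    """Bytes that get signed: the payload plus every attribute except the tag itself,
    serialized with sorted keys so tampering with attributes is detected too."""
    attrs = {k: v for k, v in attributes.items() if k != SIG_ATTR}
    return data + b"\n" + json.dumps(attrs, sort_keys=True).encode()


def sign_attributes(data: bytes, attributes: dict, secret: bytes = SHARED_SECRET) -> dict:
    """Publisher side (Project B): return the attributes with an HMAC-SHA256 tag added."""
    tag = hmac.new(secret, _canonical(data, attributes), hashlib.sha256).hexdigest()
    return {**attributes, SIG_ATTR: tag}


def verify_push_body(body: bytes, secret: bytes = SHARED_SECRET) -> bytes:
    """Endpoint side (Project A): parse a Pub/Sub push request body and return the
    message data only if the tag attribute is valid. Raises ValueError otherwise."""
    try:
        message = json.loads(body)["message"]
        data = base64.b64decode(message.get("data", ""), validate=True)
        attributes = message.get("attributes") or {}
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("malformed push body") from exc
    presented = attributes.get(SIG_ATTR)
    if not isinstance(presented, str):
        raise ValueError("missing signature attribute")
    expected = hmac.new(secret, _canonical(data, attributes), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the tag byte by byte.
    if not hmac.compare_digest(presented, expected):
        raise ValueError("bad signature")
    return data


def make_push_body(data: bytes, attributes: dict) -> bytes:
    """Constructed sample of what Pub/Sub POSTs to a push endpoint."""
    return json.dumps({
        "message": {"data": base64.b64encode(data).decode(),
                    "attributes": attributes, "messageId": "1"},
        "subscription": "projects/project-a/subscriptions/constructed-sub",
    }).encode()
```

A request whose payload or attributes were altered, or that carries no tag at all, is rejected before any handler logic runs, regardless of which IP it arrived from.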
