Tags: google-cloud-platform, google-cloud-pubsub, google-cloud-networking, google-vpc

How to use PubSub Push subscriptions with VPC Service Controls?


The Google Cloud VPC Service Controls limitations mentioned here state:

  • In projects protected by a service perimeter, new push subscriptions cannot be created.
  • Pub/Sub push subscriptions created prior to the service perimeter will not be blocked.

Questions

1. Does this mean that in order to use PubSub Push subscriptions with VPC Service control one has to:

  • Create a push subscription first and then
  • Define the VPC service perimeter

2. Is this the Google-recommended secure way to create and use PubSub push subscriptions with VPC Service Controls?

3. Or is Google's recommendation to completely avoid using PubSub push subscriptions with VPC Service Controls?


Solution

  • In your perimeter, you need to manage all the communication. An external push is an unmanaged event and is not compliant with VPC SC.

    That's why you can't create a push subscription when the perimeter is set: it's not secure.

    However, to not break your current project and architecture, Google doesn't delete/deactivate the existing push subscriptions, which continue to work as before.


    So now, because you need to manage all the connections of your VPC SC, the correct pattern is to use a pull subscription to initiate a communication from inside the VPC SC to the PubSub subscription and then get the message inside the perimeter.
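The pull pattern from the answer above, written out as a Terraform configuration. This is an added example, not code from the answer or from Google; the project ID, project number, Access Context Manager policy ID, and topic/subscription names are assumptions. The push subscription is left in as a commented-out contrast so the difference (the `push_config` block) is visible.

```hcl
# Added example (not part of the original answer).
# Assumed values: project "example-proj" (project number 123456789012) and an
# Access Context Manager policy "accessPolicies/987654321". Names are illustrative.

resource "google_pubsub_topic" "orders" {
  project = "example-proj"
  name    = "orders"
}

# Pull subscription: there is no push_config, so no external endpoint is
# involved. Consumers running inside the perimeter call pull/streamingPull
# themselves, which is the direction of communication VPC SC can police.
resource "google_pubsub_subscription" "orders_pull" {
  project              = "example-proj"
  name                 = "orders-pull"
  topic                = google_pubsub_topic.orders.id
  ack_deadline_seconds = 60
}

# Push variant, shown only for contrast. Per the limitation quoted in the
# question, creating this in a perimeter-protected project is rejected, because
# Pub/Sub would initiate an HTTPS call to an endpoint the perimeter does not manage.
#
# resource "google_pubsub_subscription" "orders_push" {
#   project = "example-proj"
#   name    = "orders-push"
#   topic   = google_pubsub_topic.orders.id
#   push_config {
#     push_endpoint = "https://handler.example.com/pubsub"   # assumed endpoint
#   }
# }

# Perimeter that puts the project inside VPC SC and restricts the Pub/Sub API,
# so only the pull subscription above is a valid way to receive messages.
resource "google_access_context_manager_service_perimeter" "pubsub_perimeter" {
  parent = "accessPolicies/987654321"
  name   = "accessPolicies/987654321/servicePerimeters/pubsub_perimeter"
  title  = "pubsub_perimeter"

  status {
    resources           = ["projects/123456789012"]
    restricted_services = ["pubsub.googleapis.com"]
  }
}
```

A practical check after applying this: the subscriber workload (for example a GKE pod or Compute Engine VM inside the perimeter) must reach Pub/Sub through Private Google Access or the restricted VIP, since the perimeter blocks the API from outside; the subscription itself carries no endpoint that an outside party can target.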