Cross project push pub sub and firewall rules

Question

I have a project, call it Project A. I have created a subscription to a Pub/Sub topic owned by Project B. This subscription is configured to deliver push notifications to my endpoint. I would like to create some firewall rules to restrict access to the instances handling the pub/sub notifications so that only Google can access the instances when delivering the notifications. I don't want any other inbound traffic to the hosts. How can I do this?

Answer 1

I don't think that's possible. From https://cloud.google.com/pubsub/docs/subscriber#pubsub-pull-messages-csharp

Currently the only supported endpoint is an HTTPS server that can accept Webhook delivery. Note that the HTTPS URL for the Webhook must be accessible from the public web. The receiving endpoint may be decoupled from the Pub/Sub subscription; so messages from multiple subscriptions may be sent to a single endpoint.

To answer the larger question which may be relevant to you:

How do I prevent attackers from posting bogus messages to my endpoint?

The answer to that question is to share a secret between Project A and Project B, and include an artifact of that secret in the message attributes. Sign the message with a private key and include the signature in the attributes. Then, the endpoint receives the message and verifies the signature against a public key.