Connecting to gcp pubsub from pcf app deployed on-prem

[happy soul]

Hello,

I have a publisher spring boot app deployed to PCF.  The service connects to gcp pub/sub and publishes message to pub/sub topic. After deploying the service, while accessing the service, getting and error below.

"com.google.api.gax.rpc.UnavailableException: io.grpc.StatusRuntimeException: UNAVAILABLE: ioException"

The issue was fixed after whitelisting the pubsub ip address in pcf Application Security Group and restarting the app.

Can someone please help why we need to whitelist the ips in pcf to access gcp pub/sub.

If required, what is the guarantee that the gcp pub/sub ip addresses don't change in future?

[Jose Gutierrez Paliza]

Ip Whitelisting is not a security control and is hard to do at Google, it is better to avoid it. 

What you can do instead of IP Whitelisting is to use a strong mutual authentication. For example TLS Mutual Auth or application layer security.