Troubleshooting a push subscription

Push subscribers are a type of Pub/Sub subscriber where messages are sent from Pub/Sub to a user-specified HTTPS endpoint. The user acknowledges a pushed message by returning an HTTP 200 response to the push server's request. This document provides some common troubleshooting tips for Pub/Sub push subscriptions. Read more about push subscriptions in the Push subscriber guide.

To effectively monitor your Pub/Sub subscription, it is recommended to first look at the delivery latency health score (subscription/delivery_latency_health_score) to check which factors could be contributing to an unexpected latency.

Failing or slow push endpoints

If the endpoint returns an error response code, then the message delivery is considered to have failed and is retried later. This can potentially lead to the endpoint receiving duplicate messages.

There are multiple metrics that you can use to monitor push subscriptions. The subscription/push_request_count metric in Cloud Metrics categorizes responses from the push endpoint by response_code and response_class. The responses are useful for the identification of potential endpoint malfunctions. If this metric has data with a response_class other than ack, this indicates that the push endpoint is returning errors to Pub/Sub. Some of the most common errors include:

  • A deadline_exceeded response class indicates that the push endpoint didn't respond within the required acknowledgment (ack) deadline. The subscription/push_request_latencies metric helps to track push ack latency.

  • An invalid response class indicates that the endpoint sent back a response that Pub/Sub couldn't understand or process correctly.

  • A remote_server_4xx response class usually indicates authentication or permission issues. These are HTTP response codes returned by the endpoint, so look at the scenarios under which this response code is returned. If authentication is enabled, confirm your account has the right permission on the endpoint. Learn more about how authentication works in push subscriptions.

  • A remote_server_5xx response class indicates a server-side problem on the endpoint side. The endpoint is unable to process the request. This might be due to an ongoing maintenance or outage. Review the status of the server hosting the endpoint.

  • An unreachable response class indicates that the endpoint server cannot be reached at all. Verify the endpoint URL for typos.

Learn more about the most common error codes of the Pub/Sub API.

Restrictions on push subscriptions inside a VPC-SC perimeter

If VPC Service Controls (VPC-SC) protection is enabled in a project, there are limitations on creating push subscriptions. Existing push subscriptions continue to work, but when you create a new push subscription, you see the error: Request is prohibited by organization's policy. Specifically, new push subscriptions can only be created if the push endpoint is a Cloud Run service using the default URL. For more details and specific limitations, see Pub/Sub documentation and VPC-SC documentation.