This chapter covers Cloud Pub/Sub, a fully managed asynchronous messaging service that decouples services and enables event-driven architectures. For the ACE exam, Pub/Sub appears in approximately 5-8% of questions, often integrated with Cloud Functions, Dataflow, or as a trigger for other services. You must understand its core components, delivery guarantees, subscription types, and how to configure and monitor it. This chapter provides the depth needed to answer scenario-based questions about message ordering, exactly-once delivery, and pull vs. push subscriptions.
Jump to a section
Cloud Pub/Sub is like a highly automated post office system that handles millions of messages between senders and receivers who never need to know each other's addresses. Imagine a publisher as a person dropping a postcard into a mailbox. The postcard goes to a central sorting facility (the topic), where it is stamped with a unique tracking ID and stored in a secure bin. Subscribers are like businesses that have standing orders for certain types of mail—they don't need to know who sent it, only that they want to receive it. The post office holds the message until the subscriber picks it up, even if the subscriber's truck is delayed. If the subscriber fails to confirm receipt (acknowledge), the post office keeps the message and tries again later. The system guarantees that each message is delivered at least once, just as a registered letter must be signed for. Publishers can send millions of postcards per second, and the post office scales automatically. Subscribers can be added or removed without notifying the sender. This decoupling is the core value: the sender never waits for the receiver, and the receiver can process messages at its own pace.
What is Cloud Pub/Sub?
Cloud Pub/Sub is a fully managed, real-time messaging service that allows you to send and receive messages between independent applications. It provides asynchronous communication, meaning the sender (publisher) does not wait for the receiver (subscriber) to process the message. This decoupling is essential for building scalable, reliable systems.
Core Components
Topic: A named resource to which messages are sent by publishers. Topics are created in a GCP project and are globally unique within the project. Example: projects/my-project/topics/order-created.
Subscription: A named resource representing the stream of messages from a single topic to be delivered to a subscribing application. A subscription can be pull or push.
Message: A combination of data (payload) and attributes. The payload is a byte string (up to 10 MB). Attributes are key-value pairs (up to 100 per message) used for filtering or metadata.
Publisher: An application that sends messages to a topic.
Subscriber: An application that receives messages via a subscription.
How It Works
Publishing: A publisher creates a message and sends it to a topic. The Pub/Sub service assigns a unique message ID, stores the message durably across multiple zones, and acknowledges receipt to the publisher.
Delivery: The service pushes messages to push subscribers (via HTTP POST) or holds them for pull subscribers to fetch. Each subscription receives every message published to the topic (unless filtered).
Acknowledgment: After a subscriber processes a message, it sends an acknowledgment (ACK). If the subscriber fails to ACK within the ackDeadline (default 10 seconds, max 600 seconds), the message becomes available for redelivery.
Retention: Unacknowledged messages are retained for the message retention duration (default 7 days, configurable 10 minutes to 7 days). After that, they are deleted.
Delivery Guarantees
At-Least-Once Delivery: Pub/Sub guarantees that every message published to a topic is delivered to every subscription at least once. Duplicates can occur due to redelivery on timeout.
Exactly-Once Processing (for push subscriptions): As of 2023, Pub/Sub supports exactly-once delivery for push subscriptions using the exactly-once delivery feature, which requires subscriber acknowledgment and prevents duplicates.
Ordering: By default, messages are unordered. To preserve order, you must enable message ordering on the subscription and assign ordering keys to messages. Messages with the same ordering key are delivered in order.
Subscription Types
- Pull Subscription: The subscriber initiates requests to fetch messages. Two sub-types:
- Streaming Pull: Uses a bidirectional gRPC stream for low-latency delivery. Recommended for high-throughput scenarios.
- Synchronous Pull: The subscriber sends individual Pull requests via HTTP or gRPC. Suitable for low-throughput or legacy systems.
- Push Subscription: Pub/Sub sends messages to a webhook endpoint (HTTPS). The endpoint must respond with a 200 OK within the ackDeadline. Push is ideal for Cloud Functions or App Engine.
Message Flow and Acknowledgment Deadlines
When a subscriber receives a message, it must ACK within the ackDeadline. If it does not, the message is resent. The default ackDeadline is 10 seconds, but you can modify it per subscription (10 to 600 seconds). For pull subscribers, you can also extend the deadline by sending ModifyAckDeadline requests while processing.
Filtering
Subscriptions can filter messages based on attributes. For example, a subscription might only receive messages where event_type = 'order_placed'. Filtering reduces the number of messages delivered to subscribers.
Dead Letter Queues (DLQ)
If a message repeatedly fails to be processed (e.g., subscriber errors), it can be moved to a dead letter topic after exceeding a maximum number of delivery attempts (default 5, configurable 5-100). This prevents poison messages from blocking the subscription.
Snapshots and Seek
You can create a snapshot of a subscription's state (acknowledged/unacknowledged messages) and later seek to that snapshot to replay messages. Useful for debugging or reprocessing.
IAM Roles
roles/pubsub.publisher: Allows publishing to topics.
roles/pubsub.subscriber: Allows subscribing to subscriptions.
roles/pubsub.viewer: Read-only access.
roles/pubsub.admin: Full management.
Common CLI Commands
# Create a topic
gcloud pubsub topics create my-topic
# Create a pull subscription
gcloud pubsub subscriptions create my-sub --topic=my-topic
# Publish a message
gcloud pubsub topics publish my-topic --message="Hello" --attribute="key=value"
# Pull messages
gcloud pubsub subscriptions pull my-sub --auto-ack
# Create a push subscription
gcloud pubsub subscriptions create my-push-sub --topic=my-topic --push-endpoint=https://example.com/push
# Enable exactly-once delivery on a push subscription
gcloud pubsub subscriptions update my-push-sub --enable-exactly-once-delivery
# Set ack deadline
gcloud pubsub subscriptions update my-sub --ack-deadline=60
# Set message retention duration
gcloud pubsub topics update my-topic --message-retention-duration=2dIntegration with Other Services
Cloud Functions: A Pub/Sub topic can trigger a Cloud Function. The function receives the message payload and acknowledges automatically.
Dataflow: Pub/Sub can be a source or sink for streaming pipelines.
Cloud Scheduler: Can publish messages to a topic on a schedule.
Cloud Logging: Audit logs record all Pub/Sub operations.
Performance and Limits
Publish throughput: Up to 200 MB/s per project (configurable via quota increase).
Message size: Max 10 MB.
Subscription count: Up to 10,000 per topic.
Retention duration: Min 10 minutes, max 7 days.
Ack deadline: Min 10 seconds, max 600 seconds.
Ordering keys: Up to 10,000 per subscription.
Monitoring
Use Cloud Monitoring metrics:
- pubsub.googleapis.com/subscription/num_undelivered_messages
- pubsub.googleapis.com/subscription/ack_message_count
- pubsub.googleapis.com/topic/publish_request_count
Alerts can be set for backlog growth or high publish latency.
Create a Topic
A topic is the central hub for messages. In the GCP Console, navigate to Pub/Sub > Topics and click Create Topic. Provide a unique name like 'order-events'. Optionally configure encryption with CMEK. The topic resource is created with a URI like `projects/my-project/topics/order-events`. You can also create via CLI: `gcloud pubsub topics create order-events`. No IAM is configured by default; only project owners can publish. You must grant `roles/pubsub.publisher` to service accounts or users.
Create a Subscription
Subscriptions define how messages are delivered. For a push subscription, specify an HTTPS endpoint (e.g., Cloud Function URL). For pull, select 'Pull' type. Set the ackDeadline (default 10s). Enable message ordering if needed. Use CLI: `gcloud pubsub subscriptions create order-sub --topic=order-events --ack-deadline=30`. The subscription is now bound to the topic and will receive all messages published after creation (no retroactive delivery).
Publish a Message
The publisher sends a message to the topic. The message contains a base64-encoded data field and optional attributes. Pub/Sub immediately assigns a unique message ID and stores the message redundantly. The publish request returns the message ID. For high throughput, use client libraries (Java, Python, Go, etc.) which batch messages automatically. Example Python: `publisher.publish(topic_path, data=b'Hello', event_type='order')`.
Pull and Acknowledge Messages
A pull subscriber calls `Pull` (synchronous) or uses streaming pull. Messages are delivered with an ack ID. The subscriber processes the message and sends an ACK using the ack ID. If the subscriber fails to ACK within the ackDeadline, the message becomes available for redelivery. Streaming pull maintains a long-lived gRPC connection for low latency. Use CLI: `gcloud pubsub subscriptions pull order-sub --auto-ack` to pull and immediately ACK.
Monitor and Scale
Monitor backlog via Cloud Monitoring. If `num_undelivered_messages` grows, add more subscribers (pull) or increase push endpoint capacity. For push, Pub/Sub automatically retries with exponential backoff (up to 30 minutes between retries). For pull, distribute load by creating multiple subscribers (each gets a subset of messages). Use IAM to control access. Set up alerts for message expiration (retention exceeded) or high publish latency.
Real-World Scenario 1: E-commerce Order Processing
An online retailer uses Pub/Sub to decouple the order placement service from downstream processors (inventory, shipping, billing). When a customer places an order, the order service publishes a message to orders topic with attributes like event_type=order_placed and user_id. Three subscriptions exist: inventory-sub (push to a Cloud Function that deducts stock), shipping-sub (pull by a Compute Engine worker that generates labels), and billing-sub (push to a Cloud Run service that charges the customer). The system processes thousands of orders per second. The challenge: the billing service sometimes fails (e.g., payment gateway timeout). Without a DLQ, the same message would be retried indefinitely, blocking other messages. By configuring a dead letter topic (orders-dlq) with max delivery attempts of 5, failed messages are moved aside, allowing the subscription to continue processing. The operations team monitors the DLQ and reprocesses failed messages after fixing the issue.
Real-World Scenario 2: Real-Time Analytics Pipeline
A media company ingests clickstream data from millions of users. Each click event is published to a clicks topic. A Dataflow streaming pipeline reads from a pull subscription, aggregates data in 1-minute windows, and writes to BigQuery. The pipeline uses exactly-once sinks to avoid duplicates. The Pub/Sub subscription has a message retention of 1 day to allow for reprocessing if the pipeline fails. The team uses Cloud Monitoring to alert if the subscription backlog exceeds 10 million messages. They also use ordering keys (user session ID) to ensure events from the same session are processed in order. Misconfiguration: initially, they used a 10-second ack deadline, but the Dataflow windowing caused processing delays. They increased it to 300 seconds to prevent premature redelivery.
Real-World Scenario 3: IoT Device Telemetry
A smart building company collects sensor data from thousands of IoT devices. Each device publishes to a sensors topic using the MQTT bridge (IoT Core, now deprecated, but similar). A push subscription sends data to a Cloud Function that stores readings in Firestore. The push endpoint must be a public HTTPS URL with a valid SSL certificate. The team uses message filtering to create separate subscriptions for temperature vs. humidity sensors (using attributes). They set a short ack deadline (10s) because the Cloud Function runs quickly. For devices with intermittent connectivity, they use a pull subscription with a longer retention (7 days) to ensure no data loss. Common mistake: forgetting to enable message ordering for time-series data, causing out-of-order writes.
ACE Exam Focus: Cloud Pub/Sub
Objective Codes: 3.3 (Deploy and Implement networking and data services). The exam tests your ability to choose the right messaging pattern, configure subscriptions, and understand delivery guarantees.
Common Wrong Answers: 1. "Pub/Sub guarantees exactly-once delivery for all subscription types." This is false. Exactly-once is only available for push subscriptions (with the feature enabled) and for pull subscriptions using streaming pull with exactly-once delivery (beta). The default is at-least-once. Candidates often confuse this with SQS or other services. 2. "Messages are delivered in order by default." False. Ordering must be explicitly enabled on the subscription and messages must have ordering keys. Without ordering, messages may be delivered out of order, especially with multiple subscribers. 3. "You can publish messages directly to a subscription." False. Publishers send to topics; subscriptions receive from topics. You cannot publish to a subscription. 4. "A push subscription requires a public HTTPS endpoint with a valid SSL certificate." True, but candidates may think HTTP is acceptable. The endpoint must be HTTPS and accessible from the internet.
Specific Numbers and Terms:
Maximum message size: 10 MB.
Default ack deadline: 10 seconds.
Maximum ack deadline: 600 seconds.
Message retention: 10 minutes to 7 days (default 7 days).
Maximum delivery attempts for DLQ: 5-100 (default 5).
Topic and subscription names must be unique within a project.
Pull subscribers use projects/{project}/subscriptions/{sub} format.
Edge Cases:
If a push endpoint returns a non-200 response, Pub/Sub retries with exponential backoff up to 30 minutes.
If you delete a topic, its subscriptions are also deleted.
You cannot change a subscription's topic after creation.
Snapshots can be used to replay messages, but they are not retroactive (only capture state at creation time).
How to Eliminate Wrong Answers:
If the question mentions "exactly-once", look for keywords like "push subscription" or "exactly-once delivery enabled". If not, assume at-least-once.
If the question asks about ordering, check if ordering keys and ordering on subscription are mentioned. If not, assume unordered.
If the question involves high throughput, prefer pull subscriptions (streaming pull) over push, as push has per-endpoint limits.
If the question involves a Cloud Function trigger, it must be a push subscription with an HTTPS endpoint (the Cloud Function URL).
Pub/Sub provides at-least-once delivery by default; exactly-once is available for push subscriptions with the feature enabled.
Message ordering requires enabling ordering on the subscription and assigning ordering keys to messages.
Maximum message size is 10 MB; retention period is 10 minutes to 7 days.
Default ack deadline is 10 seconds; maximum is 600 seconds.
Dead letter topics can be configured to handle poison messages after a configurable number of delivery attempts (5-100).
Push subscriptions require a public HTTPS endpoint; pull subscriptions can be used within a VPC.
Streaming pull is recommended for high-throughput pull subscribers.
Snapshots allow replaying messages from a point in time, but must be created before messages expire.
These come up on the exam all the time. Here's how to tell them apart.
Pull Subscription
Subscriber initiates requests to fetch messages.
Supports streaming pull (gRPC) for low latency.
Can be used from within a VPC without public endpoint.
Better for high throughput and batch processing.
Requires managing ack deadlines and message processing.
Push Subscription
Pub/Sub sends messages to a webhook endpoint.
Endpoint must be HTTPS and publicly accessible.
Ideal for serverless triggers (Cloud Functions, Cloud Run).
Automatic retry with exponential backoff on failure.
Limited to 300 requests per second per endpoint (default).
Mistake
Pub/Sub guarantees exactly-once delivery for all message types.
Correct
Only push subscriptions with exactly-once delivery enabled provide exactly-once. Pull subscriptions default to at-least-once. Exactly-once for pull is in beta.
Mistake
Messages are delivered in the order they were published.
Correct
Ordering is not guaranteed unless message ordering is enabled on the subscription and messages have ordering keys. Without it, messages can be delivered out of order.
Mistake
You can publish messages directly to a subscription.
Correct
Publishing is always to a topic. Subscriptions receive messages from topics. There is no direct publish-to-subscription API.
Mistake
A push subscription endpoint can be an internal IP address.
Correct
Push endpoints must be publicly accessible HTTPS URLs. They cannot be internal IPs or private VPC endpoints. For private delivery, use pull subscriptions.
Mistake
Messages are automatically deleted after being acknowledged.
Correct
Acknowledged messages are deleted from the subscription backlog, but they remain in the topic's retention store until the retention period expires. They can be replayed via snapshots if created before deletion.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Exactly-once delivery is available for push subscriptions. When creating or updating a push subscription, set the `--enable-exactly-once-delivery` flag. For pull subscriptions, exactly-once is in beta and can be enabled via `gcloud pubsub subscriptions update my-sub --enable-exactly-once-delivery`. Note that this feature prevents duplicates but requires the subscriber to properly acknowledge messages.
Pub/Sub retries the delivery with exponential backoff, starting at 1 second and increasing up to 30 minutes. The message remains unacknowledged and will be retried until the retention period expires or it is moved to a dead letter topic if configured.
No, the maximum message size is 10 MB (including attributes). For larger payloads, you can store the data in Cloud Storage and include a reference link in the message.
Enable message ordering on the subscription and assign an ordering key to each message when publishing. Messages with the same ordering key are delivered in order within a single subscription. Ensure you have only one subscriber per key for strict ordering.
A snapshot captures the state of a subscription (which messages are acknowledged and unacknowledged) at a point in time. Seek allows you to reset a subscription to a snapshot, effectively replaying messages from that point. Snapshots are retained for 7 days by default.
Yes, you can configure cross-project access by granting the appropriate IAM roles on the topic or subscription from the source project to the service account in the destination project.
Use Cloud Monitoring metric `pubsub.googleapis.com/subscription/num_undelivered_messages`. Set up an alert to notify when the backlog exceeds a threshold, indicating that subscribers are falling behind.
You've just covered Cloud Pub/Sub Patterns — now see how well it sticks with free ACE practice questions. Full explanations included, no account needed.
Done with this chapter?