0

The official documentation for the Pub/Sub service states that Push is available to listeners that are available on the public network:

An HTTPS server with non-self-signed certificate accessible on the public web.

That sounds pretty clear, but I wonder if I haven't missed something. Is it in any way possible to have the Pub/Sub service push messages to on-premise machines that are not on the public internet?

Ivan

4 Answers

0

You should be able to achieve this with Cloud NAT:

  • Reserve a static IP
  • Link your DNS with this IP
  • Create a subnet
  • Create a route from this subnet to your VPN
  • Create a NAT with your external IP which forwards requests to your subnet
  • Deploy an OnPrem webserver (apache, nginx) with valid certificate for your DNS
  • Update your OnPrem route for reaching your webserver and don't forget to route the flow back!
guillaume blaquiere
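An added example, not part of the answer above or of Google's documentation: a minimal on-prem handler for the web server step, meant to sit behind the TLS-terminating proxy. It assumes the standard Pub/Sub push JSON envelope (`message.data` base64-encoded, plus a `subscription` field); the subscription path, port and size cap are placeholders.

```python
import base64
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed values (placeholders, not from the page).
EXPECTED_SUBSCRIPTION = "projects/example-project/subscriptions/onprem-push"
MAX_BODY_BYTES = 1024 * 1024

def handle_push(body, expected_subscription=EXPECTED_SUBSCRIPTION):
    """Return (http_status, payload_or_None) for one push request body."""
    if len(body) > MAX_BODY_BYTES:
        return 413, None
    try:
        envelope = json.loads(body)
        subscription = envelope["subscription"]
        data = envelope["message"].get("data", "")
        payload = base64.b64decode(data, validate=True)
    except (ValueError, KeyError, TypeError, AttributeError):
        return 400, None  # malformed envelope or invalid base64
    # Routing sanity check only: the body is sender-controlled, so this
    # field is not authentication of the caller.
    if subscription != expected_subscription:
        return 403, None
    # A success status acknowledges the message; anything else is redelivered.
    return 204, payload

def sample_body(data, subscription=EXPECTED_SUBSCRIPTION):
    """Build a constructed push request body for local testing."""
    message = {"data": base64.b64encode(data).decode(), "messageId": "1"}
    return json.dumps({"message": message, "subscription": subscription}).encode()

class PushHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", "0"))
        except ValueError:
            length = 0
        body = self.rfile.read(max(0, min(length, MAX_BODY_BYTES + 1)))
        status, payload = handle_push(body)
        if payload is not None:
            print("received", len(payload), "bytes")
        self.send_response(status)
        self.end_headers()

if __name__ == "__main__":
    # Listen on loopback; the proxy (apache, nginx) holds the certificate.
    HTTPServer(("127.0.0.1", 8080), PushHandler).serve_forever()
```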
0

Is it in any way possible to have Pub/Sub service push messages to on-premise machines, that are not on public internet?

Not easily, if at all. You might be able to use a Reverse Proxy. This introduces several layers to manage: proxy configuration, proxy compute instance, SSL Certificates, VPC routing, on-prem router, etc. See guillaume blaquiere's answer.

On-prem resources can reach Pub/Sub via the public Internet or via VPN to private.googleapis.com, but Pub/Sub cannot connect to on-prem or VPC resources configured with private IP addresses.

John Hanley
0

Cloud Pub/Sub push subscriptions require a publicly accessible HTTPS endpoint. If you want to reach on-premise machines, that would have to be done via a proxy/router accessible via the public internet (as others have mentioned). Cloud Pub/Sub does not currently support VPC for push subscriptions.

Please see the note section under https://cloud.google.com/pubsub/docs/push

Qiqi Wu
-1

Previous answers are outdated. You can use restricted Virtual IP with Private Google Access to provide a private network route for requests to Google Cloud services without exposing the requests to the internet.