Access connector creation fails or in error state

Problem

When trying to create a serverless Virtual Private Cloud access connector, it fails with the following error: 
An internal error occurred: Failed to create a VPC Access connector. Please delete the connector manually.

An internal error occurred: VPC Access connector failed to get healthy. Please check quotas, logs and org policies and recreate.

The connector has the following state in the Cloud console:

Connector is in a bad state, manual deletion recommended.

Environment

  • Serverless Virtual Private Cloud access

Solution

  1. Create the connector using a name no longer than 25 characters.
    • Check if the name exceeds 25 characters or includes a hyphen. Although the console User interface does not allow more than 25 characters, you may exceed this limit via gcloud CLI or the REST API's.
  2. Ensure the Serverless VPC Access image from the console's internal project projects/serverless-vpc-access-images is trusted for use in your project where the VPC connector lies:
    • This could be done by adding the Serverless Image Project: projects/serverless-vpc-access-images to the list of allowed values in the Restriction: constraints/compute.trustedImageProjects. Refer to Set image access constraints for more information.
  3. If the connector was previously working but is now showing an error such as the one below change the machine type to a different size and change it back to the previous size.   
    Connector is in a bad state, manual deletion recommended.

Cause

  • The auto generated firewall rule names can become too long and are only visible internally, causing the resource creation to fail in the Deployment Manager, and the connector to be marked unhealthy, however it does not inform the user.
    • Serverless Virtual Private Cloud Connector creates Google Compute Engine VMs which act as the proxy between the calling application and resources in the Virtual Private Cloud network. 
    • The connector resource also creates a few firewall rules to allow traffic through the proxy VMs, and the rules have a naming convention similar to aet-REGION-CONNECTOR_NAME-FW_RULE_NAME (e.g. aet-uscentral1-test-fwr1).
    • As per the naming convention for Google Compute Engine resources, the resource name must not exceed 63 characters in length. Creating a serverless Virtual Private Cloud connector with a name longer than 25 characters would result in the creation of an implied firewall rule name longer than 63 characters thereby causing failure in resource creation.
  • If an organizational policy constraint constraints/compute.trustedImageProjects does not have an allow on the Serverless Image Project  projects/serverless-vpc-access-images  the creation of Virtual Private Cloud Serverless access connector fails with the below error: 
    An internal error occurred: VPC Access connector failed to get healthy. Please check quotas, logs and org policies and recreate.