
VPC Access connector failed to get healthy

I am getting the error below while trying to create a VPC Access connector in GCP region us-central1:

An internal error occurred: VPC Access connector failed to get healthy. Please check GCE quotas, logs and org policies and recreate.

I also tried to create the VPC access connector in region us-east1 but got the same issue.

I tried searching for existing bugs on the GCP issues portal but could not find this issue.

I have tried to follow image access constraint but I don't have an organisation so I am unable to edit the required policy.

It can be an internal IP subnet assignment issue. This subnet must be used exclusively by the connector per the documentation:

Every VPC connector requires its own /28 subnet to place connector instances on; this subnet must not have any other resources on it other than the VPC connector. If you don't use Shared VPC, you can either create a subnet for the connector to use, or specify an unused custom IP range for the connector to create a subnet for its use. If you choose the custom IP range, the subnet that is created is hidden and cannot be used in firewall rules and NAT configurations.

Or it can also be that you are missing the required image access constraint. In this case, you may follow this step-by-step guide to setting image access constraints:

  1. Go to the Organization policies page.
  2. In the policies list, click Define trusted image projects.
  3. Click Edit to customize your existing trusted image constraints.
  4. On the Edit page, select Customize.
  5. In the Policy values drop-down list, select Custom to set the constraint on specific image projects.
  6. In the Policy type drop-down list, specify a value as follows:
    - To restrict the specified image projects, select Deny.
    - To remove restrictions for the specified image projects, select Allow.
  7. In the Custom values field, enter the names of image projects using projects/IMAGE_PROJECT format. Replace IMAGE_PROJECT with the image project you want to set constraints on, in this case "serverless-vpc-access-images". If you are setting project-level constraints, then they might conflict with the existing constraints set on your organization or folder.
  8. Click New policy value to add multiple image projects.
  9. Click Save to apply the constraint.

Additionally, please make sure that there are no firewall rules on your VPC network with a priority before 1000 that deny ingress from your connector's IP range.
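The two network checks from the answer above can be run against exported configuration. The following is an added example, not part of the original answer; the sample data is constructed and assumes the JSON shape produced by `gcloud compute firewall-rules list --format=json` and `gcloud compute networks subnets list --format=json`, and `check_connector_range` is a hypothetical helper name.

```python
import ipaddress

# Constructed sample data (not from the original post), shaped like gcloud JSON output.
SAMPLE_FIREWALL_RULES = [
    {"name": "deny-rfc1918", "direction": "INGRESS", "priority": 900,
     "denied": [{"IPProtocol": "all"}], "sourceRanges": ["10.0.0.0/8"]},
    {"name": "deny-low-priority", "direction": "INGRESS", "priority": 2000,
     "denied": [{"IPProtocol": "all"}], "sourceRanges": ["10.8.0.0/28"]},
    {"name": "allow-ssh", "direction": "INGRESS", "priority": 500,
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "sourceRanges": ["0.0.0.0/0"]},
    {"name": "deny-egress", "direction": "EGRESS", "priority": 100,
     "denied": [{"IPProtocol": "all"}], "destinationRanges": ["10.8.0.0/28"]},
]
SAMPLE_SUBNETS = [
    {"name": "default", "ipCidrRange": "10.128.0.0/20"},
    {"name": "apps", "ipCidrRange": "10.8.0.0/24"},
]

def check_connector_range(connector_cidr, firewall_rules, subnets):
    """Return findings that could keep a connector on this range from getting healthy."""
    conn = ipaddress.ip_network(connector_cidr, strict=True)
    findings = []
    if conn.prefixlen != 28:
        findings.append(f"range {conn} is not a /28")
    # A custom IP range must be unused: it may not overlap any existing subnet.
    for s in subnets:
        if conn.overlaps(ipaddress.ip_network(s["ipCidrRange"])):
            findings.append(f"overlaps subnet {s['name']} ({s['ipCidrRange']})")
    # Deny-ingress rules evaluated before priority 1000 that cover the connector range.
    for r in firewall_rules:
        if r.get("disabled") or r.get("direction", "INGRESS") != "INGRESS":
            continue
        if not r.get("denied") or r.get("priority", 1000) >= 1000:
            continue
        for src in r.get("sourceRanges", []):
            if conn.overlaps(ipaddress.ip_network(src)):
                findings.append(
                    f"firewall rule {r['name']} (priority {r['priority']}) "
                    f"denies ingress from {src}")
    return findings

if __name__ == "__main__":
    for finding in check_connector_range("10.8.0.0/28", SAMPLE_FIREWALL_RULES, SAMPLE_SUBNETS):
        print(finding)
```
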

I am having the same issue. After reading this thread I checked different regions with exactly the same configuration:

Network: Default
Subnet: Custom IP range
IP range: 10.8.0.0/28

I can confirm that changing the area solves the issue. In my case, I proceeded successfully with australia-southeast2. Basically, when creating a VPC connector in Google Cloud, some regions work and some others do not.

It may be a capacity problem over some Google regions.
