An error similar to the following can occur when you try to create a public
GKE cluster:
Constraint constraints/compute.vmExternalIpAccess violated for project
This only affects public GKE clusters, including
GKE Autopilot clusters.
When you create public GKE clusters, the underlying
Compute Engine VMs, which make up the worker nodes of this cluster, have
external IP addresses assigned.
If you configure the organization policy constraint
constraints/compute.vmExternalIpAccess
to Deny All or to restrict external IP addresses to specific VM instances at
the organization, folder, or project level, then the
policy prevents the GKE worker nodes from obtaining external IP
addresses, which results in cluster creation failure.
CLUSTER_NAME: the name of the cluster that wasn't
created.
PROJECT_ID: your project ID.
To resolve this issue, ensure that the effective policy for the constraint
constraints/compute.vmExternalIpAccess is Allow All on the project where you
are trying to create a GKE public cluster. For information on
working with this constraint, see
Restricting external IP addresses to specific VM instances.
After setting the constraint to Allow All, delete the failed cluster and
create a new cluster. This is required because repairing the failed cluster is
not possible.
What's next
If you can't find a solution to your problem in the documentation, see
Get support for further help,
including advice on the following topics:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[],[],null,["# Troubleshoot cluster creation\n\n[Autopilot](/kubernetes-engine/docs/concepts/autopilot-overview) [Standard](/kubernetes-engine/docs/concepts/choose-cluster-mode)\n\n*** ** * ** ***\n\nThis page shows you how to resolve issues with creating clusters in\nGoogle Kubernetes Engine (GKE).\n\nFor general issues with a Kubernetes cluster, see\n[Troubleshooting Clusters](https://kubernetes.io/docs/tasks/debug/debug-cluster/)\nin the Kubernetes documentation.\n\nError: Constraint constraints/compute.vmExternalIpAccess violated\n-----------------------------------------------------------------\n\nAn error similar to the following can occur when you try to create a public\nGKE cluster: \n\n Constraint constraints/compute.vmExternalIpAccess violated for project\n\nThis only affects public GKE clusters, including\nGKE Autopilot clusters.\n\nWhen you create public GKE clusters, the underlying\nCompute Engine VMs, which make up the worker nodes of this cluster, have\n[external IP addresses](/compute/docs/ip-addresses#externaladdresses) assigned.\nIf you configure the organization policy constraint\n[`constraints/compute.vmExternalIpAccess`](/resource-manager/docs/organization-policy/org-policy-constraints)\nto `Deny All` or to restrict external IP addresses to specific VM instances at\nthe organization, folder, or project level, then the\npolicy prevents the GKE worker nodes from obtaining external IP\naddresses, which results in cluster creation failure.\n\nTo find the logs of the cluster creation operation, you can review the\n[GKE Cluster Operations Audit Logs](/kubernetes-engine/docs/how-to/audit-logging) using\n[Logs Explorer](/logging/docs/view/logs-explorer-interface) with a search\nquery similar to the following: \n\n resource.type=\"gke_cluster\"\n logName=\"projects/test-last-gke-sa/logs/cloudaudit.googleapis.com%2Factivity\"\n protoPayload.methodName=\"google.container.v1beta1.ClusterManager.CreateCluster\"\n resource.labels.cluster_name=\"\u003cvar translate=\"no\"\u003eCLUSTER_NAME\u003c/var\u003e\"\n resource.labels.project_id=\"\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e\"\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003e\u003ccode translate=\"no\" dir=\"ltr\"\u003eCLUSTER_NAME\u003c/code\u003e\u003c/var\u003e: the name of the cluster that wasn't created.\n- \u003cvar translate=\"no\"\u003e\u003ccode translate=\"no\" dir=\"ltr\"\u003ePROJECT_ID\u003c/code\u003e\u003c/var\u003e: your project ID.\n\nTo resolve this issue, ensure that the effective policy for the constraint\n`constraints/compute.vmExternalIpAccess` is `Allow All` on the project where you\nare trying to create a GKE public cluster. For information on\nworking with this constraint, see\n[Restricting external IP addresses to specific VM instances](/compute/docs/ip-addresses/configure-static-external-ip-address#disableexternalip).\n\nAfter setting the constraint to `Allow All`, delete the failed cluster and\ncreate a new cluster. This is required because repairing the failed cluster is\nnot possible.\n\nWhat's next\n-----------\n\n- If you can't find a solution to your problem in the documentation, see\n [Get support](/kubernetes-engine/docs/getting-support) for further help,\n including advice on the following topics:\n\n - Opening a support case by contacting [Cloud Customer Care](/support-hub).\n - Getting support from the community by [asking questions on StackOverflow](http://stackoverflow.com/questions/tagged/google-kubernetes-engine) and using the `google-kubernetes-engine` tag to search for similar issues. You can also join the [`#kubernetes-engine` Slack channel](https://googlecloud-community.slack.com/messages/C0B9GKTKJ/) for more community support.\n - Opening bugs or feature requests by using the [public issue tracker](/support/docs/issue-trackers)."]]
