OK, this might be only my personal interpretation of what is really happening with serverless VPC connectors, as the error report on failed setup is non-existent.
We have a strict rule to use encryption on all disks for all created instances by providing CMEK. Whenever this is not desirable or possible, we have a network tag that can bypass the rule and create an exception. We apply this consistently with anything that requires compute instances, such as VMs and Dataproc.
Alas, during the creation of a serverless VPC connector, neither is available as an option.
This blocks usage of certain patterns, such as calling a Memorystore cache from Cloud Functions or Cloud Run, as access through a VPC connector is required.
Happy to hear community thoughts on this, or even better, guidance about what I might be doing wrong or alternative patterns.
Thank you!