This document lists the quotas and limits that apply to Google Cloud Armor.
A quota restricts how much of a shared Google Cloud resource your Google Cloud project can use, including hardware, software, and network components. Therefore, quotas are a part of a system that does the following:
- Monitors your use or consumption of Google Cloud products and services.
- Restricts your consumption of those resources, for reasons that include ensuring fairness and reducing spikes in usage.
- Maintains configurations that automatically enforce prescribed restrictions.
- Provides a means to request or make changes to the quota.
In most cases, when a quota is exceeded, the system immediately blocks access to the relevant Google resource, and the task that you're trying to perform fails. In most cases, quotas apply to each Google Cloud project and are shared across all applications and IP addresses that use that Google Cloud project.
There are also limits on Google Cloud Armor resources. These limits are unrelated to the quota system. Limits cannot be changed unless otherwise stated.
Quotas
Google Cloud Armor resource quotas are organized according to two criteria:
- The scope of the quota:
- global
- regional
- The type of Google Cloud Armor security policy:
- backend security policy
- edge security policy
- network edge security policy
Global backend security policies and global edge security policies
Global backend security policies and global edge security policies use the following quotas:
| Resource | Quota | Description |
|---|---|---|
| Global security policies | Quota | The limit for this quota defines the maximum number of global backend security policies and global edge security policies of a project. Quota name: Available metrics:
|
| Global security policy rules | Quota | The limit for this quota defines the maximum total number of rules for both global backend security policies and global edge security policies, together, in a project. The usage for this quota counts every rule among all global security policies in a project, regardless of whether a rule uses basic or advanced match conditions. Quota name: Available metrics:
|
| Global security policy rules with advanced match conditions | Quota | The limit for this quota defines the maximum total number of rules with advanced match conditions for both global backend security policies and global edge security policies, together, in a project. Global security policy rules with advanced match conditions also contribute to the usage of the Global security policy rules quota described in the previous row. Quota name: Available metrics:
|
Regional backend security policies
Regional backend security policies use the following quotas:
| Resource | Quota | Description |
|---|---|---|
| Regional backend security policies | Quota | The limit for this quota defines the maximum number of regional backend security policies in each region of a project. Quota name: Available metrics:
|
| Regional backend security policy rules | Quota | The limit for this quota defines the maximum total number of rules for regional backend security policies in each region of a project. The usage for this quota counts every rule of every regional backend security policy in a region of a project, regardless of whether a rule uses basic or advanced match conditions. Quota name: Available metrics:
|
| Regional backend security policy rules with advanced match conditions | Quota | The limit for this quota defines the maximum total number of rules with advanced match conditions for regional backend security policies in each region of a project. Regional backend security policy rules with advanced match conditions also contribute to the usage of the region's Regional backend security policy rules quota described in the previous row. Quota name: Available metrics:
|
Regional network edge security policies
Regional network edge security policies use the following quotas:
| Resource | Quota | Description |
|---|---|---|
| Regional network edge security policies | Quota | The limit for this quota defines the maximum number of regional network edge security policies in each region of a project. Quota name: Available metrics:
|
| Regional network edge security policy rules | Quota | The limit for this quota defines the maximum total number of rules for regional network edge security policies in each region of a project. Quota name: Available metrics:
|
| Regional network edge security policy rule match values | Quota | The limit for this quota defines the maximum total number of attributes
in rules for regional network edge security policies in each region of a
project. The usage for this quota is the sum of
Quota name: Available metrics:
|
Address groups
Google Cloud Armor address groups use the following quotas:
| Resource | Quota | Description |
|---|---|---|
| Cumulative capacity per organization | Quota | The maximum capacity per organization across all address groups in the
organization, including IPv4 and IPv6 IP address ranges.
Consider this limit to be 150,000 ranges, in which an IPv4
address range counts as one range and an IPv6 IP address range
counts as three ranges.For example, if you have 40,000
|
| Cumulative capacity per project | Quota | The maximum capacity per project across all address groups in the
project, including IPv4 and IPv6 IP address ranges.
Consider this limit to be 150,000 ranges, in which an IPv4
address range counts as one range and an IPv6 IP address range
counts as three ranges.For example, if you have 40,000
|
In addition to Google Cloud Armor quotas, products that use Google Cloud Armor have their own quotas. For example, see Cloud Load Balancing quotas and limits.
Google Cloud enforces quotas on resource usage for many reasons. For example, quotas protect the community of Google Cloud users by preventing unforeseen spikes in usage. Google Cloud also offers free trial quotas that provide limited access for projects that are only exploring Google Cloud on a free trial basis.
Not all projects have the same quotas. As your use of Google Cloud expands over time, your quotas might increase accordingly. If you expect a notable upcoming increase in usage, you can proactively request quota adjustments from the Quotas page in the Google Cloud console.
To request additional quota, you must have the serviceusage.quotas.update
permission. This permission is included by default for the following
predefined roles: Owner,
Editor, and Quota Administrator. Plan and request
additional resources at least a week in advance to ensure that there is enough
time to fulfill your request. To request additional quota, see
requesting additional quota.
Limits
Google Cloud Armor has the following limits:
| Item | Limits |
|---|---|
| Number of IP addresses or IP address ranges per rule | 10 |
| Number of subexpressions for each rule with a custom expression | 5 |
| Number of characters for each subexpression in a custom expression | 1024 |
| Number of characters in a custom expression | 2048 |
| Number of regular expression matches for each custom expression | 1 |
Number of requests per second per project across all backends with a Google Cloud Armor security policy This limit is not enforced. Google reserves the right to limit the volume of traffic that can be processed by all security policies on a per-project basis. Direct any requests for QPS increases to your account team. |
20,000 |
| Number of network edge security services per region per project | 1 |
Address groups
Google Cloud Armor address groups have the following limits:
| Internet Protocol version | Maximum capacity of a single address group | Maximum addresses changed by one API command (like add-items) |
|---|---|---|
| IPv4 | 150,000 IPv4 IP address ranges |
50,000 IPv4 IP address ranges |
| IPv6 | 50,000 IPv6 IP address ranges |
20,000 IPv6 IP address ranges |
Manage quotas
Google Cloud Armor enforces quotas on resource usage for various reasons. For example, quotas protect the community of Google Cloud users by preventing unforeseen spikes in usage. Quotas also help users who are exploring Google Cloud with the free tier to stay within their trial.
All projects start with the same quotas, which you can change by requesting additional quota. Some quotas might increase automatically based on your use of a product.
Permissions
To view quotas or request quota increases, Identity and Access Management (IAM) principals need one of the following roles.
| Task | Required role |
|---|---|
| Check quotas for a project | One of the following:
|
| Modify quotas, request additional quota | One of the following:
|
Check your quota
Console
- In the Google Cloud console, go to the Quotas page.
- To search for the quota that you want to update, use the Filter table. If you don't know the name of the quota, use the links on this page instead.
gcloud
Using the Google Cloud CLI, run the following command to
check your quotas. Replace PROJECT_ID with your own project ID.
gcloud compute project-info describe --project PROJECT_ID
To check your used quota in a region, run the following command:
gcloud compute regions describe example-region
Errors when exceeding your quota
If you exceed a quota with a gcloud command,
gcloud outputs a quota exceeded error
message and returns with the exit code 1.
If you exceed a quota with an API request, Google Cloud returns the
following HTTP status code: 413 Request Entity Too Large.
Request additional quota
To increase or decrease most quotas, use the Google Cloud console. For more information, see Request a higher quota.
Console
- In the Google Cloud console, go to the Quotas page.
- On the Quotas page, select the quotas that you want to change.
- At the top of the page, click Edit quotas.
- For Name, enter your name.
- Optional: For Phone, enter a phone number.
- Submit your request. Quota requests take 24 to 48 hours to process.
Resource availability
Each quota represents a maximum number for a particular type of resource that you can create, if that resource is available. It's important to note that quotas don't guarantee resource availability. Even if you have available quota, you can't create a new resource if it is not available.
For example, you might have sufficient quota to create a new regional, external IP address
in the us-central1 region. However, that is not possible if there are no
available external IP addresses in that region. Zonal resource
availability can also affect your ability to create a new resource.
Situations where resources are unavailable in an entire region are rare. However, resources within a zone can be depleted from time to time, typically without impact to the service level agreement (SLA) for the type of resource. For more information, review the relevant SLA for the resource.