Quotas and limits

This document lists the quotas and limits that apply to Google Cloud Armor.

Google Cloud uses quotas to help ensure fairness and reduce spikes in resource use and availability. A quota restricts how much of a Google Cloud resource your Google Cloud project can use. Quotas apply to a range of resource types, including hardware, software, and network components. For example, quotas can restrict the number of API calls to a service, the number of load balancers used concurrently by your project, or the number of projects that you can create. Quotas protect the community of Google Cloud users by preventing the overloading of services. Quotas also help you to manage your own Google Cloud resources.

The Cloud Quotas system does the following:

  • Monitors your consumption of Google Cloud products and services
  • Restricts your consumption of those resources
  • Provides a means to request changes to the quota value

In most cases, when you attempt to consume more of a resource than its quota allows, the system blocks access to the resource, and the task that you're trying to perform fails.

Quotas generally apply at the Google Cloud project level. Your use of a resource in one project doesn't affect your available quota in another project. Within a Google Cloud project, quotas are shared across all applications and IP addresses.

There are also limits on Google Cloud Armor resources. These limits are unrelated to the quota system. Limits cannot be changed unless otherwise stated.

Quotas

Google Cloud Armor resource quotas are organized according to two criteria:

  • The scope of the quota:
    • global
    • regional
  • The type of Google Cloud Armor security policy:
    • backend security policy
    • edge security policy
    • network edge security policy

Global backend security policies and global edge security policies

Google Cloud Armor uses the following per project quotas for global edge security policies, global backend security policies, and rules therein:

Resource Quota Description
Global security policies per project Quota

The limit for this quota defines the maximum number of global edge security policies and global backend security policies, together, in a project.

Quota name: SECURITY_POLICIES

Available metrics:

  • compute.googleapis.com/quota/security_policies/limit
  • compute.googleapis.com/quota/security_policies/usage
  • compute.googleapis.com/quota/security_policies/exceeded
Global security policy rules per project Quota

The limit for this quota defines the maximum total number of rules in both global edge security policies and global backend security policies, together, in a project. The usage for this quota counts the following:

  • Basic rules in global edge security policies
  • Basic rules in global backend security policies
  • Rules with advanced match conditions in global edge security policies
  • Rules with advanced match conditions in global backend security policies

Quota name: SECURITY_POLICY_RULES

Available metrics:

  • compute.googleapis.com/quota/security_policy_rules/limit
  • compute.googleapis.com/quota/security_policy_rules/usage
  • compute.googleapis.com/quota/security_policy_rules/exceeded
Global security policy rules with advanced match conditions per project Quota

The limit for this quota defines the maximum total number of rules with advanced match conditions in both global edge security policies and global backend security policies, together, in a project. The usage for this quota counts the following:

  • Rules with advanced match conditions in global edge security policies
  • Rules with advanced match conditions in global backend security policies

Quota name: SECURITY_POLICY_CEVAL_RULES

Available metrics:

  • compute.googleapis.com/quota/security_policy_ceval_rules/limit
  • compute.googleapis.com/quota/security_policy_ceval_rules/usage
  • compute.googleapis.com/quota/security_policy_ceval_rules/exceeded

Per global security policy quotas for rules with advanced match conditions

Google Cloud Armor uses the following per security policy quotas for rules with advanced match conditions in global edge security policies and global backend security policies:

Resource Quota Description
Rules with advanced match conditions per global edge security policy Quota

The limit for this quota defines the maximum number of rules with advanced match conditions in a specific global edge security policy.

Quota name: SECURITY_POLICY_ADVANCED_RULES_PER_EDGE_SECURITY_POLICY

Available metrics:

  • compute.googleapis.com/quota/advanced_rules_per_edge_security_policy/limit
  • compute.googleapis.com/quota/advanced_rules_per_edge_security_policy/usage
  • compute.googleapis.com/quota/advanced_rules_per_edge_security_policy/exceeded
Rules with advanced match conditions per global backend security policy Quota

The limit for this quota defines the maximum number of rules with advanced match conditions in a specific global backend security policy.

Quota name: SECURITY_POLICY_ADVANCED_RULES_PER_SECURITY_POLICY

Available metrics:

  • compute.googleapis.com/quota/advanced_rules_per_security_policy/limit
  • compute.googleapis.com/quota/advanced_rules_per_security_policy/usage
  • compute.googleapis.com/quota/advanced_rules_per_security_policy/exceeded

Summary of quotas counted for rules in global security policies

The following table shows which quotas are counted for basic rules and rules with advanced match conditions in global security policies:

Rule Usage counted in these quotas
Basic rule in a global edge security policy
  • Global security policy rules per project (SECURITY_POLICY_RULES)
Basic rule in a global backend security policy
  • Global security policy rules per project (SECURITY_POLICY_RULES)
Rule with advanced match conditions in a global edge security policy
  • Global security policy rules per project (SECURITY_POLICY_RULES)
  • Global security policy rules with advanced match conditions per project (SECURITY_POLICY_CEVAL_RULES)
  • Rules with advanced match conditions per global edge security policy (SECURITY_POLICY_ADVANCED_RULES_PER_EDGE_SECURITY_POLICY)
Rule with advanced match conditions in a global backend security policy
  • Global security policy rules per project (SECURITY_POLICY_RULES)
  • Global security policy rules with advanced match conditions per project (SECURITY_POLICY_CEVAL_RULES)
  • Rules with advanced match conditions per global backend security policy (SECURITY_POLICY_ADVANCED_RULES_PER_SECURITY_POLICY)

Regional backend security policies

Google Cloud Armor uses the following per region, per project quotas for regional backend security policies and rules therein:

Resource Quota Description
Regional backend security policies per region, per project Quota

The limit for this quota defines the maximum number of regional backend security policies in a region of a project.

Quota name: SECURITY_POLICIES_PER_REGION

Available metrics:

  • compute.googleapis.com/quota/regional_security_policies/limit
  • compute.googleapis.com/quota/regional_security_policies/usage
  • compute.googleapis.com/quota/regional_security_policies/exceeded
Regional backend security policy rules per region, per project Quota

The limit for this quota defines the maximum total number of rules in regional backend security policies in a region of a project. The usage for this quota counts both basic rules and rules with advanced match conditions.

Quota name: SECURITY_POLICY_RULES_PER_REGION

Available metrics:

  • compute.googleapis.com/quota/regional_security_policy_rules/limit
  • compute.googleapis.com/quota/regional_security_policy_rules/usage
  • compute.googleapis.com/quota/regional_security_policy_rules/exceeded
Regional backend security policy rules with advanced match conditions per region, per project Quota

The limit for this quota defines the maximum total number of rules with advanced match conditions in regional backend security policies in a region of a project. The usage for this quota counts only rules with advanced match conditions.

Quota name: SECURITY_POLICY_ADVANCED_RULES_PER_REGION

Available metrics:

  • compute.googleapis.com/quota/regional_security_policy_advanced_rules/limit
  • compute.googleapis.com/quota/regional_security_policy_advanced_rules/usage
  • compute.googleapis.com/quota/regional_security_policy_advanced_rules/exceeded

Per regional backend security policy quotas for rules with advanced match conditions

Google Cloud Armor uses the following per security policy quotas for rules with advanced match conditions in regional backend security policies:

Resource Quota Description
Rules with advanced match conditions per regional backend security policy Quota

The limit for this quota defines the maximum number of advanced rules in a specific regional backend security policy.

Quota name: SECURITY_POLICY_ADVANCED_RULES_PER_REGIONAL_SECURITY_POLICY

Available metrics:

  • compute.googleapis.com/quota/advanced_rules_per_regional_security_policy/limit
  • compute.googleapis.com/quota/advanced_rules_per_regional_security_policy/usage
  • compute.googleapis.com/quota/advanced_rules_per_regional_security_policy/exceeded

Summary of quotas counted for rules in regional backend security policies

The following table shows which quotas are counted for basic rules and rules with advanced match conditions in regional backend security policies:

Rule Usage counted in these quotas
Basic rule in a regional backend security policy
  • Regional backend security policy rules per region, per project (SECURITY_POLICY_RULES_PER_REGION)
Rule with advanced match conditions in a regional backend security policy
  • Regional backend security policy rules per region, per project (SECURITY_POLICY_RULES_PER_REGION)
  • Regional backend security policy rules with advanced match conditions per region, per project (SECURITY_POLICY_ADVANCED_RULES_PER_REGION )
  • Rules with advanced match conditions per regional backend security policy (SECURITY_POLICY_ADVANCED_RULES_PER_REGIONAL_SECURITY_POLICY)

Regional network edge security policies

Google Cloud Armor uses the following per region, per project quotas for regional network edge security policies and rules therein:

Resource Quota Description
Regional network edge security policies per region, per project Quota

The limit for this quota defines the maximum number of regional network edge security policies in each region of a project.

Quota name: NET_LB_SECURITY_POLICIES_PER_REGION

Available metrics:

  • compute.googleapis.com/quota/regional_net_lb_security_policies/limit
  • compute.googleapis.com/quota/regional_net_lb_security_policies/usage
  • compute.googleapis.com/quota/regional_net_lb_security_policies/exceeded
Regional network edge security policy rules per region, per project Quota

The limit for this quota defines the maximum total number of rules for regional network edge security policies in each region of a project.

Quota name: NET_LB_SECURITY_POLICY_RULES_PER_REGION

Available metrics:

  • compute.googleapis.com/quota/regional_net_lb_security_policy_rules/limit
  • compute.googleapis.com/quota/regional_net_lb_security_policy_rules/usage
  • compute.googleapis.com/quota/regional_net_lb_security_policy_rules/exceeded
Regional network edge security policy rule match values per region, per project Quota

The limit for this quota defines the maximum total number of attributes in rules of regional network edge security policies in each region of a project. The usage for this quota is the sum of SecurityPolicy.NetworkMatch attributes in every rule of every network edge security policy in a region of a project.

Quota name: NET_LB_SECURITY_POLICY_RULE_ATTRIBUTES_PER_REGION

Available metrics:

  • compute.googleapis.com/quota/regional_net_lb_security_policy_rule_attributes/limit
  • compute.googleapis.com/quota/regional_net_lb_security_policy_rule_attributes/usage
  • compute.googleapis.com/quota/regional_net_lb_security_policy_rule_attributes/exceeded

Address groups

Google Cloud Armor address groups use the following quotas:

Resource Quota Description
Cumulative capacity per organization Quota The maximum capacity per organization across all address groups in the organization, including IPv4 and IPv6 IP address ranges. Consider this limit to be 150,000 ranges, in which an IPv4 address range counts as one range and an IPv6 IP address range counts as three ranges.

For example, if you have 40,000 IPv6 IP address ranges, they count as 120,000 IPv4 IP address ranges. You can add 30,000 IPv4 IP address ranges or 10,000 IPv6 IP address ranges before you reach the limit.

Cumulative capacity per project Quota The maximum capacity per project across all address groups in the project, including IPv4 and IPv6 IP address ranges. Consider this limit to be 150,000 ranges, in which an IPv4 address range counts as one range and an IPv6 IP address range counts as three ranges.

For example, if you have 40,000 IPv6 IP address ranges, they count as 120,000 IPv4 IP address ranges. You can add 30,000 IPv4 IP address ranges or 10,000 IPv6 IP address ranges before you reach the limit.

In addition to Google Cloud Armor quotas, products that use Google Cloud Armor have their own quotas. For example, see Cloud Load Balancing quotas and limits.

Google Cloud enforces quotas on resource usage for many reasons. For example, quotas protect the community of Google Cloud users by preventing unforeseen spikes in usage. Google Cloud also offers free trial quotas that provide limited access for projects that are only exploring Google Cloud on a free trial basis.

Not all projects have the same quotas. As your use of Google Cloud expands over time, your quotas might increase accordingly. If you expect a notable upcoming increase in usage, you can proactively request quota adjustments from the Quotas page in the Google Cloud console.

To request additional quota, you must have the serviceusage.quotas.update permission. This permission is included by default for the following predefined roles: Owner, Editor, and Quota Administrator. Plan and request additional resources at least a week in advance to ensure that there is enough time to fulfill your request. To request additional quota, see requesting additional quota.

Limits

Google Cloud Armor has the following limits:

Item Limits
Number of IP addresses or IP address ranges per rule 10
Number of subexpressions for each rule with a custom expression 5
Number of characters for each subexpression in a custom expression 1024
Number of characters in a custom expression 2048
Number of regular expression matches for each custom expression 1

Number of requests per second per project across all backends with a Google Cloud Armor security policy

This limit is not enforced. Google reserves the right to limit the volume of traffic that can be processed by all security policies on a per-project basis. Direct any requests for QPS increases to your account team.

20,000
Number of network edge security services per region per project 1

Address groups

Google Cloud Armor address groups have the following limits:

Internet Protocol version Maximum capacity of a single address group Maximum addresses changed by one API command (like add-items)
IPv4 150,000 IPv4 IP address ranges 50,000 IPv4 IP address ranges
IPv6 50,000 IPv6 IP address ranges 20,000 IPv6 IP address ranges

Manage quotas

Google Cloud Armor enforces quotas on resource usage for various reasons. For example, quotas protect the community of Google Cloud users by preventing unforeseen spikes in usage. Quotas also help users who are exploring Google Cloud with the free tier to stay within their trial.

All projects start with the same quotas, which you can change by requesting additional quota. Some quotas might increase automatically based on your use of a product.

Permissions

To view quotas or request quota increases, Identity and Access Management (IAM) principals need one of the following roles.

Task Required role
Check quotas for a project One of the following:
Modify quotas, request additional quota One of the following:
  • Project Owner (roles/owner)
  • Project Editor (roles/editor)
  • Quota Administrator (roles/servicemanagement.quotaAdmin)
  • A custom role with the serviceusage.quotas.update permission

Check your quota

Console

  1. In the Google Cloud console, go to the Quotas page.

    Go to Quotas

  2. To search for the quota that you want to update, use the Filter table. If you don't know the name of the quota, use the links on this page instead.

gcloud

Using the Google Cloud CLI, run the following command to check your quotas. Replace PROJECT_ID with your own project ID.

      gcloud compute project-info describe --project PROJECT_ID

To check your used quota in a region, run the following command:

    gcloud compute regions describe example-region
    

Errors when exceeding your quota

If you exceed a quota with a gcloud command, gcloud outputs a quota exceeded error message and returns with the exit code 1.

If you exceed a quota with an API request, Google Cloud returns the following HTTP status code: 413 Request Entity Too Large.

Request additional quota

To increase or decrease most quotas, use the Google Cloud console. For more information, see Request a higher quota.

Console

  1. In the Google Cloud console, go to the Quotas page.

    Go to Quotas

  2. On the Quotas page, select the quotas that you want to change.
  3. At the top of the page, click Edit quotas.
  4. For Name, enter your name.
  5. Optional: For Phone, enter a phone number.
  6. Submit your request. Quota requests take 24 to 48 hours to process.

Resource availability

Each quota represents a maximum number for a particular type of resource that you can create, if that resource is available. It's important to note that quotas don't guarantee resource availability. Even if you have available quota, you can't create a new resource if it is not available.

For example, you might have sufficient quota to create a new regional, external IP address in the us-central1 region. However, that is not possible if there are no available external IP addresses in that region. Zonal resource availability can also affect your ability to create a new resource.

Situations where resources are unavailable in an entire region are rare. However, resources within a zone can be depleted from time to time, typically without impact to the service level agreement (SLA) for the type of resource. For more information, review the relevant SLA for the resource.