Quotas and limits

This document lists the quotas and limits that apply to Google Cloud Armor.

A quota restricts how much of a particular shared Google Cloud resource your Cloud project can use, including hardware, software, and network components.

Quotas are part of a system that does the following:

  • Monitors your use or consumption of Google Cloud products and services.
  • Restricts your consumption of those resources for reasons including ensuring fairness and reducing spikes in usage.
  • Maintains configurations that automatically enforce prescribed restrictions.
  • Provides a means to make or request changes to the quota.

When a quota is exceeded, in most cases, the system immediately blocks access to the relevant Google resource, and the task that you're trying to perform fails. In most cases, quotas apply to each Cloud project and are shared across all applications and IP addresses that use that Cloud project.

Many products and services also have limits that are unrelated to the quota system. These are constraints, such as maximum file sizes or database schema limitations, which generally cannot be increased or decreased, unless otherwise stated.

Quotas

Google Cloud Armor has the following quotas:

Item Quotas
Number of security policies per project 10
Number of security rules per project across all security policies 200
Number of rules with an advanced match condition across all security policies per project 20

In addition, other resources used with Google Cloud Armor might also have quotas.

Google Cloud enforces quotas on resource usage for many reasons. For example, quotas protect the community of Google Cloud users by preventing unforeseen spikes in usage. Google Cloud also offers free trial quotas that provide limited access for projects that are only exploring Google Cloud on a free trial basis.

Not all projects have the same quotas. As your use of Google Cloud expands over time, your quotas might increase accordingly. If you expect a notable upcoming increase in usage, you can proactively request quota adjustments from the Quotas page in the Google Cloud Console.

To request additional quota, you must have the serviceusage.quotas.update permission. This permission is included by default for the following predefined roles: Owner, Editor, and Quota Administrator. Plan and request additional resources at least a week in advance to ensure that there is enough time to fulfill your request. To request additional quota, see requesting additional quota.

Limits

Google Cloud Armor has the following limits:

Item Limits
Number of IP addresses or IP address ranges per rule 10
Number of subexpressions for each rule with a custom expression 5
Number of characters for each subexpression in a custom expression 1024
Number of characters in a custom expression 2048
Number of regular expression matches for each custom expression 1
Number of requests per second per project across all backends with a Google Cloud Armor security policy. Google Cloud Armor limits the volume of traffic that can be processed by all security policies on a per-project basis. Direct any requests for QPS quota increases to your account team. 20,000

Managing quotas

Google Cloud Armor enforces quotas on resource usage for various reasons. For example, quotas protect the community of Google Cloud users by preventing unforeseen spikes in usage. Quotas also help users who are exploring Google Cloud with the free tier to stay within their trial.

All projects start with the same quotas, which you can change by requesting additional quota. Some quotas may increase automatically based on your use of a product.

Permissions

To view quotas or request quota increases, Identity and Access Management (IAM) members need one of the following roles.

Task Required role
Check quotas for a project One of the following:
Modify quotas, request additional quota One of the following:

Checking your quota

Console

  1. In the Cloud Console, go to the Quotas page.

    Go to Quotas

  2. To search for the quota that you want to update, use the Filter table. If you don't know the name of the quota, use the links on this page instead.

gcloud

Using the gcloud command-line tool, run the following command to check your quotas. Replace PROJECT_ID with your own project ID.

      gcloud compute project-info describe --project PROJECT_ID
    

To check your used quota in a region, run the following command:

      gcloud compute regions describe example-region
    

Errors when exceeding your quota

If you exceed a quota with a gcloud command, gcloud outputs a quota exceeded error message and returns with the exit code 1.

If you exceed a quota with an API request, Google Cloud returns the following HTTP status code: HTTP 413 Request Entity Too Large.

Requesting additional quota

To increase or decrease most quotas, use the Google Cloud Console. Some quotas can't be increased above their default values.

For more information, see the following sections of Working with quotas:

Console

  1. In the Cloud Console, go to the Quotas page.

    Go to Quotas

  2. On the Quotas page, select the quotas that you want to change.
  3. At the top of the page, click Edit quotas.
  4. Fill out your name, email, and phone number, and then click Next.
  5. Fill in your quota request, and then click Done.
  6. Submit your request. Quota requests take 24 to 48 hours to process.

Resource availability

Each quota represents a maximum number for a particular type of resource that you can create, if that resource is available. It's important to note that quotas do not guarantee resource availability. Even if you have available quota, you can't create a new resource if it is not available.

For example, you might have sufficient quota to create a new regional, external IP address in the us-central1 region. However, that is not possible if there are no available external IP addresses in that region. Zonal resource availability can also affect your ability to create a new resource.

Situations where resources are unavailable in an entire region are rare. However, resources within a zone can be depleted from time to time, typically without impact to the service level agreement (SLA) for the type of resource. For more information, review the relevant SLA for the resource.