This document lists the quotas and limits that apply to Cloud Load Balancing.
To change a quota, see requesting additional quota.
A quota restricts how much of a particular shared Google Cloud resource your Google Cloud project can use, including hardware, software, and network components.
Quotas are part of a system that does the following:
- Monitors your use or consumption of Google Cloud products and services.
- Restricts your consumption of those resources for reasons including ensuring fairness and reducing spikes in usage.
- Maintains configurations that automatically enforce prescribed restrictions.
- Provides a means to make or request changes to the quota.
When a quota is exceeded, in most cases, the system immediately blocks access to the relevant Google resource, and the task that you're trying to perform fails. In most cases, quotas apply to each Google Cloud project and are shared across all applications and IP addresses that use that Google Cloud project.
There are also limits on Cloud Load Balancing resources. These limits are unrelated to the quota system. Limits cannot be changed unless otherwise stated.
Forwarding rules
| Item | Quotas and limits | Notes |
|---|---|---|
| Forwarding rules | Quota | This quota is for forwarding rules for the global external HTTP(S) load balancer (classic), external SSL proxy load balancers, external TCP proxy load balancers, and Classic VPN gateways. For forwarding rule use cases other than these, see the following rows. |
| Global external HTTP(S) load balancer forwarding rules | Quota | The maximum number of Global external HTTP(S) load balancer forwarding rules that you can create in your project. Quota name: |
| Regional external HTTP(S) load balancer forwarding rules | Quota | The maximum number of regional external HTTP(S) load balancer forwarding rules that you can create in each region in your project. Quota name: |
| External TCP/UDP network load balancer forwarding rules | Quota | Forwarding rules for use by external TCP/UDP network load balancers (both backend service and target pool architectures). |
| External protocol forwarding rules | Quota | Forwarding rules for external protocol forwarding to target instances. |
| Traffic Director forwarding rules | Quota | Forwarding rules for Traffic Director. |
| Internal TCP/UDP load balancer forwarding rules per VPC network | Quota | The maximum number of forwarding rules for internal TCP/UDP load balancers. This quota applies to the total number of forwarding rules for internal TCP/UDP load balancers; it does not apply to each region individually. Quota name: For more information, see VPC per network quotas. |
| Forwarding rules for internal protocol forwarding | Quota | The maximum number of forwarding rules for internal protocol forwarding. This limit applies to the total number of forwarding rules for internal protocol forwarding; it does not apply to each region individually. Quota name: For more information, see VPC per network quotas. |
| Forwarding rules per VPC network for internal HTTP(S) load balancers and internal regional TCP proxy load balancers | Quota | The maximum number of forwarding rules for internal HTTP(S) load balancers and internal regional TCP proxy load balancers. This quota applies to the total number of forwarding rules for internal HTTP(S) load balancers and internal regional TCP proxy load balancers; it does not apply to each region individually. Quota name: For more information, see VPC per network quotas. |
| Maximum number of internal forwarding rules that can share a single internal IP address | 10 | This limit is only applicable to internal TCP/UDP load balancers. This limit cannot be increased. |
| Number of discrete ports per forwarding rule for internal TCP/UDP load balancers and backend service-based network load balancers | 5 |
This limit cannot be increased; however, alternative port specification options are possible:
|
| Number of forwarding rules that can reference the same backend service for a pass-through load balancer | No separate limit | Subject to other quotas and limits, multiple forwarding rules can reference the same backend service for a pass-through load balancer. |
| Number of pass-through load balancer backend services that can be referenced by a single forwarding rule | 1 | Forwarding rules for pass-through load balancers must reference exactly one backend service. |
Target pools and target proxies
| Item | Quotas and limits | Notes |
|---|---|---|
| Target pools | Quota | This quota is per project. |
| Target HTTP proxies | Quota | This quota is per project. |
| Target HTTPS proxies | Quota | This quota is per project. |
| Target SSL proxies | Quota | This quota is per project. |
| Target TCP proxies | Quota | This quota is per project. |
| SSL policies per target HTTPS or target SSL proxy | 1 | This limit cannot be increased. |
| SSL certificates per target HTTPS or target SSL proxy | 15 | This limit cannot be increased; however, some load balancers support Certificate Manager, which provides a way for a target HTTPS proxy or target SSL proxy to use thousands of SSL certificates. For more information, see Multiple SSL certificates in the SSL certificates overview. |
Health checks
| Item | Quotas and limits | Notes |
|---|---|---|
| Health checks | Quota | This is a per-project quota covering all health check types (global, regional, and legacy). |
SSL certificates
| Item | Quotas and limits | Notes |
|---|---|---|
| SSL certificates | Quota | This quota is per project. |
| Supported key lengths for private keys | 2048 bit RSA (RSA-2048) 256 bit ECDSA (ECDSA P-256) |
These limits cannot be increased. |
| Multiple domains per Google-managed SSL certificate | 100 | This limit cannot be increased. |
| Domain name length for Google-managed certificates | 64 bytes | This limit cannot be increased. This length limit only applies to Google-managed SSL certificates. In those certificates, the 64-byte limit only applies to the first domain in the certificate. The length limit for the other domains in the certificate is 253 (which applies to any domain name on the internet, and isn't specific to Google-managed certificates. |
Server TLS policy
| Item | Quotas and limits | Notes |
|---|---|---|
| ServerTLSPolicy | Quota | This quota is per project and applies to global external HTTP(S) load balancer (classic) and global external HTTP(S) load balancers. |
Trust config
The limits documented here cannot be increased and applies to global external HTTP(S) load balancer (classic) and global external HTTP(S) load balancers.
| Item | Quotas and limits | Notes |
|---|---|---|
| Number of trust stores | Limit: 1 | This limit is per TrustConfig resource. |
| Number of trust anchors | Limit: 10 | This limit is per trust store. |
| Number of intermediate certificates | Limit: 10 or 16 KB | This limit is per trust store. |
| Number of name constraints allowed during validation of root and intermediate certificates | Limit: 10 | |
| Intermediate certificates that share the same Subject and Subject Public Key information | Limit: 3 | This limit is per trust store. |
| Certificate chain depth | Limit: 5 | The maximum depth for a certificate chain, including the root and client certificates. |
| Number of times intermediate certificates can be evaluated when attempting to build the chain of trust | Limit: 20 | |
| Keys of certificates uploaded and passed from the client | Limit: RSA keys can be from 2048 to 4096 bits |
URL maps
The limits documented here cannot be increased.
| Item | External HTTP(S) Load Balancing | Internal HTTP(S) Load Balancing |
|---|---|---|
| URL maps | Quota
This quota is per project. |
Quota
This quota is per project. |
| Host rules, path matchers per URL map | Global external HTTP(S) load balancer (classic): Limit: 1000 |
Limit: 2000 |
Global external HTTP(S) load balancer and Regional external HTTP(S) load balancer: Limit: 50 |
||
| Path rules or route rules per path matcher | Global external HTTP(S) load balancer (classic): Limit: 1000 |
Limit: 200 |
Global external HTTP(S) load balancer and Regional external HTTP(S) load balancer: Limit: 50 |
||
| Hosts per host rule | Global external HTTP(S) load balancer (classic): Limit: 1000 |
Limit: 1000 |
Global external HTTP(S) load balancer and Regional external HTTP(S) load balancer: Limit: 50 |
||
| Predicates per path matcher † | Global external HTTP(S) load balancer (classic): Limit: 1000 |
Limit: 1000 |
Global external HTTP(S) load balancer and Regional external HTTP(S) load balancer: Limit: 50 |
||
| Number of distinct backend services or backend buckets that can be referenced by a URL map | Limit: 2500 | Limit: 2500 |
Other limits relevant to cross-project service referencing:
|
||
| Size of URL maps | Limit: 64 KB | Limit: 128 KB |
| Number of URL map tests | Global external HTTP(S) load balancer (classic): Limit: 10000 |
N/A
Internal HTTP(S) load balancers don't support URL map tests. |
Global external HTTP(S) load balancer and Regional external HTTP(S) load balancer: Limit: 100 |
||
† This is a limit on the count of match conditions across all rules in the path matcher. For path matchers with path rules, this is the total number of paths across all path rules. For path matchers with route rules, the prefix count is calculated by adding the following:
- 1 for the path match condition (one of prefixMatch or fullPathMatch)
- the sum of header matches in all route rules of the path matcher
- the sum of query parameter matches in all route rules of the path matcher
For example, for a path matcher with the following route rules:
- Route rule A having one prefixMatch and three header matches
- Route rule B having one fullPathMatch and two query parameter matches
The total count of predicates for this path matcher would be 7. This is calculated as follows: 1 (for the prefixMatch) + 3 (for the number of header matches) + 1 (for the fullPathMatch) + 2 (for the number of query parameter matches).
Backend buckets
| Item | Quotas and limits | Notes |
|---|---|---|
| Backend buckets | Quota | This quota is per project. |
Backend services
| Item | Quotas and limits | Notes |
|---|---|---|
| Global external managed backend services | Quota | This quota includes backend services used by global external HTTP(S) load balancers. |
| Global external proxy load balancer backend services | Quota | This quota includes backend services used by the global external HTTP(S) load balancer (classic), and by external SSL proxy load balancers and external TCP proxy load balancers. |
| Regional external managed backend services | Quota | This quota includes backend services used by regional external HTTP(S) load balancers. |
| Regional external network load balancer backend services | Quota | This quota includes backend services used by backend service-based network load balancers. |
| Regional internal managed backend services | Quota | This quota includes backend services used by internal HTTP(S) load balancers. |
| Regional internal load balancer backend services | Quota | This quota includes backend services used by internal TCP/UDP load balancers. |
| Global internal Traffic Director backend services | Quota | This quota includes backend services used by Traffic Director. |
| Number of backend services per external TCP proxy load balancer, external SSL proxy load balancer, internal TCP/UDP load balancer, and backend service-based network load balancer | 1 | This limit cannot be increased. |
| Maximum number of VM instances for the backend service of an
internal TCP/UDP load balancer This maximum applies to the number of total instances in the active pool if you have configured failover. |
Without backend subsetting: 250 With backend subsetting enabled: 2000 |
These limits cannot be increased. They apply regardless of
how the instances are grouped into instance groups or
For example, if you add five instance groups, each with 60 VM instances, to the same internal TCP/UDP load balancer backend service, the load balancer only distributes packets to 250 of the 300 (5 × 60) instances when backend subsetting is turned off. |
| Named ports per backend service of a proxy load balancer | 1 | This limit cannot be increased. |
| Named ports per backend service of a pass-through load balancer | 0 | This limit cannot be increased. The portName field on the
backend service is ignored for pass-through load balancers. |
| Maximum distinct projects containing URL maps that can reference a particular backend service (limit relevant to cross-project service referencing) | 10 | URL maps from a maximum of 10 distinct projects can reference a particular backend service. This limit cannot be increased. This limit applies independently to each backend service. |
Backends
| Item | Quotas and limits | Notes |
|---|---|---|
| Instance groups | Quota | Quotas are per-project and per-region. When making a quota increase request, select the region that contains the instance group. Zonal instance groups charge the region containing the instance group's zone. |
| Zonal and regional NEGs per project | Quota | Quotas are per-project and per-region, covering all types of NEGs except for internet NEGs (which are global in scope). When making a quota increase request, select the region that contains the NEG. Zonal NEGs charge the region containing the NEG's zone. |
| Global NEGs per project | Quota | This quota is global, per-project, and only covers internet NEGs. |
Maximum number of instance group backends, GCE_VM_IP_PORT
NEG backends, or GCE_VM_IP NEG backends per backend service |
50 |
This limit is not configurable. Support for If you've configured failover for backend service-based
network load balancers or if you've configured failover for
internal TCP/UDP load balancers, you can configure up to 50 primary and 50 backup instance groups or Internal TCP/UDP load balancers also have a limit on the number of individual VM instances or endpoints to which a backend service can distribute packets. For details, see backend services quotas. |
Endpoints per NEG
| Item | Quotas and limits | Notes |
|---|---|---|
Endpoints per GCE_VM_IP_PORT zonal NEG |
10,000 | This limit cannot be increased. |
Endpoints per GCE_VM_IP zonal NEG |
10,000 | This limit cannot be increased. |
| Endpoints per internet NEG | 1 | This limit cannot be increased. |
| Endpoints per serverless NEG | 1 | This limit cannot be increased. |
| Endpoints per hybrid connectivity NEG | 10,000 | This limit cannot be increased. |
VMs per instance group
The number of backend VMs that can be serviced by a single load balancer might be less than the number of VMs that an instance group can support. The maximum number of load-balanced VMs per instance group depends on the number of ports specified in each named port that the instance group exports.
The upper limit of load-balanced VMs per instance group cannot exceed 2,000 for regional managed instance groups, and cannot exceed 1,000 for zonal managed or zonal unmanaged instance groups.
| Item | Quotas and limits | Notes |
|---|---|---|
| Maximum number of VMs per regional managed instance group connected to a pass-through load balancer's backend service | 2,000 | Internal TCP/UDP load balancers also have a limit on the number of individual VM instances or endpoints to which a backend service can distribute packets. For details, see backend services quotas. |
| Maximum number of VMs per zonal managed instance group or per zonal unmanaged instance group connected to a pass-through load balancer's backend service | 1,000 | Internal TCP/UDP load balancers also have a limit on the number of individual VM instances or endpoints to which a backend service can distribute packets. For details, see backend services quotas. |
| Maximum number of VMs per regional managed instance group connected to a proxy load balancer's backend service | Depends on the number of ports specified in the named port for the
instance group. It is the smaller of these two: A: 2,000 B: 10,000 / (number of ports in the named port that contains the most port numbers)† |
Contact your Google Cloud sales team if you need to increase this limit. |
| Maximum number of VMs per zonal managed instance group or per zonal unmanaged instance group connected to a proxy load balancer's backend service | Depends on the number of ports specified in the named port for the
instance group. It is the smaller of these two: A: 1,000 B: 10,000 / (number of ports in the named port that contains the most port numbers)† |
Contact your Google Cloud sales team if you need to increase this limit. |
† To calculate the maximum number of load-balanced VMs in an instance group backend:
Determine maximum number of ports per named port.
For example, if an instance group has the following named ports:
http:80,api-gateway:8080, andapi-gateway:8090, then there is one port number for thehttpname and two port numbers for theapi-gatewayname. Therefore, in this example the maximum number of ports per named port is two.Divide 10,000 by the maximum number of ports per named port and discard the remainder. For example,
10,000 / 2 = 5,000.Compare the number calculated in the previous step with the upper limit of load-balanced VMs per instance group: 2,000 for regional groups, 1,000 for zonal groups.
If the number calculated in the previous step is less than or equal to the upper limit, then the maximum number of load-balanced VMs per instance group is the number you calculated in the previous step. Otherwise, the maximum number of load-balanced VMs per instance group is the upper limit (2,000 for regional groups or 1,000 for zonal groups).
Queries per second for external HTTP(S) load balancers
| Item | Quotas and limits | Notes |
|---|---|---|
| Queries per second (QPS) per backend instance group or NEG for global external HTTP(S) load balancers | Configurable when using RATE for the balancing mode. |
Limited by your backends.* |
| Queries per second (QPS) per region per network for regional external HTTP(S) load balancers | For regional external HTTP(S) load balancers, the maximum QPS load depends on the size of the requests and the complexity of the configuration. If load exceeds capacity, latency increases and requests might be dropped. | Contact your Google Cloud sales team if you need to increase this limit. |
| Queries per second (QPS) per region per network for internal HTTP(S) load balancers | For internal HTTP(S) load balancers, the maximum QPS load depends on the size of the requests and the complexity of the configuration. If load exceeds capacity, latency increases and requests might be dropped. | Limited by your backends.* Contact your Google Cloud sales team if you need to increase this limit. |
* For projects that are using serverless NEGs, the limit is 5000 queries per second (QPS) per project for traffic sent to any serverless NEGs configured with regional external HTTP(S) load balancers or internal HTTP(S) load balancers. This limit is aggregated across all regional external and internal HTTP(S) load balancers in a project and region. This is not a per load balancer limit.
Header size for external HTTP(S) load balancers
| Item | Quotas and limits | Notes |
|---|---|---|
| Maximum client request header size for external HTTP(S) load balancers | 64 KB (kilobytes) | This limit cannot be increased. The combined size of the request URL and request header must be less than or equal to 64 KB. |
| Maximum backend response header size for external HTTP(S) load balancers | About 128 KB (kilobytes) | This limit cannot be increased. |
| Maximum backend request header size for internal HTTP(S) load balancers | 60 KB (kilobytes) | This limit cannot be increased. |
| Lowercase conversion of HTTP request and response headers | Always, except for Global external HTTP(S) load balancer (classic) when using HTTP/1.1 | As examples, Host
becomes host, and Keep-ALIVE becomes
keep-alive. |
| Maximum number of configured custom request headers for each backend service | 16 | This limit cannot be increased. |
| Maximum number of configured custom response headers for each backend service | 16 | This limit cannot be increased. |
| Total size of all custom request headers per backend service (name and value combined, before variable expansion) | 8 KB | This limit cannot be increased. |
| Total size of all custom response headers per backend service (name and value combined, before variable expansion) | 8 KB | This limit cannot be increased. |
Managing quotas
Cloud Load Balancing enforces quotas on resource usage for various reasons. For example, quotas protect the community of Google Cloud users by preventing unforeseen spikes in usage. Quotas also help users who are exploring Google Cloud with the free tier to stay within their trial.
All projects start with the same quotas, which you can change by requesting additional quota. Some quotas may increase automatically based on your use of a product.
Permissions
To view quotas or request quota increases, Identity and Access Management (IAM) principals need one of the following roles.
| Task | Required role |
|---|---|
| Check quotas for a project | One of the following:
|
| Modify quotas, request additional quota | One of the following:
|
Checking your quota
Console
- In the Google Cloud console, go to the Quotas page.
- To search for the quota that you want to update, use the Filter table. If you don't know the name of the quota, use the links on this page instead.
gcloud
Using the Google Cloud CLI, run the following command to
check your quotas. Replace PROJECT_ID with your own project ID.
gcloud compute project-info describe --project PROJECT_ID
To check your used quota in a region, run the following command:
gcloud compute regions describe example-region
Errors when exceeding your quota
If you exceed a quota with a gcloud command,
gcloud outputs a quota exceeded error
message and returns with the exit code 1.
If you exceed a quota with an API request, Google Cloud returns the
following HTTP status code: HTTP 413 Request Entity Too Large.
Requesting additional quota
To increase or decrease most quotas, use the Google Cloud console. For more information, see Requesting a higher quota.
Console
- In the Google Cloud console, go to the Quotas page.
- On the Quotas page, select the quotas that you want to change.
- At the top of the page, click Edit quotas.
- Fill out your name, email, and phone number, and then click Next.
- Fill in your quota request, and then click Done.
- Submit your request. Quota requests take 24 to 48 hours to process.
Resource availability
Each quota represents a maximum number for a particular type of resource that you can create, if that resource is available. It's important to note that quotas do not guarantee resource availability. Even if you have available quota, you can't create a new resource if it is not available.
For example, you might have sufficient quota to create a new regional, external IP address
in the us-central1 region. However, that is not possible if there are no
available external IP addresses in that region. Zonal resource
availability can also affect your ability to create a new resource.
Situations where resources are unavailable in an entire region are rare. However, resources within a zone can be depleted from time to time, typically without impact to the service level agreement (SLA) for the type of resource. For more information, review the relevant SLA for the resource.