Quotas and limits

This document lists the quotas and limits that apply to Cloud Load Balancing.

To change a quota, see requesting additional quota.

A quota limit restricts how much of a shared Google Cloud resource your Google Cloud project can use, including hardware, software, and network components. Therefore, quota limits are a part of a system that does the following:

  • Monitors your use or consumption of Google Cloud products and services.
  • Restricts your consumption of those resources for reasons, which include ensuring fairness and reducing spikes in usage.
  • Maintains configurations that automatically enforce prescribed restrictions.
  • Provides a means to request or make changes to the quota.

In most cases, when a quota limit is exceeded, the system immediately blocks access to the relevant Google resource, and the task that you're trying to perform fails. In most cases, quota limits apply to each Google Cloud project and are shared across all applications and IP addresses that use that Google Cloud project.

To increase or decrease most quota limits, use the Google Cloud console. For more information, see Request a higher quota limit.

There are also limits on Cloud Load Balancing resources. These limits are unrelated to the quota system. Limits cannot be changed unless otherwise stated.

Forwarding rules

Item Quotas and limits Notes
Forwarding rules Quota

This quota is for forwarding rules for the classic Application Load Balancer, external proxy Network Load Balancers, and Classic VPN gateways.

For forwarding rule use cases other than these, see the following rows.

Global external Application Load Balancer forwarding rules Quota

The maximum number of Global external Application Load Balancer forwarding rules that you can create in your project.

Quota name: GLOBAL_EXTERNAL_MANAGED_FORWARDING_RULES

Regional external Application Load Balancer forwarding rules Quota

The maximum number of regional external Application Load Balancer forwarding rules that you can create in each region in your project.

Quota name: EXTERNAL_MANAGED_FORWARDING_RULES

Cross-region internal Application Load Balancer forwarding rules per region per network Quota

The maximum number of cross-region internal Application Load Balancer forwarding rules that you can create in each region in your project. This quota applies to each network individually.

Quota name: GLOBAL_INTERNAL_MANAGED_FORWARDING_RULES_PER_REGION_PER_NETWORK

Forwarding rules per VPC network for regional internal Application Load Balancers and regional internal proxy Network Load Balancers Quota

The maximum number of forwarding rules for regional internal Application Load Balancers and regional internal proxy Network Load Balancers.

This quota applies to the total number of forwarding rules for regional internal Application Load Balancers and regional internal proxy Network Load Balancers; it does not apply to each region individually.

Quota name:
INTERNAL_MANAGED_FORWARDING_RULES_PER_NETWORK

For more information, see VPC per network quotas.

External passthrough Network Load Balancer forwarding rules Quota Forwarding rules for use by external passthrough Network Load Balancers (both backend service and target pool architectures).
External protocol forwarding rules Quota Forwarding rules for external protocol forwarding to target instances.
Traffic Director forwarding rules Quota Forwarding rules for Traffic Director.
Internal passthrough Network Load Balancer forwarding rules per VPC network Quota

The maximum number of forwarding rules for internal passthrough Network Load Balancers.

This quota applies to the total number of forwarding rules for internal passthrough Network Load Balancers; it does not apply to each region individually.

Quota name:
INTERNAL_FORWARDING_RULES_PER_NETWORK

For more information, see VPC per network quotas.

Forwarding rules for internal protocol forwarding Quota

The maximum number of forwarding rules for internal protocol forwarding.

This limit applies to the total number of forwarding rules for internal protocol forwarding; it does not apply to each region individually.

Quota name:
INTERNAL_FORWARDING_RULES_WITH_TARGET_INSTANCE_PER_NETWORK

For more information, see VPC per network quotas.

Maximum number of internal forwarding rules that can share a single internal IP address 10 This limit is only applicable to internal passthrough Network Load Balancers. This limit cannot be increased.
Number of discrete ports per forwarding rule for internal passthrough Network Load Balancers and backend service-based external passthrough Network Load Balancers 5

This limit cannot be increased; however, alternative port specification options are possible:

  • You can specify a single range of contiguous ports on forwarding rules for backend service-based external passthrough Network Load Balancers and target pool-based external passthrough Network Load Balancers. The range can include more than five ports.
  • You can specify all ports on forwarding rules for backend service-based external passthrough Network Load Balancers and internal passthrough Network Load Balancers.
Number of forwarding rules that can reference the same backend service for a pass-through load balancer No separate limit Subject to other quotas and limits, multiple forwarding rules can reference the same backend service for a pass-through load balancer.
Number of pass-through load balancer backend services that can be referenced by a single forwarding rule 1 Forwarding rules for pass-through load balancers must reference exactly one backend service.

Target pools and target proxies

Item Quotas and limits Notes
Target pools Quota This quota is per project.
Target HTTP proxies Quota This quota is per project.
Target HTTPS proxies Quota This quota is per project.
Target SSL proxies Quota This quota is per project.
Target TCP proxies Quota This quota is per project.
SSL policies per target HTTPS or target SSL proxy 1 This limit cannot be increased.
SSL certificates per target HTTPS or target SSL proxy 15 This limit cannot be increased; however, some load balancers support Certificate Manager, which provides a way for a target HTTPS proxy or target SSL proxy to use thousands of SSL certificates. For more information, see Multiple SSL certificates in the SSL certificates overview.

Health checks

Item Quotas and limits Notes
Health checks Quota This is a per-project quota covering all health check types (global, regional, and legacy).

SSL certificates

Item Quotas and limits Notes
SSL certificates Quota This quota is per project.
Supported key lengths for private keys 2048 bit RSA (RSA-2048)
256 bit ECDSA (ECDSA P-256)
These limits cannot be increased.
Multiple domains per Google-managed SSL certificate 100 This limit cannot be increased.
Domain name length for Google-managed certificates 64 bytes This limit cannot be increased.

This length limit only applies to Google-managed SSL certificates. In those certificates, the 64-byte limit only applies to the first domain in the certificate. The length limit for the other domains in the certificate is 253 (which applies to any domain name on the internet, and isn't specific to Google-managed certificates.

Server TLS policy

Item Quotas and limits Notes
ServerTLSPolicy Quota This quota is per project and applies to classic Application Load Balancer and global external Application Load Balancers.

Trust config

The limits documented here cannot be increased and applies to classic Application Load Balancer and global external Application Load Balancers.

Item Quotas and limits Notes
Number of trust stores Limit: 1 This limit is per TrustConfig resource.
Number of trust anchors Limit: 100 This limit is per trust store.
Number of intermediate certificates Limit: 100 This limit is per trust store.
Number of name constraints allowed during validation of root and intermediate certificates Limit: 10
Intermediate certificates that share the same Subject and Subject Public Key information Limit: 10 This limit is per trust store.
Certificate chain depth Limit: 10 The maximum depth for a certificate chain, including the root and client certificates.
Number of times intermediate certificates can be evaluated when attempting to build the chain of trust Limit: 100
Keys of certificates uploaded and passed from the client

Limit: RSA keys can be from 2048 to 4096 bits

ECDSA certificates must use either P-256 or P-384 curves

URL maps

The limits documented here cannot be increased.

Item External Application Load Balancer Internal Application Load Balancer
URL maps Quota

This quota is per project.

Quota

This quota is per project.

Host rules, path matchers per URL map

Global external Application Load Balancer and classic Application Load Balancer:

Limit: 1000

Limit: 2000

Regional external Application Load Balancer:

Limit: 50

Path rules or route rules per path matcher

Global external Application Load Balancer and classic Application Load Balancer:

Limit: 1000

Limit: 200

Regional external Application Load Balancer:

Limit: 50

Hosts per host rule

Global external Application Load Balancer and classic Application Load Balancer:

Limit: 1000

Limit: 1000

Regional external Application Load Balancer:

Limit: 50

Predicates per path matcher

Global external Application Load Balancer and classic Application Load Balancer:

Limit: 1000

Limit: 1000

Regional external Application Load Balancer:

Limit: 50

pathTemplateMatch predicates per path matcher

Global external Application Load Balancer:

Limit: 100

Not supported for regional external Application Load Balancers and classic Application Load Balancers

N/A

Not supported for internal Application Load Balancers.

Number of distinct backend services or backend buckets that can be referenced by a URL map Limit: 2500 Limit: 2500

Other limits relevant to cross-project service referencing:

  • A URL map can reference backend services in a maximum of 1000 distinct projects. This limit doesn't apply to global external Application Load Balancers and classic Application Load Balancers.
  • URL maps from a maximum of 10 distinct projects can reference a particular backend service.
Size of URL maps Limit: 64 KB Limit: 128 KB
Number of URL map tests

Classic Application Load Balancer:

Limit: 10000

N/A

Internal Application Load Balancers don't support URL map tests.

Global external Application Load Balancer and Regional external Application Load Balancer:

Limit: 100

This is a limit on the count of match conditions across all rules in the path matcher. For path matchers with path rules, this is the total number of paths across all path rules. For path matchers with route rules, the prefix count is calculated by adding the following:

  • 1 for the path match condition (one of prefixMatch or fullPathMatch)
  • the sum of header matches in all route rules of the path matcher
  • the sum of query parameter matches in all route rules of the path matcher

For example, for a path matcher with the following route rules:

  • Route rule A having one prefixMatch and three header matches
  • Route rule B having one fullPathMatch and two query parameter matches

The total count of predicates for this path matcher would be 7. This is calculated as follows: 1 (for the prefixMatch) + 3 (for the number of header matches) + 1 (for the fullPathMatch) + 2 (for the number of query parameter matches).

Backend buckets

Item Quotas and limits Notes
Backend buckets Quota This quota is per project.

Backend services

Item Quotas and limits Notes
Global external managed backend services Quota This quota includes backend services used by global external Application Load Balancers.
Global external proxy load balancer backend services Quota This quota includes backend services used by classic Application Load Balancers and external proxy Network Load Balancers.
Regional external managed backend services Quota This quota includes backend services used by regional external Application Load Balancers.
Global internal managed backend services Quota This quota includes backend services used by cross-region internal Application Load Balancers.
Regional internal managed backend services Quota This quota includes backend services used by regional internal Application Load Balancers.
Regional external network load balancer backend services Quota This quota includes backend services used by backend service-based external passthrough Network Load Balancers.
Regional internal load balancer backend services Quota This quota includes backend services used by internal passthrough Network Load Balancers.
Global internal Traffic Director backend services Quota This quota includes backend services used by Traffic Director.
Number of backend services per external proxy Network Load Balancer, internal passthrough Network Load Balancer, and backend service-based external passthrough Network Load Balancer 1 This limit cannot be increased.
Maximum number of VM instances for the backend service of an internal passthrough Network Load Balancer

This maximum applies to the number of total instances in the active pool if you have configured failover.

Without backend subsetting: 250

With backend subsetting enabled: 2000

These limits cannot be increased. They apply regardless of how the instances are grouped into instance groups or GCE_VM_IP NEGs.

For example, if you add five instance groups, each with 60 VM instances, to the same internal passthrough Network Load Balancer backend service, the load balancer only distributes packets to 250 of the 300 (5 × 60) instances when backend subsetting is turned off.

Named ports per backend service of a proxy load balancer 1 This limit cannot be increased.
Named ports per backend service of a pass-through load balancer 0 This limit cannot be increased. The portName field on the backend service is ignored for pass-through load balancers.
Maximum distinct projects containing URL maps that can reference a particular backend service (limit relevant to cross-project service referencing) 10 URL maps from a maximum of 10 distinct projects can reference a particular backend service. This limit cannot be increased. This limit applies independently to each backend service.

Backends

Item Quotas and limits Notes
Instance groups Quota Quotas are per-project and per-region. When making a quota increase request, select the region that contains the instance group. Zonal instance groups charge the region containing the instance group's zone.
Zonal and regional NEGs per project Quota Quotas are per-project and per-region, covering all types of NEGs except for global internet NEGs. When making a quota increase request, select the region that contains the NEG. Zonal NEGs charge the region containing the NEG's zone.
Global NEGs per project Quota This quota is global, per-project, and only covers global internet NEGs.
Maximum number of instance group backends, GCE_VM_IP_PORT NEG backends, GCE_VM_IP NEG backends, or regional internet NEG backends per backend service 50

This limit is not configurable.

Support for zonal and internet NEG backends varies by load balancing product.

If you've configured failover for backend service-based external passthrough Network Load Balancers or if you've configured failover for internal passthrough Network Load Balancers, you can configure up to 50 primary and 50 backup instance groups or GCE_VM_IP NEGs per backend service.

Internal passthrough Network Load Balancers also have a limit on the number of individual VM instances or endpoints to which a backend service can distribute packets. For details, see backend services quotas.

Endpoints per NEG

Item Quotas and limits Notes
Endpoints per GCE_VM_IP_PORT zonal NEG 10,000 This limit cannot be increased.
Endpoints per GCE_VM_IP zonal NEG 10,000 This limit cannot be increased.
Endpoints per global internet NEG 1 This limit cannot be increased.
Endpoints per regional internet NEG 256 This limit cannot be increased.
Endpoints per serverless NEG 1 This limit cannot be increased.
Endpoints per hybrid connectivity NEG 10,000 This limit cannot be increased.

VMs per instance group

The number of backend VMs that can be serviced by a single load balancer might be less than the number of VMs that an instance group can support. The maximum number of load-balanced VMs per instance group depends on the number of ports specified in each named port that the instance group exports.

By default, the upper limit of load-balanced VMs per instance group cannot exceed 2,000 for regional managed instance groups, and cannot exceed 1,000 for zonal managed or zonal unmanaged instance groups. If you need more VMs, you can increase the size limit of your MIG or contact support.

Item Quotas and limits Notes
Maximum number of VMs per regional managed instance group connected to a pass-through load balancer's backend service 2,000 Internal passthrough Network Load Balancers also have a limit on the number of individual VM instances or endpoints to which a backend service can distribute packets. For details, see backend services quotas.
Maximum number of VMs per zonal managed instance group or per zonal unmanaged instance group connected to a pass-through load balancer's backend service 1,000 Internal passthrough Network Load Balancers also have a limit on the number of individual VM instances or endpoints to which a backend service can distribute packets. For details, see backend services quotas.
Maximum number of VMs per regional managed instance group connected to a proxy load balancer's backend service Depends on the number of ports specified in the named port for the instance group. It is the smaller of these two:
A: 2,000
B: 10,000 / (number of ports in the named port that contains the most port numbers)
Contact your Google Cloud sales team if you need to increase this limit.
Maximum number of VMs per zonal managed instance group or per zonal unmanaged instance group connected to a proxy load balancer's backend service Depends on the number of ports specified in the named port for the instance group. It is the smaller of these two:
A: 1,000
B: 10,000 / (number of ports in the named port that contains the most port numbers)
Contact your Google Cloud sales team if you need to increase this limit.

To calculate the maximum number of load-balanced VMs in an instance group backend:

  1. Determine maximum number of ports per named port.

    For example, if an instance group has the following named ports: http:80, api-gateway:8080, and api-gateway:8090, then there is one port number for the http name and two port numbers for the api-gateway name. Therefore, in this example the maximum number of ports per named port is two.

  2. Divide 10,000 by the maximum number of ports per named port and discard the remainder. For example, 10,000 / 2 = 5,000.

  3. Compare the number calculated in the previous step with the upper limit of load-balanced VMs per instance group: 2,000 for regional groups, 1,000 for zonal groups.

    If the number calculated in the previous step is less than or equal to the upper limit, then the maximum number of load-balanced VMs per instance group is the number you calculated in the previous step. Otherwise, the maximum number of load-balanced VMs per instance group is the upper limit (2,000 for regional groups or 1,000 for zonal groups).

Queries per second for Application Load Balancers

Item Quotas and limits Notes
Queries per second (QPS) per backend instance group or NEG for global external Application Load Balancers Configurable when using RATE for the balancing mode. Limited by your backends.
Queries per second (QPS) per region per network for regional external Application Load Balancers For regional external Application Load Balancers, the maximum QPS load depends on the size of the requests and the complexity of the configuration. If load exceeds capacity, latency increases and requests might be dropped.

Limited by your backends.*

Contact your Google Cloud sales team if you need to increase this limit.

Queries per second (QPS) per region per network for internal Application Load Balancers For internal Application Load Balancers, the maximum QPS load depends on the size of the requests and the complexity of the configuration. If load exceeds capacity, latency increases and requests might be dropped.

Limited by your backends.*

Contact your Google Cloud sales team if you need to increase this limit.

* For projects that are using serverless NEGs, the limit is 5000 queries per second (QPS) per project for traffic sent to any serverless NEGs configured with regional external Application Load Balancers or regional internal Application Load Balancers. This limit is aggregated across all regional external Application Load Balancers and regional internal Application Load Balancers in a project and region. This is not a per load balancer limit.

Header size for external Application Load Balancers

Item Quotas and limits Notes
Maximum client request header size for external Application Load Balancers 64 KB (kilobytes) This limit cannot be increased.
The combined size of the request URL and request header must be less than or equal to 64 KB.
Maximum backend response header size for external Application Load Balancers About 128 KB (kilobytes) This limit cannot be increased.
Maximum backend request header size for internal Application Load Balancers 60 KB (kilobytes) This limit cannot be increased.
Lowercase conversion of HTTP request and response headers Always, except for Classic Application Load Balancer when using HTTP/1.1 As examples, Host becomes host, and Keep-ALIVE becomes keep-alive.
Maximum number of configured custom request headers for each backend service 16 This limit cannot be increased.
Maximum number of configured custom response headers for each backend service 16 This limit cannot be increased.
Total size of all custom request headers per backend service (name and value combined, before variable expansion) 8 KB This limit cannot be increased.
Total size of all custom response headers per backend service (name and value combined, before variable expansion) 8 KB This limit cannot be increased.

Managing quotas

Cloud Load Balancing enforces quotas on resource usage for various reasons. For example, quotas protect the community of Google Cloud users by preventing unforeseen spikes in usage. Quotas also help users who are exploring Google Cloud with the free tier to stay within their trial.

All projects start with the same quotas, which you can change by requesting additional quota. Some quotas may increase automatically based on your use of a product.

Permissions

To view quotas or request quota increases, Identity and Access Management (IAM) principals need one of the following roles.

Task Required role
Check quotas for a project One of the following:
Modify quotas, request additional quota One of the following:
  • Project Owner (roles/owner)
  • Project Editor (roles/editor)
  • Quota Administrator (roles/servicemanagement.quotaAdmin)
  • A custom role with the serviceusage.quotas.update permission

Checking your quota

Console

  1. In the Google Cloud console, go to the Quotas page.

    Go to Quotas

  2. To search for the quota that you want to update, use the Filter table. If you don't know the name of the quota, use the links on this page instead.

gcloud

Using the Google Cloud CLI, run the following command to check your quotas. Replace PROJECT_ID with your own project ID.

      gcloud compute project-info describe --project PROJECT_ID
    

To check your used quota in a region, run the following command:

      gcloud compute regions describe example-region
    

Errors when exceeding your quota

If you exceed a quota with a gcloud command, gcloud outputs a quota exceeded error message and returns with the exit code 1.

If you exceed a quota with an API request, Google Cloud returns the following HTTP status code: HTTP 413 Request Entity Too Large.

Requesting additional quota

To increase or decrease most quotas, use the Google Cloud console. For more information, see Request a higher quota limit.

Console

  1. In the Google Cloud console, go to the Quotas page.

    Go to Quotas

  2. On the Quotas page, select the quotas that you want to change.
  3. At the top of the page, click Edit quotas.
  4. Fill out your name, email, and phone number, and then click Next.
  5. Fill in your quota request, and then click Done.
  6. Submit your request. Quota requests take 24 to 48 hours to process.

Resource availability

Each quota represents a maximum number for a particular type of resource that you can create, if that resource is available. It's important to note that quotas do not guarantee resource availability. Even if you have available quota, you can't create a new resource if it is not available.

For example, you might have sufficient quota to create a new regional, external IP address in the us-central1 region. However, that is not possible if there are no available external IP addresses in that region. Zonal resource availability can also affect your ability to create a new resource.

Situations where resources are unavailable in an entire region are rare. However, resources within a zone can be depleted from time to time, typically without impact to the service level agreement (SLA) for the type of resource. For more information, review the relevant SLA for the resource.