Quotas and limits

This document lists the quotas and system limits that apply to Network Security Integration.

  • Quotas specify the amount of a countable, shared resource that you can use. Quotas are defined by Google Cloud services such as Network Security Integration.
  • System limits are fixed values that cannot be changed.

Google Cloud uses quotas to help ensure fairness and reduce spikes in resource use and availability. A quota restricts how much of a Google Cloud resource your Google Cloud project can use. Quotas apply to a range of resource types, including hardware, software, and network components. For example, quotas can restrict the number of API calls to a service, the number of load balancers used concurrently by your project, or the number of projects that you can create. Quotas protect the community of Google Cloud users by preventing the overloading of services. Quotas also help you to manage your own Google Cloud resources.

The Cloud Quotas system does the following:

  • Monitors your consumption of Google Cloud products and services
  • Restricts your consumption of those resources
  • Provides a way to request changes to the quota value

In most cases, when you attempt to consume more of a resource than its quota allows, the system blocks access to the resource, and the task that you're trying to perform fails.

Quotas generally apply at the Google Cloud project level. Your use of a resource in one project doesn't affect your available quota in another project. Within a Google Cloud project, quotas are shared across all applications and IP addresses.

There are also system limits on Network Security Integration resources. System limits can't be changed.

Quotas

This section lists the quotas that apply to Network Security Integration.

To monitor per-project quotas that use Cloud Monitoring, set up monitoring for the metric serviceruntime.googleapis.com/quota/allocation/usage on the Consumer Quota resource type. Set additional label filters (service, quota_metric) to get to the quota type. For information about monitoring quota metrics, see Chart and monitor quota metrics. Each quota has a limit and a usage value.

Unless noted otherwise, to change a quota, see Request a higher quota.

Per project

The following table highlights Network Security Integration quotas that are per project.

Quota Default quota Description
Global network firewall policies N/A The number of global network firewall policies in a project, regardless of how many VPC networks are associated with each policy.
Mirroring deployments per zone per project 5 The number of mirroring deployments that you can create per zone in a project.
Mirroring deployment groups per project 20 The number of mirroring deployment groups that you can create per project.

Per organization

The following table highlights Network Security Integration quotas that are per organization. To change an organization-level quota, file a support case.

Quota Description
Unassociated Hierarchical firewall policies in an organization The number of Hierarchical firewall policies in an organization that are not associated with any folder or organization resource. There is no limit on the number of Hierarchical firewall policies in an organization that are associated with a resource.

Per firewall policy

The following table highlights Network Security Integration quotas that are per firewall policy resource.

Quota Description
Hierarchical firewall policies
Rule attributes per hierarchical firewall policy The sum of rule attributes from all rules in a hierarchical firewall policy. For more information, see Rule attribute count details.

This quota is shared by the firewall policy rules and mirroring rules. Therefore, if a hierarchical firewall policy contains both the firewall policy rules and the mirroring rules, the rule attributes from both rule types contribute to this quota.

Global network firewall policies
Rule attributes per global network firewall policy The sum of rule attributes from all rules in a global network firewall policy. For more information, see Rule attribute count details.

This quota is shared by the firewall policy rules and mirroring rules. Therefore, if a global network firewall policy contains both the firewall policy rules and the mirroring rules, the rule attributes from both rule types contribute to this quota.

Rule attribute count details

Each firewall policy supports a maximum total number of rule attributes. The rule attribute count for a firewall policy is the sum of the rule attributes of its firewall rules and mirroring rules.

The following example rules show how Google Cloud counts rule attributes on a per policy rule basis:

Example policy rule Total rule attribute count Explanation
A global network firewall policy with the following two rules:
  • Ingress allow firewall policy rule with source IP address range 10.100.0.1/32, tcp protocol, and 5000-6000 port range.
  • Ingress mirroring rule with destination IP range 100.64.0.7/32 and tcp protocol with port 53-63
6
  • Rule attribute count for firewall policy rule: one source range; one protocol, one port range
  • Rule attribute count for mirroring rule: one destination range; one protocol, one port range

Per deployment group

The following limits apply to deployment groups:

Quota Default quota Description
Mirroring endpoint groups per mirroring deployment group 10 The maximum number of mirroring endpoint groups that you can associate with a mirroring deployment group.

Limits

Limits cannot be increased unless specifically noted.

Per organization

The following limits apply to organizations:

Item limit Notes
Security profile groups per organization 40 The maximum number of security profile groups that you can create per organization.
Mirroring endpoint groups per organization 1 The maximum number of mirroring endpoint groups that you can create per organization. To update this limit, file a support case.

Per network

The following limits apply to VPC networks:

Item Limit Notes
Maximum global network firewall policies per network 1 The maximum number of global network firewall policies that you can associate with a VPC network.

Per rule

The following limits apply to VPC firewall rules, firewall policy rules, and mirroring rules:

Item Limit Notes
Maximum number of source IP address ranges per firewall rule 5,000 The maximum number of source IP address ranges that you can specify in a VPC firewall rule, firewall policy rule, or mirroring rule. IP address ranges are either IPv4 only or IPv6 only. This limit cannot be increased.
Maximum number of destination IP address ranges per firewall rule 5,000 The maximum number of destination IP address ranges that you can specify in a VPC firewall rule, firewall policy rule, or mirroring rule. IP address ranges are either IPv4 only or IPv6 only. This limit cannot be increased.

Per deployment group

The following limits apply to deployment groups:

Item Limit Notes
Mirroring deployment and endpoint group association pairs per mirroring deployment group 1,000 The maximum number of mirroring deployments multiplied by the mirroring endpoint group associations per mirroring deployment group.

Manage quotas

Network Security Integration enforces quotas on resource usage for various reasons. For example, quotas protect the community of Google Cloud users by preventing unforeseen spikes in usage. Quotas also help users who are exploring Google Cloud with the free tier to stay within their trial.

All projects start with the same quotas, which you can change by requesting additional quota. Some quotas might increase automatically based on your use of a product.

Permissions

To view quotas or request quota increases, Identity and Access Management (IAM) principals need one of the following roles.

Task Required role
Check quotas for a project One of the following:
Modify quotas, request additional quota One of the following:
  • Project Owner (roles/owner)
  • Project Editor (roles/editor)
  • Quota Administrator (roles/servicemanagement.quotaAdmin)
  • A custom role with the serviceusage.quotas.update permission

Check your quota

Console

  1. In the Google Cloud console, go to the Quotas page.

    Go to Quotas

  2. To search for the quota that you want to update, use the Filter table. If you don't know the name of the quota, use the links on this page instead.

gcloud

Using the Google Cloud CLI, run the following command to check your quotas. Replace PROJECT_ID with your own project ID.

    gcloud compute project-info describe --project PROJECT_ID

To check your used quota in a region, run the following command:

    gcloud compute regions describe example-region
    

Errors when exceeding your quota

If you exceed a quota with a gcloud command, gcloud outputs a quota exceeded error message and returns with the exit code 1.

If you exceed a quota with an API request, Google Cloud returns the following HTTP status code: 413 Request Entity Too Large.

Request additional quota

To adjust most quotas, use the Google Cloud console. For more information, see Request a quota adjustment.

Console

  1. In the Google Cloud console, go to the Quotas page.

    Go to Quotas

  2. On the Quotas page, select the quotas that you want to change.
  3. At the top of the page, click Edit quotas.
  4. For Name, enter your name.
  5. Optional: For Phone, enter a phone number.
  6. Submit your request. Quota requests take 24 to 48 hours to process.

Resource availability

Each quota represents a maximum number for a particular type of resource that you can create, if that resource is available. It's important to note that quotas don't guarantee resource availability. Even if you have available quota, you can't create a new resource if it is not available.

For example, you might have sufficient quota to create a new regional, external IP address in a given region. However, that is not possible if there are no available external IP addresses in that region. Zonal resource availability can also affect your ability to create a new resource.

Situations where resources are unavailable in an entire region are rare. However, resources within a zone can be depleted from time to time, typically without impact to the service level agreement (SLA) for the type of resource. For more information, review the relevant SLA for the resource.