Quotas and limits

This document lists the quotas and limits that apply to VPC Service Controls. Quotas and limits specified in this topic are subject to change.

Quotas

You are subject to the Access Context Manager quotas because VPC Service Controls uses Access Context Manager APIs.

VPC Service Controls limits

The following table shows the limits that apply when you create a service perimeter:

| Type | Limit | Notes |
| --- | --- | --- |
| Projects per perimeter | 20,000 | This limit is the sum of projects specified in the enforced mode, dry-run mode, ingress rules, and egress rules. |
| Services per perimeter | 100 | - |
| Access levels per perimeter | 100 | This limit is the sum of access levels specified, not just unique access levels. This sum includes access levels specified in enforced mode, dry-run mode, and ingress rules. For example, if the same access level is specified in an enforced mode perimeter and for the ingress rule of the perimeter, then the access level count is considered as two and not one. |
| Access policies per organization | 1 - Organization-level policy; 5 - Scoped policies per organization | - |
| Perimeters per organization | 1000 | This limit is the sum of regular service perimeters and perimeter bridges. |
| Projects per organization | 20,000 | This limit is the sum of projects specified for all perimeters in an organization, not just unique projects. This sum includes projects specified in the enforced mode, dry-run mode, ingress rules, and egress rules. |
| VPC networks per organization | 500 | This limit is the sum of VPC networks specified for all perimeters in an organization, not just unique projects. This sum includes VPC networks specified in the enforced mode, dry-run mode, and ingress rules. |
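
The per-perimeter counting rule above (every reference counts, duplicates included, across enforced mode, dry-run mode, and rules) can be checked before a perimeter change is applied. The following is an added example, not code from the VPC Service Controls documentation. It assumes the perimeter is available as a dict using the Access Context Manager field names `status` (enforced), `spec` (dry-run), `resources`, `accessLevels`, `ingressPolicies`, and `egressPolicies`; which rule fields count as project references is an assumption, and the sample perimeter is constructed.

```python
# Per-perimeter limits taken from the table above.
LIMITS = {"projects": 20_000, "access_levels": 100}

def _refs(cfg):
    """Return (project refs, access level refs) in one config block, duplicates kept."""
    projects = list(cfg.get("resources", []))
    levels = list(cfg.get("accessLevels", []))
    for rule in cfg.get("ingressPolicies", []):
        for src in rule.get("ingressFrom", {}).get("sources", []):
            if "accessLevel" in src:
                levels.append(src["accessLevel"])
            if "resource" in src:
                projects.append(src["resource"])
        projects += rule.get("ingressTo", {}).get("resources", [])
    for rule in cfg.get("egressPolicies", []):
        projects += rule.get("egressTo", {}).get("resources", [])
    # Assumption: only explicit projects/... entries are counted as projects.
    return [p for p in projects if p.startswith("projects/")], levels

def perimeter_usage(perimeter):
    """Sum references across the enforced (status) and dry-run (spec) configs."""
    usage = {"projects": 0, "access_levels": 0}
    for mode in ("status", "spec"):
        projects, levels = _refs(perimeter.get(mode) or {})
        usage["projects"] += len(projects)
        usage["access_levels"] += len(levels)
    return usage

def over_limit(perimeter, limits=LIMITS):
    """Return the names of the limits this perimeter would exceed."""
    usage = perimeter_usage(perimeter)
    return [name for name, count in usage.items() if count > limits[name]]

# Constructed sample: one access level used in enforced mode and in an ingress rule.
LEVEL = "accessPolicies/123/accessLevels/corp_net"
SAMPLE = {
    "status": {
        "resources": ["projects/111", "projects/222"],
        "accessLevels": [LEVEL],
        "ingressPolicies": [{
            "ingressFrom": {"sources": [{"accessLevel": LEVEL}]},
            "ingressTo": {"resources": ["projects/111"]},
        }],
    },
    "spec": {"resources": ["projects/111"], "accessLevels": []},
}

if __name__ == "__main__":
    print(perimeter_usage(SAMPLE), over_limit(SAMPLE))
```
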

Ingress and egress limits

The following table shows the limits that apply when you use ingress and egress rules:

| Type | Limit per service perimeter | Limit per access policy | Notes |
| --- | --- | --- | --- |
| Ingress policies | 500 | 10,000 | The total number of ingress policies. |
| Egress policies | 500 | 10,000 | The total number of egress policies. |
| Ingress source | 30 | 500 | This limit applies to access levels and not projects. The access level references in ingress sources count towards the total number of access level references defined in service perimeters. Resources in ingress sources count towards the total number of service perimeters allowed in an access policy. |
| Attributes | 4,000 | - | The attribute limit includes the attributes in ingress or egress rules such as projects, access levels, method selectors, or identities. The following identities are not counted in the total number of attributes: ANY_SERVICE_ACCOUNT, ANY_USER_ACCOUNT, and ANY_IDENTITY. The value "*" used in the methods, services, or projects attributes is counted in the total number of attributes. |

Identities 3,000 The identity limit includes identities specified across all perimeters in the access policy and not just unique identities.
API operation messages 1,000 API operation messages can be specified inside one access policy message.

Access Context Manager limits

For information about limits that Access Context Manager enforces, see Access Context Manager limits.