This document lists the quotas and limits that apply to VPC Service Controls. Quotas and limits specified in this topic are subject to change.
Quotas
You are subject to the Access Context Manager quotas because VPC Service Controls uses Access Context Manager APIs.
VPC Service Controls limits
The following table shows the limits that apply when you create a service perimeter:
Type | Limit | Notes |
---|---|---|
Projects per perimeter | 20,000 | This limit is the sum of projects specified in the enforced mode, dry-run mode, ingress rules, and egress rules. |
Services per perimeter | 100 | - |
Access levels per perimeter | 100 | This limit is the sum of access levels specified, not just unique access levels. This sum includes access levels specified in enforced mode, dry-run mode, and ingress rules. For example, if the same access level is specified in an enforced mode perimeter and for the ingress rule of the perimeter, then the access level count is considered as two and not one. |
Access policies per organization | 1 organization-level policy; 5 scoped policies per organization | - |
Perimeters per organization | 1000 | This limit is the sum of regular service perimeters and perimeter bridges. |
Projects per organization | 20,000 | This limit is the sum of projects specified for all perimeters in an organization, not just unique projects. This sum includes projects specified in the enforced mode, dry-run mode, ingress rules, and egress rules. |
VPC networks per organization | 500 | This limit is the sum of VPC networks specified for all perimeters in an organization, not just unique projects. This sum includes VPC networks specified in the enforced mode, dry-run mode, and ingress rules. |
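The counting rule in the table above (every reference counts, duplicates included) can be checked before a perimeter change is submitted. The following is an added example, not code from Google or from this page: the field names follow the ServicePerimeter resource, the sample perimeter is constructed, and treating `ingressFrom` sources, `ingressTo` resources, and `egressTo` resources as the rule positions where a project is "specified" is an assumption.

```python
# Added example: count references the way the limits table describes,
# where every mention counts and duplicates are not collapsed.
LIMITS = {"projects": 20000, "access_levels": 100}  # per-perimeter limits from the table

# Constructed sample perimeter ("status" = enforced mode, "spec" = dry-run mode).
LEVEL = "accessPolicies/123456/accessLevels/corp_devices"  # constructed name
SAMPLE = {
    "status": {
        "resources": ["projects/111", "projects/222"],
        "accessLevels": [LEVEL],
        "ingressPolicies": [{
            "ingressFrom": {"sources": [{"accessLevel": LEVEL}]},
            "ingressTo": {"resources": ["projects/111"]},
        }],
        "egressPolicies": [{"egressTo": {"resources": ["projects/333"]}}],
    },
    "spec": {"resources": ["projects/111"], "accessLevels": [LEVEL]},
}

def _projects(refs):
    """Number of entries in refs that name a project (wildcards are skipped)."""
    return sum(1 for r in refs if r.startswith("projects/"))

def count_references(perimeter):
    """Sum project and access level references across both modes and all rules."""
    projects = levels = 0
    for mode in ("status", "spec"):
        cfg = perimeter.get(mode) or {}
        projects += _projects(cfg.get("resources", []))
        levels += len(cfg.get("accessLevels", []))
        for rule in cfg.get("ingressPolicies", []):
            sources = rule.get("ingressFrom", {}).get("sources", [])
            levels += sum(1 for s in sources if "accessLevel" in s)
            projects += _projects([s["resource"] for s in sources if "resource" in s])
            projects += _projects(rule.get("ingressTo", {}).get("resources", []))
        for rule in cfg.get("egressPolicies", []):
            projects += _projects(rule.get("egressTo", {}).get("resources", []))
    return {"projects": projects, "access_levels": levels}

def over_limit(perimeter, limits=LIMITS):
    """Names of the limits that this perimeter's reference counts exceed."""
    counts = count_references(perimeter)
    return [name for name, cap in limits.items() if counts[name] > cap]

if __name__ == "__main__":
    print(count_references(SAMPLE), over_limit(SAMPLE))
```

The sample has three distinct projects and one distinct access level, but it counts as five project references and three access level references against the limits.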
Ingress and egress limits
The following table shows the limits that apply when you use ingress and egress rules:
Type | Limit per service perimeter | Limit per access policy | Notes |
---|---|---|---|
Ingress policies | 500 | 10,000 | The total number of ingress policies. |
Egress policies | 500 | 10,000 | The total number of egress policies. |
Ingress source | 30 | 500 | This limit applies to access levels and not projects. The access level references in ingress sources count towards the total number of access level references defined in service perimeters. Resources in ingress sources count towards the total number of service perimeters allowed in an access policy. |
Attributes | 4,000 | - | The attribute limit includes the attributes in ingress or egress rules such as projects, access levels, method selectors, or identities. The following identities are not counted in the total number of attributes: ANY_SERVICE_ACCOUNT, ANY_USER_ACCOUNT, and ANY_IDENTITY. The value "*" used in the methods, services, or projects attributes is counted in the total number of attributes. |
Identities | – | 3,000 | The identity limit includes identities specified across all perimeters in the access policy and not just unique identities. |
API operation messages | – | 1,000 | API operation messages can be specified inside one access policy message. |
Access Context Manager limits
For information about limits that Access Context Manager enforces, see Access Context Manager limits.