Quotas and limits

This document lists the quotas and limits that apply to VPC Service Controls. Quotas and limits specified in this document are subject to change.

The quota utilization computation is based on the sum of the utilization across the enforced and the dry-run modes. For example, if a service perimeter protects five resources in enforced mode and seven resources in dry-run mode, then the sum of both, which is 12, is tested against the corresponding limit. Also, each individual entry is counted as one even if it occurs elsewhere in the policy. For example, if a project is included in one regular perimeter and five bridge perimeters, all six instances are counted and no deduplication is performed.
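The counting rule above can be checked against an exported perimeter list before a change is applied. The following is an added example, not part of the original documentation: it assumes input shaped like the Access Context Manager ServicePerimeter resource (`status` for enforced mode, `spec` for dry-run mode), takes its limits from the Access policy limits table on this page, and uses a hypothetical function name (`quota_usage`) and constructed sample data.

```python
import json
from collections import Counter

# Limits taken from the "Access policy limits" table on this page.
LIMITS = {"service_perimeters": 10_000, "protected_resources": 40_000}

# Constructed sample: a trimmed perimeter list in the shape of the
# Access Context Manager ServicePerimeter resource (status = enforced,
# spec = dry-run). Project numbers are made up.
SAMPLE_POLICY = json.loads("""
[
  {"title": "prod", "perimeterType": "PERIMETER_TYPE_REGULAR",
   "status": {"resources": ["projects/101", "projects/102"]},
   "spec":   {"resources": ["projects/101", "projects/102", "projects/103"]}},
  {"title": "prod-to-shared", "perimeterType": "PERIMETER_TYPE_BRIDGE",
   "status": {"resources": ["projects/101", "projects/201"]}}
]
""")


def quota_usage(perimeters):
    """Count usage as described above: enforced and dry-run entries are
    summed, and repeated entries are not deduplicated."""
    seen = Counter()
    for perimeter in perimeters:
        for mode in ("status", "spec"):  # enforced, then dry-run
            # Assumption: a perimeter without an explicit spec adds nothing
            # for dry-run mode.
            seen.update((perimeter.get(mode) or {}).get("resources", []))
    used = {
        "service_perimeters": len(perimeters),  # bridges are included
        "protected_resources": sum(seen.values()),
    }
    return {
        "used": used,
        "remaining": {k: LIMITS[k] - used[k] for k in LIMITS},
        # Entries counted more than once, largest contributors first.
        "repeated": [(r, n) for r, n in seen.most_common() if n > 1],
    }


if __name__ == "__main__":
    print(json.dumps(quota_usage(SAMPLE_POLICY), indent=2))
```

The `repeated` list shows which projects consume the most quota through reuse across perimeters and bridges, which is where headroom is usually recovered.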

View quotas in the Google Cloud console

  1. In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.

  2. If you are prompted, select your organization, folder, or project.

  3. On the VPC Service Controls page, select the access policy for which you want to view quotas.

  4. Click View Quota.

    The Quota page displays the usage metrics for the following access policy limits that apply cumulatively across all service perimeters in a given access policy:

    • Service perimeters
    • Protected resources
    • Access levels
    • Total ingress and egress attributes

Service perimeter limits

The following limits apply to each individual service perimeter:

| Type | Limit | Notes |
|---|---|---|
| Access levels | 500 | This limit is on the number of access level references in a service perimeter, which includes the access level references in ingress and egress rules associated with the service perimeter. |

Access policy limits

The following access policy limits apply cumulatively across all service perimeters in a given access policy:

| Type | Limit | Notes |
|---|---|---|
| Service perimeters | 10,000 | Service perimeter bridges count towards this limit. |
| Protected resources | 40,000 | Projects that are only referenced in ingress and egress policies do not count towards this limit. |
| Attributes | 4,000 | This limit is on the count of all attributes specified in ingress and egress rules. The attribute limit includes projects, VPC networks, access levels, method selectors, and identities. The number of occurrences of the value "*" in the methods, services, or projects attributes is included in the total. |
| VPC networks | 500 | This limit is on the count of VPC networks referenced in the enforced mode, dry-run mode, and ingress rules. |

Organization limits

The following limits apply across all access policies in a given organization:

| Type | Limit |
|---|---|
| Organization-level access policy | 1 |
| Folder and project-scoped access policies | 50 |

Access Context Manager quotas and limits

You're also subject to the Access Context Manager quotas and limits because VPC Service Controls uses Access Context Manager APIs.