This document lists the quotas and limits that apply to VPC Service Controls. Quotas and limits specified in this document are subject to change.
The quota utilization computation is based on the sum of the utilization across the enforced and the dry-run modes. For example, if a service perimeter protects five resources in enforced mode and seven resources in dry-run mode, then the sum of both, which is 12, is tested against the corresponding limit. Also, each individual entry is counted as one even if it occurs elsewhere in the policy. For example, if a project is included in one regular perimeter and five bridge perimeters, all six instances are counted and no deduplication is performed.
View quotas in the Google Cloud console
In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.
If you are prompted, select your organization, folder, or project.
On the VPC Service Controls page, select the access policy for which you want to view quotas.
Click View Quota.
The Quota page displays the usage metrics for the following access policy limits that apply cumulatively across all service perimeters in a given access policy:
- Service perimeters
- Protected resources
- Access levels
- Total ingress and egress attributes
Service perimeter limits
The following limit applies to each service perimeter configuration. That is, this limit applies separately for the dry-run and enforced configurations of a perimeter:
Type | Limit | Notes |
---|---|---|
Attributes | 6,000 | This limit applies to the total number of attributes specified in ingress and egress rules. The attribute limit includes projects, VPC networks, access levels, method selectors, roles, and identities. The total includes the number of occurrences of the value `*` in the methods, services, and project attributes. |
Access policy limits
The following access policy limits apply cumulatively across all service perimeters in a given access policy:
Type | Limit | Notes |
---|---|---|
Service perimeters | 10,000 | Service perimeter bridges count towards this limit. |
Protected resources | 40,000 | Projects that are only referenced in ingress and egress policies don't count towards this limit. Add protected resources to a policy only in batches of 10,000 resources or fewer to prevent policy modification requests from timing out. We recommend that you wait 30 seconds before making the next policy modification. |
Identity groups | 1,000 | This limit is on the count of identity groups configured in the ingress and egress rules. |
VPC networks | 500 | This limit is on the count of VPC networks referenced in the enforced mode, dry-run mode, and ingress rules. |
The following access policy limits apply cumulatively across all access levels in a given access policy:
Type | Limit | Notes |
---|---|---|
VPC networks | 500 | This limit is on the count of VPC networks referenced in access levels. |
Organization limits
The following limits apply across all access policies in a given organization:
Type | Limit |
---|---|
Organization-level access policy | 1 |
Folder and project-scoped access policies | 50 |
Access Context Manager quotas and limits
You're also subject to the Access Context Manager quotas and limits because VPC Service Controls uses Access Context Manager APIs.