Quotas and limits

This document lists the quotas and limits that apply to VPC Service Controls. Quotas and limits specified in this document are subject to change.

Quota utilization is computed as the sum of the utilization in enforced mode and in dry-run mode. For example, if a service perimeter protects five resources in enforced mode and seven resources in dry-run mode, the sum of both, 12, is tested against the corresponding limit. Also, every occurrence of an entry is counted separately, even if the same entry appears elsewhere in the policy. For example, if a project is included in one regular perimeter and five bridge perimeters, all six occurrences are counted and no deduplication is performed.

View quotas in the Google Cloud console

  1. In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.

  2. If you are prompted, select your organization, folder, or project.

  3. On the VPC Service Controls page, select the access policy for which you want to view quotas.

  4. Click View Quota.

    The Quota page displays the usage metrics for the following access policy limits that apply cumulatively across all service perimeters in a given access policy:

    • Service perimeters
    • Protected resources
    • Access levels
    • Total ingress and egress attributes

Service perimeter limits

The following limit applies to each service perimeter configuration. That is, the limit applies separately to the dry-run configuration and to the enforced configuration of a perimeter:

Type | Limit | Notes
--- | --- | ---
Attributes | 6,000 | This limit applies to the total number of attributes specified in ingress and egress rules. The attribute limit includes projects, VPC networks, access levels, method selectors, roles, and identities. The total includes the number of occurrences of the value `*` in the methods, services, and project attributes.
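The following script is an added example, not Google's code, that applies the two counting rules described on this page (the summed, non-deduplicated policy-wide count for protected resources, and the per-configuration attribute count for ingress and egress rules) to perimeter JSON such as `gcloud access-context-manager perimeters list --format=json` returns. It assumes the ServicePerimeter resource layout (enforced configuration in `status`, dry-run configuration in `spec`) and treats each listed attribute type, including every `*`, as one attribute; the sample data is constructed, and the exact accounting Google applies may differ in details the page does not state.

```python
"""Estimate VPC Service Controls quota usage from exported perimeter JSON."""

ATTRIBUTE_LIMIT_PER_CONFIG = 6000  # per perimeter, per configuration (enforced or dry-run)
CONFIGS = ("status", "spec")       # enforced config, dry-run config (assumed field names)


def count_operations(operations):
    """Each service name counts once, plus one per method selector; `*` counts too."""
    return sum(1 + len(op.get("methodSelectors", [])) for op in operations)


def count_config_attributes(config):
    """Attributes used by the ingress and egress rules of one perimeter configuration."""
    total = 0
    for rule in config.get("ingressPolicies", []):
        src, dst = rule.get("ingressFrom", {}), rule.get("ingressTo", {})
        total += len(src.get("identities", []))   # identities
        total += len(src.get("sources", []))      # access levels, projects, VPC networks
        total += len(dst.get("resources", []))    # projects, "*" included
        total += count_operations(dst.get("operations", []))
    for rule in config.get("egressPolicies", []):
        src, dst = rule.get("egressFrom", {}), rule.get("egressTo", {})
        total += len(src.get("identities", []))
        total += len(src.get("sources", []))
        total += len(dst.get("resources", []))
        total += len(dst.get("roles", []))        # roles
        total += count_operations(dst.get("operations", []))
    return total


def count_protected_resources(perimeters):
    """Policy-wide protected resources: enforced + dry-run, every occurrence counted."""
    return sum(len(p.get(cfg, {}).get("resources", []))
               for p in perimeters for cfg in CONFIGS)


def configs_over_attribute_limit(perimeters):
    """(perimeter name, config) pairs whose attribute count exceeds the per-config limit."""
    return [(p["name"], cfg) for p in perimeters for cfg in CONFIGS
            if count_config_attributes(p.get(cfg, {})) > ATTRIBUTE_LIMIT_PER_CONFIG]


# Constructed sample: projects/1 appears in three places and is counted three times.
SAMPLE_PERIMETERS = [
    {"name": "accessPolicies/123/servicePerimeters/regular",
     "status": {"resources": ["projects/1", "projects/2"],
                "ingressPolicies": [{
                    "ingressFrom": {"identities": ["user:alice@example.com"],
                                    "sources": [{"accessLevel": "accessPolicies/123/accessLevels/corp"}]},
                    "ingressTo": {"resources": ["*"],
                                  "operations": [{"serviceName": "storage.googleapis.com",
                                                  "methodSelectors": [{"method": "*"}]}]}}]},
     "spec": {"resources": ["projects/1", "projects/3"]}},
    {"name": "accessPolicies/123/servicePerimeters/bridge",
     "perimeterType": "PERIMETER_TYPE_BRIDGE",
     "status": {"resources": ["projects/1", "projects/3"]}},
]
```

Running the helpers over `SAMPLE_PERIMETERS` gives 6 protected resources (not 3 distinct projects) and 5 attributes in the regular perimeter's enforced configuration.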

Access policy limits

The following access policy limits apply cumulatively across all service perimeters in a given access policy:

Type | Limit | Notes
--- | --- | ---
Service perimeters | 10,000 | Service perimeter bridges count towards this limit.
Protected resources | 40,000 | Projects that are only referenced in ingress and egress policies don't count towards this limit. Add protected resources to a policy only in batches of 10,000 resources or fewer to prevent policy modification requests from timing out. We recommend that you wait 30 seconds before making the next policy modification.
Identity groups | 1,000 | This limit is on the count of identity groups configured in the ingress and egress rules.
VPC networks | 500 | This limit is on the count of VPC networks referenced in the enforced mode, dry-run mode, and ingress rules.

The following access policy limits apply cumulatively across all access levels in a given access policy:

Type | Limit | Notes
--- | --- | ---
VPC networks | 500 | This limit is on the count of VPC networks referenced in access levels.

Organization limits

The following limits apply across all access policies in a given organization:

Type | Limit
--- | ---
Organization-level access policy | 1
Folder and project-scoped access policies | 50

Access Context Manager quotas and limits

You're also subject to the Access Context Manager quotas and limits because VPC Service Controls uses Access Context Manager APIs.