This document lists the quotas and limits that apply to VPC Service Controls. Quotas and limits specified in this document are subject to change.
The quota utilization computation is based on the sum of the utilization across the enforced and the dry-run modes. For example, if a service perimeter protects five resources in enforced mode and seven resources in dry-run mode, then the sum of both, which is 12, is tested against the corresponding limit. Also, each individual entry is counted as one even if it occurs elsewhere in the policy. For example, if a project is included in one regular perimeter and five bridge perimeters, all six instances are counted and no deduplication is performed.
However, VPC Service Controls calculates the service perimeter limits differently. For more information, see the Service perimeter limits section of this document.
View quotas in the Google Cloud console
In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.
If you are prompted, select your organization, folder, or project.
On the VPC Service Controls page, select the access policy for which you want to view quotas.
Click View Quota.
The Quota page displays the usage metrics for the following access policy limits that apply cumulatively across all service perimeters in a given access policy:
- Service perimeters
- Protected resources
- Access levels
- Total ingress and egress attributes
Service perimeter limits
The following limit applies to each service perimeter configuration. That is, this limit applies separately for the dry-run and enforced configurations of a perimeter:
Type | Limit | Notes |
---|---|---|
Attributes | 6,000 | This limit applies to the total number of attributes specified in the ingress and egress rules. The attribute limit includes the references to projects, VPC networks, access levels, method selectors, and identities in these rules. The total attribute count also includes the use of wildcard characters, *, in the methods, services, and project attributes. |
Attribute limit considerations
VPC Service Controls counts each entry in the following ingress and egress rule fields as one attribute:
Rule block | Fields |
---|---|
ingressFrom | |
ingressTo | |
egressFrom | |
egressTo | |
For more information about these fields, see Ingress rules reference and Egress rules reference.
VPC Service Controls applies the following rules to check whether a perimeter exceeds the attribute limit:
- Each field in an ingress and egress rule can have multiple entries, and each entry counts towards the limit. For example, if you mention a service account and a user account in the identities field of an egressFrom rule block, VPC Service Controls counts two attributes towards the limit.
- VPC Service Controls counts each occurrence of a resource in the rules separately, even if you repeat the same resource in multiple rules. For example, if you mention a project, project-1, in two different ingress or egress rules, rule-1 and rule-2, VPC Service Controls counts two attributes towards the limit.
- Each service perimeter can have an enforced and a dry-run configuration. VPC Service Controls applies the attribute limit separately for each configuration. For example, if the total attribute counts for the enforced and dry-run configurations of a perimeter are 3,500 and 3,000 attributes, respectively, VPC Service Controls considers that the perimeter is still within the attribute limit.
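The following script is an added example, not code from the VPC Service Controls documentation or the service itself. It models the counting rules stated above (every entry counts once, repeats are not deduplicated, wildcards count, the attribute limit applies per configuration) and the policy-level rule from the introduction (protected-resource usage is summed across enforced and dry-run modes). The rule shape used for the sample perimeter is an assumption made to resemble ingress and egress rule blocks; the counting logic is what the page states.

```python
from typing import Any

ATTRIBUTE_LIMIT = 6_000            # per perimeter configuration (enforced or dry-run)
PROTECTED_RESOURCE_LIMIT = 40_000  # per access policy, enforced + dry-run combined

def count_entries(value: Any) -> int:
    """Count every leaf entry as one attribute: a scalar (including the
    wildcard "*") is 1, and lists/dicts are the sum of their members.
    Nothing is deduplicated, so a project repeated in two rules counts twice."""
    if isinstance(value, dict):
        return sum(count_entries(v) for v in value.values())
    if isinstance(value, list):
        return sum(count_entries(v) for v in value)
    return 1

def config_attribute_count(config: dict) -> int:
    """Attributes in one configuration's ingress and egress rules (field names assumed)."""
    rules = config.get("ingressPolicies", []) + config.get("egressPolicies", [])
    return sum(count_entries(rule) for rule in rules)

def perimeter_within_attribute_limit(perimeter: dict) -> dict[str, bool]:
    """The 6,000 limit is applied to each configuration separately, not to their sum."""
    return {name: config_attribute_count(cfg) <= ATTRIBUTE_LIMIT
            for name, cfg in perimeter.items()}

def protected_resource_usage(perimeters: list[dict]) -> int:
    """Policy-level usage sums the resources of every configuration of every
    perimeter (bridges included) with no deduplication."""
    return sum(len(cfg.get("resources", []))
               for p in perimeters for cfg in p.values())

# Constructed sample perimeter: project-1 appears in two rules and is counted
# twice; the two identities in egressFrom count as two attributes.
SAMPLE_PERIMETER = {
    "enforced": {
        "resources": ["projects/project-1", "projects/project-2"],
        "ingressPolicies": [{
            "ingressFrom": {"sources": [{"resource": "projects/project-1"}]},
            "ingressTo": {"resources": ["*"],
                          "operations": [{"serviceName": "storage.googleapis.com",
                                          "methodSelectors": [{"method": "*"}]}]}}],
        "egressPolicies": [{
            "egressFrom": {"identities": ["serviceAccount:sa@example.iam.gserviceaccount.com",
                                          "user:alice@example.com"]},
            "egressTo": {"resources": ["projects/project-1"],
                         "operations": [{"serviceName": "bigquery.googleapis.com",
                                         "methodSelectors": [{"method": "*"}]}]}}],
    },
    "dryRun": {"resources": ["projects/project-3"], "ingressPolicies": [], "egressPolicies": []},
}

if __name__ == "__main__":
    print(config_attribute_count(SAMPLE_PERIMETER["enforced"]))   # 9
    print(perimeter_within_attribute_limit(SAMPLE_PERIMETER))      # both True
    print(protected_resource_usage([SAMPLE_PERIMETER]))            # 3
```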
Access policy limits
The following access policy limits apply cumulatively across all service perimeters in a given access policy:
Type | Limit | Notes |
---|---|---|
Service perimeters | 10,000 | Service perimeter bridges count towards this limit. |
Protected resources | 40,000 | Projects that are only referenced in ingress and egress policies don't count towards this limit. Add protected resources to a policy only in batches of 10,000 resources or fewer to prevent policy modification requests from timing out. We recommend that you wait 30 seconds before making the next policy modification. |
Identity groups | 1,000 | This limit is on the count of identity groups configured in the ingress and egress rules. |
VPC networks | 500 | This limit is on the count of VPC networks referenced in the enforced mode, dry-run mode, and ingress rules. |
The following access policy limits apply cumulatively across all access levels in a given access policy:
Type | Limit | Notes |
---|---|---|
VPC networks | 500 | This limit is on the count of VPC networks referenced in access levels. |
Organization limits
The following limits apply across all access policies in a given organization:
Type | Limit |
---|---|
Organization-level access policy | 1 |
Folder and project-scoped access policies | 50 |
Access Context Manager quotas and limits
You're also subject to the Access Context Manager quotas and limits because VPC Service Controls uses Access Context Manager APIs.