This document lists the quotas and limits that apply to VPC Service Controls. Quotas and limits specified in this document are subject to change.
The quota utilization computation is based on the sum of the utilization across the enforced and the dry-run modes. For example, if a service perimeter protects five resources in enforced mode and seven resources in dry-run mode, then the sum of both, which is 12, is tested against the corresponding limit. Also, each individual entry is counted as one even if it occurs elsewhere in the policy. For example, if a project is included in one regular perimeter and five bridge perimeters, all six instances are counted and no deduplication is performed.
View quotas in the Google Cloud console
In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.
If you are prompted, select your organization, folder, or project.
On the VPC Service Controls page, select the access policy for which you want to view quotas.
Click View Quota.
The Quota page displays the usage metrics for the following access policy limits that apply cumulatively across all service perimeters in a given access policy:
- Service perimeters
- Protected resources
- Access levels
- Total ingress and egress attributes
Service perimeter limits
The following limits apply to each individual service perimeter:
| Type | Limit | Notes |
|---|---|---|
| Access levels | 500 | This limit is on the number of access level references in a service perimeter, which includes the access level references in ingress and egress rules associated with the service perimeter. |
Access policy limits
The following access policy limits apply cumulatively across all service perimeters in a given access policy:
| Type | Limit | Notes |
|---|---|---|
| Service perimeters | 10,000 | Service perimeter bridges count towards this limit. |
| Protected resources | 40,000 | Projects that are only referenced in ingress and egress policies do not count towards this limit. |
| Attributes | 4,000 | This limit is on the count of all attributes specified in ingress and egress rules. The attribute limit includes projects, VPC networks, access levels, method selectors, and identities. The number of occurrences of the value "*" in the methods, services, or projects attributes are included in the total. |
| VPC networks | 500 | This limit is on the count of VPC networks referenced in the enforced mode, dry-run mode, and ingress rules. |
Organization limits
The following limits apply across all access policies in a given organization:
| Type | Limit |
|---|---|
| Organization-level access policy | 1 |
| Folder and project-scoped access policies | 50 |
Access Context Manager quotas and limits
You're also subject to the Access Context Manager quotas and limits because VPC Service Controls uses Access Context Manager APIs.