Quotas and limits

This document lists the quotas and limits that apply to Virtual Private Cloud (VPC) networking.

A quota restricts how much of a particular shared Google Cloud resource your Cloud project can use, including hardware, software, and network components.

Quotas are part of a system that does the following:

Monitors your use or consumption of Google Cloud products and services.
Restricts your consumption of those resources for reasons including ensuring fairness and reducing spikes in usage.
Maintains configurations that automatically enforce prescribed restrictions.
Provides a means to make or request changes to the quota.

When a quota is exceeded, in most cases, the system immediately blocks access to the relevant Google resource, and the task that you're trying to perform fails. In most cases, quotas apply to each Cloud project and are shared across all applications and IP addresses that use that Cloud project.

There are also limits on VPC resources. These limits are unrelated to the quota system. Limits cannot be changed unless otherwise stated.

Quotas

To change a quota, see requesting additional quota.

Per project

This table highlights important global quotas for VPC resources in each project. For other quotas, see the Quotas page in the Google Cloud console.

To monitor per-project quotas using Cloud Monitoring, set up monitoring for the metric serviceruntime.googleapis.com/quota/allocation/usage on the Consumer Quota resource type. Set additional label filters (service, quota_metric) to get to the quota type. For details on monitoring quota metrics, see Use quota metrics.

Quota	Description
Network bandwidth
Internet egress bandwidth	Per-region internet egress bandwidth from Google Cloud VMs in all VPC networks of the project.
Shared VPC
Cross Project Networking Service projects	Number of Shared VPC service projects that can be attached to a Shared VPC host project. In addition to this quota, see Shared VPC project limits.
General
Networks	Includes the `default` network, which you can remove.
Routes	Counts custom static routes defined in all VPC networks in the project. It does not include the following types of routes: Subnet routes in VPC networks in the project Custom dynamic routes learned by Cloud Routers in the project Peering subnet routes imported into VPC networks in the project Peering custom routes imported into VPC networks in the project
Cloud Routers	The number of Cloud Routers that you can create within your project, in any network and region. Networks also have a limit on the number of Cloud Routers in any given region. For details, see Cloud Router quotas and limits.
Packet Mirroring policies	The number of Packet Mirroring policies that you can create in your project, in any network and region.
Firewalls
Firewall rules	The number of firewall rules that you can create for all VPC networks in your project.
Network Firewall policies	The maximum number of Network Firewall Policies assigned to at least one VPC network in a project.
Regional Network Firewall Policies	The maximum number of Regional Network Firewall Policies assigned to the corresponding region of least one VPC network.
Rule attribute count per firewall policy	The maximum number of firewall rule attributes you can assign to a firewall policy. If there are multiple VPC networks in the same project, the aggregated rule count is considered for each policy for all the networks sharing the same project.
Forwarding rules
Forwarding rules	This quota is only for forwarding rules for the global external HTTP(S) load balancer (classic), external SSL proxy load balancer, external TCP proxy load balancer, and Classic VPN gateways. For forwarding rule use cases other than these, see the following rows.
Global external HTTP(S) load balancer forwarding rules	The maximum number of global external HTTP(S) load balancer forwarding rules that you can create in your project.
Regional external HTTP(S) load balancer forwarding rules	The maximum number of regional external HTTP(S) load balancer forwarding rules that you can create in each region in your project.
External TCP/UDP network load balancer forwarding rules	Forwarding rules for use by external TCP/UDP network load balancers (both backend service and target pool architectures).
External protocol forwarding rules	Forwarding rules for external protocol forwarding to target instances.
Traffic Director forwarding rules	Forwarding rules for Traffic Director.
Internal forwarding rules	See per network quotas for all types of internal forwarding rules used by Internal HTTP(S) Load Balancing, Internal TCP/UDP Load Balancing, and internal protocol forwarding.
IP addresses and BYOIP
Internal IP addresses	The number of static regional internal IP addresses that you can reserve in each region in your project.
Global internal IP addresses	The number of allocated ranges that you can reserve for private services access. Each range is a contiguous internal IP address range.
Static IP addresses	The number of static regional external IP addresses that you can reserve in each region in your project.
Static IP addresses global	The number of static global external IP addresses that you can reserve in your project.
In-use IP addresses	The number of static and ephemeral regional external IP addresses that you can use in your project simultaneously.
In-use IP addresses global	The number of static and ephemeral global external IP addresses that you can use in your project simultaneously.
Static BYOIP IP addresses	The number of bring your own IP regional external IP addresses that you can reserve in each region in your project.
Static BYOIP IP addresses global	The number of bring your own IP global external IP addresses that you can reserve in your project.
Public advertised prefixes	The number of public advertised prefixes (PAPs) that you can create in your project.
Regional public delegated prefixes	The number of regional public delegated prefixes (PDPs) that you can reserve in each region in your project.
Global public delegated prefixes	The number of global public delegated prefixes (PDPs) that you can reserve in your project.
Private Service Connect
Private Service Connect PSC Internal LB Forwarding Rules	The maximum number of Private Service Connect forwarding rules (endpoints) that a service consumer can create to connect to producer services. This quota is per region, per project. Quota name: `PSC-INTERNAL-LB-FORWARDING-RULES-per-project-region`
Service attachments	The maximum number of Private Service Connect service attachments that a service producer can create. This quota is per region, per project. Quota name: `SERVICE-ATTACHMENTS-per-project-region`

Per network

This table highlights important network quotas. For other quotas, see the Quotas page in the Google Cloud console.

Information on monitoring the available metrics using Cloud Monitoring is available at Use quota metrics.

Quota	Description
Instances
VM instances per network	This quota might be lower when you use VPC Network Peering to connect the network to other networks. For details, see VPC Network Peering limits. Quota name: `INSTANCES_PER_NETWORK_GLOBAL` Available metrics: compute.googleapis.com/quota/instances_per_vpc_network/limit compute.googleapis.com/quota/instances_per_vpc_network/usage compute.googleapis.com/quota/instances_per_vpc_network/exceeded
Maximum number of VM instances per subnet	No separate restriction.
IP aliases per VPC network	An alias IP range is either a single IP address (/32) or a CIDR block (for example, a /24 or /16) assigned to a network interface of a VM. Alias IP addresses can come from either the primary or secondary IP ranges of a subnet. For the purposes of this quota, Google Cloud does not consider the size of the range's netmask. It only counts the number of alias IP ranges assigned to all VMs in the network. In addition to this quota, there is a per-VM limit on the number of alias IP ranges per network interface. Quota name: `ALIASES_PER_NETWORK_GLOBAL` Available metrics: compute.googleapis.com/quota/ip_aliases_per_vpc_network/limit compute.googleapis.com/quota/ip_aliases_per_vpc_network/usage compute.googleapis.com/quota/ip_aliases_per_vpc_network/exceeded
Subnet IP ranges
Subnet IP ranges (primary and secondary) per VPC network	The total number of primary and secondary subnet IP ranges assigned to all subnets in a VPC network. Quota name: `SUBNET_RANGES_PER_NETWORK` Available metrics: compute.googleapis.com/quota/subnet_ranges_per_vpc_network/limit compute.googleapis.com/quota/subnet_ranges_per_vpc_network/usage compute.googleapis.com/quota/subnet_ranges_per_vpc_network/exceeded
Forwarding rules
Internal TCP/UDP Load Balancing forwarding rules per VPC network	The maximum number of forwarding rules for Internal TCP/UDP Load Balancing. This quota applies to the total number of forwarding rules for Internal TCP/UDP Load Balancing; it does not apply to each region individually. If your network uses VPC Network Peering to connect to other networks, see VPC Network Peering limits. Quota name: `INTERNAL_FORWARDING_RULES_PER_NETWORK` Available metrics: compute.googleapis.com/quota/internal_lb_forwarding_rules_per_vpc_network/limit compute.googleapis.com/quota/internal_lb_forwarding_rules_per_vpc_network/usage compute.googleapis.com/quota/internal_lb_forwarding_rules_per_vpc_network/exceeded
Internal protocol forwarding rules per VPC network	The maximum number of forwarding rules for internal protocol forwarding. This quota applies to the total number of forwarding rules for internal protocol forwarding; it does not apply to each region individually. If your network uses VPC Network Peering to connect to other networks, see VPC Network Peering limits. Quota name: `INTERNAL_FORWARDING_RULES_WITH_TARGET_INSTANCE_PER_NETWORK` Available metrics: compute.googleapis.com/quota/internal_protocol_forwarding_rules_per_vpc_network/limit compute.googleapis.com/quota/internal_protocol_forwarding_rules_per_vpc_network/usage compute.googleapis.com/quota/internal_protocol_forwarding_rules_per_vpc_network/exceeded
Internal HTTP(S) Load Balancing forwarding rules per VPC network	The maximum number of forwarding rules for Internal HTTP(S) Load Balancing. This quota applies to the total number of forwarding rules for Internal HTTP(S) Load Balancing; it does not apply to each region individually. If your network uses VPC Network Peering to connect to other networks, see VPC Network Peering limits. Quota name: `INTERNAL_MANAGED_FORWARDING_RULES_PER_NETWORK` Available metrics: compute.googleapis.com/quota/internal_managed_forwarding_rules_per_vpc_network/limit compute.googleapis.com/quota/internal_managed_forwarding_rules_per_vpc_network/usage compute.googleapis.com/quota/internal_managed_forwarding_rules_per_vpc_network/exceeded
Private Service Connect
Private Service Connect forwarding rules for Google APIs	The maximum number of Private Service Connect forwarding rules (endpoints) that can be used to access Google APIs. This quota applies to the total number of forwarding rules used to access Google APIs in all regions. This quota cannot be increased. See per project for additional important details about how many global internal addresses you can create. Quota name: `PSC_GOOGLE_APIS_FORWARDING_RULES_PER_NETWORK` Available metrics: compute.googleapis.com/quota/psc_google_apis_forwarding_rules_per_vpc_network/limit compute.googleapis.com/quota/psc_google_apis_forwarding_rules_per_vpc_network/usage compute.googleapis.com/quota/psc_google_apis_forwarding_rules_per_vpc_network/exceeded
Consumer Private Service Connect forwarding rules per service producer VPC network	The maximum number of Private Service Connect forwarding rules (endpoints) that can be used to access a service in a service producer VPC network. This quota applies to the total number of forwarding rules created by all consumers that are accessing services in all regions of the service producer VPC network. This quota cannot be increased. Quota name: `PSC_ILB_CONSUMER_FORWARDING_RULES_PER_PRODUCER_NETWORK` Available metrics: compute.googleapis.com/psc_ilb_consumer_forwarding_rules_per_producer_vpc_network/limit compute.googleapis.com/psc_ilb_consumer_forwarding_rules_per_producer_vpc_network/usage compute.googleapis.com/psc_ilb_consumer_forwarding_rules_per_producer_vpc_network/exceeded

Limits

Limits cannot generally be increased unless specifically noted.

Per organization

The following limits apply to organizations.

Item Limit Notes

Unassociated hierarchical firewall policies per organization

Item	Limit	Notes
Unassociated hierarchical firewall policies per organization	50	An unassociated policy is a policy that exists in your Google Cloud organization, but which is not associated with a node. There is no limit on the number of policies your organization can have that are associated with nodes, though each node can have only one policy associated. To request an update to this limit, file a support case.
Hierarchical firewall rule attributes in a hierarchical firewall policy	2000	The number of rule attributes in all rules in a hierarchical firewall policy. The number of rules does not matter, only the total number of attributes in all rules in the policy. A rule attribute is an IP range, protocol, port or port range, target service account, or target resource. Examples: A rule that specifies a source IP range of `10.100.0.1/32` and destination ports of `tcp:5000-6000` counts as three attributes, one for the IP range, one for the protocol, and one for the port range. A rule that specifies source ranges of `10.100.0.1/32` and `10.100.1.1/32` and destination protocols and ports of `tcp:80`, `tcp:443`, `udp:4000-5000`, and `icmp` count as nine, one each for the two IP ranges, and one each for the four protocols, and one each for the three ports or port ranges. To view how many attributes your policy has, see Describe a policy. To request an update to this limit, file a support case.

An unassociated policy is a policy that exists in your Google Cloud organization, but which is not associated with a node. There is no limit on the number of policies your organization can have that are associated with nodes, though each node can have only one policy associated.

To request an update to this limit, file a support case.

Hierarchical firewall rule attributes in a hierarchical firewall policy

2000

The number of rule attributes in all rules in a hierarchical firewall policy. The number of rules does not matter, only the total number of attributes in all rules in the policy.

A rule attribute is an IP range, protocol, port or port range, target service account, or target resource. Examples:

A rule that specifies a source IP range of 10.100.0.1/32 and destination ports of tcp:5000-6000 counts as three attributes, one for the IP range, one for the protocol, and one for the port range.
A rule that specifies source ranges of 10.100.0.1/32 and 10.100.1.1/32 and destination protocols and ports of tcp:80, tcp:443, udp:4000-5000, and icmp count as nine, one each for the two IP ranges, and one each for the four protocols, and one each for the three ports or port ranges.

To view how many attributes your policy has, see Describe a policy.

To request an update to this limit, file a support case.

Shared VPC project limits

The number of service projects that can be attached to a host project is a configurable per-project quota. In addition to that quota, the following limits apply to Shared VPC.

Item	Limit	Notes
Number of Shared VPC host projects in a single organization	100	To request an update to this limit, file a support case.
Number of host projects to which a service project can attach	1	This limit cannot be increased.

Per network

The following limits apply to VPC networks. These limits are enforced by using quotas internally. When per-network limits are exceeded, you see QUOTA_EXCEEDED errors with the internal quota names.

Item	Limit	Notes
Subnet IP ranges
Primary IP ranges per subnet	1	Each subnet must have exactly one primary IP range (CIDR block). This range is used for VM primary internal IP addresses, VM alias IP ranges, and the IP addresses of internal load balancers. This limit cannot be increased.
Maximum number of secondary IP ranges per subnet	30	Optionally, you can define up to thirty secondary CIDR blocks per subnet. These secondary IP ranges can only be used for alias IP ranges. This limit cannot be increased.
Routes
Maximum number of network tags per route	256	The maximum number of network tags that you can associate with a static route. This limit cannot be increased.
Firewall rules
Maximum number of source tags per firewall rule	256	The maximum number of network tags that you can specify as source tags when creating an ingress firewall rule. This limit cannot be increased.
Maximum number of target tags per firewall rule	256	The maximum number of network tags that you can specify as target tags when creating an egress or ingress firewall rule. This limit cannot be increased.
Maximum number of source service accounts per firewall rule	10	The maximum number of source service accounts that you can specify when creating an ingress firewall rule. This limit cannot be increased.
Maximum number of target service accounts per firewall rule	10	The maximum number of target service accounts that you can specify when creating an egress or ingress firewall rule. This limit cannot be increased.
Maximum number of source ranges per firewall rule	5000	The maximum number of source IP ranges that you can specify when creating a firewall rule. This limit cannot be increased.
Maximum number of destination ranges per firewall rule	5000	The maximum number of destination IP ranges that you can specify when creating a firewall rule. This limit cannot be increased.

VPC Network Peering limits

The following limits apply to VPC networks connected by using VPC Network Peering. Each limit applies to a peering group, which is a collection of VPC networks that are directly peered to each other. From the perspective of a given VPC network, it and all of its peer networks are in one peering group. Peering groups do not include the peers of peer networks.

These limits can sometimes be increased. For more information about increasing any of these limits, file a support case.

Item	Peering group limit	Notes
Peering group
Maximum number of connections to a single VPC network	25	The maximum number of networks that can connect to a given VPC network using VPC Network Peering.
Maximum number of subnet routes in a peering group	No separate restriction	The number of subnet routes that can be exchanged is limited by the maximum number of subnet IP ranges (primary and secondary) per peering group, described later in this document.
Maximum number of static routes in a peering group	300	The maximum number of static routes that can be exchanged among networks in a peering group when importing and exporting custom routes. Google Cloud prevents you from creating a peering connection to a network if that would cause the peering group to exceed this limit.
Maximum number of dynamic routes in a peering group	300	The maximum number of dynamic routes that Cloud Routers can apply to all networks of a peering group when importing and exporting custom routes. If the number of dynamic routes exceeds this limit, Google Cloud adjusts how it imports dynamic routes for a given network: Google Cloud drops imported dynamic routes from peered networks. Google Cloud uses an internal algorithm to drop dynamic routes, which means Google Cloud might drop older ones and not just the recently added routes. You cannot predict which imported dynamic routes will be dropped. Instead, you should reduce the number of dynamic routes in the peering group. Subject to Cloud Router limits, Google Cloud never drops dynamic routes that are learned by Cloud Routers in the local network. If a peering connection causes this limit to be exceeded, Google Cloud still allows you to create the peering connection without warning.
Instances
Maximum number of VM instances in a peering group	15,500	Google Cloud lets you create a new instance in a given VPC network as long as both of the following are true: You have not exceeded `INSTANCES_PER_NETWORK_GLOBAL` in the VPC network. You have not exceeded the effective per peering group maximum defined by using this per peering group's limit. For information about how effective per peering group limits are calculated, see Effective limits for VPC Network Peering. Error code for limit exceeded: `INSTANCES_PER_NETWORK_WITH_PEERING_LIMITS_EXCEEDED`
Maximum number of assigned alias IP ranges in a peering group	15,500	An alias IP range is either a single IP address (/32) or a CIDR block (for example, a /24 or /16) assigned to a network interface of a VM. Alias IP addresses can come from either the primary or secondary IP ranges of a subnet. For the purposes of this limit, Google Cloud does not consider the size of the range's netmask. It only counts the number of alias IP ranges assigned to all VMs in the network. In addition to this quota, there is a per-VM limit on the number of alias IP ranges per network interface. Error code for limit exceeded: `ALIASES_PER_NETWORK_PEERING_LIMITS_EXCEEDED`
Subnet IP ranges
Maximum number of subnet IP ranges (primary and secondary) in a peering group	400	Google Cloud lets you create a new subnet range in a given VPC network as long as both of the following are true: You have not exceeded `SUBNET_RANGES_PER_NETWORK` in the VPC network. You have not exceeded the effective per peering group maximum defined by using this per peering group's limit. For information about how effective per peering group limits are calculated, see Effective limits for VPC Network Peering. Error code for limit exceeded: `SUBNET_RANGES_PER_NETWORK_LIMITS_EXCEEDED_PEERING`
Internal load balancing
Maximum number of forwarding rules for Internal TCP/UDP Load Balancing per peering group	500	You can create new regional internal forwarding rules for Internal TCP/UDP Load Balancing as long as both of the following conditions are true: You have not exceeded `INTERNAL_FORWARDING_RULES_PER_NETWORK` in the VPC network. You have not exceeded the effective per peering group maximum defined by using this per peering group's limit. For information about how effective per peering group limits are calculated, see Effective limits for VPC Network Peering. Error code for limit exceeded: `INTERNAL_FORWARDING_RULES_WITH_PEERING_LIMITS_EXCEEDED`
Maximum number of forwarding rules for Internal HTTP(S) Load Balancing per peering group	175	You can create new regional internal managed forwarding rules for Internal HTTP(S) Load Balancing as long as both of the following conditions are true: You have not exceeded `INTERNAL_MANAGED_FORWARDING_RULES_PER_NETWORK` in the VPC network. You have not exceeded the effective per peering group maximum defined by using this per peering group's limit. For information about how effective per peering group limits are calculated, see Effective limits for VPC Network Peering. Error code for limit exceeded: `INTERNAL_MANAGED_FORWARDING_RULES_WITH_PEERING_LIMITS_EXCEEDED`
Protocol forwarding
Maximum number of forwarding rules for internal protocol forwarding per peering group	2,000	You can create new regional internal forwarding rules for protocol forwarding as long as both of the following conditions are true: You have not exceeded `INTERNAL_FORWARDING_RULES_WITH_TARGET_INSTANCE_PER_NETWORK` in the VPC network. You have not exceeded the effective per peering group maximum defined by using this per peering group's limit. For information about how effective per peering group limits are calculated, see Effective limits for VPC Network Peering. Error code for limit exceeded: `INTERNAL_FORWARDING_RULES_WITH_TARGET_INSTANCE_LIMITS_EXCEEDED_PEERING`

Effective limits for VPC Network Peering

Most per network quotas have a corresponding per peering group limit. For these, the per network quota's limit and the per peering group limit are used to calculate an effective per peering group limit. This section describes that method using the following:

The internal forwarding rules per network quota
The internal forwarding rules per peering group limit

From the perspective of a given VPC network, Google Cloud calculates an effective number of forwarding rules for the internal load balancers in the peering group by using this method:

Step 1. For the given network, find the greater of these two values:
- Maximum number of forwarding rules for the internal load balancers in the given network
- Maximum number of forwarding rules for the internal load balancers in the peering group
Step 2. For each of the remaining networks in the peering group, find the greater of these two values:
- Maximum number of forwarding rules for the internal load balancers in the peer network
- Maximum number of forwarding rules for the internal load balancers in the peering group
Step 3. Find the smallest value from the list created by Step 2.
Step 4. Take the greater of the two numbers from Step 1 and Step 3. This number is the effective number of forwarding rules for the internal load balancers that can be created in the peering group from the perspective of the given network.

Suppose that you have four VPC networks, network-a, network-b, network-c, and network-d:

network-a is peered with network-b, and network-b is peered with network-a
network-a is peered with network-c, and network-c is peered with network-a
network-c is peered with network-d, and network-d is peered with network-c

And each network has the following limits:

Network	Maximum number of forwarding rules for the internal load balancers in the given network	Maximum number of forwarding rules for the internal load balancers in the peering group
`network-a`	600	500
`network-b`	300	350
`network-c`	300	300
`network-d`	300	400

From the perspective of each VPC network, Google Cloud calculates the effective number of forwarding rules for the internal load balancers in that peering group:

From the perspective of network-a, its peering group contains network-a, network-b, and network-c. The effective number of forwarding rules for the internal load balancers in the peering group is calculated as follows:
1. In network-a: max(600,500) = 600
2. In the remaining peer networks:
  - network-b: max(300,350) = 350
  - network-c: max(300,300) = 300
3. min(350,300) = 300
4. max(600,300) = 600
  - Effective number of forwarding rules for the internal load balancers: per peering group from the perspective of network-a: 600
From the perspective of network-b, its peering group contains network-b and network-a. The effective number of forwarding rules for the internal load balancers in the peering group is calculated as follows:
1. In network-b: max(300,350) = 350
2. In the remaining peer networks:
  - network-a: max(600,500) = 600
3. min(600) = 600
4. max(350,600) = 600
  - Effective number of forwarding rules for the internal load balancers per peering group from the perspective of network-b: 600
From the perspective of network-c, its peering group contains network-c, network-a, and network-d. The effective number of forwarding rules for the internal load balancers in the peering group is calculated as follows:
1. In network-c: max(300,300) = 300
2. In the remaining peer networks:
  - network-a: max(600,500) = 600
  - network-d: max(300,400) = 400
3. min(600,400) = 400
4. max(300,400) = 400
  - Effective number of forwarding rules for the internal load balancers per peering group from the perspective of network-c: 400
From the perspective of network-d, its peering group contains network-d, and network-c. The effective number of forwarding rules for the internal load balancers in the peering group is calculated as follows:
1. In network-d: max(300,400) = 400
2. In the remaining peer networks:
  - network-c: max(300,300) = 300
3. min(300) = 300
4. max(400,300) = 400
  - Effective number of forwarding rules for the internal load balancers per peering group from the perspective of network-d: 400

IP address limits

Item	Limit	Notes
Public delegated prefixes per public advertised prefix	10	The number of public delegated prefixes (PDPs) that you can create from a public advertised prefix (PAP).

Per instance

The following limits apply to VM instances. Unless otherwise noted, these limits cannot be increased. For quotas relevant to VMs, see Compute Engine quotas.

Item	Limit	Notes
Maximum Transmission Unit (MTU)	From 1460 (default), or to 1500 (standard Ethernet), or up to 8896 bytes (jumbo frames), depending on VPC network configuration.	Instances using MTU sizes larger than that supported by the VPC network can experience dropped packets. For more information, see Maximum transmission unit.
Maximum number of network interfaces	8	Network interfaces are defined at instance creation time, and cannot be changed by editing the instance later.
Maximum number of alias IP ranges per network interface	100	The number of alias IP ranges that you can assign to a network interface as long as you don't exceed the quota for the total number of assigned alias IP ranges in the VPC network. Google Cloud does not consider the size of the alias IP range's netmask. For example, an individual `/24` range is a single alias IP range and an individual `/23` range is also a single alias IP range.
Network interfaces per VPC network	1	Each network interface must be connected to a unique VPC network. An instance can only have one network interface in a given VPC network.
Maximum duration for idle TCP connections	10 minutes	VPC networks automatically drop idle TCP connections after ten minutes. You cannot change this limit, but you can use TCP keepalives to prevent connections to instances from becoming idle. For details, see Compute Engine tips and troubleshooting.
Maximum egress data rate to an internal IP address destination	Depends on the machine type of the VM	See Egress to internal IP address destinations and machine types in the Compute Engine documentation.
Maximum egress data rate to an external IP address destination	all flows: about 7 Gbps (gigabits per second) sustained or 25 Gbps with per VM Tier_1 networking performance single flow: 3 Gbps sustained	See Egress to external IP address destinations in the Compute Engine documentation.
Maximum ingress data rate to an internal IP address destination	No artificial limit	See Ingress to internal IP address destinations in the Compute Engine documentation.
Maximum ingress data rate to an external IP address destination	no more than 20 Gbps no more than 1,800,000 packets per second	See Ingress to external IP address destinations in the Compute Engine documentation.

Connection logging limits

The maximum number of connections that can be logged per VM instance depends on its machine type. Connection logging limits are expressed as the maximum number of connections that can be logged in a five-second interval.

Instance machine type	Maximum number of connections logged in a 5-second interval
f1-micro	100 connections
g1-small	250 connections
Machine types with 1–8 vCPUs	500 connections per vCPU
Machine types with more than 8 vCPUs	4,000 (500×8) connections

Hybrid connectivity

Use the following links to find quotas and limits for Cloud VPN, Cloud Interconnect, and Cloud Router:

Managing quotas

Virtual Private Cloud enforces quotas on resource usage for various reasons. For example, quotas protect the community of Google Cloud users by preventing unforeseen spikes in usage. Quotas also help users who are exploring Google Cloud with the free tier to stay within their trial.

All projects start with the same quotas, which you can change by requesting additional quota. Some quotas may increase automatically based on your use of a product.

Permissions

To view quotas or request quota increases, Identity and Access Management (IAM) principals need one of the following roles.

Task	Required role
Check quotas for a project	One of the following: Project Owner role (`roles/owner`) Project Editor role (`roles/editor`) Quota Viewer role (`roles/servicemanagement.quotaViewer`)
Modify quotas, request additional quota	One of the following: Project Owner role (`roles/owner`) Project Editor role (`roles/editor`) Quota Administrator role (`roles/servicemanagement.quotaAdmin`) A custom role with the `serviceusage.quotas.update` permission

Checking your quota

Console

In the Google Cloud console, go to the Quotas page.
Go to Quotas
To search for the quota that you want to update, use the Filter table. If you don't know the name of the quota, use the links on this page instead.

gcloud

Using the Google Cloud CLI, run the following command to check your quotas. Replace PROJECT_ID with your own project ID.

      gcloud compute project-info describe --project PROJECT_ID

To check your used quota in a region, run the following command:

      gcloud compute regions describe example-region

Errors when exceeding your quota

If you exceed a quota with a gcloud command, gcloud outputs a quota exceeded error message and returns with the exit code 1.

If you exceed a quota with an API request, Google Cloud returns the following HTTP status code: HTTP 413 Request Entity Too Large.

Requesting additional quota

To increase or decrease most quotas, use the Google Cloud console. For more information, see Requesting a higher quota.

Console

In the Google Cloud console, go to the Quotas page.
Go to Quotas
On the Quotas page, select the quotas that you want to change.
At the top of the page, click Edit quotas.
Fill out your name, email, and phone number, and then click Next.
Fill in your quota request, and then click Done.
Submit your request. Quota requests take 24 to 48 hours to process.

Resource availability

Each quota represents a maximum number for a particular type of resource that you can create, if that resource is available. It's important to note that quotas do not guarantee resource availability. Even if you have available quota, you can't create a new resource if it is not available.

For example, you might have sufficient quota to create a new regional, external IP address in the us-central1 region. However, that is not possible if there are no available external IP addresses in that region. Zonal resource availability can also affect your ability to create a new resource.

Situations where resources are unavailable in an entire region are rare. However, resources within a zone can be depleted from time to time, typically without impact to the service level agreement (SLA) for the type of resource. For more information, review the relevant SLA for the resource.