Quotas and limits
This document lists the quotas and limits that apply to Virtual Private Cloud (VPC) networking.
A quota restricts how much of a particular shared Google Cloud resource your Cloud project can use, including hardware, software, and network components.
Quotas are part of a system that does the following:
- Monitors your use or consumption of Google Cloud products and services.
- Restricts your consumption of those resources for reasons including ensuring fairness and reducing spikes in usage.
- Maintains configurations that automatically enforce prescribed restrictions.
- Provides a means to make or request changes to the quota.
When a quota is exceeded, in most cases, the system immediately blocks access to the relevant Google resource, and the task that you're trying to perform fails. In most cases, quotas apply to each Cloud project and are shared across all applications and IP addresses that use that Cloud project.
There are also limits on VPC resources. These limits are unrelated to the quota system. Limits cannot be changed unless otherwise stated.
Quotas
To change a quota, see requesting additional quota.
Per project
This table highlights important global quotas for VPC resources in each project. For other quotas, see the Quotas page in the Google Cloud console.
To monitor per-project quotas using Cloud Monitoring, set up monitoring
for the metric serviceruntime.googleapis.com/quota/allocation/usage
on the
Consumer Quota
resource type. Set additional label filters (service
,
quota_metric
) to get to the quota type. For details on monitoring quota metrics,
see Use quota metrics.
Quota | Description |
---|---|
Network bandwidth | |
GCE VM to internet egress bandwidth Mbps | Per-region internet egress bandwidth from Google Cloud VMs in all VPC networks of the project. |
Shared VPC | |
Cross project networking service projects | Number of Shared VPC service projects that can be attached to a Shared VPC host project. In addition to this quota, see Shared VPC project limits. |
General | |
Networks | Includes the default network, which you can
remove. |
Routes | Counts custom static routes defined in all VPC
networks in the project. It does not include the following types of
routes:
|
Policy-based routes | The number of policy-based routes that you can create in your project. |
Routers | The number of Cloud Routers that you can create within your project, in any network and region. Networks also have a limit on the number of Cloud Routers in any given region. For details, see Cloud Router quotas and limits. |
Packet Mirrorings | The number of Packet Mirroring policies that you can create in your project, in any network and region. |
Firewalls | |
Firewall rules | The number of VPC firewall rules that you can create for all VPC networks in your project. |
Rule attribute count per firewall policy | The maximum number of firewall rule attributes that you can assign to a firewall policy. If there are multiple VPC networks in the same project, the aggregated rule count is considered for each policy for all the networks sharing the same project. |
Global address groups per project | The maximum number of global address groups that you can define in a project. |
Regional address groups per project per region | The maximum number of regional address groups that you can define for a project in a region. |
Address groups per project | The maximum number of address groups that you can define in a project irrespective of location (global or regional). |
Network firewall policies | The maximum number of network firewall policies assigned to at least one VPC network in a project. |
Regional network firewall policies | The maximum number of Regional Network Firewall Policies assigned to the corresponding region of least one VPC network. |
Forwarding rules | |
Forwarding rules | This quota is only for forwarding rules for the global external HTTP(S) load balancer (classic), external SSL proxy load balancer, external TCP proxy load balancer, and Classic VPN gateways. For forwarding rule use cases other than these, see the following rows. |
Global external managed forwarding rules | The maximum number of global external HTTP(S) load balancer forwarding rules that you can create in your project. |
Regional external managed forwarding rules | The maximum number of regional external HTTP(S) load balancer forwarding rules that you can create in each region in your project. |
External network load balancer forwarding rules | Forwarding rules for use by external TCP/UDP network load balancers (both backend service and target pool architectures). |
External protocol forwarding rules | Forwarding rules for external protocol forwarding to target instances. |
Traffic director forwarding rules | Forwarding rules for Traffic Director. |
Internal forwarding rules | See per network quotas for all types of internal forwarding rules used by Internal HTTP(S) Load Balancing, Internal TCP/UDP Load Balancing, and internal protocol forwarding. |
IP addresses and BYOIP | |
Internal IP addresses | The number of static regional internal IP addresses that you can reserve in each region in your project. This quota applies to the aggregate of internal IPv4 and IPv6 addresses. |
Global internal IP addresses | The number of allocated ranges that you can reserve for private services access. Each range is a contiguous internal IP address range. |
Static IP addresses | The number of static regional external IP addresses that you can reserve in each region in your project. |
Static IP addresses global | The number of static global external IP addresses that you can reserve in your project. |
In-use IP addresses | The number of static and ephemeral regional external IP addresses that you can use in your project simultaneously. |
In-use IP addresses global | The number of static and ephemeral global external IP addresses that you can use in your project simultaneously. |
Static BYOIP IP addresses | The number of bring your own IP regional external IP addresses that you can reserve in each region in your project. |
Static BYOIP IP addresses global | The number of bring your own IP global external IP addresses that you can reserve in your project. |
Public advertised prefixes | The number of public advertised prefixes (PAPs) that you can create in your project. |
Regional public delegated prefixes | The number of regional public delegated prefixes (PDPs) that you can reserve in each region in your project. |
Global public delegated prefixes | The number of global public delegated prefixes (PDPs) that you can reserve in your project. |
Private Service Connect | |
PSC internal LB forwarding rules | The maximum number of Private Service Connect forwarding rules (endpoints) that a service consumer can create to connect to producer services. This quota is per region, per project. Quota name: |
Service attachments | The maximum number of Private Service Connect service attachments that a service producer can create. This quota is per region, per project. Quota name: |
Per network
This table highlights important network quotas. For other quotas, see the Quotas page in the Google Cloud console.
Information on monitoring the available metrics using Cloud Monitoring is available at Use quota metrics.
Quota | Description |
---|---|
Instances | |
Instances per VPC network | This quota might be lower when you use VPC Network Peering to connect the network to other networks. For details, see VPC Network Peering limits. Quota name: Available metrics:
|
Maximum number of VM instances per subnet | No separate restriction. |
IP aliases per VPC network | An alias IP range is either a single IP address (/32) or a CIDR block (for example, a /24 or /16) assigned to a network interface of a VM. Alias IP addresses can come from either the primary or secondary IP ranges of a subnet. For the purposes of this quota, Google Cloud does not consider the size of the range's netmask. It only counts the number of alias IP ranges assigned to all VMs in the network. In addition to this quota, there is a per-VM limit on the number of alias IP ranges per network interface. Quota name: Available metrics:
|
Subnet IP ranges | |
Subnetwork ranges per VPC network | The total number of primary and secondary subnet IP ranges assigned to all subnets in a VPC network. Quota name: Available metrics:
|
Forwarding rules | |
Internal TCP/UDP load balancer forwarding rules per VPC network | The maximum number of forwarding rules for Internal TCP/UDP Load Balancing. This quota applies to the total number of forwarding rules for Internal TCP/UDP Load Balancing; it does not apply to each region individually. If your network uses VPC Network Peering to connect to other networks, see VPC Network Peering limits. Quota name: Available metrics:
|
Internal protocol forwarding rules per VPC network | The maximum number of forwarding rules for internal protocol forwarding. This quota applies to the total number of forwarding rules for internal protocol forwarding; it does not apply to each region individually. If your network uses VPC Network Peering to connect to other networks, see VPC Network Peering limits. Quota name: Available metrics:
|
Internal HTTP(S) load balancer forwarding rules per VPC network | The maximum number of forwarding rules for Internal HTTP(S) Load Balancing. This quota applies to the total number of forwarding rules for Internal HTTP(S) Load Balancing; it does not apply to each region individually. If your network uses VPC Network Peering to connect to other networks, see VPC Network Peering limits. Quota name: Available metrics:
|
Private Service Connect | |
PSC Google APIs forwarding rules per VPC network | The maximum number of Private Service Connect forwarding rules (endpoints) that can be used to access Google APIs. This quota applies to the total number of forwarding rules used to access Google APIs in all regions. This quota cannot be increased. See per project for additional important details about how many global internal addresses you can create. Quota name: Available metrics:
|
PSC ILB consumer forwarding rules per producer VPC network | The maximum number of Private Service Connect forwarding rules (endpoints) that can be used to access a service in a service producer VPC network. This quota applies to the total number of forwarding rules created by all consumers that are accessing services in all regions of the service producer VPC network. This quota cannot be increased. Quota name: Available metrics:
|
Limits
Limits cannot generally be increased unless specifically noted.
Per organization
The following limits apply to organizations.
Item | Limit | Notes |
---|---|---|
Unassociated hierarchical firewall policies per organization | 50 | An unassociated policy is a policy that exists in your Google Cloud organization, but which is not associated with a node. There is no limit on the number of policies your organization can have that are associated with nodes, though each node can have only one policy associated. To request an update to this limit, file a support case. |
Hierarchical firewall rule attributes in a hierarchical firewall policy | 2000 | The number of rule attributes in all rules in a hierarchical firewall policy. The number of rules does not matter, only the total number of attributes in all rules in the policy. A rule attribute is an IP range, protocol, port or port range, target service account, or target resource. Examples:
To view how many attributes your policy has, see Describe a policy. To request an update to this limit, file a support case. |
Global address groups per organization | 30 | The maximum number of global address groups that you can create per organization. |
Regional address groups per organization per region | 30 | The maximum number of regional address groups that you can create per organization in a region. |
Organization address groups | 30 | The maximum number of address groups that you can create per organization in a region irrespective of location (global or regional). |
Shared VPC project limits
The number of service projects that can be attached to a host project is a configurable per-project quota. In addition to that quota, the following limits apply to Shared VPC.
Item | Limit | Notes |
---|---|---|
Number of Shared VPC host projects in a single organization | 100 | To request an update to this limit, file a support case. |
Number of host projects to which a service project can attach | 1 | This limit cannot be increased. |
Per network
The following limits apply to VPC networks. These limits are
enforced by using quotas internally. When per-network limits are exceeded, you
see QUOTA_EXCEEDED
errors with the internal quota names.
Item | Limit | Notes |
---|---|---|
Subnet IP ranges | ||
Primary IP ranges per subnet | 1 | Each subnet must have exactly one primary IP range (CIDR block). This range is used for VM primary internal IP addresses, VM alias IP ranges, and the IP addresses of internal load balancers. This limit cannot be increased. |
Maximum number of secondary IP ranges per subnet | 30 | Optionally, you can define up to thirty secondary CIDR blocks per subnet. These secondary IP ranges can only be used for alias IP ranges. This limit cannot be increased. |
Routes | ||
Maximum number of network tags per route | 256 | The maximum number of network tags that you can associate with a static route. This limit cannot be increased. |
Firewall rules | ||
Maximum number of source tags per firewall rule | 256 | The maximum number of network tags that you can specify as source tags when creating an ingress firewall rule. This limit cannot be increased. |
Maximum number of target tags per firewall rule | 256 | The maximum number of network tags that you can specify as target tags when creating an egress or ingress firewall rule. This limit cannot be increased. |
Maximum number of source service accounts per firewall rule | 10 | The maximum number of source service accounts that you can specify when creating an ingress firewall rule. This limit cannot be increased. |
Maximum number of target service accounts per firewall rule | 10 | The maximum number of target service accounts that you can specify when creating an egress or ingress firewall rule. This limit cannot be increased. |
Maximum number of source ranges per firewall rule | 5000 | The maximum number of source IP ranges that you can specify when creating a firewall rule. This limit cannot be increased. |
Maximum number of destination ranges per firewall rule | 5000 | The maximum number of destination IP ranges that you can specify when creating a firewall rule. This limit cannot be increased. |
Maximum number of source domain names per firewall rule | 100 | The maximum number of source domain names that you can specify when creating an ingress firewall rule. This limit cannot be increased. |
Maximum number of destination domain names per firewall rule | 100 | The maximum number of destination domain names that you can specify when creating an egress firewall rule. This limit cannot be increased. |
Maximum number of source address groups per firewall rule | 10 | The maximum number of source address groups that you can specify when creating a firewall rule. This limit cannot be increased. |
Maximum number of destination address groups per firewall rule | 10 | The maximum number of destination address groups that you can specify when creating a firewall rule. This limit cannot be increased. |
VPC Network Peering limits
The following limits apply to VPC networks connected by using VPC Network Peering. Each limit applies to a peering group, which is a collection of VPC networks that are directly peered to each other. From the perspective of a given VPC network, it and all of its peer networks are in one peering group. Peering groups do not include the peers of peer networks.
These limits can sometimes be increased. For more information about increasing any of these limits, file a support case.
Item | Peering group limit | Notes |
---|---|---|
Peering group | ||
Maximum number of connections to a single VPC network | 25 | The maximum number of networks that can connect to a given VPC network using VPC Network Peering. |
Maximum number of subnet routes in a peering group | No separate restriction | The number of subnet routes that can be exchanged is limited by the maximum number of subnet IP ranges (primary and secondary) per peering group, described later in this document. |
Maximum number of static routes in a peering group | 300 | The maximum number of static routes that can be exchanged among networks in a peering group when importing and exporting custom routes. Google Cloud prevents you from creating a peering connection to a network if that would cause the peering group to exceed this limit. |
Maximum number of dynamic routes in a peering group | 300 | The maximum number of dynamic routes that
Cloud Routers can apply to all networks of a peering group when
importing and
exporting custom routes. This limit applies to the aggregate of IPv4 and
IPv6 dynamic routes. If the number of dynamic routes exceeds this limit, Google Cloud
adjusts how it imports dynamic routes for a given
network:
|
Instances | ||
Maximum number of VM instances in a peering group | 15,500 | Google Cloud lets you create a new instance in a given VPC network as long as both of the following are true:
Error code for limit exceeded: |
Maximum number of assigned alias IP ranges in a peering group | 15,500 | An alias IP range is either a single IP address (/32) or a CIDR block (for example, a /24 or /16) assigned to a network interface of a VM. Alias IP addresses can come from either the primary or secondary IP ranges of a subnet. For the purposes of this limit, Google Cloud does not consider the size of the range's netmask. It only counts the number of alias IP ranges assigned to all VMs in the network. In addition to this quota, there is a per-VM limit on the number of alias IP ranges per network interface. Error code for limit exceeded: |
Subnet IP ranges | ||
Maximum number of subnet IP ranges (primary and secondary) in a peering group | 400 | Google Cloud lets you create a new subnet range in a given VPC network as long as both of the following are true:
Error code for limit exceeded: |
Internal load balancing | ||
Maximum number of forwarding rules for Internal TCP/UDP Load Balancing per peering group |
500 | You can create new regional internal forwarding rules for Internal TCP/UDP Load Balancing as long as both of the following conditions are true:
Error code for limit exceeded: |
Maximum number of forwarding rules for Internal HTTP(S) Load Balancing per peering group |
175 | You can create new regional internal managed forwarding rules for Internal HTTP(S) Load Balancing as long as both of the following conditions are true:
Error code for limit exceeded: |
Protocol forwarding | ||
Maximum number of forwarding rules for internal protocol forwarding per peering group | 2,000 | You can create new regional internal forwarding rules for protocol forwarding as long as both of the following conditions are true:
Error code for limit exceeded: |
Effective limits for VPC Network Peering
Most per network quotas have a corresponding per peering group limit. For these, the per network quota's limit and the per peering group limit are used to calculate an effective per peering group limit. This section describes that method using the following:
- The internal forwarding rules per network quota
- The internal forwarding rules per peering group limit
From the perspective of a given VPC network, Google Cloud calculates an effective number of forwarding rules for the internal load balancers in the peering group by using this method:
Step 1. For the given network, find the greater of these two values:
- Maximum number of forwarding rules for the internal load balancers in the given network
- Maximum number of forwarding rules for the internal load balancers in the peering group
Step 2. For each of the remaining networks in the peering group, find the greater of these two values:
- Maximum number of forwarding rules for the internal load balancers in the peer network
- Maximum number of forwarding rules for the internal load balancers in the peering group
Step 3. Find the smallest value from the list created by Step 2.
Step 4. Take the greater of the two numbers from Step 1 and Step 3. This number is the effective number of forwarding rules for the internal load balancers that can be created in the peering group from the perspective of the given network.
Suppose that you have four VPC networks, network-a
,
network-b
, network-c
, and network-d
:
network-a
is peered withnetwork-b
, andnetwork-b
is peered withnetwork-a
network-a
is peered withnetwork-c
, andnetwork-c
is peered withnetwork-a
network-c
is peered withnetwork-d
, andnetwork-d
is peered withnetwork-c
And each network has the following limits:
Network | Maximum number of forwarding rules for the internal load balancers in the given network | Maximum number of forwarding rules for the internal load balancers in the peering group |
---|---|---|
network-a |
600 | 500 |
network-b |
300 | 350 |
network-c |
300 | 300 |
network-d |
300 | 400 |
From the perspective of each VPC network, Google Cloud calculates the effective number of forwarding rules for the internal load balancers in that peering group:
From the perspective of
network-a
, its peering group containsnetwork-a
,network-b
, andnetwork-c
. The effective number of forwarding rules for the internal load balancers in the peering group is calculated as follows:- In
network-a
:max(600,500) = 600
- In the remaining peer networks:
network-b
:max(300,350) = 350
network-c
:max(300,300) = 300
min(350,300) = 300
max(600,300) = 600
- Effective number of forwarding rules for the internal load balancers:
per peering group from the perspective of
network-a
:600
- Effective number of forwarding rules for the internal load balancers:
per peering group from the perspective of
- In
From the perspective of
network-b
, its peering group containsnetwork-b
andnetwork-a
. The effective number of forwarding rules for the internal load balancers in the peering group is calculated as follows:- In
network-b
:max(300,350) = 350
- In the remaining peer networks:
network-a
:max(600,500) = 600
min(600) = 600
max(350,600) = 600
- Effective number of forwarding rules for the internal load balancers
per peering group from the perspective of
network-b
:600
- Effective number of forwarding rules for the internal load balancers
per peering group from the perspective of
- In
From the perspective of
network-c
, its peering group containsnetwork-c
,network-a
, andnetwork-d
. The effective number of forwarding rules for the internal load balancers in the peering group is calculated as follows:- In
network-c
:max(300,300) = 300
- In the remaining peer networks:
network-a
:max(600,500) = 600
network-d
:max(300,400) = 400
min(600,400) = 400
max(300,400) = 400
- Effective number of forwarding rules for the internal load balancers
per peering group from the perspective of
network-c
:400
- Effective number of forwarding rules for the internal load balancers
per peering group from the perspective of
- In
From the perspective of
network-d
, its peering group containsnetwork-d
, andnetwork-c
. The effective number of forwarding rules for the internal load balancers in the peering group is calculated as follows:- In
network-d
:max(300,400) = 400
- In the remaining peer networks:
network-c
:max(300,300) = 300
min(300) = 300
max(400,300) = 400
- Effective number of forwarding rules for the internal load balancers
per peering group from the perspective of
network-d
:400
- Effective number of forwarding rules for the internal load balancers
per peering group from the perspective of
- In
IP address limits
Item | Limit | Notes |
---|---|---|
Public delegated prefixes per public advertised prefix | 10 | The number of public delegated prefixes (PDPs) that you can create from a public advertised prefix (PAP). |
Per instance
The following limits apply to VM instances. Unless otherwise noted, these limits cannot be increased. For quotas relevant to VMs, see Compute Engine quotas.
Item | Limit | Notes |
---|---|---|
Maximum Transmission Unit (MTU) | From 1460 (default), or to 1500 (standard Ethernet), or up to 8896 bytes (jumbo frames), depending on VPC network configuration. | Instances using MTU sizes larger than that supported by the VPC network can experience dropped packets. For more information, see Maximum transmission unit. |
Maximum number of network interfaces | 8 | Network interfaces are defined at instance creation time, and cannot be changed by editing the instance later. |
Maximum number of alias IP ranges per network interface | 100 | The number of alias IP ranges that you can assign to a network interface as long as you don't exceed the quota for the total number of assigned alias IP ranges in the VPC network. Google Cloud does not consider the size of the alias
IP range's netmask. For example, an individual |
Network interfaces per VPC network | 1 | Each network interface must be connected to a unique VPC network. An instance can only have one network interface in a given VPC network. |
Maximum duration for idle TCP connections | 10 minutes | VPC networks automatically drop idle TCP connections after ten minutes. You cannot change this limit, but you can use TCP keepalives to prevent connections to instances from becoming idle. For details, see Compute Engine tips and troubleshooting. |
Maximum egress data rate to an internal IP address destination | Depends on the machine type of the VM | See Egress to internal IP address destinations and machine types in the Compute Engine documentation. |
Maximum egress data rate to an external IP address destination | all flows: about 7 Gbps (gigabits per second) sustained or 25 Gbps with per VM Tier_1 networking performance single flow: 3 Gbps sustained |
See Egress to external IP address destinations in the Compute Engine documentation. |
Maximum ingress data rate to an internal IP address destination | No artificial limit | See Ingress to internal IP address destinations in the Compute Engine documentation. |
Maximum ingress data rate to an external IP address destination | no more than 20 Gbps no more than 1,800,000 packets per second |
See Ingress to external IP address destinations in the Compute Engine documentation. |
Connection logging limits
The maximum number of connections that can be logged per VM instance depends on its machine type. Connection logging limits are expressed as the maximum number of connections that can be logged in a five-second interval.
Instance machine type | Maximum number of connections logged in a 5-second interval |
---|---|
f1-micro | 100 connections |
g1-small | 250 connections |
Machine types with 1–8 vCPUs | 500 connections per vCPU |
Machine types with more than 8 vCPUs | 4,000 (500×8) connections |
Hybrid connectivity
Use the following links to find quotas and limits for Cloud VPN, Cloud Interconnect, and Cloud Router:
Managing quotas
Virtual Private Cloud enforces quotas on resource usage for various reasons. For example, quotas protect the community of Google Cloud users by preventing unforeseen spikes in usage. Quotas also help users who are exploring Google Cloud with the free tier to stay within their trial.
All projects start with the same quotas, which you can change by requesting additional quota. Some quotas may increase automatically based on your use of a product.
Permissions
To view quotas or request quota increases, Identity and Access Management (IAM) principals need one of the following roles.
Task | Required role |
---|---|
Check quotas for a project | One of the following:
|
Modify quotas, request additional quota | One of the following:
|
Checking your quota
Console
- In the Google Cloud console, go to the Quotas page.
- To search for the quota that you want to update, use the Filter table. If you don't know the name of the quota, use the links on this page instead.
gcloud
Using the Google Cloud CLI, run the following command to
check your quotas. Replace PROJECT_ID
with your own project ID.
gcloud compute project-info describe --project PROJECT_ID
To check your used quota in a region, run the following command:
gcloud compute regions describe example-region
Errors when exceeding your quota
If you exceed a quota with a gcloud
command,
gcloud
outputs a quota exceeded
error
message and returns with the exit code 1
.
If you exceed a quota with an API request, Google Cloud returns the
following HTTP status code: HTTP 413 Request Entity Too Large
.
Requesting additional quota
To increase or decrease most quotas, use the Google Cloud console. For more information, see Requesting a higher quota.
Console
- In the Google Cloud console, go to the Quotas page.
- On the Quotas page, select the quotas that you want to change.
- At the top of the page, click Edit quotas.
- Fill out your name, email, and phone number, and then click Next.
- Fill in your quota request, and then click Done.
- Submit your request. Quota requests take 24 to 48 hours to process.
Resource availability
Each quota represents a maximum number for a particular type of resource that you can create, if that resource is available. It's important to note that quotas do not guarantee resource availability. Even if you have available quota, you can't create a new resource if it is not available.
For example, you might have sufficient quota to create a new regional, external IP address
in the us-central1
region. However, that is not possible if there are no
available external IP addresses in that region. Zonal resource
availability can also affect your ability to create a new resource.
Situations where resources are unavailable in an entire region are rare. However, resources within a zone can be depleted from time to time, typically without impact to the service level agreement (SLA) for the type of resource. For more information, review the relevant SLA for the resource.