Stay organized with collections Save and categorize content based on your preferences.

Quotas and limits

This document lists the quotas and limits that apply to Virtual Private Cloud (VPC) networking.

A quota restricts how much of a particular shared Google Cloud resource your Cloud project can use, including hardware, software, and network components.

Quotas are part of a system that does the following:

  • Monitors your use or consumption of Google Cloud products and services.
  • Restricts your consumption of those resources for reasons including ensuring fairness and reducing spikes in usage.
  • Maintains configurations that automatically enforce prescribed restrictions.
  • Provides a means to make or request changes to the quota.

When a quota is exceeded, in most cases, the system immediately blocks access to the relevant Google resource, and the task that you're trying to perform fails. In most cases, quotas apply to each Cloud project and are shared across all applications and IP addresses that use that Cloud project.

There are also limits on VPC resources. These limits are unrelated to the quota system. Limits cannot be changed unless otherwise stated.

Quotas

To change a quota, see requesting additional quota.

Per project

This table highlights important global quotas for VPC resources in each project. For other quotas, see the Quotas page in the Google Cloud console.

To monitor per-project quotas using Cloud Monitoring, set up monitoring for the metric serviceruntime.googleapis.com/quota/allocation/usage on the Consumer Quota resource type. Set additional label filters (service, quota_metric) to get to the quota type. For details on monitoring quota metrics, see Use quota metrics.

Quota Description
Network bandwidth
GCE VM to internet egress bandwidth Mbps Per-region internet egress bandwidth from Google Cloud VMs in all VPC networks of the project.
Shared VPC
Cross project networking service projects

Number of Shared VPC service projects that can be attached to a Shared VPC host project.

In addition to this quota, see Shared VPC project limits.

General
Networks Includes the default network, which you can remove.
Routes Counts custom static routes defined in all VPC networks in the project. It does not include the following types of routes:
  • Subnet routes in VPC networks in the project
  • Custom dynamic routes learned by Cloud Routers in the project
  • Peering subnet routes imported into VPC networks in the project
  • Peering custom routes imported into VPC networks in the project
Policy-based routes The number of policy-based routes that you can create in your project.
Routers The number of Cloud Routers that you can create within your project, in any network and region. Networks also have a limit on the number of Cloud Routers in any given region. For details, see Cloud Router quotas and limits.
Packet Mirrorings The number of Packet Mirroring policies that you can create in your project, in any network and region.
Firewalls
Firewall rules The number of VPC firewall rules that you can create for all VPC networks in your project.
Rule attribute count per firewall policy The maximum number of firewall rule attributes that you can assign to a firewall policy. If there are multiple VPC networks in the same project, the aggregated rule count is considered for each policy for all the networks sharing the same project.
Global address groups per project The maximum number of global address groups that you can define in a project.
Regional address groups per project per region The maximum number of regional address groups that you can define for a project in a region.
Address groups per project The maximum number of address groups that you can define in a project irrespective of location (global or regional).
Network firewall policies The maximum number of network firewall policies assigned to at least one VPC network in a project.
Regional network firewall policies The maximum number of Regional Network Firewall Policies assigned to the corresponding region of least one VPC network.
Forwarding rules
Forwarding rules

This quota is only for forwarding rules for the global external HTTP(S) load balancer (classic), external SSL proxy load balancer, external TCP proxy load balancer, and Classic VPN gateways.

For forwarding rule use cases other than these, see the following rows.

Global external managed forwarding rules

The maximum number of global external HTTP(S) load balancer forwarding rules that you can create in your project.

Regional external managed forwarding rules

The maximum number of regional external HTTP(S) load balancer forwarding rules that you can create in each region in your project.

External network load balancer forwarding rules Forwarding rules for use by external TCP/UDP network load balancers (both backend service and target pool architectures).
External protocol forwarding rules Forwarding rules for external protocol forwarding to target instances.
Traffic director forwarding rules Forwarding rules for Traffic Director.
Internal forwarding rules See per network quotas for all types of internal forwarding rules used by Internal HTTP(S) Load Balancing, Internal TCP/UDP Load Balancing, and internal protocol forwarding.
IP addresses and BYOIP
Internal IP addresses The number of static regional internal IP addresses that you can reserve in each region in your project. This quota applies to the aggregate of internal IPv4 and IPv6 addresses.
Global internal IP addresses The number of allocated ranges that you can reserve for private services access. Each range is a contiguous internal IP address range.
Static IP addresses The number of static regional external IP addresses that you can reserve in each region in your project.
Static IP addresses global The number of static global external IP addresses that you can reserve in your project.
In-use IP addresses The number of static and ephemeral regional external IP addresses that you can use in your project simultaneously.
In-use IP addresses global The number of static and ephemeral global external IP addresses that you can use in your project simultaneously.
Static BYOIP IP addresses The number of bring your own IP regional external IP addresses that you can reserve in each region in your project.
Static BYOIP IP addresses global The number of bring your own IP global external IP addresses that you can reserve in your project.
Public advertised prefixes The number of public advertised prefixes (PAPs) that you can create in your project.
Regional public delegated prefixes The number of regional public delegated prefixes (PDPs) that you can reserve in each region in your project.
Global public delegated prefixes The number of global public delegated prefixes (PDPs) that you can reserve in your project.
Private Service Connect
PSC internal LB forwarding rules

The maximum number of Private Service Connect forwarding rules (endpoints) that a service consumer can create to connect to producer services. This quota is per region, per project.

Quota name:
PSC-INTERNAL-LB-FORWARDING-RULES-per-project-region

Service attachments

The maximum number of Private Service Connect service attachments that a service producer can create. This quota is per region, per project.

Quota name:
SERVICE-ATTACHMENTS-per-project-region

Per network

This table highlights important network quotas. For other quotas, see the Quotas page in the Google Cloud console.

Information on monitoring the available metrics using Cloud Monitoring is available at Use quota metrics.

Quota Description
Instances
Instances per VPC network

This quota might be lower when you use VPC Network Peering to connect the network to other networks. For details, see VPC Network Peering limits.

Quota name:
INSTANCES_PER_NETWORK_GLOBAL

Available metrics:

  • compute.googleapis.com/quota/instances_per_vpc_network/limit
  • compute.googleapis.com/quota/instances_per_vpc_network/usage
  • compute.googleapis.com/quota/instances_per_vpc_network/exceeded
Maximum number of VM instances per subnet No separate restriction.
IP aliases per VPC network

An alias IP range is either a single IP address (/32) or a CIDR block (for example, a /24 or /16) assigned to a network interface of a VM. Alias IP addresses can come from either the primary or secondary IP ranges of a subnet.

For the purposes of this quota, Google Cloud does not consider the size of the range's netmask. It only counts the number of alias IP ranges assigned to all VMs in the network.

In addition to this quota, there is a per-VM limit on the number of alias IP ranges per network interface.

Quota name:
ALIASES_PER_NETWORK_GLOBAL

Available metrics:

  • compute.googleapis.com/quota/ip_aliases_per_vpc_network/limit
  • compute.googleapis.com/quota/ip_aliases_per_vpc_network/usage
  • compute.googleapis.com/quota/ip_aliases_per_vpc_network/exceeded
Subnet IP ranges
Subnetwork ranges per VPC network

The total number of primary and secondary subnet IP ranges assigned to all subnets in a VPC network.

Quota name:
SUBNET_RANGES_PER_NETWORK

Available metrics:

  • compute.googleapis.com/quota/subnet_ranges_per_vpc_network/limit
  • compute.googleapis.com/quota/subnet_ranges_per_vpc_network/usage
  • compute.googleapis.com/quota/subnet_ranges_per_vpc_network/exceeded
Forwarding rules
Internal TCP/UDP load balancer forwarding rules per VPC network

The maximum number of forwarding rules for Internal TCP/UDP Load Balancing.

This quota applies to the total number of forwarding rules for Internal TCP/UDP Load Balancing; it does not apply to each region individually.

If your network uses VPC Network Peering to connect to other networks, see VPC Network Peering limits.

Quota name:
INTERNAL_FORWARDING_RULES_PER_NETWORK

Available metrics:

  • compute.googleapis.com/quota/internal_lb_forwarding_rules_per_vpc_network/limit
  • compute.googleapis.com/quota/internal_lb_forwarding_rules_per_vpc_network/usage
  • compute.googleapis.com/quota/internal_lb_forwarding_rules_per_vpc_network/exceeded
Internal protocol forwarding rules per VPC network

The maximum number of forwarding rules for internal protocol forwarding.

This quota applies to the total number of forwarding rules for internal protocol forwarding; it does not apply to each region individually.

If your network uses VPC Network Peering to connect to other networks, see VPC Network Peering limits.

Quota name:
INTERNAL_FORWARDING_RULES_WITH_TARGET_INSTANCE_PER_NETWORK

Available metrics:

  • compute.googleapis.com/quota/internal_protocol_forwarding_rules_per_vpc_network/limit
  • compute.googleapis.com/quota/internal_protocol_forwarding_rules_per_vpc_network/usage
  • compute.googleapis.com/quota/internal_protocol_forwarding_rules_per_vpc_network/exceeded
Internal HTTP(S) load balancer forwarding rules per VPC network

The maximum number of forwarding rules for Internal HTTP(S) Load Balancing.

This quota applies to the total number of forwarding rules for Internal HTTP(S) Load Balancing; it does not apply to each region individually.

If your network uses VPC Network Peering to connect to other networks, see VPC Network Peering limits.

Quota name:
INTERNAL_MANAGED_FORWARDING_RULES_PER_NETWORK

Available metrics:

  • compute.googleapis.com/quota/internal_managed_forwarding_rules_per_vpc_network/limit
  • compute.googleapis.com/quota/internal_managed_forwarding_rules_per_vpc_network/usage
  • compute.googleapis.com/quota/internal_managed_forwarding_rules_per_vpc_network/exceeded
Private Service Connect
PSC Google APIs forwarding rules per VPC network

The maximum number of Private Service Connect forwarding rules (endpoints) that can be used to access Google APIs.

This quota applies to the total number of forwarding rules used to access Google APIs in all regions.

This quota cannot be increased.

See per project for additional important details about how many global internal addresses you can create.

Quota name:
PSC_GOOGLE_APIS_FORWARDING_RULES_PER_NETWORK

Available metrics:

  • compute.googleapis.com/quota/psc_google_apis_forwarding_rules_per_vpc_network/limit
  • compute.googleapis.com/quota/psc_google_apis_forwarding_rules_per_vpc_network/usage
  • compute.googleapis.com/quota/psc_google_apis_forwarding_rules_per_vpc_network/exceeded
PSC ILB consumer forwarding rules per producer VPC network

The maximum number of Private Service Connect forwarding rules (endpoints) that can be used to access a service in a service producer VPC network.

This quota applies to the total number of forwarding rules created by all consumers that are accessing services in all regions of the service producer VPC network.

This quota cannot be increased.

Quota name:
PSC_ILB_CONSUMER_FORWARDING_RULES_PER_PRODUCER_NETWORK

Available metrics:

  • compute.googleapis.com/psc_ilb_consumer_forwarding_rules_per_producer_vpc_network/limit
  • compute.googleapis.com/psc_ilb_consumer_forwarding_rules_per_producer_vpc_network/usage
  • compute.googleapis.com/psc_ilb_consumer_forwarding_rules_per_producer_vpc_network/exceeded

Limits

Limits cannot generally be increased unless specifically noted.

Per organization

The following limits apply to organizations.

Item Limit Notes
Unassociated hierarchical firewall policies per organization 50

An unassociated policy is a policy that exists in your Google Cloud organization, but which is not associated with a node. There is no limit on the number of policies your organization can have that are associated with nodes, though each node can have only one policy associated.

To request an update to this limit, file a support case.

Hierarchical firewall rule attributes in a hierarchical firewall policy 2000

The number of rule attributes in all rules in a hierarchical firewall policy. The number of rules does not matter, only the total number of attributes in all rules in the policy.

A rule attribute is an IP range, protocol, port or port range, target service account, or target resource. Examples:

  • A rule that specifies a source IP range of 10.100.0.1/32 and destination ports of tcp:5000-6000 counts as three attributes, one for the IP range, one for the protocol, and one for the port range.
  • A rule that specifies source ranges of 10.100.0.1/32 and 10.100.1.1/32 and destination protocols and ports of tcp:80, tcp:443, udp:4000-5000, and icmp count as nine, one each for the two IP ranges, and one each for the four protocols, and one each for the three ports or port ranges.

To view how many attributes your policy has, see Describe a policy.

To request an update to this limit, file a support case.

Global address groups per organization 30

The maximum number of global address groups that you can create per organization.

Regional address groups per organization per region 30

The maximum number of regional address groups that you can create per organization in a region.

Organization address groups 30

The maximum number of address groups that you can create per organization in a region irrespective of location (global or regional).

Shared VPC project limits

The number of service projects that can be attached to a host project is a configurable per-project quota. In addition to that quota, the following limits apply to Shared VPC.

Item Limit Notes
Number of Shared VPC host projects in a single organization 100 To request an update to this limit, file a support case.
Number of host projects to which a service project can attach 1 This limit cannot be increased.

Per network

The following limits apply to VPC networks. These limits are enforced by using quotas internally. When per-network limits are exceeded, you see QUOTA_EXCEEDED errors with the internal quota names.

Item Limit Notes
Subnet IP ranges
Primary IP ranges per subnet 1 Each subnet must have exactly one primary IP range (CIDR block). This range is used for VM primary internal IP addresses, VM alias IP ranges, and the IP addresses of internal load balancers. This limit cannot be increased.
Maximum number of secondary IP ranges per subnet 30 Optionally, you can define up to thirty secondary CIDR blocks per subnet. These secondary IP ranges can only be used for alias IP ranges. This limit cannot be increased.
Routes
Maximum number of network tags per route 256 The maximum number of network tags that you can associate with a static route. This limit cannot be increased.
Firewall rules
Maximum number of source tags per firewall rule 256 The maximum number of network tags that you can specify as source tags when creating an ingress firewall rule. This limit cannot be increased.
Maximum number of target tags per firewall rule 256 The maximum number of network tags that you can specify as target tags when creating an egress or ingress firewall rule. This limit cannot be increased.
Maximum number of source service accounts per firewall rule 10 The maximum number of source service accounts that you can specify when creating an ingress firewall rule. This limit cannot be increased.
Maximum number of target service accounts per firewall rule 10 The maximum number of target service accounts that you can specify when creating an egress or ingress firewall rule. This limit cannot be increased.
Maximum number of source ranges per firewall rule 5000 The maximum number of source IP ranges that you can specify when creating a firewall rule. This limit cannot be increased.
Maximum number of destination ranges per firewall rule 5000 The maximum number of destination IP ranges that you can specify when creating a firewall rule. This limit cannot be increased.
Maximum number of source domain names per firewall rule 100 The maximum number of source domain names that you can specify when creating an ingress firewall rule. This limit cannot be increased.
Maximum number of destination domain names per firewall rule 100 The maximum number of destination domain names that you can specify when creating an egress firewall rule. This limit cannot be increased.
Maximum number of source address groups per firewall rule 10 The maximum number of source address groups that you can specify when creating a firewall rule. This limit cannot be increased.
Maximum number of destination address groups per firewall rule 10 The maximum number of destination address groups that you can specify when creating a firewall rule. This limit cannot be increased.

VPC Network Peering limits

The following limits apply to VPC networks connected by using VPC Network Peering. Each limit applies to a peering group, which is a collection of VPC networks that are directly peered to each other. From the perspective of a given VPC network, it and all of its peer networks are in one peering group. Peering groups do not include the peers of peer networks.

These limits can sometimes be increased. For more information about increasing any of these limits, file a support case.

Item Peering group limit Notes
Peering group
Maximum number of connections to a single VPC network 25 The maximum number of networks that can connect to a given VPC network using VPC Network Peering.
Maximum number of subnet routes in a peering group No separate restriction The number of subnet routes that can be exchanged is limited by the maximum number of subnet IP ranges (primary and secondary) per peering group, described later in this document.
Maximum number of static routes in a peering group 300 The maximum number of static routes that can be exchanged among networks in a peering group when importing and exporting custom routes. Google Cloud prevents you from creating a peering connection to a network if that would cause the peering group to exceed this limit.
Maximum number of dynamic routes in a peering group 300 The maximum number of dynamic routes that Cloud Routers can apply to all networks of a peering group when importing and exporting custom routes. This limit applies to the aggregate of IPv4 and IPv6 dynamic routes. If the number of dynamic routes exceeds this limit, Google Cloud adjusts how it imports dynamic routes for a given network:
  • Google Cloud drops imported dynamic routes from peered networks. Google Cloud uses an internal algorithm to drop dynamic routes, which means Google Cloud might drop older ones and not just the recently added routes. You cannot predict which imported dynamic routes will be dropped. Instead, you should reduce the number of dynamic routes in the peering group.
  • Subject to Cloud Router limits, Google Cloud never drops dynamic routes that are learned by Cloud Routers in the local network.
  • If a peering connection causes this limit to be exceeded, Google Cloud still allows you to create the peering connection without warning.
Instances
Maximum number of VM instances in a peering group 15,500

Google Cloud lets you create a new instance in a given VPC network as long as both of the following are true:

  • You have not exceeded INSTANCES_PER_NETWORK_GLOBAL in the VPC network.
  • You have not exceeded the effective per peering group maximum defined by using this per peering group's limit. For information about how effective per peering group limits are calculated, see Effective limits for VPC Network Peering.

Error code for limit exceeded:
INSTANCES_PER_NETWORK_WITH_PEERING_LIMITS_EXCEEDED

Maximum number of assigned alias IP ranges in a peering group 15,500

An alias IP range is either a single IP address (/32) or a CIDR block (for example, a /24 or /16) assigned to a network interface of a VM. Alias IP addresses can come from either the primary or secondary IP ranges of a subnet.

For the purposes of this limit, Google Cloud does not consider the size of the range's netmask. It only counts the number of alias IP ranges assigned to all VMs in the network.

In addition to this quota, there is a per-VM limit on the number of alias IP ranges per network interface.

Error code for limit exceeded:
ALIASES_PER_NETWORK_PEERING_LIMITS_EXCEEDED

Subnet IP ranges
Maximum number of subnet IP ranges (primary and secondary) in a peering group 400

Google Cloud lets you create a new subnet range in a given VPC network as long as both of the following are true:

  • You have not exceeded SUBNET_RANGES_PER_NETWORK in the VPC network.
  • You have not exceeded the effective per peering group maximum defined by using this per peering group's limit. For information about how effective per peering group limits are calculated, see Effective limits for VPC Network Peering.

Error code for limit exceeded:
SUBNET_RANGES_PER_NETWORK_LIMITS_EXCEEDED_PEERING

Internal load balancing

Maximum number of forwarding rules for Internal TCP/UDP Load Balancing per peering group

500

You can create new regional internal forwarding rules for Internal TCP/UDP Load Balancing as long as both of the following conditions are true:

  • You have not exceeded INTERNAL_FORWARDING_RULES_PER_NETWORK in the VPC network.
  • You have not exceeded the effective per peering group maximum defined by using this per peering group's limit. For information about how effective per peering group limits are calculated, see Effective limits for VPC Network Peering.

Error code for limit exceeded:
INTERNAL_FORWARDING_RULES_WITH_PEERING_LIMITS_EXCEEDED

Maximum number of forwarding rules for Internal HTTP(S) Load Balancing per peering group

175

You can create new regional internal managed forwarding rules for Internal HTTP(S) Load Balancing as long as both of the following conditions are true:

  • You have not exceeded INTERNAL_MANAGED_FORWARDING_RULES_PER_NETWORK in the VPC network.
  • You have not exceeded the effective per peering group maximum defined by using this per peering group's limit. For information about how effective per peering group limits are calculated, see Effective limits for VPC Network Peering.

Error code for limit exceeded:
INTERNAL_MANAGED_FORWARDING_RULES_WITH_PEERING_LIMITS_EXCEEDED

Protocol forwarding
Maximum number of forwarding rules for internal protocol forwarding per peering group 2,000

You can create new regional internal forwarding rules for protocol forwarding as long as both of the following conditions are true:

  • You have not exceeded INTERNAL_FORWARDING_RULES_WITH_TARGET_INSTANCE_PER_NETWORK in the VPC network.
  • You have not exceeded the effective per peering group maximum defined by using this per peering group's limit. For information about how effective per peering group limits are calculated, see Effective limits for VPC Network Peering.

Error code for limit exceeded:
INTERNAL_FORWARDING_RULES_WITH_TARGET_INSTANCE_LIMITS_EXCEEDED_PEERING

Effective limits for VPC Network Peering

Most per network quotas have a corresponding per peering group limit. For these, the per network quota's limit and the per peering group limit are used to calculate an effective per peering group limit. This section describes that method using the following:

  • The internal forwarding rules per network quota
  • The internal forwarding rules per peering group limit

From the perspective of a given VPC network, Google Cloud calculates an effective number of forwarding rules for the internal load balancers in the peering group by using this method:

  • Step 1. For the given network, find the greater of these two values:

    • Maximum number of forwarding rules for the internal load balancers in the given network
    • Maximum number of forwarding rules for the internal load balancers in the peering group
  • Step 2. For each of the remaining networks in the peering group, find the greater of these two values:

    • Maximum number of forwarding rules for the internal load balancers in the peer network
    • Maximum number of forwarding rules for the internal load balancers in the peering group
  • Step 3. Find the smallest value from the list created by Step 2.

  • Step 4. Take the greater of the two numbers from Step 1 and Step 3. This number is the effective number of forwarding rules for the internal load balancers that can be created in the peering group from the perspective of the given network.

Suppose that you have four VPC networks, network-a, network-b, network-c, and network-d:

  • network-a is peered with network-b, and network-b is peered with network-a
  • network-a is peered with network-c, and network-c is peered with network-a
  • network-c is peered with network-d, and network-d is peered with network-c

And each network has the following limits:

Network Maximum number of forwarding rules for the internal load balancers in the given network Maximum number of forwarding rules for the internal load balancers in the peering group
network-a 600 500
network-b 300 350
network-c 300 300
network-d 300 400

From the perspective of each VPC network, Google Cloud calculates the effective number of forwarding rules for the internal load balancers in that peering group:

  • From the perspective of network-a, its peering group contains network-a, network-b, and network-c. The effective number of forwarding rules for the internal load balancers in the peering group is calculated as follows:

    1. In network-a: max(600,500) = 600
    2. In the remaining peer networks:
      • network-b: max(300,350) = 350
      • network-c: max(300,300) = 300
    3. min(350,300) = 300
    4. max(600,300) = 600
      • Effective number of forwarding rules for the internal load balancers: per peering group from the perspective of network-a: 600
  • From the perspective of network-b, its peering group contains network-b and network-a. The effective number of forwarding rules for the internal load balancers in the peering group is calculated as follows:

    1. In network-b: max(300,350) = 350
    2. In the remaining peer networks:
      • network-a: max(600,500) = 600
    3. min(600) = 600
    4. max(350,600) = 600
      • Effective number of forwarding rules for the internal load balancers per peering group from the perspective of network-b: 600
  • From the perspective of network-c, its peering group contains network-c, network-a, and network-d. The effective number of forwarding rules for the internal load balancers in the peering group is calculated as follows:

    1. In network-c: max(300,300) = 300
    2. In the remaining peer networks:
      • network-a: max(600,500) = 600
      • network-d: max(300,400) = 400
    3. min(600,400) = 400
    4. max(300,400) = 400
      • Effective number of forwarding rules for the internal load balancers per peering group from the perspective of network-c: 400
  • From the perspective of network-d, its peering group contains network-d, and network-c. The effective number of forwarding rules for the internal load balancers in the peering group is calculated as follows:

    1. In network-d: max(300,400) = 400
    2. In the remaining peer networks:
      • network-c: max(300,300) = 300
    3. min(300) = 300
    4. max(400,300) = 400
      • Effective number of forwarding rules for the internal load balancers per peering group from the perspective of network-d: 400

IP address limits

Item Limit Notes
Public delegated prefixes per public advertised prefix 10 The number of public delegated prefixes (PDPs) that you can create from a public advertised prefix (PAP).

Per instance

The following limits apply to VM instances. Unless otherwise noted, these limits cannot be increased. For quotas relevant to VMs, see Compute Engine quotas.

Item Limit Notes
Maximum Transmission Unit (MTU) From 1460 (default), or to 1500 (standard Ethernet), or up to 8896 bytes (jumbo frames), depending on VPC network configuration. Instances using MTU sizes larger than that supported by the VPC network can experience dropped packets. For more information, see Maximum transmission unit.
Maximum number of network interfaces 8 Network interfaces are defined at instance creation time, and cannot be changed by editing the instance later.
Maximum number of alias IP ranges per network interface 100

The number of alias IP ranges that you can assign to a network interface as long as you don't exceed the quota for the total number of assigned alias IP ranges in the VPC network.

Google Cloud does not consider the size of the alias IP range's netmask. For example, an individual /24 range is a single alias IP range and an individual /23 range is also a single alias IP range.

Network interfaces per VPC network 1 Each network interface must be connected to a unique VPC network. An instance can only have one network interface in a given VPC network.
Maximum duration for idle TCP connections 10 minutes VPC networks automatically drop idle TCP connections after ten minutes. You cannot change this limit, but you can use TCP keepalives to prevent connections to instances from becoming idle. For details, see Compute Engine tips and troubleshooting.
Maximum egress data rate to an internal IP address destination Depends on the machine type of the VM See Egress to internal IP address destinations and machine types in the Compute Engine documentation.
Maximum egress data rate to an external IP address destination

all flows: about 7 Gbps (gigabits per second) sustained or 25 Gbps with per VM Tier_1 networking performance

single flow: 3 Gbps sustained

See Egress to external IP address destinations in the Compute Engine documentation.
Maximum ingress data rate to an internal IP address destination No artificial limit See Ingress to internal IP address destinations in the Compute Engine documentation.
Maximum ingress data rate to an external IP address destination

no more than 20 Gbps

no more than 1,800,000 packets per second

See Ingress to external IP address destinations in the Compute Engine documentation.

Connection logging limits

The maximum number of connections that can be logged per VM instance depends on its machine type. Connection logging limits are expressed as the maximum number of connections that can be logged in a five-second interval.

Instance machine type Maximum number of connections logged in a 5-second interval
f1-micro 100 connections
g1-small 250 connections
Machine types with 1–8 vCPUs 500 connections per vCPU
Machine types with more than 8 vCPUs 4,000 (500×8) connections

Hybrid connectivity

Use the following links to find quotas and limits for Cloud VPN, Cloud Interconnect, and Cloud Router:

Managing quotas

Virtual Private Cloud enforces quotas on resource usage for various reasons. For example, quotas protect the community of Google Cloud users by preventing unforeseen spikes in usage. Quotas also help users who are exploring Google Cloud with the free tier to stay within their trial.

All projects start with the same quotas, which you can change by requesting additional quota. Some quotas may increase automatically based on your use of a product.

Permissions

To view quotas or request quota increases, Identity and Access Management (IAM) principals need one of the following roles.

Task Required role
Check quotas for a project One of the following:
Modify quotas, request additional quota One of the following:
  • Project Owner (roles/owner)
  • Project Editor (roles/editor)
  • Quota Administrator (roles/servicemanagement.quotaAdmin)
  • A custom role with the serviceusage.quotas.update permission

Checking your quota

Console

  1. In the Google Cloud console, go to the Quotas page.

    Go to Quotas

  2. To search for the quota that you want to update, use the Filter table. If you don't know the name of the quota, use the links on this page instead.

gcloud

Using the Google Cloud CLI, run the following command to check your quotas. Replace PROJECT_ID with your own project ID.

      gcloud compute project-info describe --project PROJECT_ID
    

To check your used quota in a region, run the following command:

      gcloud compute regions describe example-region
    

Errors when exceeding your quota

If you exceed a quota with a gcloud command, gcloud outputs a quota exceeded error message and returns with the exit code 1.

If you exceed a quota with an API request, Google Cloud returns the following HTTP status code: HTTP 413 Request Entity Too Large.

Requesting additional quota

To increase or decrease most quotas, use the Google Cloud console. For more information, see Requesting a higher quota.

Console

  1. In the Google Cloud console, go to the Quotas page.

    Go to Quotas

  2. On the Quotas page, select the quotas that you want to change.
  3. At the top of the page, click Edit quotas.
  4. Fill out your name, email, and phone number, and then click Next.
  5. Fill in your quota request, and then click Done.
  6. Submit your request. Quota requests take 24 to 48 hours to process.

Resource availability

Each quota represents a maximum number for a particular type of resource that you can create, if that resource is available. It's important to note that quotas do not guarantee resource availability. Even if you have available quota, you can't create a new resource if it is not available.

For example, you might have sufficient quota to create a new regional, external IP address in the us-central1 region. However, that is not possible if there are no available external IP addresses in that region. Zonal resource availability can also affect your ability to create a new resource.

Situations where resources are unavailable in an entire region are rare. However, resources within a zone can be depleted from time to time, typically without impact to the service level agreement (SLA) for the type of resource. For more information, review the relevant SLA for the resource.