Quotas and limits

This document lists the quotas and limits that apply to Virtual Private Cloud (VPC) networking.

A quota restricts how much of a shared Google Cloud resource your Google Cloud project can use, including hardware, software, and network components. Therefore, quotas are a part of a system that does the following:

  • Monitors your use or consumption of Google Cloud products and services.
  • Restricts your consumption of those resources, for reasons that include ensuring fairness and reducing spikes in usage.
  • Maintains configurations that automatically enforce prescribed restrictions.
  • Provides a means to request or make changes to the quota.

When a quota is exceeded, the system in most cases immediately blocks access to the relevant Google resource, and the task that you're trying to perform fails. Quotas generally apply to each Google Cloud project and are shared across all applications and IP addresses that use that Google Cloud project.

There are also limits on VPC resources. These limits are unrelated to the quota system. Limits cannot be changed unless otherwise stated.

Quotas

To change a quota, see requesting additional quota.

Per project

This table highlights important global quotas for VPC resources in each project. For other quotas, see the Quotas page in the Google Cloud console.

To monitor per-project quotas using Cloud Monitoring, set up monitoring for the metric serviceruntime.googleapis.com/quota/allocation/usage on the Consumer Quota resource type. Set additional label filters (service, quota_metric) to get to the quota type. For details on monitoring quota metrics, see Use quota metrics. Each quota has a limit and a usage value.

Quota | Description

Network bandwidth
GCE VM to internet egress bandwidth Mbps | Total egress bandwidth from Google Cloud VMs in one region to destinations outside of a VPC network (using the default internet gateway). This quota's usage is charged to the project that contains the Compute Engine VMs that emit the packets. Excludes traffic sent to Google APIs and services by using Private Google Access. Excludes traffic sent to Google APIs and services from VMs with external IP addresses.
Inter-region network egress bandwidth (Mbps) from Compute instances | Total egress bandwidth from Google Cloud VMs in one region to destinations that are routable within a VPC network (using next hops that are not the default internet gateway). This quota's usage is charged to the project that contains the Compute Engine VMs that emit the packets.

Shared VPC
Cross project networking service projects | Number of Shared VPC service projects that can be attached to a Shared VPC host project. In addition to this quota, see Shared VPC project limits.

General
Networks | Includes the default network, which you can remove.
Policy-based routes | The number of policy-based routes that you can create in your project.
Routers | The number of Cloud Routers that you can create within your project, in any network and region. Networks also have a limit on the number of Cloud Routers in any given region. For details, see Cloud Router quotas and limits.
Packet Mirrorings | The number of Packet Mirroring policies that you can create in your project, in any network and region.

Load balancer and protocol forwarding rules
See Forwarding rules in the load balancing quotas documentation.

IP addresses and BYOIP
Address move requests per minute | The global number of address move requests that you can make per minute.
Address move requests per minute per region | The number of address move requests that you can make per minute per region.
Internal IP addresses | The number of static regional internal IPv4 addresses that you can reserve in each region in your project.
Regional static internal IPv6 address ranges | The number of static regional internal IPv6 address ranges that you can reserve in each region in your project.
Global internal IP addresses | The number of allocated ranges that you can reserve for private services access. Each range is a contiguous internal IP address range.
Internal ranges | The number of internal range resources that you can reserve in your project.
Static IP addresses | The number of static regional external IPv4 addresses that you can reserve in each region in your project.
Regional static external IPv6 address ranges | The number of static regional external IPv6 address ranges that you can reserve in each region in your project.
Static IP addresses global | The number of static global external IP addresses that you can reserve in your project.
In-use IP addresses | The number of static and ephemeral regional external IP addresses that you can use in your project simultaneously.
In-use IP addresses global | The number of static and ephemeral global external IP addresses that you can use in your project simultaneously.
Static BYOIP IP addresses | The number of bring your own IP regional external IP addresses that you can reserve in each region in your project.
Static BYOIP IP addresses global | The number of bring your own IP global external IP addresses that you can reserve in your project.
Public advertised prefixes | The number of public advertised prefixes (PAPs) that you can create in your project.
Regional public delegated prefixes | The number of regional public delegated prefixes (PDPs) that you can reserve in each region in your project.
Global public delegated prefixes | The number of global public delegated prefixes (PDPs) that you can reserve in your project.

Private Service Connect
PSC internal LB forwarding rules

The maximum number of Private Service Connect forwarding rules (endpoints) that a service consumer can create to connect to producer services. This quota is per region, per project.

Quota name:
PSC-INTERNAL-LB-FORWARDING-RULES-per-project-region

Service attachments

The maximum number of Private Service Connect service attachments that a service producer can create. This quota is per region, per project.

Quota name:
SERVICE-ATTACHMENTS-per-project-region

Network attachments

The maximum number of network attachments that a Private Service Connect consumer can create. This quota is per region, per project.

Quota name:
NETWORK-ATTACHMENTS-per-project-region

Per network

This table highlights important network quotas. For other quotas, see the Quotas page in the Google Cloud console.

Information on monitoring the available metrics using Cloud Monitoring is available at Use quota metrics. Each quota has a limit and a usage value.

A per-network quota usually has a corresponding per-peering group quota applicable when VPC Network Peering is used. Per-peering group quotas have the concept of an effective limit.

Quota Description
Instances & alias IP ranges
Instances per VPC network

The total number of VM instances with a network interface (NIC) in the VPC network.

Quota name:
INSTANCES_PER_NETWORK_GLOBAL

Available metrics:

  • compute.googleapis.com/quota/instances_per_vpc_network/limit
  • compute.googleapis.com/quota/instances_per_vpc_network/usage
  • compute.googleapis.com/quota/instances_per_vpc_network/exceeded
Instances per peering group

From the perspective of a VPC network, the total number of VM instances with a network interface (NIC) in either the VPC network itself or in one of its directly connected peers.

Quota name:
INSTANCES_PER_PEERING_GROUP_GLOBAL

Available metrics:

  • compute.googleapis.com/quota/instances_per_peering_group/limit
  • compute.googleapis.com/quota/instances_per_peering_group/usage
IP aliases per VPC network

The total number of alias IP ranges used by network interfaces (NICs) of VM instances in the VPC network. This quota counts the number of alias IP ranges without regard to each range's size (subnet mask).

In addition to this quota, there is a per-VM limit on the number of alias IP ranges per network interface.

Quota name:
ALIASES_PER_NETWORK_GLOBAL

Available metrics:

  • compute.googleapis.com/quota/ip_aliases_per_vpc_network/limit
  • compute.googleapis.com/quota/ip_aliases_per_vpc_network/usage
  • compute.googleapis.com/quota/ip_aliases_per_vpc_network/exceeded
IP aliases per peering group

From the perspective of a VPC network, the total number of alias IP ranges used by NICs of VM instances local to the VPC network and in its directly connected peers. This quota counts the number of alias IP ranges without regard to each range's size (subnet mask).

In addition to this quota, there is a per-VM limit on the number of alias IP ranges per network interface.

Quota name:
ALIASES_PER_PEERING_GROUP_GLOBAL

Available metrics:

  • compute.googleapis.com/quota/ip_aliases_per_peering_group/limit
  • compute.googleapis.com/quota/ip_aliases_per_peering_group/usage
Subnet IP address ranges
Subnetwork ranges per VPC network

The total number of subnet IP address ranges used by subnets in the VPC network. Includes primary IPv4 address ranges, secondary IPv4 address ranges, and IPv6 address ranges.

Quota name:
SUBNET_RANGES_PER_NETWORK

Available metrics:

  • compute.googleapis.com/quota/subnet_ranges_per_vpc_network/limit
  • compute.googleapis.com/quota/subnet_ranges_per_vpc_network/usage
  • compute.googleapis.com/quota/subnet_ranges_per_vpc_network/exceeded
Subnetwork ranges per peering group

From the perspective of a VPC network, the total number of subnet IP address ranges used by subnets local to the VPC network and in its directly connected peers. Includes primary IPv4 address ranges, secondary IPv4 address ranges, and IPv6 address ranges.

Quota name:
SUBNET_RANGES_PEERING_GROUP

Available metrics:

  • compute.googleapis.com/quota/subnet_ranges_per_peering_group/limit
  • compute.googleapis.com/quota/subnet_ranges_per_peering_group/usage
VPC Network Peering
Peerings per VPC network

From the perspective of a VPC network, the total number of other VPC networks it can connect to by using VPC Network Peering.

Quota name:
PEERINGS_PER_NETWORK

Available metrics:

  • compute.googleapis.com/quota/peerings_per_network/limit
  • compute.googleapis.com/quota/peerings_per_network/usage
  • compute.googleapis.com/quota/peerings_per_network/exceeded
Static and dynamic routes
Static routes per network

From the perspective of all regions of a VPC network, the total number of static routes local to the VPC network. This quota applies to the aggregate of IPv4 and IPv6 static routes.

Quota name:
STATIC_ROUTES_PER_NETWORK

Available metrics:

  • compute.googleapis.com/quota/static_routes_per_vpc_network/limit
  • compute.googleapis.com/quota/static_routes_per_vpc_network/usage
  • compute.googleapis.com/quota/static_routes_per_vpc_network/exceeded
Static routes per peering group

From the perspective of all regions of a VPC network, the total number of static routes local to the VPC network and in its directly connected peers. This quota applies to the aggregate of IPv4 and IPv6 static routes.

Quota name:
STATIC_ROUTES_PER_PEERING_GROUP

Available metrics:

  • compute.googleapis.com/quota/static_routes_per_peering_group/limit
  • compute.googleapis.com/quota/static_routes_per_peering_group/usage
Dynamic routes per region per peering group

From the perspective of each region in a VPC network, the total number of dynamic routes local to the VPC network and in its directly connected peers. This quota applies to the aggregate of IPv4 and IPv6 dynamic routes.

Quota name:
DYNAMIC_ROUTES_PER_REGION_PER_PEERING_GROUP

Available metrics:

  • compute.googleapis.com/quota/dynamic_routes_per_region_per_peering_group/limit
  • compute.googleapis.com/quota/dynamic_routes_per_region_per_peering_group/usage

If the number of dynamic routes exceeds this limit, Google Cloud adjusts how it imports dynamic routes according to the following rules:

  • Google Cloud only drops peering dynamic routes. Google Cloud uses an internal algorithm when dropping peering dynamic routes; you cannot predict which peering dynamic routes are dropped.
  • Subject to Cloud Router limits, Google Cloud never drops local dynamic routes (those routes learned by Cloud Router that are local to the VPC network itself).
  • If a peering connection causes this limit to be exceeded, Google Cloud still lets you create the peering connection without a warning.
Load balancer and protocol forwarding rules
See Forwarding rules in the load balancing quotas documentation.
Private Service Connect
PSC Google APIs forwarding rules per VPC network

The maximum number of Private Service Connect forwarding rules (endpoints) that can be used to access Google APIs.

This quota applies to the total number of forwarding rules used to access Google APIs in all regions.

This quota cannot be increased.

See per project for additional important details about how many global internal addresses you can create.

Quota name:
PSC_GOOGLE_APIS_FORWARDING_RULES_PER_NETWORK

Available metrics:

  • compute.googleapis.com/quota/psc_google_apis_forwarding_rules_per_vpc_network/limit
  • compute.googleapis.com/quota/psc_google_apis_forwarding_rules_per_vpc_network/usage
  • compute.googleapis.com/quota/psc_google_apis_forwarding_rules_per_vpc_network/exceeded
PSC ILB consumer forwarding rules per producer VPC network

The maximum number of Private Service Connect forwarding rules (endpoints) that can be used to access a service in a service producer VPC network.

This quota applies to the total number of forwarding rules created by all consumers that are accessing services in all regions of the service producer VPC network.

Quota name:
PSC_ILB_CONSUMER_FORWARDING_RULES_PER_PRODUCER_NETWORK

Available metrics:

  • compute.googleapis.com/psc_ilb_consumer_forwarding_rules_per_producer_vpc_network/limit
  • compute.googleapis.com/psc_ilb_consumer_forwarding_rules_per_producer_vpc_network/usage
  • compute.googleapis.com/psc_ilb_consumer_forwarding_rules_per_producer_vpc_network/exceeded

Deprecated quotas

Google Cloud no longer enforces the following quotas:

Limits

Limits cannot generally be increased unless specifically noted.

Shared VPC limits

The number of service projects that can be attached to a host project is a configurable per-project quota. In addition to that quota, the following limits apply to Shared VPC.

Item | Limit | Notes
Number of Shared VPC host projects in a single organization | 100 | To request an update to this limit, file a support case.
Number of host projects to which a service project can attach | 1 | This limit cannot be increased.

Per network

The following limits apply to VPC networks. These limits are enforced by using quotas internally. When per-network limits are exceeded, you see QUOTA_EXCEEDED errors with the internal quota names.

Item | Limit | Notes

Subnet IP ranges
Primary IP ranges per subnet | 1 | Each subnet must have exactly one primary IP range (CIDR block). This range is used for VM primary internal IP addresses, VM alias IP ranges, and the IP addresses of internal load balancers. This limit cannot be increased.
Maximum number of secondary IP ranges per subnet | 30 | Optionally, you can define up to thirty secondary CIDR blocks per subnet. These secondary IP ranges can only be used for alias IP ranges. This limit cannot be increased.

Routes
Maximum number of network tags per route | 256 | The maximum number of network tags that you can associate with a static route. This limit cannot be increased.

IP address limits

Item | Limit | Notes
Public delegated prefixes per public advertised prefix | 10 | The number of public delegated prefixes (PDPs) that you can create from a public advertised prefix (PAP).

Per instance

The following limits apply to VM instances. Unless otherwise noted, these limits cannot be increased. For quotas relevant to VMs, see Compute Engine quotas.

Item | Limit | Notes
Maximum Transmission Unit (MTU) | 1460 (default), 1500 (standard Ethernet), or up to 8896 bytes (jumbo frames), depending on VPC network configuration. | Instances using MTU sizes larger than that supported by the VPC network can experience dropped packets. For more information, see Maximum transmission unit.
Maximum number of network interfaces | 8 | Network interfaces are defined at instance creation time, and cannot be changed by editing the instance later.
Maximum number of alias IP ranges per network interface | 100 | The number of alias IP ranges that you can assign to a network interface as long as you don't exceed the quota for the total number of assigned alias IP ranges in the VPC network. Google Cloud does not consider the size of the alias IP range's netmask. For example, an individual /24 range is a single alias IP range and an individual /23 range is also a single alias IP range.
Network interfaces per VPC network | 1 | Each network interface must be connected to a unique VPC network. An instance can only have one network interface in a given VPC network.
Maximum duration for idle TCP connections | 10 minutes | VPC networks automatically drop idle TCP connections after ten minutes. You cannot change this limit, but you can use TCP keepalives to prevent connections to instances from becoming idle. For details, see Compute Engine tips and troubleshooting.
Maximum egress data rate to an internal IP address destination | Depends on the machine type of the VM | See Egress to internal IP address destinations and machine types in the Compute Engine documentation.
Maximum egress data rate to an external IP address destination | all flows: about 7 Gbps (gigabits per second) sustained or 25 Gbps with per VM Tier_1 networking performance; single flow: 3 Gbps sustained | See Egress to external IP address destinations in the Compute Engine documentation.
Maximum ingress data rate to an internal IP address destination | No artificial limit | See Ingress to internal IP address destinations in the Compute Engine documentation.
Maximum ingress data rate to an external IP address destination | no more than 30 Gbps; no more than 1,800,000 packets per second | See Ingress to external IP address destinations in the Compute Engine documentation.

Connection logging limits

The maximum number of connections that can be logged per VM instance depends on its machine type. Connection logging limits are expressed as the maximum number of connections that can be logged in a five-second interval.

Instance machine type | Maximum number of connections logged in a 5-second interval
f1-micro | 100 connections
g1-small | 250 connections
Machine types with 1–8 vCPUs | 500 connections per vCPU
Machine types with more than 8 vCPUs | 4,000 (500×8) connections

Hybrid connectivity

Use the following links to find quotas and limits for Cloud VPN, Cloud Interconnect, and Cloud Router:

Effective limits for per-peering group quotas

Each per-peering group quota has the concept of an effective limit. This section describes how the quota's effective limit is calculated. The effective limit is always greater than or equal to the value of the per-peering group quota's limit.

Most per-peering group quotas have a corresponding network quota—for example, SUBNET_RANGES_PER_PEERING_GROUP and SUBNET_RANGES_PER_NETWORK. The effective limit calculation described in this section applies to all per-peering group quotas, even those that do not have a corresponding per-network quota.

A per-peering group quota's effective limit is calculated in the following way:

  • Step 1. Select a VPC network. When VPC Network Peering is used, each network has its own peering group. A network's peering group consists of the VPC network itself and all other VPC networks that are directly connected to it through VPC Network Peering. Effective limit calculations are repeated for each per-peering group quota on a network by network basis.

  • Step 2. For the selected VPC network, find the greater of these limits:

    • the limit for the per-peering group quota
    • the limit for the corresponding per-network quota

    If no corresponding per-network quota exists, use the per-peering group quota's limit.

  • Step 3. Create a list consisting of the greater of these two limits in each peer network:

    • the limit for the per-peering group quota
    • the limit for the corresponding per-network quota

    If no corresponding per-network quota exists, use the per-peering group quota's limit.

  • Step 4. Find the smallest value from the list created by Step 3.

  • Step 5. Take the greater of the two values from Step 2 and Step 4. This number is the effective limit for the per-peering group quota from the perspective of the selected VPC network.

Effective limits example

Suppose that you have four VPC networks, network-a, network-b, network-c, and network-d. Because there are four VPC networks, there are also four peering groups, one from the perspective of each network.

Suppose the network peering connections are as follows:

  • network-a is peered with network-b, and network-b is peered with network-a
  • network-a is peered with network-c, and network-c is peered with network-a
  • network-c is peered with network-d, and network-d is peered with network-c

Suppose the limits for two corresponding quotas are set as follows:

Network | Limit for INTERNAL_FORWARDING_RULES_PER_PEERING_GROUP | Limit for INTERNAL_FORWARDING_RULES_PER_NETWORK
network-a | 500 | 600
network-b | 350 | 300
network-c | 300 | 300
network-d | 400 | 300

The effective limits for each INTERNAL_FORWARDING_RULES_PER_PEERING_GROUP quota are as follows:

  • Peering group for network-a—direct peers are network-b and network-c.

    1. In network-a: max(500,600) = 600
    2. List of maxima for direct peers:
      • network-b: max(350,300) = 350
      • network-c: max(300,300) = 300
    3. Minimum of the list of direct peers: min(350,300) = 300
    4. Effective limit for INTERNAL_FORWARDING_RULES_PER_PEERING_GROUP in network-a: max(600,300) = 600
  • Peering group for network-b—one direct peer, network-a.

    1. In network-b: max(350,300) = 350
    2. List of maxima for direct peers:
      • network-a: max(500,600) = 600
    3. Minimum of the list of direct peers: min(600) = 600
    4. Effective limit for INTERNAL_FORWARDING_RULES_PER_PEERING_GROUP in network-b: max(350,600) = 600
  • Peering group for network-c—direct peers are network-a and network-d.

    1. In network-c: max(300,300) = 300
    2. List of maxima for direct peers:
      • network-a: max(500,600) = 600
      • network-d: max(400,300) = 400
    3. Minimum of the list of direct peers: min(600,400) = 400
    4. Effective limit for INTERNAL_FORWARDING_RULES_PER_PEERING_GROUP in network-c: max(300,400) = 400
  • Peering group for network-d—one direct peer, network-c.

    1. In network-d: max(400,300) = 400
    2. List of maxima for direct peers:
      • network-c: max(300,300) = 300
    3. Minimum of the list of direct peers: min(300) = 300
    4. Effective limit for INTERNAL_FORWARDING_RULES_PER_PEERING_GROUP in network-d: max(400,300) = 400
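
The five steps and the worked example above, as an added Python example (not part of the original documentation). The function names and the USAGE counts are assumptions made for illustration; the no-peer case and the usage sum are not stated as formulas on this page and follow the per-peering group quota descriptions.

```python
# Added example: effective limit of a per-peering group quota (Steps 1-5).
# LIMITS and PEERINGS reproduce the example on this page; USAGE is constructed.

# network -> (per-peering group limit, per-network limit, or None when the
# quota has no corresponding per-network quota)
LIMITS = {
    "network-a": (500, 600),
    "network-b": (350, 300),
    "network-c": (300, 300),
    "network-d": (400, 300),
}
# Each pair is an active peering in both directions.
PEERINGS = [
    ("network-a", "network-b"),
    ("network-a", "network-c"),
    ("network-c", "network-d"),
]
# Constructed counts of the resource that exists locally in each network.
USAGE = {"network-a": 200, "network-b": 100, "network-c": 120, "network-d": 60}


def direct_peers(peerings):
    """Map each network to the set of networks it is directly peered with."""
    adjacency = {}
    for left, right in peerings:
        adjacency.setdefault(left, set()).add(right)
        adjacency.setdefault(right, set()).add(left)
    return adjacency


def local_max(limits, network):
    """Steps 2 and 3: the greater of the two limits configured in one network."""
    group_limit, network_limit = limits[network]
    if network_limit is None:  # no corresponding per-network quota
        return group_limit
    return max(group_limit, network_limit)


def effective_limit(limits, peerings, network):
    """Steps 1-5 from the perspective of the selected network."""
    own = local_max(limits, network)                          # Step 2
    peers = direct_peers(peerings).get(network, set())
    if not peers:
        # Assumption: with no peers there is no Step 3 list, so the
        # Step 2 value is used as the effective limit.
        return own
    smallest_peer = min(local_max(limits, p) for p in peers)  # Steps 3 and 4
    return max(own, smallest_peer)                            # Step 5


def group_usage(usage, peerings, network):
    """Resources in the network itself plus those in its direct peers."""
    peers = direct_peers(peerings).get(network, set())
    return usage[network] + sum(usage[p] for p in peers)


def headroom(limits, peerings, usage):
    """Effective limit minus peering group usage, for every network."""
    return {
        name: effective_limit(limits, peerings, name)
        - group_usage(usage, peerings, name)
        for name in sorted(limits)
    }


if __name__ == "__main__":
    for name, free in headroom(LIMITS, PEERINGS, USAGE).items():
        limit = effective_limit(LIMITS, PEERINGS, name)
        print(f"{name}: effective limit {limit}, headroom {free}")
```

With the constructed USAGE counts, network-c has a headroom of only 20 although its own usage is 120, because the resources in network-a and network-d count against network-c's peering group.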

Managing quotas

Virtual Private Cloud enforces quotas on resource usage for various reasons. For example, quotas protect the community of Google Cloud users by preventing unforeseen spikes in usage. Quotas also help users who are exploring Google Cloud with the free tier to stay within their trial.

All projects start with the same quotas, which you can change by requesting additional quota. Some quotas may increase automatically based on your use of a product.

Permissions

To view quotas or request quota increases, Identity and Access Management (IAM) principals need one of the following roles.

Task | Required role
Check quotas for a project | One of the following:
Modify quotas, request additional quota | One of the following:
  • Project Owner (roles/owner)
  • Project Editor (roles/editor)
  • Quota Administrator (roles/servicemanagement.quotaAdmin)
  • A custom role with the serviceusage.quotas.update permission

Checking your quota

Console

  1. In the Google Cloud console, go to the Quotas page.

  2. To search for the quota that you want to update, use the Filter table. If you don't know the name of the quota, use the links on this page instead.

gcloud

Using the Google Cloud CLI, run the following command to check your quotas. Replace PROJECT_ID with your own project ID.

      gcloud compute project-info describe --project PROJECT_ID
    

To check your used quota in a region, run the following command:

      gcloud compute regions describe example-region
    

Errors when exceeding your quota

If you exceed a quota with a gcloud command, gcloud outputs a quota exceeded error message and returns with the exit code 1.

If you exceed a quota with an API request, Google Cloud returns the following HTTP status code: HTTP 413 Request Entity Too Large.

Requesting additional quota

To increase or decrease most quotas, use the Google Cloud console. For more information, see Request a higher quota.

Console

  1. In the Google Cloud console, go to the Quotas page.

  2. On the Quotas page, select the quotas that you want to change.
  3. At the top of the page, click Edit quotas.
  4. Fill out your name, email, and phone number, and then click Next.
  5. Fill in your quota request, and then click Done.
  6. Submit your request. Quota requests take 24 to 48 hours to process.

Resource availability

Each quota represents a maximum number for a particular type of resource that you can create, if that resource is available. It's important to note that quotas do not guarantee resource availability. Even if you have available quota, you can't create a new resource if it is not available.

For example, you might have sufficient quota to create a new regional, external IP address in the us-central1 region. However, that is not possible if there are no available external IP addresses in that region. Zonal resource availability can also affect your ability to create a new resource.

Situations where resources are unavailable in an entire region are rare. However, resources within a zone can be depleted from time to time, typically without impact to the service level agreement (SLA) for the type of resource. For more information, review the relevant SLA for the resource.