Quotas and limits

The following sections describe quotas and limits for Virtual Private Cloud (VPC) networking.

Quotas

Use the Google Cloud Console to request additional quota.

Per project

This table highlights important global quotas for VPC resources in each project. For other quotas, see the Quotas page in the Cloud Console.

To monitor per-project quotas using Cloud Monitoring, set up monitoring for the metric serviceruntime.googleapis.com/quota/allocation/usage on the Consumer Quota resource type. Set additional label filters (service, quota_metric) to get to the quota type. For details on monitoring quota metrics, see Using quota metrics.

Quota Description
Internet egress bandwidth Per-region internet egress bandwidth from Google Cloud VMs in all VPC networks of the project.
Networks Includes the default network, which you can remove.
Subnets Applies to all subnets in all networks in the project.
Routes Counts custom static routes defined in all VPC networks in the project. It does not include the following types of routes:
  • Subnet routes in VPC networks in the project
  • Custom dynamic routes learned by Cloud Routers in the project
  • Peering subnet routes imported into VPC networks in the project
  • Peering custom routes imported into VPC networks in the project
Cloud Routers The number of Cloud Routers that you can create within your project, in any network and region. Networks also have a limit on the number of Cloud Routers in any given region. For details, see Cloud Router quotas and limits.
Firewall rules The number of firewall rules that you can create for all VPC networks in your project.
Forwarding rules This quota is only for forwarding rules for external HTTP(S) Load Balancing, SSL Proxy Load Balancing, TCP Proxy Load Balancing, and Classic VPN gateways.
For forwarding rule use cases other than these, see the following rows.
External TCP/UDP Network Load Balancing forwarding rules Forwarding rules for use by external TCP/UDP network load balancers (both backend service and target pool architectures).
External protocol forwarding rules Forwarding rules for external protocol forwarding to target instances.
Internal Traffic Director forwarding rules Forwarding rules for Traffic Director.
Internal forwarding rules See per network quotas for all types of internal forwarding rules used by Internal HTTP(S) Load Balancing, Internal TCP/UDP Load Balancing, and internal protocol forwarding.
Internal IP addresses The number of static regional internal IP addresses that you can reserve in each region in your project.
Global internal IP addresses The number of allocated ranges that you can reserve for private services access. Each range is a contiguous internal IP address range.
Static IP addresses The number of static regional external IP addresses that you can reserve in each region in your project.
Static IP addresses global The number of static global external IP addresses that you can reserve in your project.
Packet Mirroring policies The number of Packet Mirroring policies that you can create in your project, in any network and region. If you need to increase this quota, contact your Google Cloud sales team.

Per network

This table highlights important network quotas. For other quotas, see the Quotas page in the Cloud Console.

Information on monitoring the available metrics using Cloud Monitoring is available at Using quota metrics.

Quota Description
VM instances per network

This limit might be lower when you use VPC Network Peering to connect the network to other networks. For details, see VPC Network Peering limits.

Quota name:
INSTANCES_PER_NETWORK_GLOBAL

Available metrics:

  • compute.googleapis.com/quota/instances_per_vpc_network/limit
  • compute.googleapis.com/quota/instances_per_vpc_network/usage
  • compute.googleapis.com/quota/instances_per_vpc_network/exceeded
Maximum number of VM instances per subnet No separate restriction.
Assigned alias IP ranges per network

An alias IP range is either a single IP address (/32) or a CIDR block (for example, a /24 or /16) assigned to a network interface of a VM. Alias IP addresses can come from either the primary or secondary IP ranges of a subnet.

For the purposes of this quota, Google Cloud does not consider the size of the range's netmask. It only counts the number of alias IP ranges assigned to all VMs in the network.

In addition to this quota, there is a per-VM limit on the number of alias IP ranges per network interface.

Quota name:
ALIASES_PER_NETWORK_GLOBAL

Available metrics:

  • compute.googleapis.com/quota/ip_aliases_per_vpc_network/limit
  • compute.googleapis.com/quota/ip_aliases_per_vpc_network/usage
  • compute.googleapis.com/quota/ip_aliases_per_vpc_network/exceeded
Subnet IP ranges (primary and secondary) per VPC network

The total number of primary and secondary subnet IP ranges assigned to all subnets in a VPC network.

Quota name:
SUBNET_RANGES_PER_NETWORK

Available metrics:

  • compute.googleapis.com/quota/subnet_ranges_per_vpc_network/limit
  • compute.googleapis.com/quota/subnet_ranges_per_vpc_network/usage
  • compute.googleapis.com/quota/subnet_ranges_per_vpc_network/exceeded
Internal load balancer forwarding rules per VPC network

The maximum number of forwarding rules for internal load balancers.

  • Internal TCP/UDP Load Balancing
  • Internal HTTP(S) Load Balancing

This quota applies to the total number of forwarding rules for internal load balancing; it does not apply to each region individually.

If your network uses VPC Network Peering to connect to other networks, see VPC Network Peering limits.

Quota name:
INTERNAL_FORWARDING_RULES_PER_NETWORK

Available metrics:

  • compute.googleapis.com/quota/internal_lb_forwarding_rules_per_vpc_network/limit
  • compute.googleapis.com/quota/internal_lb_forwarding_rules_per_vpc_network/usage
  • compute.googleapis.com/quota/internal_lb_forwarding_rules_per_vpc_network/exceeded
Forwarding rules for internal protocol forwarding

The maximum number of forwarding rules for internal protocol forwarding.

This limit applies to the total number of forwarding rules for internal protocol forwarding; it does not apply to each region individually.

If your network uses VPC Network Peering to connect to other networks, see VPC Network Peering limits.

Quota name:
INTERNAL_FORWARDING_RULES_WITH_TARGET_INSTANCE_PER_NETWORK

Available metrics:

  • compute.googleapis.com/quota/internal_protocol_forwarding_rules_per_vpc_network/limit
  • compute.googleapis.com/quota/internal_protocol_forwarding_rules_per_vpc_network/usage
  • compute.googleapis.com/quota/internal_protocol_forwarding_rules_per_vpc_network/exceeded
Forwarding rules for Private Service Connect for Google APIs

The maximum number of forwarding rules for Private Service Connect.

This limit applies to the total number of forwarding rules for Private Service Connect in all regions.

See per project for additional important details about how many global internal addresses you can create.

Quota name:
PSC_GOOGLE_APIS_FORWARDING_RULES_PER_NETWORK

Available metrics:

  • compute.googleapis.com/quota/psc_google_apis_forwarding_rules_per_vpc_network/limit
  • compute.googleapis.com/quota/psc_google_apis_forwarding_rules_per_vpc_network/usage
  • compute.googleapis.com/quota/psc_google_apis_forwarding_rules_per_vpc_network/exceeded

Limits

Limits cannot generally be increased unless specifically noted.

Per organization

The following limits apply to organizations.

Item Limit Notes
Unassociated hierarchical firewall policies per organization 50

An unassociated policy is a policy that exists in your Google Cloud organization, but which is not associated with a node. There is no limit on the number of policies your organization can have that are associated with nodes, though each node can have only one policy associated.

If you need to increase this limit, contact your Google Cloud sales team.

Hierarchical firewall rule attributes in a hierarchical firewall policy 2000

The number of rule attributes in all rules in a hierarchical firewall policy. The number of rules does not matter, only the total number of attributes in all rules in the policy.

A rule attribute is an IP range, protocol, port or port range, target service account, or target resource. Examples:

  • A rule that specifies a source IP range of 10.100.0.1/32 and destination ports of tcp:5000-6000 counts as three attributes, one for the IP range, one for the protocol, and one for the port range.
  • A rule that specifies source ranges of 10.100.0.1/32 and 10.100.1.1/32 and destination protocols and ports of tcp:80, tcp:443, udp:4000-5000, and icmp counts as nine attributes: one each for the two IP ranges, one each for the four protocol entries, and one each for the three ports or port ranges.

To view how many attributes your policy has, see Describe a policy. If you need to increase this limit, contact your Google Cloud sales team.
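The counting method above is easy to get wrong when a policy grows, so here is an added example (not Google's code) that applies it to gcloud-style rule definitions and reports headroom against the 2000-attribute limit. Layer-4 entries are assumed to be written as "PROTOCOL[:PORT_OR_RANGE]" strings, one entry per protocol/port pair, matching how the page's second example lists tcp twice.

```python
"""Count rule attributes in a hierarchical firewall policy.

Added example, not Google's code. It applies the counting rule stated on
this page: each IP range, protocol, port or port range, target service
account, and target resource is one attribute, and the policy limit
(2000) is the sum over all rules. Layer-4 entries use the gcloud style
"PROTOCOL[:PORT_OR_RANGE]" (an assumption about input format); the page's
second example lists tcp twice, so "tcp:80" and "tcp:443" are two entries.
"""
from dataclasses import dataclass, field
from typing import List

POLICY_ATTRIBUTE_LIMIT = 2000  # per hierarchical firewall policy (from this page)


@dataclass
class Rule:
    src_ranges: List[str] = field(default_factory=list)
    dest_ranges: List[str] = field(default_factory=list)
    layer4_configs: List[str] = field(default_factory=list)  # e.g. ["tcp:80", "icmp"]
    target_service_accounts: List[str] = field(default_factory=list)
    target_resources: List[str] = field(default_factory=list)


def count_rule_attributes(rule: Rule) -> int:
    """Attributes consumed by one rule under the page's counting method."""
    total = len(rule.src_ranges) + len(rule.dest_ranges)
    for entry in rule.layer4_configs:
        protocol, _, port = entry.partition(":")
        if not protocol:
            raise ValueError(f"malformed layer-4 config: {entry!r}")
        total += 1                      # the protocol itself
        if port:
            total += 1                  # one port or one port range
    total += len(rule.target_service_accounts) + len(rule.target_resources)
    return total


def count_policy_attributes(rules: List[Rule]) -> int:
    """Total attributes across all rules; the number of rules itself is irrelevant."""
    return sum(count_rule_attributes(r) for r in rules)


def remaining_attributes(rules: List[Rule], limit: int = POLICY_ATTRIBUTE_LIMIT) -> int:
    """Headroom before the limit; negative means the policy is already over it."""
    return limit - count_policy_attributes(rules)


# The two examples given on this page (3 and 9 attributes respectively).
EXAMPLE_RULE_1 = Rule(src_ranges=["10.100.0.1/32"], layer4_configs=["tcp:5000-6000"])
EXAMPLE_RULE_2 = Rule(
    src_ranges=["10.100.0.1/32", "10.100.1.1/32"],
    layer4_configs=["tcp:80", "tcp:443", "udp:4000-5000", "icmp"],
)

if __name__ == "__main__":
    policy = [EXAMPLE_RULE_1, EXAMPLE_RULE_2]
    for i, rule in enumerate(policy, 1):
        print(f"rule {i}: {count_rule_attributes(rule)} attributes")
    print(f"policy total: {count_policy_attributes(policy)}, "
          f"remaining: {remaining_attributes(policy)}")
```

Running the counter in CI before applying a policy change catches a rule that would push the policy over the limit before the API rejects it.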

Shared VPC project limits

The following limits apply to projects that participate in Shared VPC.

Item Limit Notes
Number of service projects that can be attached to a host project 1,000 If you need to increase this limit, contact your Google Cloud sales team.
Number of Shared VPC host projects in a single organization 100 If you need to increase this limit, contact your Google Cloud sales team.
Number of host projects to which a service project can attach 1 This limit cannot be increased.

Per network

The following limits apply to VPC networks. These limits are enforced by using quotas internally. When per-network limits are exceeded, you will see QUOTA_EXCEEDED errors with the internal quota names.

Item Limit Notes
Subnet IP ranges
Primary IP ranges per subnet 1 Each subnet must have exactly one primary IP range (CIDR block). This range is used for VM primary internal IP addresses, VM alias IP ranges, and the IP addresses of internal load balancers. This limit cannot be increased.
Maximum number of secondary IP ranges per subnet 30 Optionally, you can define up to thirty secondary CIDR blocks per subnet. These secondary IP ranges can only be used for alias IP ranges. This limit cannot be increased.
Maximum number of source tags per firewall rule 30 The maximum number of network tags that you can specify as source tags when creating an ingress firewall rule. This limit cannot be increased.
Maximum number of target tags per firewall rule 70 The maximum number of network tags that you can specify as target tags when creating an egress or ingress firewall rule. This limit cannot be increased.
Maximum number of source service accounts per firewall rule 10 The maximum number of source service accounts that you can specify when creating an ingress firewall rule. This limit cannot be increased.
Maximum number of target service accounts per firewall rule 10 The maximum number of target service accounts that you can specify when creating an egress or ingress firewall rule. This limit cannot be increased.
Maximum number of source ranges per firewall rule 256 The maximum number of source IP ranges that you can specify when creating an ingress firewall rule. This limit cannot be increased.
Maximum number of destination ranges per firewall rule 256 The maximum number of destination IP ranges that you can specify when creating an egress firewall rule. This limit cannot be increased.

VPC Network Peering limits

The following limits apply to VPC networks connected by using VPC Network Peering. Each limit applies to a peering group, which is a collection of VPC networks that are directly peered to one another. From the perspective of a given VPC network, it and all of its peer networks are in one peering group. Peering groups do not include the peers of peer networks.

These limits can sometimes be increased. Contact your Google Cloud sales team if you have questions about increasing them.

Item Limit Notes
Peering group
Maximum number of connections to a single VPC network 25 The maximum number of networks that can connect to a given VPC network using VPC Network Peering.
Maximum number of subnet routes in a peering group No separate restriction The number of subnet routes that can be exchanged is limited by the maximum number of subnet IP ranges (primary and secondary) per peering group, described later in this document.
Maximum number of static routes in a peering group 300 The maximum number of static routes that can be exchanged among networks in a peering group when importing and exporting custom routes. Google Cloud prevents you from creating a peering connection to a network if that would cause the peering group to exceed this limit.
Maximum number of dynamic routes in a peering group 300 The maximum number of dynamic routes that Cloud Routers can apply to all networks of a peering group when importing and exporting custom routes. If the number of dynamic routes exceeds this limit, Google Cloud adjusts how it imports dynamic routes for a given network:
  • Google Cloud drops imported dynamic routes from peered networks. Google Cloud uses an internal algorithm to drop dynamic routes, which means Google Cloud might drop older ones and not just the recently added routes. You cannot predict which imported dynamic routes will be dropped. Instead, you should reduce the number of dynamic routes in the peering group.
  • Subject to Cloud Router limits, Google Cloud never drops dynamic routes that are learned by Cloud Routers in the local network.
  • If a peering connection causes this limit to be exceeded, Google Cloud still allows you to create the peering connection without warning.
Instances
Maximum number of VM instances

15,000 per network

15,500 per peering group

Google Cloud lets you create a new instance in a given VPC network as long as all of the following are true:

  • You have not exceeded the per network maximum defined by this limit.
  • You have not exceeded the per peering group maximum defined by this limit.

For examples, see VPC Network Peering and maximum VMs.

Error code for limit exceeded:
INSTANCES_PER_NETWORK_WITH_PEERING_LIMITS_EXCEEDED

Subnet IP ranges
Maximum number of subnet IP ranges (primary and secondary) 400

The maximum number of primary and secondary subnet IP ranges that can be assigned to subnets in all networks of a peering group.

Error code for limit exceeded:
SUBNET_RANGES_PER_NETWORK_LIMITS_EXCEEDED_PEERING

Internal load balancing

Maximum number of forwarding rules for:

  • Internal TCP/UDP Load Balancing
  • Internal HTTP(S) Load Balancing

75 per network

175 per peering group

You can create new regional internal forwarding rules for internal load balancing if all of the following conditions are true:

  • You have not exceeded the per network maximum defined by this quota.
  • For internal load balancing, the number of internal forwarding rules must be less than the effective number of forwarding rules in the peering group. The effective number is a calculation that is described in VPC Network Peering and internal forwarding rules.

Error code for limit exceeded:
INTERNAL_FORWARDING_RULES_WITH_PEERING_LIMITS_EXCEEDED

Protocol forwarding
Maximum number of forwarding rules for internal protocol forwarding

50 per network

100 per peering group

You can create new regional internal forwarding rules for protocol forwarding if all of the following conditions are true:

  • You have not exceeded the per network maximum defined by this quota.
  • The number of internal forwarding rules, for protocol forwarding, in the peering group, is less than an effective number of forwarding rules in the peering group, which is calculated as described in VPC Network Peering and internal forwarding rules.

Error code for limit exceeded:
INTERNAL_FORWARDING_RULES_WITH_TARGET_INSTANCE_LIMITS_EXCEEDED_PEERING

Maximum number of assigned alias IP ranges in a peering group 15,000

An alias IP range is either a single IP address (/32) or a CIDR block (for example, a /24 or /16) assigned to a network interface of a VM. Alias IP addresses can come from either the primary or secondary IP ranges of a subnet.

For the purposes of this limit, Google Cloud does not consider the size of the range's netmask. It only counts the number of alias IP ranges assigned to all VMs in the network.

In addition to this quota, there is a per-VM limit on the number of alias IP ranges per network interface.

Error code for limit exceeded:
ALIASES_PER_NETWORK_PEERING_LIMITS_EXCEEDED

VPC Network Peering and maximum VMs

Up to 15,500 VM instances are allowed among the networks in a peering group. As clarifying examples, suppose network-b is peered with two other networks, network-a and network-c:

  • If network-b has 5,000 VMs, the total number of VMs that you can create in network-a and network-c combined must be less than or equal to 10,500.
  • If network-b has 500 VMs, the total number of VMs that you can create in network-a and network-c combined must be less than or equal to 15,000.

VPC Network Peering and internal forwarding rules

From the perspective of a given VPC network, Google Cloud calculates an effective number of forwarding rules for the internal load balancers in the peering group using this method:

  • Step 1. For the given network, find the greater of these two limits:

    • Maximum number of forwarding rules for the internal load balancers in the given network
    • Number of forwarding rules for the internal load balancers in the peering group
  • Step 2. For each of the remaining networks in the peering group, find the greater of these two limits:

    • Maximum number of forwarding rules for the internal load balancers in the peer network
    • Number of forwarding rules for the internal load balancers in the peering group
  • Step 3. Find the smallest value from the list created by Step 2.

  • Step 4. Take the greater of the two numbers from Step 1 and Step 3. This number is the effective number of forwarding rules for the internal load balancers that can be created in the peering group from the perspective of the given network.

Suppose that you have four VPC networks, network-a, network-b, network-c, and network-d:

  • network-a is peered with network-b, and network-b is peered with network-a
  • network-a is peered with network-c, and network-c is peered with network-a
  • network-c is peered with network-d, and network-d is peered with network-c

And each network has the following limits:

Network Maximum number of forwarding rules for the internal load balancers in the given network Number of forwarding rules for the internal load balancers in the peering group
network-a 160 150
network-b 75 80
network-c 75 75
network-d 75 95

From the perspective of each VPC network, Google Cloud calculates the effective number of forwarding rules for the internal load balancers in that peering group:

  • From the perspective of network-a, its peering group contains network-a, network-b, and network-c. The effective number of forwarding rules for the internal load balancers in the peering group is calculated as follows:

    1. In network-a: max(160,150) = 160
    2. In the remaining peer networks:
      • network-b: max(75,80) = 80
      • network-c: max(75,75) = 75
    3. min(80,75) = 75
    4. max(160,75) = 160
      • Effective number of forwarding rules for the internal load balancers: per peering group from the perspective of network-a: 160
  • From the perspective of network-b, its peering group contains network-b and network-a. The effective number of forwarding rules for the internal load balancers in the peering group is calculated as follows:

    1. In network-b: max(75,80) = 80
    2. In the remaining peer networks:
      • network-a: max(160,150) = 160
    3. min(160) = 160
    4. max(80,160) = 160
      • Effective number of forwarding rules for the internal load balancers per peering group from the perspective of network-b: 160
  • From the perspective of network-c, its peering group contains network-c, network-a, and network-d. The effective number of forwarding rules for the internal load balancers in the peering group is calculated as follows:

    1. In network-c: max(75,75) = 75
    2. In the remaining peer networks:
      • network-a: max(160,150) = 160
      • network-d: max(75,95) = 95
    3. min(160,95) = 95
    4. max(75,95) = 95
      • Effective number of forwarding rules for the internal load balancers per peering group from the perspective of network-c: 95
  • From the perspective of network-d, its peering group contains network-d, and network-c. The effective number of forwarding rules for the internal load balancers in the peering group is calculated as follows:

    1. In network-d: max(75,95) = 95
    2. In the remaining peer networks:
      • network-c: max(75,75) = 75
    3. min(75) = 75
    4. max(95,75) = 95
      • Effective number of forwarding rules for the internal load balancers per peering group from the perspective of network-d: 95
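The four-step method and the four-network example above, implemented as an added example (not Google's code). The peering group is derived from a list of direct peering connections, so peers of peers are excluded exactly as the limits section describes; the limits and network names are the page's own example values, and the "has headroom" check applies the condition from the Internal load balancing row (the group's current rule count must be less than the effective number).

```python
"""Effective number of internal load balancer forwarding rules in a peering
group, computed from the perspective of a given VPC network.

Added example, not Google's code. Implements the four-step method on this
page. A peering group is the network plus its direct peers only.
"""
from typing import Dict, Iterable, List, Set, Tuple

# (maximum forwarding rules for internal LBs in the network,
#  number of forwarding rules for internal LBs in the peering group)
Limits = Tuple[int, int]
Peering = Tuple[str, str]

# The page's worked example.
EXAMPLE_LIMITS: Dict[str, Limits] = {
    "network-a": (160, 150),
    "network-b": (75, 80),
    "network-c": (75, 75),
    "network-d": (75, 95),
}

# Peering is established in both directions; each pair is listed once here.
EXAMPLE_PEERINGS: List[Peering] = [
    ("network-a", "network-b"),
    ("network-a", "network-c"),
    ("network-c", "network-d"),
]


def peering_group(network: str, peerings: Iterable[Peering]) -> Set[str]:
    """The network and its directly peered networks; transitive peers are excluded."""
    group = {network}
    for left, right in peerings:
        if left == network:
            group.add(right)
        elif right == network:
            group.add(left)
    return group


def effective_forwarding_rules(network: str, limits: Dict[str, Limits],
                               peerings: Iterable[Peering]) -> int:
    """Steps 1 to 4 from the page, from the perspective of `network`."""
    group = peering_group(network, peerings)
    own = max(limits[network])                                   # Step 1
    peer_values = [max(limits[p]) for p in group if p != network]  # Step 2
    if not peer_values:
        return own                 # no peers: nothing for Step 3 to compare
    smallest_peer = min(peer_values)                             # Step 3
    return max(own, smallest_peer)                               # Step 4


def has_headroom(network: str, limits: Dict[str, Limits],
                 peerings: Iterable[Peering]) -> bool:
    """Page condition: the group's current internal LB rule count must be
    strictly less than the effective number for a new rule to be allowed."""
    current_in_group = limits[network][1]
    return current_in_group < effective_forwarding_rules(network, limits, peerings)


if __name__ == "__main__":
    for net in EXAMPLE_LIMITS:
        eff = effective_forwarding_rules(net, EXAMPLE_LIMITS, EXAMPLE_PEERINGS)
        ok = has_headroom(net, EXAMPLE_LIMITS, EXAMPLE_PEERINGS)
        print(f"{net}: group={sorted(peering_group(net, EXAMPLE_PEERINGS))} "
              f"effective={eff} can_add_rule={ok}")
```

Note that with the page's numbers network-d already sits at its effective value (95 of 95), so the check reports no headroom there even though the other three networks still have room.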

Per instance

The following limits apply to VM instances. Unless otherwise noted, these limits cannot be increased. For quotas relevant to VMs, see Compute Engine quotas.

Item Limit Notes
Maximum Transmission Unit (MTU) 1,460 or 1,500 bytes, depending on VPC configuration Instances using larger MTU sizes can experience dropped packets. You cannot increase this MTU value.
Maximum number of network interfaces 8 Network interfaces are defined at instance creation time, and cannot be changed by editing the instance later.
Maximum number of alias IP ranges per network interface 10

The number of alias IP ranges that you can assign to a network interface as long as you don't exceed the quota for the total number of assigned alias IP ranges in the VPC network.

Google Cloud does not consider the size of the alias IP range's netmask. For example, an individual /24 range is a single alias IP range and an individual /23 range is also a single alias IP range.

If you need to increase this limit, contact your Google Cloud sales team.

Network interfaces per VPC network 1 Each network interface must be connected to a unique VPC network. An instance can only have one network interface in a given VPC network.
Maximum duration for idle TCP connections 10 minutes VPC networks automatically drop idle TCP connections after ten minutes. You cannot change this limit, but you can use TCP keepalives to prevent connections to instances from becoming idle. For details, see Compute Engine tips and troubleshooting.
Maximum egress data rate to an internal IP address destination Depends on the machine type of the VM See Egress to internal IP address destinations and machine types in the Compute Engine documentation.
Maximum egress data rate to an external IP address destination

all flows: about 7 Gbps (gigabits per second) sustained

single flow: 3 Gbps sustained

See Egress to external IP address destinations in the Compute Engine documentation.
Maximum ingress data rate to an internal IP address destination No artificial limit See Ingress to internal IP address destinations in the Compute Engine documentation.
Maximum ingress data rate to an external IP address destination

no more than 20 Gbps

no more than 1,800,000 packets per second

See Ingress to external IP address destinations in the Compute Engine documentation.

Connection logging limits

The maximum number of connections that can be logged per VM instance depends on its machine type. Connection logging limits are expressed as the maximum number of connections that can be logged in a five-second interval.

Instance machine type Maximum number of connections logged in a 5-second interval
f1-micro 100 connections
g1-small 250 connections
Machine types with 1–8 vCPUs 500 connections per vCPU
Machine types with more than 8 vCPUs 4,000 (500×8) connections

Hybrid connectivity

Use the following links to find quotas and limits for Cloud VPN, Cloud Interconnect, and Cloud Router:

Managing quotas

Virtual Private Cloud enforces quotas on resource usage for a variety of reasons. For example, quotas protect the community of Google Cloud users by preventing unforeseen spikes in usage. Quotas also help users who are exploring Google Cloud with the free tier to stay within their trial.

All projects start with the same quotas, which you can change by requesting additional quota. Some quotas might increase automatically based on your use of a product.

Permissions

To view quotas or request quota increases, Identity and Access Management (IAM) members need one of the following roles.

Task Required role
View quotas for a project Project Owner or Editor, or Quota Viewer
Modify quotas, request additional quota Project Owner or Editor, Quota Administrator, or a custom role with the serviceusage.quotas.update permission

Viewing quotas

Console

  1. In the Cloud Console, go to the Quotas page.
  2. Use the filter table to search for the quota that you want to update. If you don't know the name of the quota, use the links on this page instead.

gcloud

If you are using the gcloud command-line tool, run the following command to view quotas. Replace PROJECT_ID with your project ID.

      gcloud compute project-info describe --project PROJECT_ID

To view quota usage for a specific region, run the following command:

      gcloud compute regions describe example-region

Errors when exceeding quota

If you exceed a quota with a gcloud command, gcloud prints a quota exceeded error message and returns exit code 1.

If you exceed a quota in an API request, Google Cloud returns the following HTTP status code: HTTP 413 Request Entity Too Large

Requesting additional quota

You can request additional quota from the Quotas page in the Cloud Console. Quota requests take 24 to 48 hours to process.

Console

  1. In the Cloud Console, go to the Quotas page.
  2. On the Quotas page, select the quotas that you want to change.
  3. Click Edit Quotas at the top of the page.
  4. Enter your name, email address, and phone number, and then click Next.
  5. Enter your quota request, and then click Done.
  6. Submit your request.

Resource availability

Each quota represents the maximum number of a particular type of resource that you can create, provided that resource is available. Note that quotas do not guarantee resource availability. Even if you have available quota, you cannot create a new resource if that resource is not available.

For example, you might have sufficient quota to create a new regional external IP address in the us-central1 region, but that is not possible if there are no available external IP addresses in that region. Zonal resource availability can also affect your ability to create a new resource.

Situations where resources are unavailable in an entire region are rare. However, resources within a zone can be depleted from time to time, typically without impact to the service level agreement (SLA) for the type of resource. For more information, review the relevant SLA for the resource.