Quotas and limits
This document lists the quotas and limits that apply toVirtual Private Cloud (VPC) networking.
Google Cloud uses quotas to help ensure fairness and reducespikes in resource use and availability. A quota restricts how much of aGoogle Cloud resource your Google Cloud project can use. Quotasapply to a range of resource types, including hardware, software, and networkcomponents. For example, quotas can restrict the number of API calls to aservice, the number of load balancers used concurrently by your project, or thenumber of projects that you can create. Quotas protect the community ofGoogle Cloud users by preventing the overloading of services. Quotas alsohelp you to manage your own Google Cloud resources.
The Cloud Quotas system does the following:
- Monitors your consumption of Google Cloud products and services
- Restricts your consumption of those resources
- Provides a way torequest changes to the quota value andautomate quota adjustments
In most cases, when you attempt to consume more of a resource than its quotaallows, the system blocks access to the resource, and the task thatyou're trying to perform fails.
Quotas generally apply at the Google Cloud projectlevel. Your use of a resource in one project doesn't affectyour available quota in another project. Within a Google Cloud project, quotasare shared across all applications and IP addresses.
For more information, see theCloud Quotas overview.
There are alsosystem limits on VPC resources. System limits can't be changed.
Quotas
To change a quota, seerequesting additional quota.
Per project
This table highlights important global quotas for VPC resourcesin each project. For other quotas, see theQuotas page in the Google Cloud console.
To monitor per-project quotas using Cloud Monitoring, set up monitoringfor the metricserviceruntime.googleapis.com/quota/allocation/usage on theConsumer Quota resource type. Set additional label filters (service,quota_metric) to get to the quota type. For information about monitoring quotametrics, including finding limit names and metric names, seeUse quotametrics. Each quota has a limit and ausage value.
| Quota | Description |
|---|---|
| Network bandwidth | |
| GCE VM to internet egress bandwidth Mbps | Total egress bandwidth from Google Cloud VMs in one region todestinations outside of a VPC network (using the default internet gateway). This quota's usage is charged to the project that contains the Compute Engine VMs that emit the packets. Excludes traffic sent to Google APIs and services by usingPrivate Google Access. Excludes traffic sent to Google APIs and services fromVMs with external IP addresses. |
| Inter-region network egress bandwidth (Mbps) from Compute instances | Total egress bandwidth from Google Cloud VMs in one region todestinations that are routable within a VPC network (using next hops that are not the default internet gateway). This quota's usage is charged to the project that contains the Compute Engine VMs that emit the packets. |
| Shared VPC | |
| Shared VPC service projects per host project | Number of Shared VPC service projects that can be attached to a Shared VPC host project. In addition to this quota, seeShared VPC project limits. |
| General | |
| Networks | Includes thedefault network, which you can remove. |
| Policy-based routes | The number of policy-based routes that you can create in your project. |
| Routers | The number of Cloud Routers that you can create within your project, in any network and region. Networks also have alimit on the number of Cloud Routers in any givenregion. For details, seeCloud Router quotas and limits. |
| Packet Mirrorings | The number of Packet Mirroring policies that you can create in your project, in any network and region. |
| Load balancer and protocol forwarding rules SeeForwarding rules in the load balancing quotas documentation. | |
| Internal IP addresses | |
| Internal IP addresses | The number of static regional internal IPv4 addresses that you can reserve in each region in your project. |
| Regional static internal IPv6 address ranges | The number of static regional internal IPv6 address ranges that you can reserve in each region in your project. |
| Static global internal IPv4 addresses | The number of static global internal IPv4 address ranges that you can reserve in your project, such asallocated IPv4 address ranges for private services access and IPv4 addresses reserved forPrivate Service Connect endpoints that are used to access global Google APIs. For IP address ranges, each range is a contiguous internal IP address range. |
| Internal ranges | The number of internal range resources that you can reserve in your project. |
| External IP addresses | |
| Static IP addresses | The number of static regional external IPv4 addresses that you can reserve in each region in your project. |
| Regional static external IPv6 address ranges | The number of static regional external IPv6 address ranges that you can reserve in each region in your project. |
| Static IP addresses global | The number of static global external IP addresses that you can reserve in your project. |
| In-use IP addresses | The number of static and ephemeral regional external IP addresses that you can use in your project simultaneously. |
| In-use IP addresses global | The number of static and ephemeral global external IP addresses that you can use in your project simultaneously. |
| Address move requests per minute | The system limit for the global number of address move requests that you can make per minute. |
| Address move requests per minute per region | The system limit for the number of address move requests that you can make per minute per region. |
| Bring your own IP (BYOIP) | |
| Static BYOIP IP addresses | The number ofbring your own IP regional external IP addresses that you can reserve in each region in your project.
|
| Static BYOIP IP addresses global | The number ofbring your own IP global external IP addresses that you can create in your project.
|
| Public advertised prefixes | The number of public advertised prefixes (PAPs) that you can create in your project.
|
| Public V2 advertised prefixes create requests per minute | The number of create requests for regional public advertised prefixes that you can make per minute. This quota applies to both v1 and v2 public advertised prefixes.
|
| Public V2 advertised prefixes delete requests per minute | The number of delete requests for regional public advertised prefixes that you can make per minute. This quota applies to both v1 and v2 public advertised prefixes.
|
| Public V2 advertised prefixes announce requests per minute | The number of announce requests that you can make per minute for regional public advertised prefixes.
|
| Regional public delegated prefixes | The number of regional public delegated prefixes (PDPs) that you can create in each region.
|
| Global public delegated prefixes | The number of global public delegated prefixes that you can create.
|
| Regional public delegated prefixes create requests per minute per region | The number of create requests for regional public delegated prefixes that you can make per minute per region.
|
| Regional public delegated prefixes delete requests per minute per region | The number of delete requests for regional public delegated prefixes that you can make per minute per region.
|
| Regional public delegated prefixes announce requests per minute per region | The number of announce requests that you can make per minute per region for regional public delegated prefixes. This quota does not apply to withdraw requests.
|
| Public delegated prefix with variable prefix length | The number of regional IPv6 public delegated prefixes that you can create, per project per region.
|
| Private Service Connect | |
| PSC internal LB forwarding rules | The maximum number of Private Service Connect endpoints (forwarding rules) that a service consumer can create to connect to producer services. This quota is per region, per project. Quota name: |
| Number of Regional Endpoints per project per region | The maximum number of Private Service Connect endpoints that a service consumer can create to connect to regional endpoints. This quota is per region, per project. Quota name: |
| Service attachments | The maximum number of Private Service Connect service attachments that a service producer can create. This quota is per region, per project. Quota name: |
| Network attachments | The maximum number of network attachments that a Private Service Connect consumer can create. This quota is per region, per project. Quota name: |
| Service Connection Policies per project per region | The maximum number of service connection policies that a service consumer can create. This quota is per region, per project. Quota name: |
| Service Connection Maps per project per region | The maximum number of service connection maps that a service producer can create. This quota is per region, per project. Quota name: |
| Health aggregation policies | The maximum number of health aggregation policies that you can create in your project. Quota name: |
| Health sources | The maximum number of health sources that you can create in your project. Quota name: |
| Composite health checks | The maximum number of composite health checks that you can create in your project. Quota name: |
Per network
This table highlights important network quotas. For other quotas, see theQuotas page in the Google Cloud console.
Information on monitoring the available metrics using Cloud Monitoring isavailable atUse quota metrics. Eachquota has a limit and a usage value.
Note: You can request an increase for a per-network quota's limit by using theGoogle Cloud console. If the edit option is not available for a quota,file asupport case to ask if the quota's limit can be increased.A per-network quota usually has a corresponding per-peering group quotaapplicable when VPC Network Peering is used. Per-peering group quotas havethe concept of aneffective limit.
| Quota | Description |
|---|---|
| Instances & alias IP ranges | |
| Instances per VPC network | The total number of VM network interfaces (NICs) in the VPC network. Quota name: Available metrics:
|
| IP aliases per VPC network | The total number ofalias IP ranges used by VM network interfaces (NICs) in the VPC network. This quota counts the number of alias IP ranges without regard to each range's size (subnet mask). In addition to this quota, there is a limit on thenumber of alias IP ranges per network interface. Quota name: Available metrics:
|
| Subnet IP address ranges | |
| Subnetwork ranges per VPC network | The total number ofsubnet IP address ranges used by subnets in the VPC network. Includes primary IPv4 address ranges, secondary IPv4 address ranges, and IPv6 address ranges. Quota name: Available metrics:
|
| Subnetwork ranges per peering group | From the perspective of a VPC network, the total number of subnet IP address ranges used by subnets local to the VPC network and in its directly connected peers. Includes primary IPv4 address ranges, secondary IPv4 address ranges, and IPv6 address ranges. Quota name: Available metrics:
|
| VPC Network Peering | |
| Peerings per VPC network | From the perspective of a VPC network, the total number of other VPC networks it can connect to by usingVPC Network Peering. Quota name: Available metrics:
|
| Static and dynamic routes | |
| Static routes per network | From the perspective of all regions of a VPC network, the total number ofstatic routes local to the VPC network. This quota applies to the aggregate of IPv4 and IPv6 static routes. Quota name: Available metrics:
|
| Static routes per peering group | From the perspective of all regions of a VPC network, the total number ofstatic routes local to the VPC network and in its directly connected peers. This quota applies to the aggregate of IPv4 and IPv6 static routes. Quota name: Available metrics:
|
| Dynamic routes per region per peering group | From the perspective ofeach region in a VPC network, the total number ofdynamic routes local to the VPC network and in its directly connected peers. This quota applies to the aggregate of IPv4 and IPv6 dynamic routes. Quota name: Available metrics:
If the number of dynamic routes exceeds this limit, Google Cloud adjusts how it imports dynamic routes according to the following rules:
|
| Load balancer and protocol forwarding rules SeeForwarding rules in the load balancing quotas documentation. | |
| Private Service Connect | |
| PSC Google APIs forwarding rules per VPC network | The maximum number of Private Service Connect endpoints (forwarding rules) that can be used to access Google APIs. This quota applies to thetotal number of forwarding rules used to access Google APIs in all regions. This quota can't be increased. Seeper project for additional important details about how many global internal addresses you can create. Quota name: Available metrics:
|
| PSC propagated connections per VPC network | The maximum number of Private Service Connectpropagated connections that can exist in a consumer'sVPC network. This quota can't be increased. Quota name: Available metrics:
|
| PSC ILB consumer forwarding rules per producer VPC network | The maximum number of Private Service Connectendpoints andpropagated connections that can access a service producer VPC network. This quota applies to thetotal number of endpoints and propagated connections that access services in all regions of the service producer VPC network. Endpoints contribute to this quota until they are deleted, even if the associated service attachment is deleted or configured to reject the connection. Propagated connections contribute to this quota until the associated endpoint is deleted, even if connection propagation is disabled on the hub or the propagated connection's spoke is deleted. Quota name: Available metrics:
|
Deprecated quotas
Google Cloud no longer enforces the following quotas:
Subnetworks:TheSubnetwork ranges per VPCnetwork quota is the replacement.
Routes:TheStatic routes per network quota isthe replacement.
Instances per peeringgroup:Instead, Google Cloud enforces theInstances per VPCnetwork quota in each VPC network.
IP aliases per peeringgroup:Instead, Google Cloud enforces theIP aliases per VPCnetwork quota in each VPC network.
Limits
Limits can't generally be increased unless specifically noted.
Shared VPC limits
The number of service projects that can be attached to a host project is aconfigurableper-project quota. In addition to that quota, thefollowing limits apply toShared VPC.
| Item | Limit | Notes |
|---|---|---|
| Number of Shared VPC host projects in a single organization | 100 | To request an update to this limit,file a support case. |
| Number of host projects to which a service project can attach | 1 | This limit can't be increased. |
Per network
The following limits apply to VPC networks. These limits areenforced by using quotas internally. When per-network limits are exceeded, youseeQUOTA_EXCEEDED errors with the internal quota names.
| Item | Limit | Notes |
|---|---|---|
| Subnet IP ranges | ||
| Primary IP ranges per subnet | 1 | IPv4-only and dual-stack subnets must have exactly one primary IPv4 range (CIDR block). This limit can't be increased. For more information, seeIPv4 subnet ranges. |
| Maximum number of secondary IP ranges per subnet | 170 | IPv4-only and dual-stack subnets can optionally have subnet secondary IPv4 address ranges. This limit can't be increased. For more information, seeIPv4 subnet ranges. |
| Routes | ||
| Maximum number of network tags per route | 256 | The maximum number of network tags that you can associate with a static route. This limit can't be increased. |
IP address limits
| Item | Limit | Notes |
|---|---|---|
| Public delegated prefixes per public advertised prefix | 10 | The number of public delegated prefixes (PDPs) that you can create from a public advertised prefix (PAP). |
| Allocated IP address ranges per private connection | 5,000 | The maximum number of IP address ranges that you can associate with aprivate connection. |
Per instance
The following limits apply to VM instances. Unless otherwise noted, theselimitscan't be increased. Forquotas relevant to VMs, seeCompute Engine quotas.
| Item | Limit | Notes |
|---|---|---|
| Maximum Transmission Unit (MTU) | Between 1,300 bytes and 8,896 bytes (inclusive). Common values include 1460 bytes (default), 1500 bytes (standard Ethernet), and 8896 bytes (jumbo frames). | For more information, seeMaximum transmission unit. |
| Maximum number of network interfaces | Depends on the machine type of the VM | SeeMaximum number of network interfaces. |
| Maximum number of alias IP ranges per network interface | 150 | The number of alias IP ranges that you can assign to a network interface as long as you don't exceed thequota for the total number of assigned alias IP ranges in the VPC network. Google Cloud doesnot consider thesize of the alias IP range's netmask. For example, an individual |
| Network interfaces per VPC network | 1 | Each network interface must be connected to a unique VPC network. An instance can only have one network interface in a given VPC network. |
| Maximum duration for idle TCP connections | 10 minutes | VPC networks automatically drop idle TCP connections after ten minutes. You can't change this limit, but you can useTCP keepalives to prevent connections to instances from becoming idle. For details, see Compute Engine tips and troubleshooting. |
| Maximum egress data rate to an internal IP address destination | Depends on the machine type of the VM | See Egress to internal IP address destinations andmachine types in the Compute Engine documentation. |
| Maximum egress data rate to an external IP address destination | all flows: about 7 Gbps (gigabits per second) sustained or 25 Gbps with per VM Tier_1 networking performance single flow: 3 Gbps sustained | See Egress to external IP address destinations in the Compute Engine documentation. |
| Maximum ingress data rate to an internal IP address destination | No artificial limit | See Ingress to internal IP address destinations in the Compute Engine documentation. |
| Maximum ingress data rate to an external IP address destination | no more than 30 Gbps no more than 1,800,000 packets per second | See Ingress to external IP address destinations in the Compute Engine documentation. |
Connection logging limits
The maximum number of connections that can be logged per VM instance depends onitsmachine type. Connection logging limits areexpressed as the maximum number of connections that can be logged in a five-secondinterval.
Important: Firewall log entries are created on a best effort basis according tothe following table. It is possible for entries to not be logged during periods ofheavy traffic, even if the maximum number of logged connections for a machinetype has not been reached.| Instance machine type | Maximum number of connections logged in a 5-second interval |
|---|---|
| f1-micro | 100 connections |
| g1-small | 250 connections |
| Machine types with 1–8 vCPUs | 500 connections per vCPU |
| Machine types with more than 8 vCPUs | 4,000 (500×8) connections |
Hybrid connectivity
Use the following links to find quotas and limits for Cloud VPN,Cloud Interconnect, and Cloud Router:
Effective limits for per-peering group quotas
Each per-peering group quota has the concept of aneffective limit. Thissection describes how the quota's effective limit is calculated. The effectivelimit is always greater than or equal to the value of the per-peering groupquota's limit.
Most per-peering group quotas have a corresponding network quota—forexample,SUBNET_RANGES_PER_PEERING_GROUP andSUBNET_RANGES_PER_NETWORK. Theeffective limit calculation described in this section applies to all per-peeringgroup quotas, even those that don't have a corresponding per-network quota.
A per-peering group quota's effective limit is calculated in the following way:
Step 1. Select a VPC network. When VPC Network Peeringis used, each network has its own peering group. A network's peering groupconsists of the VPC network itself and all otherVPC networks that are directly connected to it throughVPC Network Peering. Effective limit calculations are repeated for eachper-peering group quotaon a network by network basis.
Step 2. For the selected VPC network, find thegreater ofthese limits:
- the limit for the per-peering group quota
- the limit for the corresponding per-network quota
If no corresponding per-network quota exists, use the per-peering groupquota's limit.
Step 3. Create a list consisting of thegreater of these two limits ineach peer network:
- the limit for the per-peering group quota
- the limit for the corresponding per-network quota
If no corresponding per-network quota exists, use the per-peering groupquota's limit.
Step 4. Find thesmallest value from the list created by Step 3.
Step 5. Take thegreater of the two values from Step 2 and Step 4.This number is theeffective limit for the per-peering group quota fromthe perspective of the selected VPC network.
Effective limits example
Suppose that you have four VPC networks,network-a,network-b,network-c, andnetwork-d. Because there are fourVPC networks, there are also four peering groups, one from theperspective of each network.
Suppose the network peering connections are as follows:
network-ais peered withnetwork-b, andnetwork-bis peered withnetwork-anetwork-ais peered withnetwork-c, andnetwork-cis peered withnetwork-anetwork-cis peered withnetwork-d, andnetwork-dis peered withnetwork-c
Suppose the limits for two corresponding quotas are set as follows:
| Network | Limit forINTERNAL_FORWARDING_RULES_PER_PEERING_GROUP | Limit forINTERNAL_FORWARDING_RULES_PER_NETWORK |
|---|---|---|
network-a | 500 | 600 |
network-b | 350 | 300 |
network-c | 300 | 300 |
network-d | 400 | 300 |
The effective limits for eachINTERNAL_FORWARDING_RULES_PER_PEERING_GROUPquota are as follows:
Peering group for
network-a—direct peers arenetwork-bandnetwork-c.- In
network-a:max(500,600) = 600 - List of maxima for direct peers:
network-b:max(350,300) = 350network-c:max(300,300) = 300
- Minimum of the list of direct peers:
min(350,300) = 300 - Effective limit for
INTERNAL_FORWARDING_RULES_PER_PEERING_GROUPinnetwork-a:max(600,300) = 600
- In
Peering group for
network-b—one direct peer,network-a.- In
network-b:max(350,300) = 350 - List of maxima for direct peers:
network-a:max(500,600) = 600
- Minimum of the list of direct peers:
min(600) = 600 - Effective limit for
INTERNAL_FORWARDING_RULES_PER_PEERING_GROUPinnetwork-b:max(350,600) = 600
- In
Peering group for
network-c—direct peers arenetwork-aandnetwork-d.- In
network-c:max(300,300) = 300 - List of maxima for direct peers:
network-a:max(500,600) = 600network-d:max(400,300) = 400
- Minimum of the list of direct peers:
min(600,400) = 400 - Effective limit for
INTERNAL_FORWARDING_RULES_PER_PEERING_GROUPinnetwork-c:max(300,400) = 400
- In
Peering group for
network-d—one direct peer,network-c.- In
network-d:max(400,300) = 400 - List of maxima for direct peers:
network-c:max(300,300) = 300
- Minimum of the list of direct peers:
min(300) = 300 - Effective limit for
INTERNAL_FORWARDING_RULES_PER_PEERING_GROUPinnetwork-d:max(400,300) = 400
- In
Manage quotas
Virtual Private Cloud enforces quotas on resource usage for various reasons. For example, quotas protect the community of Google Cloud users by preventing unforeseen spikes in usage. Quotas also help users who are exploring Google Cloud with thefree tier to stay within their trial.
All projects start with the same quotas, which you can change byrequesting additional quota. Some quotas might increase automatically based on your use of a product.
Permissions
To view quotas or request quota increases, Identity and Access Management (IAM) principals need one of the following roles.
| Task | Required role |
|---|---|
| Check quotas for a project | One of the following:
|
| Modify quotas, request additional quota | One of the following:
|
Check your quota
Console
- In the Google Cloud console, go to theQuotas page.
- To search for the quota that you want to update, use theFilter table. If you don't know the name of the quota, use the links on this page instead.
gcloud
Using the Google Cloud CLI, run the following command to check your quotas. ReplacePROJECT_ID with your own project ID.
gcloud compute project-info describe --projectPROJECT_ID
To check your used quota in a region, run the following command:
gcloud compute regions describe example-region
Errors when exceeding your quota
If you exceed a quota with agcloud command,gcloud outputs aquota exceeded error message and returns with the exit code1.
If you exceed a quota with an API request, Google Cloud returns the following HTTP status code:413 Request Entity Too Large.
Request additional quota
To adjust most quotas, use the Google Cloud console. For more information, seeRequest a quota adjustment.
Resource availability
Each quota represents a maximum number for a particular type of resource that you can create, if that resource is available. It's important to note that quotasdon't guarantee resource availability. Even if you have available quota, you can't create a new resource if it is not available.
For example, you might have sufficient quota to create a new regional, external IP address in a given region. However, that is not possible if there are no available external IP addresses in that region. Zonal resource availability can also affect your ability to create a new resource.
Situations where resources are unavailable in an entire region are rare. However, resources within a zone can be depleted from time to time, typically without impact to the service level agreement (SLA) for the type of resource. For more information, review the relevant SLA for the resource.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-18 UTC.