This document lists the quotas and limits that apply to Cloud Next Generation Firewall. For more information on quotas, see Virtual Private Cloud quotas.
A quota restricts how much of a shared Google Cloud resource your Google Cloud project can use, including hardware, software, and network components. Therefore, quotas are a part of a system that does the following:
- Monitors your use or consumption of Google Cloud products and services.
- Restricts your consumption of those resources, for reasons that include ensuring fairness and reducing spikes in usage.
- Maintains configurations that automatically enforce prescribed restrictions.
- Provides a means to request or make changes to the quota.
In most cases, when a quota is exceeded, the system immediately blocks access to the relevant Google resource, and the task that you're trying to perform fails. In most cases, quotas apply to each Google Cloud project and are shared across all applications and IP addresses that use that Google Cloud project.
There are also limits on Cloud NGFW resources. These limits are unrelated to the quota system. Limits cannot be changed unless otherwise stated.
Quotas
This section lists the quotas that apply to Cloud Next Generation Firewall.
You can view the quotas and limits associated with Virtual Private Cloud (VPC) on the VPC quotas and limits page.
Per project
Per-project quotas are adjustable quotas. You can request a change for a per-project quota by using the Google Cloud console. To learn more about how to request quota change, see Requesting additional quota. If the edit option is not available for a quota, file a support case to ask if the quota can be increased or decreased.
To monitor per-project quotas that use Cloud Monitoring, set up monitoring
for the metric serviceruntime.googleapis.com/quota/allocation/usage on the
Consumer Quota resource type. Set additional label filters (service,
quota_metric) to get to the quota type. For information about monitoring quota
metrics, see Chart and monitor quota metrics.
Each quota has a limit and a usage value.
The following table highlights important global quotas for Cloud NGFW resources in each project. For other quotas, see the Quotas page in the Google Cloud console.
| Quota | Description |
|---|---|
| VPC firewall rules | The number of VPC firewall rules that you can create for all VPC networks in your project. |
| Global address groups per project | The number of global address groups that you can define in a project. |
| Regional address groups per project per region | The number of regional address groups that you can define for a project in a region. |
| Global network firewall policies | The number of Global network firewall policies in a project. |
| Regional network firewall policies | The number of Regional network firewall policies per region in a project. |
Per organization
This table highlights important global quotas for Cloud NGFW resources in each organization. To request an update to these quotas, file a support case.
| Item | Default quota | Notes |
|---|---|---|
| Unassociated hierarchical firewall policies per organization | 50 | An unassociated hierarchical firewall policy exists in your Google Cloud organization but is not associated with a resource. There is no limit on the number of policies your organization can have associated with resources, though each resource can have only one associated policy. |
Per firewall policy
The following quotas apply to firewall policies.
| Quota | Description |
|---|---|
| Hierarchical firewall policies | |
| Rule attribute count per hierarchical firewall policy | This quota is the sum of rule attributes from all rules in a hierarchical firewall policy. The default limit is 2,000. To request a quota increase, file a support case. For more information, see Rule attribute count details. |
| Domain names (FQDNs) per hierarchical firewall policy | This quota is the sum of all source domain names from all ingress rules in the policy plus the sum of all destination domain names from all egress rules in the policy. The default limit is 100. To request a quota increase, file a support case. |
| Global network firewall policies | |
| Rule attributes per global network firewall policy | The sum of rule attributes from all rules in a global network firewall policy. For more information, see Rule attribute count details. |
| Domain names (FQDNs) per global network firewall policy | The number of domain names that you can include in all rules of a global network firewall policy. This quota is the sum of all source domain names from all ingress rules in the policy plus the sum of all destination domain names from all egress rules in the policy. |
| Regional network firewall policies | |
| Rule attributes per regional network firewall policy | The sum of rule attributes from all rules in a regional network firewall policy. For more information, see Rule attribute count details. |
| Domain names (FQDNs) per regional network firewall policy | The number of domain names (FQDNs) that you can include in all rules of a regional network firewall policy: This quota is the sum of all source domain names from all ingress rules in the policy plus the sum of all destination domain names from all egress rules in the policy. |
Rule attribute count details
Each firewall policy supports a maximum total number of rule attributes. The sum of rule attribute counts for all firewall rules in a firewall policy is the rule attribute count for that firewall policy.
The following example rules illustrate how Google Cloud counts rule attributes on a per firewall rule basis. To learn about how Google Cloud calculates the rule attribute count for each firewall policy, see Describe a policy.
| Example firewall rule | Rule attribute count | Explanation |
|---|---|---|
Ingress allow firewall rule with source IP address range
10.100.0.1/32, tcp protocol, and
5000-6000 port range.
|
3 | One source range; one protocol, one port range. |
Ingress deny firewall rule with source IP address ranges
10.0.0.0/8, 192.168.0.0/16, destination IP
address range 100.64.0.7/32, tcp and
udp protocols, port ranges 53-53 and
5353-5353.
|
11 | There are four protocol and port combinations: tcp:53-53,
tcp:5353-5353, udp:53-53, and
udp:5353-5353. Each protocol and port combination uses two
attributes. One attribute each for the two source IP address ranges, one
attribute for the destination IP address range, and eight attributes for the
protocol and port combinations produces an attribute count of 11. |
Egress deny firewall rule with source IP address range
100.64.0.7/32, destination IP address range
10.100.0.1/32, 10.100.1.1/32, tcp:80,
tcp:443, and udp:4000-5000.
|
9 | Protocol and port combinations expand to three: tcp:80-80,
tcp:443-443, and udp:4000-5000. Each protocol and
port combination uses two attributes. One attribute for the source range,
one attribute each for the two destination IP address ranges, and six
attributes for the protocol and port combinations produces an attribute
count of 9. |
Limits
Limits cannot be increased unless specifically noted.
Per organization
The following limits apply to organizations.
| Item | limit | Notes |
|---|---|---|
| Global address groups per organization | 100 | The maximum number of global address groups that you can create per organization. |
| Regional address groups per organization per region | 100 | The maximum number of regional address groups that you can create per organization in a region. |
| Organization address groups | 100 | The maximum number of address groups that you can create per organization regardless of location (global or regional). |
| Maximum address group capacity | 1,000 | The maximum capacity of an address group per organization or project. |
| Maximum secure tag keys per organization or per project | 1,000 | The maximum number of secure tag keys that you can create per organization or project. For more information, see Tag limits. |
| Maximum secure tag values per key per organization or per project | 1,000 | The maximum number of secure tag values that you can add per key in an organization or project. For more information, see Tag limits. |
| Maximum secure tags key-value pairs per resource per organization | 50 | The maximum number of secure tag key-value pairs that you can add per resource in an organization or project. For more information, see Tag limits.
For network limits, see Per network limits. |
| Threat prevention security profiles per organization | 40 | The maximum number of security profiles of type threat prevention that you can create per organization. |
| Security profile groups per organization | 40 | The maximum number of security profile groups that use a threat prevention security profile that you can create per organization. |
| Firewall endpoints per zone per organization | 10 | The maximum number of firewall endpoints that you can create per zone per organization. |
Per network
The following limits apply to VPC networks.
| Item | Limit | Notes |
|---|---|---|
| Maximum global network firewall policies per network | 1 | The maximum number of global network firewall policies that you can associate with a VPC network. |
| Maximum regional network firewall policies per region per network | 1 | The maximum number of regional network firewall policies that you can associate with a combination of VPC network and region. |
| Maximum number of domain names (FQDNs) per network | 1,000 | The maximum total number of domain names that can be used in firewall rules that come from hierarchical firewall policies, global network firewall policies, and regional network firewall policies associated with a VPC network. |
| Firewall endpoints per zone per network | 1 | The maximum number of firewall endpoints that you can assign per zone per network. |
Per firewall rule
The following limits apply to firewall rules:
| Item | Limit | Notes |
|---|---|---|
| Maximum number of source secure tags per ingress firewall policy rule | 256 | Applicable only to ingress firewall policy rule—the maximum number of secure tags that you can use as source tags in the firewall rule. This limit cannot be increased. |
| Maximum number of target secure tags per firewall policy rule | 256 | Applicable only to firewall policy rule—the maximum number of secure tags that you can use as target tags in the firewall rule. This limit cannot be increased. |
| Maximum number of source network tags per ingress VPC firewall rule | 30 | Applicable only to ingress VPC firewall rules—the maximum number of network tags that you can use as source tags in the firewall rule. This limit cannot be increased. |
| Maximum number of target network tags per VPC firewall rule | 70 | Applicable only to VPC firewall rules—the maximum number of network tags that you can use as target tags in the firewall rule. This limit cannot be increased. |
| Maximum number of source service accounts per ingress VPC firewall rule | 10 | Applicable only to ingress VPC firewall rules—the maximum number of service accounts that you can use as sources in the firewall rule. This limit cannot be increased. |
| Maximum number of target service accounts per firewall rule | 10 | The maximum number of service accounts that you can use as targets in a VPC firewall rule or rule in a firewall policy. This limit cannot be increased. |
| Maximum number of source IP address ranges per firewall rule | 5,000 | The maximum number of source IP address ranges that you can specify in a VPC firewall rule or rule in a firewall policy. IP address ranges are either IPv4 only or IPv6 only. This limit cannot be increased. |
| Maximum number of destination IP address ranges per firewall rule | 5,000 | The maximum number of destination IP address ranges that you can specify in a VPC firewall rule or rule in a firewall policy. IP address ranges are either IPv4 only or IPv6 only. This limit cannot be increased. |
| Maximum number of source address groups per ingress firewall rule in a firewall policy | 10 | The maximum number of source address groups that you can specify in an ingress firewall rule in a firewall policy. This limit cannot be increased. |
| Maximum number of destination address groups per firewall rule in a firewall policy | 10 | The maximum number of destination address groups that you can specify in an egress firewall rule in a firewall policy. This limit cannot be increased. |
| Maximum number of domain names (FQDNs) per firewall rule in a firewall policy | 100 | The number of domain names (FQDNs) that you can include in a rule of a firewall policy. This limit cannot be increased. |
Per firewall endpoint
The following limits apply to firewall endpoints.
| Item | Default quota | Notes |
|---|---|---|
| Associations per firewall endpoint | 50 | The maximum number of VPC networks that you can associate with a firewall endpoint. You can create additional firewall endpoints in the same zone to overcome this limit. |
Per security profile
The following limits apply to security profiles.
| Item | Default quota | Notes |
|---|---|---|
| Number of threat overrides per security profile | 100 | The maximum number of threat overrides you can add in a threat prevention security profile. |
Per VM network interface
The following limits apply to VM network interfaces:
| Item | Limit | Notes |
|---|---|---|
| Maximum secure tags per VM interface | 10 | The maximum number of secure tags that you can add per VM per NIC. |
Managing quotas
Cloud Next Generation Firewall enforces quotas on resource usage for various reasons. For example, quotas protect the community of Google Cloud users by preventing unforeseen spikes in usage. Quotas also help users who are exploring Google Cloud with the free tier to stay within their trial.
All projects start with the same quotas, which you can change by requesting additional quota. Some quotas may increase automatically based on your use of a product.
Permissions
To view quotas or request quota increases, Identity and Access Management (IAM) principals need one of the following roles.
| Task | Required role |
|---|---|
| Check quotas for a project | One of the following:
|
| Modify quotas, request additional quota | One of the following:
|
Checking your quota
Console
- In the Google Cloud console, go to the Quotas page.
- To search for the quota that you want to update, use the Filter table. If you don't know the name of the quota, use the links on this page instead.
gcloud
Using the Google Cloud CLI, run the following command to
check your quotas. Replace PROJECT_ID with your own project ID.
gcloud compute project-info describe --project PROJECT_ID
To check your used quota in a region, run the following command:
gcloud compute regions describe example-region
Errors when exceeding your quota
If you exceed a quota with a gcloud command,
gcloud outputs a quota exceeded error
message and returns with the exit code 1.
If you exceed a quota with an API request, Google Cloud returns the
following HTTP status code: HTTP 413 Request Entity Too Large.
Requesting additional quota
To increase or decrease most quotas, use the Google Cloud console. For more information, see Request a higher quota.
Console
- In the Google Cloud console, go to the Quotas page.
- On the Quotas page, select the quotas that you want to change.
- At the top of the page, click Edit quotas.
- Fill out your name, email, and phone number, and then click Next.
- Fill in your quota request, and then click Done.
- Submit your request. Quota requests take 24 to 48 hours to process.
Resource availability
Each quota represents a maximum number for a particular type of resource that you can create, if that resource is available. It's important to note that quotas do not guarantee resource availability. Even if you have available quota, you can't create a new resource if it is not available.
For example, you might have sufficient quota to create a new regional, external IP address
in the us-central1 region. However, that is not possible if there are no
available external IP addresses in that region. Zonal resource
availability can also affect your ability to create a new resource.
Situations where resources are unavailable in an entire region are rare. However, resources within a zone can be depleted from time to time, typically without impact to the service level agreement (SLA) for the type of resource. For more information, review the relevant SLA for the resource.