Quotas and limits

This document lists the quotas and system limits that apply to Cloud NAT.

  • Quotas have default values, but you can typically request adjustments.
  • System limits are fixed values that can't be changed.

A given quota or limit is calculated per resource. Quotas and limits may be per project, per network, per region, or per some other resource. NAT IP addresses can't be shared between NAT gateways.

Cloud de Confiance by S3NS uses quotas to help ensure fairness and reduce spikes in resource use and availability. A quota restricts how much of a Cloud de Confiance resource your Cloud de Confiance project can use. Quotas apply to a range of resource types, including hardware, software, and network components. For example, quotas can restrict the number of API calls to a service, the number of load balancers used concurrently by your project, or the number of projects that you can create. Quotas protect the community of Cloud de Confiance users by preventing the overloading of services. Quotas also help you to manage your own Cloud de Confiance resources.

The Cloud Quotas system does the following:

In most cases, when you attempt to consume more of a resource than its quota allows, the system blocks access to the resource, and the task that you're trying to perform fails.

Quotas generally apply at the Cloud de Confiance project level. Your use of a resource in one project doesn't affect your available quota in another project. Within a Cloud de Confiance project, quotas are shared across all applications and IP addresses.

For more information, see the Cloud Quotas overview.

There are also system limits on Cloud NAT resources. System limits can't be changed.

Quotas

For quotas that affect Cloud NAT, see the Cloud Router quotas page.

Limits

NAT gateways
  Limit: 50 per Cloud Router
  Notes: Each network supports up to 5 Cloud Router instances per region, so you can have up to 250 Cloud NAT gateways per region per Virtual Private Cloud (VPC) network. For Cloud Router quotas, see the Cloud Router documentation.

NAT IP addresses per gateway
  Limit: 300 manual addresses; 2,500 auto-allocated addresses
  Notes: The maximum number of external IP addresses that you can have on a NAT gateway. This value is also bounded by the VPC per-project quotas for static IP addresses and in-use IP addresses.

Subnet ranges
  Limit: 50 per gateway
  Notes: The maximum number of subnets that you can associate with a gateway when you configure a custom list of subnet ranges. The number of subnet ranges might be more than the limit because each subnet can have a primary IPv4 range and one or more secondary ranges.
  If you have configured NAT for the primary ranges of all subnets, or for the primary and secondary ranges of all subnets, this limit doesn't apply.

NAT rules
  Limit: 150 per gateway; 2,500 per Cloud Router
  Notes: If this limit is exceeded, the API returns an error.

Active IP addresses per NAT rule
  Limit: 300

Characters in CEL expressions per rule
  Limit: 2,048

Characters in CEL expressions per Cloud Router instance
  Limit: 500,000
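The limits above are fixed, so a layout that exceeds one of them fails at the API rather than being adjustable by a quota request. The following pre-flight check encodes the table's values and runs a planned layout against them. It is an added example for this page, not S3NS or Google tooling: the dataclasses are this example's own model, and only the limit values come from the table. The `ip_allocation` and `subnet_mode` strings follow the Cloud NAT API's `natIpAllocateOption` and `sourceSubnetworkIpRangesToNat` values.

```python
"""Pre-flight check of a planned Cloud NAT layout against the fixed limits in the
table above. Added example for this page, not S3NS or Google tooling; the
dataclasses are this example's own model, only the limit values come from the page."""
from collections import Counter
from dataclasses import dataclass, field
from typing import List

# Fixed system limits from the Limits table (cannot be raised).
MAX_ROUTERS_PER_REGION_PER_NETWORK = 5
MAX_GATEWAYS_PER_ROUTER = 50
MAX_MANUAL_NAT_IPS_PER_GATEWAY = 300
MAX_AUTO_NAT_IPS_PER_GATEWAY = 2_500
MAX_SUBNET_RANGES_PER_GATEWAY = 50      # only when a custom subnet list is used
MAX_NAT_RULES_PER_GATEWAY = 150
MAX_NAT_RULES_PER_ROUTER = 2_500
MAX_ACTIVE_IPS_PER_NAT_RULE = 300
MAX_CEL_CHARS_PER_RULE = 2_048
MAX_CEL_CHARS_PER_ROUTER = 500_000


@dataclass
class NatRule:
    match: str          # CEL match expression
    active_ips: int     # NAT IPs currently active for this rule


@dataclass
class NatGateway:
    name: str
    ip_allocation: str          # "MANUAL_ONLY" or "AUTO_ONLY" (natIpAllocateOption values)
    nat_ip_count: int           # manual IPs assigned, or auto-allocated IPs in use
    subnet_mode: str            # a sourceSubnetworkIpRangesToNat value
    custom_subnet_count: int = 0
    rules: List[NatRule] = field(default_factory=list)


@dataclass
class CloudRouter:
    name: str
    region: str
    network: str
    gateways: List[NatGateway] = field(default_factory=list)


def check_gateway(gw: NatGateway) -> List[str]:
    """Per-gateway limits; returns a list of human-readable violations."""
    problems = []
    ip_cap = (MAX_AUTO_NAT_IPS_PER_GATEWAY if gw.ip_allocation == "AUTO_ONLY"
              else MAX_MANUAL_NAT_IPS_PER_GATEWAY)
    if gw.nat_ip_count > ip_cap:
        problems.append(f"{gw.name}: {gw.nat_ip_count} NAT IPs exceeds {ip_cap} ({gw.ip_allocation})")
    # The 50-subnet limit applies only to a custom list; the ALL_SUBNETWORKS_* modes are exempt.
    if gw.subnet_mode == "LIST_OF_SUBNETWORKS" and gw.custom_subnet_count > MAX_SUBNET_RANGES_PER_GATEWAY:
        problems.append(f"{gw.name}: {gw.custom_subnet_count} subnets exceeds {MAX_SUBNET_RANGES_PER_GATEWAY}")
    if len(gw.rules) > MAX_NAT_RULES_PER_GATEWAY:
        problems.append(f"{gw.name}: {len(gw.rules)} NAT rules exceeds {MAX_NAT_RULES_PER_GATEWAY}")
    for idx, rule in enumerate(gw.rules):
        if len(rule.match) > MAX_CEL_CHARS_PER_RULE:
            problems.append(f"{gw.name}: rule {idx} CEL is {len(rule.match)} chars, limit {MAX_CEL_CHARS_PER_RULE}")
        if rule.active_ips > MAX_ACTIVE_IPS_PER_NAT_RULE:
            problems.append(f"{gw.name}: rule {idx} has {rule.active_ips} active IPs, limit {MAX_ACTIVE_IPS_PER_NAT_RULE}")
    return problems


def check_layout(routers: List[CloudRouter]) -> List[str]:
    """Whole-layout check: routers per region, per-router aggregates, then each gateway."""
    problems = []
    routers_per_region = Counter((r.network, r.region) for r in routers)
    for (network, region), n in sorted(routers_per_region.items()):
        if n > MAX_ROUTERS_PER_REGION_PER_NETWORK:
            problems.append(f"{network}/{region}: {n} Cloud Routers exceeds {MAX_ROUTERS_PER_REGION_PER_NETWORK}")
    for r in routers:
        if len(r.gateways) > MAX_GATEWAYS_PER_ROUTER:
            problems.append(f"{r.name}: {len(r.gateways)} gateways exceeds {MAX_GATEWAYS_PER_ROUTER}")
        rule_total = sum(len(g.rules) for g in r.gateways)
        if rule_total > MAX_NAT_RULES_PER_ROUTER:
            problems.append(f"{r.name}: {rule_total} NAT rules exceeds {MAX_NAT_RULES_PER_ROUTER}")
        cel_total = sum(len(rule.match) for g in r.gateways for rule in g.rules)
        if cel_total > MAX_CEL_CHARS_PER_ROUTER:
            problems.append(f"{r.name}: {cel_total} CEL chars exceeds {MAX_CEL_CHARS_PER_ROUTER}")
        for g in r.gateways:
            problems.extend(f"{r.name}/{p}" for p in check_gateway(g))
    return problems


def sample_layout() -> List[CloudRouter]:
    """Constructed sample: one compliant gateway and one that breaks four limits."""
    ok_gw = NatGateway("nat-ok", "AUTO_ONLY", 2_500, "ALL_SUBNETWORKS_ALL_IP_RANGES",
                       rules=[NatRule("destination.ip == '203.0.113.10'", 2)])
    bad_gw = NatGateway("nat-bad", "MANUAL_ONLY", 301, "LIST_OF_SUBNETWORKS",
                        custom_subnet_count=51, rules=[NatRule("x" * 2_049, 301)])
    return [CloudRouter("cr-prod", "europe-west9", "vpc-prod", [ok_gw, bad_gw])]


if __name__ == "__main__":
    for line in check_layout(sample_layout()):
        print("LIMIT:", line)
```

Run against the constructed sample, `check_layout` reports the four violations of the second gateway (manual IP count, custom subnet count, CEL length, and active IPs on a rule) and nothing for the first, because the `ALL_SUBNETWORKS_*` modes are exempt from the subnet-range limit, as the table's note says.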

Limitations

  • Some servers such as legacy DNS servers require UDP port randomization among 64,000 ports for enhanced security. Because Cloud NAT selects a random port from one of 64 or a user-configured number of ports, it is best to assign an external IP address to these servers instead of using Cloud NAT. Because Cloud NAT doesn't allow connections initiated from outside, most of these servers are required to use an external IP address anyway.

  • Cloud NAT isn't available for legacy networks.

  • Cloud NAT doesn't provide application-level gateway (ALG) capabilities—Cloud NAT doesn't update the IP address and port information in the packet data for application layer protocols such as FTP and SIP.

  • Cloud NAT gateways implement NAT connection tracking tables for each VM network interface on which they provide NAT services. Entries in each connection tracking table are 5-tuple hashes for the gateway's supported protocols.

    Entries in each connection tracking table persist for about as long as the relevant NAT timeout. For more information about NAT timeouts, see NAT timeouts.

    The maximum number of connection tracking table entries for all NAT connections associated with a VM is 65,535. This maximum covers connections, in aggregate, for all protocols that the gateway supports, across all network interfaces of the VM.

  • Small idle connection timeouts might not work.

    NAT mappings are checked every 30 seconds for expiration and configuration change. Even if a connection timeout value of 5 seconds is used, the connection may not be available for up to 30 seconds in the worst case, and 15 seconds in the average case.
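The two limitations above interact: a VM's 65,535-entry cap is only relieved when a sweep runs, so a short idle timeout does not free slots any faster than the 30-second check cycle. The model below makes that concrete. It is an added example, not Cloud NAT's implementation: entries are keyed by a SHA-256 hash of the 5-tuple (this example's choice), and the sweep is modelled as fixed 30-second ticks starting at time 0 (an assumption, used only to show the range of delays).

```python
"""Model of the per-VM NAT connection tracking described above: entries keyed by a
hash of the 5-tuple, an aggregate cap of 65,535 entries per VM, an idle timeout,
and expiry checks every 30 seconds. Added example, not Cloud NAT's implementation;
modelling the sweep as fixed 30-second ticks from time 0 is this example's assumption."""
import hashlib
import math
from typing import Dict, Tuple

SWEEP_INTERVAL = 30.0         # seconds between expiry checks (from the page)
MAX_ENTRIES_PER_VM = 65_535   # aggregate cap across protocols and NICs (from the page)

# (protocol, source IP, source port, destination IP, destination port)
FiveTuple = Tuple[str, str, int, str, int]


def tuple_hash(ft: FiveTuple) -> str:
    """Key for a tracking entry; SHA-256 over the 5-tuple is this example's choice."""
    return hashlib.sha256("|".join(map(str, ft)).encode()).hexdigest()


def release_time(last_activity: float, idle_timeout: float) -> float:
    """When an entry idle since last_activity is actually reclaimed: the first sweep
    tick at or after its nominal expiry, so up to SWEEP_INTERVAL seconds later."""
    expiry = last_activity + idle_timeout
    return math.ceil(expiry / SWEEP_INTERVAL) * SWEEP_INTERVAL


def max_new_connection_rate(idle_timeout: float) -> Tuple[float, float]:
    """(worst, best) sustainable new connections per second for one VM: each entry
    holds a slot for at least idle_timeout and at most idle_timeout + SWEEP_INTERVAL."""
    return (MAX_ENTRIES_PER_VM / (idle_timeout + SWEEP_INTERVAL),
            MAX_ENTRIES_PER_VM / idle_timeout)


class VmConntrack:
    """Tracking table for one VM (all NICs and protocols share the cap)."""

    def __init__(self, idle_timeout: float):
        self.idle_timeout = idle_timeout
        self.entries: Dict[str, float] = {}   # entry hash -> last activity time
        self.last_sweep = 0.0

    def _sweep_up_to(self, now: float) -> None:
        # Expired entries are reclaimed only when a sweep runs, not at their expiry time.
        while self.last_sweep + SWEEP_INTERVAL <= now:
            self.last_sweep += SWEEP_INTERVAL
            cutoff = self.last_sweep - self.idle_timeout
            self.entries = {h: t for h, t in self.entries.items() if t > cutoff}

    def packet(self, ft: FiveTuple, now: float) -> bool:
        """Record activity on a flow; returns False if a new flow is rejected (table full)."""
        self._sweep_up_to(now)
        key = tuple_hash(ft)
        if key in self.entries:
            self.entries[key] = now
            return True
        if len(self.entries) >= MAX_ENTRIES_PER_VM:
            return False
        self.entries[key] = now
        return True

    def size(self) -> int:
        return len(self.entries)


def exhaustion_demo(idle_timeout: float = 5.0) -> Tuple[int, bool, int]:
    """Open MAX_ENTRIES_PER_VM distinct UDP flows at t=0 (constructed: one per source
    port value), try one more TCP flow at t=1, then retry it at t=30. Returns
    (size before the sweep, whether the extra flow was accepted at t=1, size after)."""
    table = VmConntrack(idle_timeout)
    for port in range(MAX_ENTRIES_PER_VM):
        table.packet(("udp", "10.0.0.5", port, "198.51.100.7", 53), 0.0)
    before = table.size()
    extra = ("tcp", "10.0.0.5", 40000, "203.0.113.9", 443)
    accepted_at_1 = table.packet(extra, 1.0)      # rejected: full, and no sweep has run yet
    table.packet(extra, 30.0)                     # the t=30 sweep drops the idle UDP flows first
    return before, accepted_at_1, table.size()


if __name__ == "__main__":
    for last in (0.0, 25.0, 26.0):
        print(f"idle since {last:>4}: expires {last + 5.0:>4}, freed at {release_time(last, 5.0)}")
    print("new-connection rate bounds at 5 s timeout:", max_new_connection_rate(5.0))
    print("exhaustion demo (before, extra accepted, after):", exhaustion_demo())
```

`release_time` shows the spread the text describes: an entry that expires at t=5 is not freed until the t=30 sweep, one expiring at t=31 waits until t=60, so the delay past nominal expiry ranges from 0 to just under 30 seconds, averaging about 15. `exhaustion_demo` shows the consequence for the cap: with the table full at t=1, a new flow is rejected even though every existing entry has a 5-second timeout, and the slots only come back at the sweep.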