Quotas and limits
This document lists the quotas and system limits that apply to Cloud NAT.
- Quotas specify the amount of a countable, shared resource that you can use. Quotas are defined by Trusted Cloud by S3NS services such as Cloud NAT.
- System limits are fixed values that cannot be changed.
A given quota or limit is calculated per resource. Quotas and limits might be per project, per network, per region, or per some other resource. NAT IP addresses can't be shared between NAT gateways.
Trusted Cloud by S3NS uses quotas to help ensure fairness and reduce spikes in resource use and availability. A quota restricts how much of a Trusted Cloud resource your Trusted Cloud project can use. Quotas apply to a range of resource types, including hardware, software, and network components. For example, quotas can restrict the number of API calls to a service, the number of load balancers used concurrently by your project, or the number of projects that you can create. Quotas protect the community of Trusted Cloud users by preventing the overloading of services. Quotas also help you to manage your own Trusted Cloud resources.
The Cloud Quotas system does the following:
- Monitors your consumption of Trusted Cloud products and services
- Restricts your consumption of those resources
- Provides a way to request changes to the quota value and automate quota adjustments
In most cases, when you attempt to consume more of a resource than its quota allows, the system blocks access to the resource, and the task that you're trying to perform fails.
Quotas generally apply at the Trusted Cloud project level. Your use of a resource in one project doesn't affect your available quota in another project. Within a Trusted Cloud project, quotas are shared across all applications and IP addresses.
There are also system limits on Cloud NAT resources. System limits can't be changed.
Quotas
For quotas that affect Cloud NAT, see the Cloud Router quotas page.
Limits
Item | Limit | Notes |
---|---|---|
NAT gateways | 50 per Cloud Router | Each network supports up to 5 Cloud Router instances per region, so you can have up to 250 Cloud NAT gateways per region per Virtual Private Cloud (VPC) network. For Cloud Router quotas, see the Cloud Router documentation. |
NAT IP addresses per gateway | 300 manual addresses; 2,500 auto-allocated addresses | The maximum number of external IP addresses that you can have on a NAT gateway. However, this value depends on the static IP addresses and in-use IP addresses VPC per-project quotas. |
Subnet ranges | 50 per gateway | The maximum number of subnets that you can associate with a gateway when you configure a custom list of subnet ranges. The number of subnet ranges might be more than the limit because each subnet can have a primary IPv4 range and one or more secondary ranges. If you have configured NAT for primary ranges for all subnets or primary and secondary ranges for all subnets, this limit doesn't apply. |
NAT rules | 50 per gateway | If this limit is exceeded, the API returns an error. |
Active IP addresses per NAT rule | 300 | |
Characters in CEL expressions per rule | 2,048 | |
Characters in CEL expressions per Cloud Router instance | 500,000 | |
Limitations
Some servers, such as legacy DNS servers, require UDP port randomization across 64,000 ports for enhanced security. Because Cloud NAT selects a random port from a pool of only 64 ports (or a user-configured number of ports), it is best to assign an external IP address to these servers instead of using Cloud NAT. Because Cloud NAT doesn't allow connections initiated from outside, most of these servers require an external IP address anyway.
Cloud NAT isn't available for legacy networks.
Cloud NAT doesn't provide application-level gateway (ALG) capabilities—Cloud NAT doesn't update the IP address and port information in the packet data for application layer protocols such as FTP and SIP.
Cloud NAT gateways implement NAT connection tracking tables for each VM network interface on which they provide NAT services. Entries in each connection tracking table are 5-tuple hashes for the gateway's supported protocols.
Entries in each connection tracking table persist for about as long as the relevant NAT timeout. For more information about NAT timeouts, see NAT timeouts.
The maximum number of connection tracking table entries for all NAT connections associated with a VM is 65,535. This maximum covers connections, in aggregate, for all protocols that the gateway supports, across all network interfaces of the VM.
Small idle connection timeouts might not take effect as configured. NAT mappings are checked every 30 seconds for expiration and configuration changes. Even if you configure a connection timeout of 5 seconds, the connection might not be available for up to 30 seconds in the worst case, and 15 seconds in the average case.
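The following is an added example (not Cloud NAT's own code) that models the two limits described above: the 65,535-entry aggregate connection tracking table per VM and the 30-second expiration sweep. It assumes that sweeps happen on fixed 30-second boundaries and that an entry is purged at the first sweep at or after its idle timeout elapses; the IP addresses and flows are constructed.

```python
import math
from typing import Dict, Tuple

MAX_ENTRIES_PER_VM = 65_535  # aggregate across all protocols and all NICs of one VM
SWEEP_INTERVAL_S = 30        # NAT mappings are checked for expiry only every 30 s

# A tracking entry is keyed by the 5-tuple (protocol, src IP, src port, dst IP, dst port).
FiveTuple = Tuple[str, str, int, str, int]


class VmConntrackTable:
    """Simplified model (assumption) of one VM's aggregate NAT connection tracking table."""

    def __init__(self, idle_timeout_s: int) -> None:
        self.idle_timeout_s = idle_timeout_s
        self.entries: Dict[FiveTuple, float] = {}  # 5-tuple -> last activity time
        self.last_sweep_s = 0.0

    def _sweep(self, now: float) -> None:
        # Expiry is only enforced at 30 s boundaries, not at the moment a timeout elapses.
        while self.last_sweep_s + SWEEP_INTERVAL_S <= now:
            self.last_sweep_s += SWEEP_INTERVAL_S
            cutoff = self.last_sweep_s - self.idle_timeout_s
            self.entries = {k: t for k, t in self.entries.items() if t > cutoff}

    def admit(self, now: float, flow: FiveTuple) -> bool:
        """Return True if the flow gets (or already holds) a tracking entry."""
        self._sweep(now)
        if flow in self.entries or len(self.entries) < MAX_ENTRIES_PER_VM:
            self.entries[flow] = now
            return True
        return False  # table full: a new flow on any NIC or protocol is refused


def slot_release_time(last_activity_s: float, idle_timeout_s: int) -> float:
    """Time at which an idle entry is actually removed: the first sweep at or after expiry."""
    expiry = last_activity_s + idle_timeout_s
    return math.ceil(expiry / SWEEP_INTERVAL_S) * SWEEP_INTERVAL_S


def fill_two_nics(table: VmConntrackTable) -> int:
    """Constructed load: TCP and UDP flows from two NICs until the table overflows."""
    admitted = 0
    for i in range(MAX_ENTRIES_PER_VM + 1):
        proto = "tcp" if i % 2 == 0 else "udp"
        src_ip = "10.0.0.2" if i % 4 < 2 else "10.1.0.2"  # constructed nic0 / nic1 addresses
        flow = (proto, src_ip, 1024 + i // 4, "203.0.113.10", 443)  # unique per i
        if table.admit(0.0, flow):
            admitted += 1
    return admitted  # 65,535: the 65,536th flow is refused
```

A 5-second idle timeout frees no capacity before the next sweep, so a table that fills at t=0 still refuses new flows at t=29 and only admits them again at t=30.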