Quota Limits
Up to 20,000 protection policies (including protection rules, blacklist items, and whitelist items) can be added to a firewall instance.
- Used quota: The number of configured protection rules, including all the protection rules for EIP, NAT, and VPC border protection.
- Total quota: 20,000 (including protection rules, blacklist items, and whitelist items)
Example: The following policies are configured for a firewall: 100 EIP rules, 80 NAT rules, 50 VPC border rules, 30 blacklist rules, and 20 whitelist rules.
The quota usage of protection rules is (100 + 80 + 50)/20,000 = 230/20,000.
The number of protection rules that can still be added is 20,000 – 230 (protection rules) – 30 (blacklist items) – 20 (whitelist items) = 19,720.
A maximum of 2,000 blacklist items can be added to a firewall instance.
- Used quota: The number of configured blacklist items, including all the blacklist items for EIP, NAT, and VPC border protection.
- Total quota: 2,000. In addition, the allowed maximum quota of protection rules, blacklist items, and whitelist items is 20,000.
Example: A firewall has 1,000 protection rules and 300 blacklist items.
Blacklist quota usage: 300/2,000
If no more blacklist or whitelist items are added, the maximum number of protection rules that can still be added is 20,000 – 1,000 (protection rules) – 300 (blacklist items) = 18,700.
A maximum of 2,000 whitelist items can be added to a firewall instance.
- Used quota: The number of configured whitelist items, including all the whitelist items for EIP, NAT, and VPC border protection.
- Total quota: 2,000. In addition, the allowed maximum quota of protection rules, blacklist items, and whitelist items is 20,000.
Example: A firewall has 1,000 protection rules and 500 whitelist items.
Whitelist quota usage: 500/2,000
If no more blacklist or whitelist items are added, the maximum number of protection rules that can still be added is 20,000 – 1,000 (protection rules) – 500 (whitelist items) = 18,500.
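The shared 20,000 pool and the two 2,000 sub-limits apply at the same time, so the number of blacklist or whitelist items that can still be added is the smaller of the two remainders. The following check is an added example, not code from this documentation or from the product; the function and key names are hypothetical, and only the limits come from this page.

```python
# Added example. Limits are the ones stated on this page; the function and
# key names are hypothetical and are not part of any vendor API or SDK.
TOTAL_POLICY_QUOTA = 20_000  # protection rules + blacklist + whitelist items
BLACKLIST_QUOTA = 2_000
WHITELIST_QUOTA = 2_000


def policy_headroom(eip_rules, nat_rules, vpc_rules, blacklist, whitelist):
    """Check one firewall instance's planned policy counts against the quotas."""
    counts = (eip_rules, nat_rules, vpc_rules, blacklist, whitelist)
    if any(c < 0 for c in counts):
        raise ValueError("counts must be non-negative")

    # Protection rules for EIP, NAT and VPC border protection are counted together.
    rules = eip_rules + nat_rules + vpc_rules
    used = rules + blacklist + whitelist

    violations = []
    if blacklist > BLACKLIST_QUOTA:
        violations.append(f"blacklist {blacklist} > {BLACKLIST_QUOTA}")
    if whitelist > WHITELIST_QUOTA:
        violations.append(f"whitelist {whitelist} > {WHITELIST_QUOTA}")
    if used > TOTAL_POLICY_QUOTA:
        violations.append(f"total {used} > {TOTAL_POLICY_QUOTA}")

    # Whatever is left in the shared pool caps every policy type.
    shared_left = max(TOTAL_POLICY_QUOTA - used, 0)
    return {
        "rules_used": rules,
        "total_used": used,
        "rules_left": shared_left,
        # A list item needs room in its own sub-limit AND in the shared pool.
        "blacklist_left": min(max(BLACKLIST_QUOTA - blacklist, 0), shared_left),
        "whitelist_left": min(max(WHITELIST_QUOTA - whitelist, 0), shared_left),
        "violations": violations,
    }


if __name__ == "__main__":
    # Constructed inputs: the first matches the example on this page.
    print(policy_headroom(100, 80, 50, 30, 20))
    # Near the shared limit, the pool (not the 2,000 sub-limit) is what binds.
    print(policy_headroom(18_000, 0, 0, 1_500, 400))
```

Running such a check against a planned rule set before a bulk import shows which limit will be hit first.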
A firewall instance can have up to 3,000 IP address groups.
- Used quota: The number of configured user-defined address groups.
- Total quota: 3,000
A firewall instance can have up to 30,000 IP address members.
- Used quota: The total number of IP addresses configured in all user-defined address groups.
- Total quota: 30,000
Example: 10 IP address groups are configured for a firewall, and each IP address group contains 100 IP addresses. (A total of 1,000 IP addresses are configured.)
The maximum number of IP address groups that can still be configured is 3,000 - 10 = 2,990. The maximum number of IP addresses that can still be configured is 30,000 - 1,000 = 29,000.
A firewall instance can have up to 500 application domain name groups.
- Used quota: The number of configured application domain name groups.
- Total quota: 500
A firewall instance can have up to 60,000 application domain name group members.
- Used quota: The total number of domain names configured in all application domain name groups.
- Total quota: 60,000
Example: 10 application domain name groups are configured for a firewall, and each group contains 100 domain names. (A total of 1,000 domain names are configured.)
The maximum number of application domain name groups that can still be configured is 500 - 10 = 490. The maximum number of application domain names that can still be configured is 60,000 - 1,000 = 59,000.
A firewall instance can have up to 1,000 network domain name groups.
- Used quota: The number of configured network domain name groups.
- Total quota: 1,000
A firewall instance can have up to 1,000 network domain name group members.
- Used quota: The total number of domain names configured in all network domain name groups.
- Total quota: 1,000
Example: 10 network domain name groups are configured for a firewall, and each group contains 20 domain names. (A total of 200 domain names are configured.)
The maximum number of network domain name groups that can still be configured is 1,000 - 10 = 990. The maximum number of network domain names that can still be configured is 1,000 - 200 = 800.
The domain names in network domain name groups and those referenced by ACLs are both counted.
A firewall instance can have up to 512 service groups.
- Used quota: The number of configured user-defined service groups.
- Total quota: 512
A firewall instance can have up to 900 service members.
- Used quota: The total number of services configured in all user-defined service groups.
- Total quota: 900
Example: 10 service groups are configured for a firewall, and each service group contains 20 services. (A total of 200 services are configured.)
The maximum number of service groups that can still be configured is 512 - 10 = 502. The maximum number of services that can still be configured is 900 - 200 = 700.
