Azure subscription and service limits, quotas, and constraints

This document lists some of the most common Microsoft Azure limits, which are also sometimes called quotas.

To learn more about Azure pricing, see Azure pricing overview. There, you can estimate your costs by using the pricing calculator. You also can go to the pricing details page for a particular service, for example, Windows VMs. For tips to help manage your costs, see Prevent unexpected costs with Azure billing and cost management.

Managing limits

Note

Some services have adjustable limits.

When a service doesn't have adjustable limits, the following tables use the header Limit. In those cases, the default and the maximum limits are the same.

When the limit can be adjusted, the tables include Default limit and Maximum limit headers. The limit can be raised above the default limit but not above the maximum limit.

If you want to raise the limit or quota above the default limit, open an online customer support request at no charge.

The terms soft limit and hard limit often are used informally to describe the current, adjustable limit (soft limit) and the maximum limit (hard limit). If a limit isn't adjustable, there won't be a soft limit, only a hard limit.

Free Trial subscriptions aren't eligible for limit or quota increases. If you have a Free Trial subscription, you can upgrade to a Pay-As-You-Go subscription. For more information, see Upgrade your Azure Free Trial subscription to a Pay-As-You-Go subscription and the Free Trial subscription FAQ.

Some limits are managed at a regional level.

Let's use vCPU quotas as an example. To request a quota increase with support for vCPUs, you must decide how many vCPUs you want to use in which regions. You then request an increase in vCPU quotas for the amounts and regions that you want. If you need to use 30 vCPUs in West Europe to run your application there, you specifically request 30 vCPUs in West Europe. Your vCPU quota isn't increased in any other region--only West Europe has the 30-vCPU quota.

As a result, decide what your quotas must be for your workload in any one region. Then request that amount in each region into which you want to deploy. For help in how to determine your current quotas for specific regions, see Resolve errors for resource quotas.

General limits

For limits on resource names, see Naming rules and restrictions for Azure resources.

For information about Resource Manager API read and write limits, see Throttling Resource Manager requests.

Management group limits

The following limits apply to management groups.

Resource	Limit
Management groups per Azure AD tenant	10,000
Subscriptions per management group	Unlimited.
Levels of management group hierarchy	Root level plus 6 levels1
Direct parent management group per management group	One
Management group level deployments per location	8002
Locations of Management group level deployments	10

¹The 6 levels don't include the subscription level.

²If you reach the limit of 800 deployments, delete deployments from the history that are no longer needed. To delete management group level deployments, use Remove-AzManagementGroupDeployment or az deployment mg delete.

Subscription limits

The following limits apply when you use Azure Resource Manager and Azure resource groups.

Resource	Limit
Subscriptions associated with an Azure Active Directory tenant	Unlimited
Coadministrators per subscription	Unlimited
Resource groups per subscription	980
Azure Resource Manager API request size	4,194,304 bytes
Tags per subscription1	50
Unique tag calculations per subscription2	80,000
Subscription-level deployments per location	8003
Locations of Subscription-level deployments	10

¹You can apply up to 50 tags directly to a subscription. However, the subscription can contain an unlimited number of tags that are applied to resource groups and resources within the subscription. The number of tags per resource or resource group is limited to 50.

²Resource Manager returns a list of tag name and values in the subscription only when the number of unique tags is 80,000 or less. A unique tag is defined by the combination of resource ID, tag name, and tag value. For example, two resources with the same tag name and value would be calculated as two unique tags. You still can find a resource by tag when the number exceeds 80,000.

³Deployments are automatically deleted from the history as you near the limit. For more information, see Automatic deletions from deployment history.

Resource group limits

Resource	Limit
Resources per resource group	Resources aren't limited by resource group. Instead, they're limited by resource type in a resource group. See next row.
Resources per resource group, per resource type	800 - Some resource types can exceed the 800 limit. See Resources not limited to 800 instances per resource group.
Deployments per resource group in the deployment history	8001
Resources per deployment	800
Management locks per unique scope	20
Number of tags per resource or resource group	50
Tag key length	512
Tag value length	256

¹Deployments are automatically deleted from the history as you near the limit. Deleting an entry from the deployment history doesn't affect the deployed resources. For more information, see Automatic deletions from deployment history.

Template limits

Value	Limit
Parameters	256
Variables	256
Resources (including copy count)	800
Outputs	64
Template expression	24,576 chars
Resources in exported templates	200
Template size	4 MB
Parameter file size	4 MB

You can exceed some template limits by using a nested template. For more information, see Use linked templates when you deploy Azure resources. To reduce the number of parameters, variables, or outputs, you can combine several values into an object. For more information, see Objects as parameters.

You may get an error with a template or parameter file of less than 4 MB, if the total size of the request is too large. For more information about how to simplify your template to avoid a large request, see Resolve errors for job size exceeded.

Active Directory limits

Here are the usage constraints and other service limits for the Azure AD service.

Category	Limit
Tenants	A single user can belong to a maximum of 500 Azure AD tenants as a member or a guest. A single user can create a maximum of 200 directories.
Domains	You can add no more than 5,000 managed domain names. If you set up all of your domains for federation with on-premises Active Directory, you can add no more than 2,500 domain names in each tenant.
Resources	By default, a maximum of 50,000 Azure AD resources can be created in a single tenant by users of the Azure Active Directory Free edition. If you have at least one verified domain, the default Azure AD service quota for your organization is extended to 300,000 Azure AD resources. The Azure AD service quota for organizations created by self-service sign-up remains 50,000 Azure AD resources, even after you perform an internal admin takeover and the organization is converted to a managed tenant with at least one verified domain. This service limit is unrelated to the pricing tier limit of 500,000 resources on the Azure AD pricing page. To go beyond the default quota, you must contact Microsoft Support. A non-admin user can create no more than 250 Azure AD resources. Both active resources and deleted resources that are available to restore count toward this quota. Only deleted Azure AD resources that were deleted fewer than 30 days ago are available to restore. Deleted Azure AD resources that are no longer available to restore count toward this quota at a value of one-quarter for 30 days. If you have developers who are likely to repeatedly exceed this quota in the course of their regular duties, you can create and assign a custom role with permission to create a limitless number of app registrations.
Schema extensions	String-type extensions can have a maximum of 256 characters. Binary-type extensions are limited to 256 bytes. Only 100 extension values, across all types and all applications, can be written to any single Azure AD resource. Only User, Group, TenantDetail, Device, Application, and ServicePrincipal entities can be extended with string-type or binary-type single-valued attributes.
Applications	A maximum of 100 users and service principals can be owners of a single application. A user, group, or service principal can have a maximum of 1,500 app role assignments. The limitation is on the service principal, user, or group across all app roles and not on the number of assignments on a single app role. An app configured for password-based single sign-on can have a maximum of 48 groups assigned with credentials configured. A user can have credentials configured for a maximum of 48 apps using password-based single sign-on. This limit only applies for credentials configured when the user is directly assigned the app, not when the user is a member of a group which is assigned. See additional limits in Validation differences by supported account types.
Application manifest	A maximum of 1,200 entries can be added to the application manifest. See additional limits in Validation differences by supported account types.
Groups	A non-admin user can create a maximum of 250 groups in an Azure AD organization. Any Azure AD admin who can manage groups in the organization can also create an unlimited number of groups (up to the Azure AD object limit). If you assign a role to a user to remove the limit for that user, assign a less privileged, built-in role such as User Administrator or Groups Administrator. An Azure AD organization can have a maximum of 5,000 dynamic groups and dynamic administrative units combined. A maximum of 500 role-assignable groups can be created in a single Azure AD organization (tenant). A maximum of 100 users can be owners of a single group. Any number of Azure AD resources can be members of a single group. A user can be a member of any number of groups. When security groups are being used in combination with SharePoint Online, a user can be a part of 2,049 security groups in total. This includes both direct and indirect group memberships. When this limit is exceeded, authentication and search results become unpredictable. By default, the number of members in a group that you can synchronize from your on-premises Active Directory to Azure Active Directory by using Azure AD Connect is limited to 50,000 members. If you need to sync a group membership that's over this limit, you must onboard the Azure AD Connect Sync V2 endpoint API. Nested groups in Azure AD are not supported within all scenarios. When you select a list of groups, you can assign a group expiration policy to a maximum of 500 Microsoft 365 groups. There is no limit when the policy is applied to all Microsoft 365 groups. At this time, the following scenarios are supported with nested groups: One group can be added as a member of another group, and you can achieve group nesting. Group membership claims. When an app is configured to receive group membership claims in the token, nested groups in which the signed-in user is a member are included. Conditional access (when a conditional access policy has a group scope). Restricting access to self-serve password reset. Restricting which users can do Azure AD Join and device registration. The following scenarios are not supported with nested groups: App role assignment, for both access and provisioning. Assigning groups to an app is supported, but any groups nested within the directly assigned group won't have access. Group-based licensing (assigning a license automatically to all members of a group). Microsoft 365 Groups.
Application Proxy	A maximum of 500 transactions* per second per Application Proxy application. A maximum of 750 transactions per second for the Azure AD organization. *A transaction is defined as a single HTTP request and response for a unique resource. When clients are throttled, they'll receive a 429 response (too many requests).
Access Panel	There's no limit to the number of applications per user that can be displayed in the Access Panel, regardless of the number of assigned licenses.
Reports	A maximum of 1,000 rows can be viewed or downloaded in any report. Any additional data is truncated.
Administrative units	An Azure AD resource can be a member of no more than 30 administrative units. An Azure AD organization can have a maximum of 5,000 dynamic groups and dynamic administrative units combined.
Azure AD roles and permissions	A maximum of 100 Azure AD custom roles can be created in an Azure AD organization. A maximum of 150 Azure AD custom role assignments for a single principal at any scope. A maximum of 100 Azure AD built-in role assignments for a single principal at non-tenant scope (such as an administrative unit or Azure AD object). There is no limit to Azure AD built-in role assignments at tenant scope. A group can't be added as a group owner. A user's ability to read other users' tenant information can be restricted only by the Azure AD organization-wide switch to disable all non-admin users' access to all tenant information (not recommended). For more information, see To restrict the default permissions for member users. It might take up to 15 minutes or you might have to sign out and sign back in before admin role membership additions and revocations take effect.

API Management limits

Resource	Limit
Maximum number of scale units	12 per region1
Cache size	5 GiB per unit2
Concurrent back-end connections3 per HTTP authority	2,048 per unit4
Maximum cached response size	2 MiB
Maximum policy document size	256 KiB5
Maximum custom gateway domains per service instance6	20
Maximum number of CA certificates per service instance7	10
Maximum number of service instances per subscription8	20
Maximum number of subscriptions per service instance8	500
Maximum number of client certificates per service instance8	50
Maximum number of APIs per service instance8	50
Maximum number of API management operations per service instance8	1,000
Maximum total request duration8	30 seconds
Maximum request payload size8	1 GiB
Maximum buffered payload size8	2 MiB
Maximum request URL size9	16,384 bytes
Maximum length of URL path segment10	260 characters
Maximum size of API schema used by validation policy10	4 MB
Maximum number of schemas10	100
Maximum size of request or response body in validate-content policy10	100 KB
Maximum number of self-hosted gateways11	25
Maximum number of active WebSocket connections per unit	100
Maximum number of tags supported by an API Management resource	15

¹ Scaling limits depend on the pricing tier. For details on the pricing tiers and their scaling limits, see API Management pricing.
² Per unit cache size depends on the pricing tier. To see the pricing tiers and their scaling limits, see API Management pricing.
³ Connections are pooled and reused unless explicitly closed by the back end.
⁴ This limit is per unit of the Basic, Standard, and Premium tiers. The Developer tier is limited to 1,024. This limit doesn't apply to the Consumption tier.
⁵ This limit applies to the Basic, Standard, and Premium tiers. In the Consumption tier, policy document size is limited to 16 KiB.
⁶ Multiple custom domains are supported in the Developer and Premium tiers only.
⁷ CA certificates are not supported in the Consumption tier.
⁸ This limit applies to the Consumption tier only. There are no limits in these categories for other tiers.
⁹ Applies to the Consumption tier only. Includes an up to 2048-bytes long query string.
¹⁰ To increase this limit, contact support.
¹¹ Self-hosted gateways are supported in the Developer and Premium tiers only. The limit applies to the number of self-hosted gateway resources. To raise this limit contact support. Note, that the number of nodes (or replicas) associated with a self-hosted gateway resource is unlimited in the Premium tier and capped at a single node in the Developer tier.

App Service limits

Resource	Free	Shared	Basic	Standard	Premium (v1-v3)	Isolated
Web, mobile, or API apps per Azure App Service plan1	10	100	Unlimited2	Unlimited2	Unlimited2	Unlimited2
App Service plan	10 per region	10 per resource group	100 per resource group	100 per resource group	100 per resource group	100 per resource group
Compute instance type	Shared	Shared	Dedicated3	Dedicated3	Dedicated3	Dedicated3
Scale out (maximum instances)	1 shared	1 shared	3 dedicated3	10 dedicated3	20 dedicated for v1; 30 dedicated for v2 and v3.3	100 dedicated4
Storage5	1 GB5	1 GB5	10 GB5	50 GB5	250 GB5	1 TB12 The available storage quota is 999 GB.
CPU time (5 minutes)6	3 minutes	3 minutes	Unlimited, pay at standard rates	Unlimited, pay at standard rates	Unlimited, pay at standard rates	Unlimited, pay at standard rates
CPU time (day)6	60 minutes	240 minutes	Unlimited, pay at standard rates	Unlimited, pay at standard rates	Unlimited, pay at standard rates	Unlimited, pay at standard rates
Memory (1 hour)	1,024 MB per App Service plan	1,024 MB per app	N/A	N/A	N/A	N/A
Bandwidth	165 MB	Unlimited, data transfer rates apply	Unlimited, data transfer rates apply	Unlimited, data transfer rates apply	Unlimited, data transfer rates apply	Unlimited, data transfer rates apply
Application architecture	32-bit	32-bit	32-bit/64-bit	32-bit/64-bit	32-bit/64-bit	32-bit/64-bit
Web sockets per instance7	5	35	350	Unlimited	Unlimited	Unlimited
Outbound IP connections per instance	600	600	Depends on instance size8	Depends on instance size8	Depends on instance size8	16,000
Concurrent debugger connections per application	1	1	1	5	5	5
App Service Certificates per subscription	Not supported	Not supported	10	10	10	10
Custom domains per app	0 (azurewebsites.net subdomain only)	500	500	500	500	500
Custom domain SSL support	Not supported, wildcard certificate for *.azurewebsites.net available by default	Not supported, wildcard certificate for *.azurewebsites.net available by default	Unlimited SNI SSL connections	Unlimited SNI SSL and 1 IP SSL connections included	Unlimited SNI SSL and 1 IP SSL connections included	Unlimited SNI SSL and 1 IP SSL connections included
Hybrid connections			5 per plan	25 per plan	220 per app	220 per app
Virtual Network Integration				X	X	X
Private Endpoints					100 per app
Integrated load balancer		X	X	X	X	X9
Access restrictions	512 rules per app	512 rules per app	512 rules per app	512 rules per app	512 rules per app	512 rules per app
Always On			X	X	X	X
Scheduled backups				Scheduled backups every 2 hours, a maximum of 12 backups per day (manual + scheduled)	Scheduled backups every hour, a maximum of 50 backups per day (manual + scheduled)	Scheduled backups every hour, a maximum of 50 backups per day (manual + scheduled)
Autoscale				X	X	X
WebJobs10	X	X	X	X	X	X
Endpoint monitoring			X	X	X	X
Staging slots per app				5	20	20
Testing in Production				X	X	X
Diagnostic Logs	X	X	X	X	X	X
Kudu	X	X	X	X	X	X
Authentication and Authorization	X	X	X	X	X	X
App Service Managed Certificates11			X	X	X	X
SLA			99.95%	99.95%	99.95%	99.95%

¹ Apps and storage quotas are per App Service plan unless noted otherwise.

² The actual number of apps that you can host on these machines depends on the activity of the apps, the size of the machine instances, and the corresponding resource utilization.

³ Dedicated instances can be of different sizes. For more information, see App Service pricing.

⁴ More are allowed upon request.

⁵ The storage limit is the total content size across all apps in the same App service plan. The total content size of all apps across all App service plans in a single resource group and region cannot exceed 500 GB. The file system quota for App Service hosted apps is determined by the aggregate of App Service plans created in a region and resource group.

⁶ These resources are constrained by physical resources on the dedicated instances (the instance size and the number of instances).

⁷ If you scale an app in the Basic tier to two instances, you have 350 concurrent connections for each of the two instances. For Standard tier and above, there are no theoretical limits to web sockets, but other factors can limit the number of web sockets. For example, maximum concurrent requests allowed (defined by maxConcurrentRequestsPerCpu) are: 7,500 per small VM, 15,000 per medium VM (7,500 x 2 cores), and 75,000 per large VM (18,750 x 4 cores).

⁸ The maximum IP connections are per instance and depend on the instance size: 1,920 per B1/S1/P1V3 instance, 3,968 per B2/S2/P2V3 instance, 8,064 per B3/S3/P3V3 instance.

⁹ App Service Isolated SKUs can be internally load balanced (ILB) with Azure Load Balancer, so there's no public connectivity from the internet. As a result, some features of an ILB Isolated App Service must be used from machines that have direct access to the ILB network endpoint.

¹⁰ Run custom executables and/or scripts on demand, on a schedule, or continuously as a background task within your App Service instance. Always On is required for continuous WebJobs execution. There's no predefined limit on the number of WebJobs that can run in an App Service instance. There are practical limits that depend on what the application code is trying to do.

¹¹ Only issuing standard certificates (wildcard certificates aren't available). Limited to only one free certificate per custom domain.

¹² Total storage usage across all apps deployed in a single App Service Environment (regardless of how they're allocated across different resource groups).

Automation limits

Process automation

Resource	Limit	Notes
Maximum number of new jobs that can be submitted every 30 seconds per Azure Automation account (nonscheduled jobs)	100	When this limit is reached, the subsequent requests to create a job fail. The client receives an error response.
Maximum number of concurrent running jobs at the same instance of time per Automation account (nonscheduled jobs)	200	When this limit is reached, the subsequent requests to create a job fail. The client receives an error response.
Maximum storage size of job metadata for a 30-day rolling period	10 GB (approximately 4 million jobs)	When this limit is reached, the subsequent requests to create a job fail.
Maximum job stream limit	1 MiB	A single stream cannot be larger than 1 MiB.
Maximum number of modules that can be imported every 30 seconds per Automation account	5
Maximum size of a module	100 MB
Maximum size of a node configuration file	1 MB	Applies to state configuration
Job run time, Free tier	500 minutes per subscription per calendar month
Maximum amount of disk space allowed per sandbox1	1 GB	Applies to Azure sandboxes only.
Maximum amount of memory given to a sandbox1	400 MB	Applies to Azure sandboxes only.
Maximum number of network sockets allowed per sandbox1	1,000	Applies to Azure sandboxes only.
Maximum runtime allowed per runbook1	3 hours	Applies to Azure sandboxes only.
Maximum number of Automation accounts in a subscription	No limit
Maximum number of system hybrid runbook workers per Automation Account	4,000
Maximum number of user hybrid runbook workers per Automation Account	4,000
Maximum number of concurrent jobs that can be run on a single Hybrid Runbook Worker	50
Maximum runbook job parameter size	512 kilobytes
Maximum runbook parameters	50	If you reach the 50-parameter limit, you can pass a JSON or XML string to a parameter and parse it with the runbook.
Maximum webhook payload size	512 kilobytes
Maximum days that job data is retained	30 days
Maximum PowerShell workflow state size	5 MB	Applies to PowerShell workflow runbooks when checkpointing workflow.
Maximum number of tags supported by an Automation account	15

¹A sandbox is a shared environment that can be used by multiple jobs. Jobs that use the same sandbox are bound by the resource limitations of the sandbox.

Change Tracking and Inventory

The following table shows the tracked item limits per machine for change tracking.

Resource	Limit	Notes
File	500
File size	5 MB
Registry	250
Windows software	250	Doesn't include software updates.
Linux packages	1,250
Services	250
Daemon	250

Update Management

The following table shows the limits for Update Management.

Resource	Limit	Notes
Number of machines per update deployment	1000
Number of dynamic groups per update deployment	500

Azure App Configuration

Resource	Limit	Comment
Configuration stores for Free tier	1 store per subscription
Configuration stores for Standard tier	Unlimited stores per subscription
Configuration store requests for Free tier	1,000 requests per day	Once the quota is exhausted, HTTP status code 429 will be returned for all requests until the end of the day
Configuration store requests for Standard tier	30,000 per hour	Once the quota is exhausted, requests may return HTTP status code 429 indicating Too Many Requests - until the end of the hour
Storage for Free tier	10 MB
Storage for Standard tier	1 GB
Keys and Values	10 KB	For a single key-value item, including all metadata

Azure Cache for Redis limits

Resource	Limit
Cache size	1.2 TB
Databases	64
Maximum connected clients	40,000
Azure Cache for Redis replicas, for high availability	3
Shards in a premium cache with clustering	10

Azure Cache for Redis limits and sizes are different for each pricing tier. To see the pricing tiers and their associated sizes, see Azure Cache for Redis pricing.

For more information on Azure Cache for Redis configuration limits, see Default Redis server configuration.

Because configuration and management of Azure Cache for Redis instances is done by Microsoft, not all Redis commands are supported in Azure Cache for Redis. For more information, see Redis commands not supported in Azure Cache for Redis.

Azure Cloud Services limits

Resource	Limit
Web or worker roles per deployment1	25
Instance input endpoints per deployment	25
Input endpoints per deployment	25
Internal endpoints per deployment	25
Hosted service certificates per deployment	199

¹Each Azure Cloud Service with web or worker roles can have two deployments, one for production and one for staging. This limit refers to the number of distinct roles, that is, configuration. This limit doesn't refer to the number of instances per role, that is, scaling.

Azure Cognitive Search limits

Pricing tiers determine the capacity and limits of your search service. Tiers include:

• Free multi-tenant service, shared with other Azure subscribers, is intended for evaluation and small development projects.
• Basic provides dedicated computing resources for production workloads at a smaller scale, with up to three replicas for highly available query workloads.
• Standard, which includes S1, S2, S3, and S3 High Density, is for larger production workloads. Multiple levels exist within the Standard tier so that you can choose a resource configuration that best matches your workload profile.

Limits per subscription

You can create multiple services, limited only by the number of services allowed at each tier. For example, you could create up to 16 services at the Basic tier and another 16 services at the S1 tier within the same subscription. For more information about tiers, see Choose an SKU or tier for Azure Cognitive Search.

Maximum service limits can be raised upon request. If you need more services within the same subscription, file a support request.

Resource	Free1	Basic	S1	S2	S3	S3 HD	L1	L2
Maximum services	1	16	16	8	6	6	6	6
Maximum scale in search units (SU)2	N/A	3 SU	36 SU	36 SU	36 SU	36 SU	36 SU	36 SU

¹ Free is based on infrastructure that's shared with other customers. Because the hardware isn't dedicated, scale-up isn't supported on the free tier.

² Search units are billing units, allocated as either a replica or a partition. You need both resources for storage, indexing, and query operations. To learn more about SU computations, see Scale resource levels for query and index workloads.

Limits per search service

A search service is constrained by disk space or by a hard limit on the maximum number of indexes or indexers, whichever comes first. The following table documents storage limits. For maximum object limits, see Limits by resource.

Resource	Free	Basic1	S1	S2	S3	S3 HD	L1	L2
Service level agreement (SLA)2	No	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Storage per partition	50 MB	2 GB	25 GB	100 GB	200 GB	200 GB	1 TB	2 TB
Partitions per service	N/A	1	12	12	12	3	12	12
Partition size	N/A	2 GB	25 GB	100 GB	200 GB	200 GB	1 TB	2 TB
Replicas	N/A	3	12	12	12	12	12	12

¹ Basic has one fixed partition. Additional search units can be used to add replicas for larger query volumes.

² Service level agreements are in effect for billable services on dedicated resources. Free services and preview features have no SLA. For billable services, SLAs take effect when you provision sufficient redundancy for your service. Two or more replicas are required for query (read) SLAs. Three or more replicas are required for query and indexing (read-write) SLAs. The number of partitions isn't an SLA consideration.

To learn more about limits on a more granular level, such as document size, queries per second, keys, requests, and responses, see Service limits in Azure Cognitive Search.

Azure Cognitive Services limits

The following limits are for the number of Cognitive Services resources per Azure subscription. There is a limit of only one allowed 'Free' account, per Cognitive Service type, per subscription. Each of the Cognitive Services may have other limitations, for more information, see Azure Cognitive Services.

Type	Limit	Example
A mixture of Cognitive Services resources	Maximum of 200 total Cognitive Services resources per region.	100 Computer Vision resources in West US, 50 Speech Service resources in West US, and 50 Text Analytics resources in West US.
A single type of Cognitive Services resources.	Maximum of 100 resources per region	100 Computer Vision resources in West US 2, and 100 Computer Vision resources in East US.

Azure Cosmos DB limits

For Azure Cosmos DB limits, see Limits in Azure Cosmos DB.

Azure Data Explorer limits

The following table describes the maximum limits for Azure Data Explorer clusters.

Resource	Limit
Clusters per region per subscription	20
Instances per cluster	1000
Number of databases in a cluster	10,000
Number of follower clusters (data share consumers) per leader cluster (data share producer)	100

The following table describes the limits on management operations performed on Azure Data Explorer clusters.

Scope	Operation	Limit
Cluster	read (for example, get a cluster)	500 per 5 minutes
Cluster	write (for example, create a database)	1000 per hour

Azure Database for MySQL

For Azure Database for MySQL limits, see Limitations in Azure Database for MySQL.

Azure Database for PostgreSQL

For Azure Database for PostgreSQL limits, see Limitations in Azure Database for PostgreSQL.

Azure Functions limits

Resource	Consumption plan	Premium plan	Dedicated plan	ASE	Kubernetes
Default timeout duration (min)	5	30	301	30	30
Max timeout duration (min)	10	unbounded7	unbounded2	unbounded	unbounded
Max outbound connections (per instance)	600 active (1200 total)	unbounded	unbounded	unbounded	unbounded
Max request size (MB)3	100	100	100	100	Depends on cluster
Max query string length3	4096	4096	4096	4096	Depends on cluster
Max request URL length3	8192	8192	8192	8192	Depends on cluster
ACU per instance	100	210-840	100-840	210-2508	AKS pricing
Max memory (GB per instance)	1.5	3.5-14	1.75-14	3.5 - 14	Any node is supported
Max instance count (Windows/Linux)	200/100	100/20	varies by SKU9	1009	Depends on cluster
Function apps per plan	100	100	unbounded4	unbounded	unbounded
App Service plans	100 per region	100 per resource group	100 per resource group	-	-
Deployment slots per app10	2	3	1-209	20	n/a
Storage5	5 TB	250 GB	50-1000 GB	1 TB	n/a
Custom domains per app	5006	500	500	500	n/a
Custom domain SSL support	unbounded SNI SSL connection included	unbounded SNI SSL and 1 IP SSL connections included	unbounded SNI SSL and 1 IP SSL connections included	unbounded SNI SSL and 1 IP SSL connections included	n/a

¹ By default, the timeout for the Functions 1.x runtime in an App Service plan is unbounded.
² Requires the App Service plan be set to Always On. Pay at standard rates.
³ These limits are set in the host.
⁴ The actual number of function apps that you can host depends on the activity of the apps, the size of the machine instances, and the corresponding resource utilization.
⁵ The storage limit is the total content size in temporary storage across all apps in the same App Service plan. Consumption plan uses Azure Files for temporary storage.
⁶ When your function app is hosted in a Consumption plan, only the CNAME option is supported. For function apps in a Premium plan or an App Service plan, you can map a custom domain using either a CNAME or an A record.
⁷ Guaranteed for up to 60 minutes.
⁸ Workers are roles that host customer apps. Workers are available in three fixed sizes: One vCPU/3.5 GB RAM; Two vCPU/7 GB RAM; Four vCPU/14 GB RAM.
⁹ See App Service limits for details.
¹⁰ Including the production slot.

For more information, see Functions Hosting plans comparison.

Azure Health Data Services

Azure Health Data Services limits

Health Data Services is a set of managed API services based on open standards and frameworks. Health Data Services enables workflows to improve healthcare and offers scalable and secure healthcare solutions. Health Data Services includes Fast Healthcare Interoperability Resources (FHIR) service, the Digital Imaging and Communications in Medicine (DICOM) service, and MedTech service.

FHIR service is an implementation of the FHIR specification within Health Data Services. It enables you to combine in a single workspace one or more FHIR service instances with optional DICOM and MedTech service instances. Azure API for FHIR is generally available as a stand-alone service offering.

FHIR service in Azure Health Data Services has a limit of 4 TB for structured storage.

Quota Name	Default Limit	Maximum Limit	Notes
Workspace	10	Contact support	Limit per subscription
FHIR	10	Contact support	Limit per workspace
DICOM	10	Contact support	Limit per workspace
MedTech	10	N/A	Limit per workspace, can't be increased

Azure API for FHIR service limits

Azure API for FHIR is a managed, standards-based, compliant API for clinical health data that enables solutions for actionable analytics and machine learning.

Quota Name	Default Limit	Maximum Limit	Notes
Request Units (RUs)	10,000 RUs	Contact support Maximum available is 1,000,000.	You need a minimum of 400 RUs or 40 RUs/GB, whichever is larger.
Concurrent connections	15 concurrent connections on two instances (for a total of 30 concurrent requests)	Contact support
Azure API for FHIR Service Instances per Subscription	10	Contact support

Azure Kubernetes Service limits

Resource	Limit
Maximum clusters per subscription	5000
Maximum nodes per cluster with Virtual Machine Availability Sets and Basic Load Balancer SKU	100
Maximum nodes per cluster with Virtual Machine Scale Sets and Standard Load Balancer SKU	1000 (across all node pools)
Maximum node pools per cluster	100
Maximum pods per node: Basic networking with Kubenet	Maximum: 250 Azure CLI default: 110 Azure Resource Manager template default: 110 Azure portal deployment default: 30
Maximum pods per node: Advanced networking with Azure Container Networking Interface	Maximum: 250 Default: 30
Open Service Mesh (OSM) AKS addon	Kubernetes Cluster Version: 1.19+ OSM controllers per cluster: 1 Pods per OSM controller: 500 Kubernetes service accounts managed by OSM: 50

Kubernetes Control Plane tier	Limit
Paid tier	Automatically scales out based on the load
Free tier	Limited resources with inflight requests limit of 50 mutating and 100 read-only calls

Azure Load Testing limits

For Azure Load Testing limits, see Service limits in Azure Load Testing.

Azure Machine Learning limits

The latest values for Azure Machine Learning Compute quotas can be found in the Azure Machine Learning quota page

Azure Maps limits

The following table shows the usage limit for the Azure Maps S0 pricing tier. Usage limit depends on the pricing tier.

Resource	S0 pricing tier limit
Maximum request rate per subscription	50 requests per second

The following table shows the cumulative data size limit for Azure Maps accounts in an Azure subscription. The Azure Maps Data service is available only at the S1 pricing tier.

Resource	Limit
Maximum storage per Azure subscription	1 GB
Maximum size per file upload	100 MB

For more information on the Azure Maps pricing tiers, see Azure Maps pricing.

Azure Monitor limits

Alerts

Resource	Default limit	Maximum limit
Metric alerts (classic)	100 active alert rules per subscription.	Call support
Metric alerts	5,000 active alert rules per subscription in Azure public, Azure China 21Vianet and Azure Government clouds. If you are hitting this limit, explore if you can use same type multi-resource alerts. 5,000 metric time-series per alert rule.	Call support.
Activity log alerts	100 active alert rules per subscription (cannot be increased).	Same as default
Log alerts	5000 active alert rules per subscription. Out of which 100 active alert rules with 1-minute frequency. 1000 active alert rules per resource. 6000 time series per alert rule.	Call support
Alert processing rules	1000 active rules per subscription.	Call support
Alert rules and alert processing rules description length	Log search alerts 4096 characters All other 2048 characters	Same as default

Alerts API

Azure Monitor Alerts have several throttling limits to protect against users making an excessive number of calls. Such behavior can potentially overload the system backend resources and jeopardize service responsiveness. The following limits are designed to protect customers from interruptions and ensure consistent service level. The user throttling and limits are designed to impact only extreme usage scenario and should not be relevant for typical usage.

Resource	Default limit	Maximum limit
Alerts - Get Summary	50 calls per minute per subscription	Same as default
Alerts - Get All (not "Get By Id")	100 calls per minute per subscription	Same as default
All other alerts calls	1000 calls per minute per subscription	Same as default

Action groups

You may have an unlimited number of action groups in a subscription.

Resource	Default limit	Maximum limit
Azure app push	10 Azure app actions per action group.	Same as Default
Email	1,000 email actions in an action group. No more than 100 emails in an hour. Also see the rate limiting information.	Same as Default
Email ARM role	10 Email ARM role actions per action group.	Same as Default
Event Hub	10 Event Hub actions per action group.	Same as Default
ITSM	10 ITSM actions in an action group.	Same as Default
Logic app	10 logic app actions in an action group.	Same as Default
Runbook	10 runbook actions in an action group.	Same as Default
Secure Webhook	10 secure webhook actions in an action group. Maximum number of webhook calls is 1500 per minute per subscription. Other limits are available at action-specific information.	Same as Default
SMS	10 SMS actions in an action group. No more than 1 SMS message every 5 minutes. Also see the rate limiting information.	Same as Default
Voice	10 voice actions in an action group. No more than 1 voice call every 5 minutes. Also see the rate limiting information.	Same as Default
Webhook	10 webhook actions in an action group. Maximum number of webhook calls is 1500 per minute per subscription. Other limits are available at action-specific information.	Same as Default

Autoscale

Resource	Default limit	Maximum limit
Autoscale settings	100 per region per subscription.	Same as default
Autoscale profiles	20 profiles per autoscale setting.	Same as default

Log queries and language

General query limits

Limit	Description
Query language	Azure Monitor uses the same Kusto query language as Azure Data Explorer. See Azure Monitor log query language differences for KQL language elements not supported in Azure Monitor.
Azure regions	Log queries can experience excessive overhead when data spans Log Analytics workspaces in multiple Azure regions. See Query limits for details.
Cross resource queries	Maximum number of Application Insights resources and Log Analytics workspaces in a single query limited to 100. Cross-resource query is not supported in View Designer. Cross-resource query in log alerts is supported in the new scheduledQueryRules API. See Cross-resource query limits for details.

User query throttling

Azure Monitor has several throttling limits to protect against users sending an excessive number of queries. Such behavior can potentially overload the system backend resources and jeopardize service responsiveness. The following limits are designed to protect customers from interruptions and ensure consistent service level. The user throttling and limits are designed to impact only extreme usage scenario and should not be relevant for typical usage.

Measure	Limit per user	Description
Concurrent queries	5	A user can run up to 5 concurrent queries, any additional query will be added to a queue. When one of the running queries finishes, the first query in the queue is pulled from the queue and starts running. Note: Alerts queries are not part of this limit.
Time in concurrency queue	3 minutes	If a query sits in the queue for more than 3 minutes without being started, it will be terminated with an HTTP error response with code 429.
Total queries in concurrency queue	200	Once the number of queries in the queue reach 200, the next query will be rejected with an HTTP error code 429. This number is in addition to the five queries that can be running simultaneously.
Query rate	200 queries per 30 seconds	Overall rate of queries that can be submitted by a single user to all workspaces. This limit applies to programmatic queries or queries initiated by visualization parts such as Azure dashboards and the Log Analytics workspace summary page.

• Optimize your queries as described in Optimize log queries in Azure Monitor.
• Dashboards and workbooks can contain multiple queries in a single view that generate a burst of queries every time they load or refresh. Consider breaking them up into multiple views that load on demand.
• In Power BI, consider extracting only aggregated results rather than raw logs.

Log Analytics workspaces

Data collection volume and retention

Pricing tier	Limit per day	Data retention	Comment
Pay-as-you-go (introduced April 2018)	No limit	up to 730 days interactive retention / up to 7 years data archive	Data retention beyond 31 days is available for additional charges. Learn more about Azure Monitor pricing.
Commitment tiers (introduced November 2019)	No limit	up to 730 days interactive retention / up to 7 years data archive	Data retention beyond 31 days is available for additional charges. Learn more about Azure Monitor pricing.
Legacy Per Node (OMS) (introduced April 2016)	No limit	30 to 730 days	Data retention beyond 31 days is available for additional charges. Learn more about Azure Monitor pricing. Access to use tier is limited to subscriptions that contained a Log Analytics workspace or Application Insights resource on April 2, 2018, or are linked to an Enterprise Agreement that started before February 1, 2019 and is still active.
Legacy Standalone tier (introduced April 2016)	No limit	30 to 730 days	Data retention beyond 31 days is available for additional charges. Learn more about Azure Monitor pricing. Access to use tier is limited to subscriptions that contained a Log Analytics workspace or Application Insights resource on April 2, 2018, or are linked to an Enterprise Agreement that started before February 1, 2019 and is still active.
Legacy Free tier (introduced April 2016)	500 MB	7 days	When your workspace reaches the 500 MB per day limit, data ingestion stops and resumes at the start of the next day. A day is based on UTC. Data collected by Microsoft Defender for Cloud isn't included in this 500 MB per day limit and will continue to be collected above this limit. Creating new workspaces in, or moving existing workspaces into, the legacy Free Trial pricing tier is possible only until July 1, 2022.
Legacy Standard tier	No limit	30 days	Retention can't be adjusted. This tier has not been available to any new workspaces since October 1, 2016.
Legacy Premium tier	No limit	365 days	Retention can't be adjusted. This tier has not been available to any new workspaces since October 1, 2016.

Number of workspaces per subscription.

Pricing tier	Workspace limit	Comments
Legacy Free tier	10	This limit can't be increased. Creating new workspaces in, or moving existing workspaces into, the legacy Free Trial pricing tier is possible only until July 1, 2022.
All other tiers	No limit	You're limited by the number of resources within a resource group and the number of resource groups per subscription.

Azure portal

Category	Limit	Comments
Maximum records returned by a log query	30,000	Reduce results using query scope, time range, and filters in the query.

Data Collector API

Category	Limit	Comments
Maximum size for a single post	30 MB	Split larger volumes into multiple posts.
Maximum size for field values	32 KB	Fields longer than 32 KB are truncated.

Query API

Category	Limit	Comments
Maximum records returned in a single query	500,000
Maximum size of data returned	~104 MB (~100 MiB)	The API returns up to 64 MB of compressed data, which translates to up to 100 MB of raw data.
Maximum query running time	10 minutes	See Timeouts for details.
Maximum request rate	200 requests per 30 seconds per Azure AD user or client IP address	See Log queries and language.

Azure Monitor Logs connector

Category	Limit	Comments
Max size of data	~16.7 MB (~16 MiB)	The connector infrastructure dictates that limit is set lower than query API limit
Max number of records	500,000
Max connector timeout	110 second
Max query timeout	100 second
Charts		The Logs page and the connector use different charting libraries for visualization. Some functionality isn't currently available in the connector.

General workspace limits

Category	Limit	Comments
Maximum columns in a table	500
Maximum characters for column name	45

Data ingestion volume rate

Azure Monitor is a high scale data service that serves thousands of customers sending terabytes of data each month at a growing pace. The volume rate limit intends to isolate Azure Monitor customers from sudden ingestion spikes in multitenancy environment. A default ingestion volume rate threshold of 500 MB (compressed) is defined in workspaces, this is translated to approximately 6 GB/min uncompressed -- the actual size can vary between data types depending on the log length and its compression ratio. The volume rate limit applies to data ingested from Azure resources via Diagnostic settings. When volume rate limit is reached, a retry mechanism attempts to ingest the data four times in a period of 30 minutes and drop it if operation fails. It doesn't apply to data ingested from agents or Data Collector API.

When data sent to your workspace is at a volume rate higher than 80% of the threshold configured in your workspace, an event is sent to the Operation table in your workspace every 6 hours while the threshold continues to be exceeded. When ingested volume rate is higher than threshold, some data is dropped and an event is sent to the Operation table in your workspace every 6 hours while the threshold continues to be exceeded. If your ingestion volume rate continues to exceed the threshold or you're expecting to reach it sometime soon, you can request to increase it in by opening a support request.

See Monitor health of Log Analytics workspace in Azure Monitor to create alert rules to be proactively notified when you reach any ingestion limits.

Note

Depending on how long you've been using Log Analytics, you might have access to legacy pricing tiers. Learn more about Log Analytics legacy pricing tiers.

Application Insights

There are some limits on the number of metrics and events per application, that is, per instrumentation key. Limits depend on the pricing plan that you choose.

Resource	Default limit	Maximum limit	Notes
Total data per day	100 GB	Contact support.	You can reduce data by setting a cap. If you need more data, you can increase the limit in the portal, up to 1,000 GB. For capacities greater than 1,000 GB, send email to AIDataCap@microsoft.com.
Throttling	32,000 events/second	Contact support.	The limit is measured over a minute.
Data retention logs	30 to 730 days	730 days	This resource is for Logs.
Data retention metrics	90 days	90 days	This resource is for Metrics Explorer.
Availability multistep test detailed results retention	90 days	90 days	This resource provides detailed results of each step.
Maximum telemetry item size	64 KB	64 KB
Maximum telemetry items per batch	64,000	64,000
Property and metric name length	150	150	See type schemas.
Property value string length	8,192	8,192	See type schemas.
Trace and exception message length	32,768	32,768	See type schemas.
Availability tests count per app	100	100
Profiler and Snapshot data retention	Two weeks	Contact support. Maximum retention limit is six months.
Profiler data sent per day	No limit	No limit
Snapshot data sent per day	30 snapshots per day per monitored app	No limit	The number of snapshots collected per application can be modified through configuration.

For more information about pricing and quotas, see Application Insights billing.

Azure Data Factory limits

Azure Data Factory is a multitenant service that has the following default limits in place to make sure customer subscriptions are protected from each other's workloads. To raise the limits up to the maximum for your subscription, contact support.

Version 2

Resource	Default limit	Maximum limit
Total number of entities, such as pipelines, data sets, triggers, linked services, Private Endpoints, and integration runtimes, within a data factory	5,000	Contact support.
Total CPU cores for Azure-SSIS Integration Runtimes under one subscription	256	Contact support.
Concurrent pipeline runs per data factory that's shared among all pipelines in the factory	10,000	10,000
Concurrent External activity runs per subscription per Azure Integration Runtime region External activities are managed on integration runtime but execute on linked services, including Databricks, stored procedure, Web, and others. This limit does not apply to Self-hosted IR.	3,000	3,000
Concurrent Pipeline activity runs per subscription per Azure Integration Runtime region Pipeline activities execute on integration runtime, including Lookup, GetMetadata, and Delete. This limit does not apply to Self-hosted IR.	1,000	1,000
Concurrent authoring operations per subscription per Azure Integration Runtime region Including test connection, browse folder list and table list, preview data. This limit does not apply to Self-hosted IR.	200	200
Concurrent Data Integration Units1 consumption per subscription per Azure Integration Runtime region	Region group 12: 6,000 Region group 22: 3,000 Region group 32: 1,500 Managed virtual network2: 2,400	Region group 12: 6,000 Region group 22: 3,000 Region group 32: 1,500 Managed virtual network: Contact support.
Maximum activities per pipeline, which includes inner activities for containers	40	40
Maximum number of linked integration runtimes that can be created against a single self-hosted integration runtime	100	Contact support.
Maximum number of node that can be created against a single self-hosted integration runtime	4	Contact support
Maximum parameters per pipeline	50	50
ForEach items	100,000	100,000
ForEach parallelism	20	50
Maximum queued runs per pipeline	100	100
Characters per expression	8,192	8,192
Minimum tumbling window trigger interval	5 min	15 min
Maximum timeout for pipeline activity runs	7 days	7 days
Bytes per object for pipeline objects3	200 KB	200 KB
Bytes per object for dataset and linked service objects3	100 KB	2,000 KB
Bytes per payload for each activity run4	896 KB	896 KB
Data Integration Units1 per copy activity run	256	256
Write API calls	1,200/h	1,200/h This limit is imposed by Azure Resource Manager, not Azure Data Factory.
Read API calls	12,500/h	12,500/h This limit is imposed by Azure Resource Manager, not Azure Data Factory.
Monitoring queries per minute	1,000	1,000
Maximum time of data flow debug session	8 hrs	8 hrs
Concurrent number of data flows per integration runtime	50	Contact support.
Concurrent number of data flows per integration runtime in managed vNet	20	Contact support.
Concurrent number of data flow debug sessions per user per factory	3	3
Data Flow Azure IR TTL limit	4 hrs	4 hrs
Meta Data Entity Size limit in a factory	2 GB	Contact support.

¹ The data integration unit (DIU) is used in a cloud-to-cloud copy operation, learn more from Data integration units (version 2). For information on billing, see Azure Data Factory pricing.

² Azure Integration Runtime is globally available to ensure data compliance, efficiency, and reduced network egress costs.

Region group	Regions
Region group 1	Central US, East US, East US 2, North Europe, West Europe, West US, West US 2
Region group 2	Australia East, Australia Southeast, Brazil South, Central India, Japan East, North Central US, South Central US, Southeast Asia, West Central US
Region group 3	Other regions

If managed virtual network is enabled, the data integration unit (DIU) in all region groups are 2,400.

³ Pipeline, data set, and linked service objects represent a logical grouping of your workload. Limits for these objects don't relate to the amount of data you can move and process with Azure Data Factory. Data Factory is designed to scale to handle petabytes of data.

⁴ The payload for each activity run includes the activity configuration, the associated dataset(s) and linked service(s) configurations if any, and a small portion of system properties generated per activity type. Limit for this payload size doesn't relate to the amount of data you can move and process with Azure Data Factory. Learn about the symptoms and recommendation if you hit this limit.

Version 1

Resource	Default limit	Maximum limit
Pipelines within a data factory	2,500	Contact support.
Data sets within a data factory	5,000	Contact support.
Concurrent slices per data set	10	10
Bytes per object for pipeline objects1	200 KB	200 KB
Bytes per object for data set and linked service objects1	100 KB	2,000 KB
Azure HDInsight on-demand cluster cores within a subscription2	60	Contact support.
Cloud data movement units per copy activity run3	32	32
Retry count for pipeline activity runs	1,000	MaxInt (32 bit)

¹ Pipeline, data set, and linked service objects represent a logical grouping of your workload. Limits for these objects don't relate to the amount of data you can move and process with Azure Data Factory. Data Factory is designed to scale to handle petabytes of data.

² On-demand HDInsight cores are allocated out of the subscription that contains the data factory. As a result, the previous limit is the Data Factory-enforced core limit for on-demand HDInsight cores. It's different from the core limit that's associated with your Azure subscription.

³ The cloud data movement unit (DMU) for version 1 is used in a cloud-to-cloud copy operation, learn more from Cloud data movement units (version 1). For information on billing, see Azure Data Factory pricing.

Resource	Default lower limit	Minimum limit
Scheduling interval	15 minutes	15 minutes
Interval between retry attempts	1 second	1 second
Retry timeout value	1 second	1 second

Web service call limits

Azure Resource Manager has limits for API calls. You can make API calls at a rate within the Azure Resource Manager API limits.

Azure NetApp Files

Azure NetApp Files has a regional limit for capacity. The standard capacity limit for each subscription is 25 TiB, per region, across all service levels. To increase the capacity, use the Service and subscription limits (quotas) support request.

To learn more about the limits for Azure NetApp Files, see Resource limits for Azure NetApp Files.

Azure Policy limits

There's a maximum count for each object type for Azure Policy. For definitions, an entry of Scope means the management group or subscription. For assignments and exemptions, an entry of Scope means the management group, subscription, resource group, or individual resource.

Where	What	Maximum count
Scope	Policy definitions	500
Scope	Initiative definitions	200
Tenant	Initiative definitions	2,500
Scope	Policy or initiative assignments	200
Scope	Exemptions	1000
Policy definition	Parameters	20
Initiative definition	Policies	1000
Initiative definition	Parameters	300
Policy or initiative assignments	Exclusions (notScopes)	400
Policy rule	Nested conditionals	512
Remediation task	Resources	50,000
Policy definition, initiative, or assignment request body	Bytes	1,048,576

Policy rules have additional limits to the number of conditions and their complexity. See Policy rule limits for more details.

Azure Quantum limits

Provider Limits & Quota

The Azure Quantum Service supports both first and third-party service providers. Third-party providers own their limits and quotas. Users can view offers and limits in the Azure portal when configuring third-party providers.

You can find the published quota limits for Microsoft's first party Optimization Solutions provider below.

Learn & Develop SKU

Resource	Limit
CPU-based concurrent jobs	up to 51 concurrent jobs
FPGA-based concurrent jobs	up to 21 concurrent jobs
CPU-based solver hours	20 hours per month
FPGA-based solver hours	1 hour per month

While on the Learn & Develop SKU, you cannot request an increase on your quota limits. Instead you should switch to the Performance at Scale SKU.

Performance at Scale SKU

Resource	Default Limit	Maximum Limit
CPU-based concurrent jobs	up to 1001 concurrent jobs	same as default limit
FPGA-based concurrent jobs	up to 101 concurrent jobs	same as default limit
Solver hours	1,000 hours per month	up to 50,000 hours per month

Reach out to Azure Support to request a limit increase.

For more information, please review the Azure Quantum pricing page. Review the relevant provider pricing pages in the Azure portal for details on third-party offerings.

¹ Describes the number of jobs that can be queued at the same time.

Azure RBAC limits

The following limits apply to Azure role-based access control (Azure RBAC).

Area	Resource	Limit
Azure role assignments
	Azure role assignments per Azure subscription The role assignments limit for a subscription is currently being increased. For more information, see Troubleshoot Azure RBAC.	2,000
	Azure role assignments per management group	500
	Size of description for Azure role assignments	2 KB
	Size of condition for Azure role assignments	8 KB
Azure custom roles
	Azure custom roles per tenant	5,000
	Azure custom roles per tenant (for Azure Germany and Azure China 21Vianet)	2,000
	Size of role name for Azure custom roles	512 chars
	Size of description for Azure custom roles	2 KB
	Number of assignable scopes for Azure custom roles	2,000

Azure SignalR Service limits

Resource	Default limit	Maximum limit
Azure SignalR Service units per instance for Free tier	1	1
Azure SignalR Service units per instance for Standard tier	100	100
Azure SignalR Service units per subscription per region for Free tier	5	5
Total Azure SignalR Service unit counts per subscription per region	150	Unlimited
Concurrent connections per unit for Free tier	20	20
Concurrent connections per unit for Standard tier	1,000	1,000
Included messages per unit per day for Free tier	20,000	20,000
Additional messages per unit per day for Free tier	0	0
Included messages per unit per day for Standard tier	1,000,000	1,000,000
Additional messages per unit per day for Standard tier	Unlimited	Unlimited

To request an update to your subscription's default limits, open a support ticket.

For more information about how connections and messages are counted, see Messages and connections in Azure SignalR Service.

If your requirements exceed the limits, switch from Free tier to Standard tier and add units. For more information, see How to scale an Azure SignalR Service instance?.

If your requirements exceed the limits of a single instance, add instances. For more information, see How to scale SignalR Service with multiple instances?.

Azure Virtual Desktop Service limits

The following table describes the maximum limits for Azure Virtual Desktop.

Azure Virtual Desktop Object	Parent Container Object	Service Limit
Workspace	Azure Active Directory Tenant	1300
HostPool	Workspace	400
Application group	Azure AD Tenant	5001
RemoteApp	Application group	500
Role Assignment	Any Azure Virtual Desktop Object	200
Session Host	HostPool	10,000

¹If you require over 500 Application groups then please raise a support ticket via the Azure portal.

All other Azure resources used in Azure Virtual Desktop such as Virtual Machines, Storage, Networking etc. are all subject to their own resource limitations documented in the relevant sections of this article. To visualise the relationship between all the Azure Virtual Desktop objects, review this article Relationships between Azure Virtual Desktop logical components.

To get started with Azure Virtual Desktop, use the getting started guide. For deeper architectural content for Azure Virtual Desktop, use the Azure Virtual Desktop section of the Cloud Adoption Framework. For pricing information for Azure Virtual Desktop, add "Azure Virtual Desktop" within the Compute section of the Azure Pricing Calculator.

Azure VMware Solution limits

The following table describes the maximum limits for Azure VMware Solution.

Resource	Limit
vSphere clusters per private cloud	12
Minimum number of ESXi hosts per cluster	3
Maximum number of ESXi hosts per cluster	16
ESXi hosts per private cloud	96
vCenter Servers per private cloud	1
HCX site pairings	25 (any edition)
Azure VMware Solution ExpressRoute max linked private clouds	4 The virtual network gateway used determines the actual max linked private clouds. For more details, see About ExpressRoute virtual network gateways
Azure VMware Solution ExpressRoute port speed	10 Gbps The virtual network gateway used determines the actual bandwidth. For more details, see About ExpressRoute virtual network gateways
Public IPs exposed via vWAN	100
vSAN capacity limits	75% of total usable (keep 25% available for SLA)

For other VMware-specific limits, use the VMware configuration maximum tool!.

Backup limits

For a summary of Azure Backup support settings and limitations, see Azure Backup Support Matrices.

Batch limits

Resource	Default limit	Maximum limit
Azure Batch accounts per region per subscription	1-3	50
Dedicated cores per Batch account	90-900	Contact support
Low-priority cores per Batch account	10-100	Contact support
Active jobs and job schedules per Batch account (completed jobs have no limit)	100-300	1,0001
Pools per Batch account	20-100	5001
Private endpoint connections per Batch account	100	100

¹To request an increase beyond this limit, contact Azure Support.

Note

Default limits vary depending on the type of subscription you use to create a Batch account. Cores quotas shown are for Batch accounts in Batch service mode. View the quotas in your Batch account.

Important

To help us better manage capacity during the global health pandemic, the default core quotas for new Batch accounts in some regions and for some types of subscription have been reduced from the above range of values, in some cases to zero cores. When you create a new Batch account, check your core quota and request a core quota increase, if required. Alternatively, consider reusing Batch accounts that already have sufficient quota.

Classic deployment model limits

If you use classic deployment model instead of the Azure Resource Manager deployment model, the following limits apply.

Resource	Default limit	Maximum limit
vCPUs per subscription1	20	10,000
Coadministrators per subscription	200	200
Storage accounts per subscription2	100	100
Cloud services per subscription	20	200
Local networks per subscription	10	500
DNS servers per subscription	9	100
Reserved IPs per subscription	20	100
Affinity groups per subscription	256	256
Subscription name length (characters)	64	64

¹Extra small instances count as one vCPU toward the vCPU limit despite using a partial CPU core.

²The storage account limit includes both Standard and Premium storage accounts.

Container Instances limits

Resource	Actual Limit
Standard sku container groups per region per subscription	100
Dedicated sku container groups per region per subscription	01
Number of containers per container group	60
Number of volumes per container group	20
Standard sku cores (CPUs) per region per subscription	100
Standard sku cores (CPUs) for K80 GPU per region per subscription	0
Standard sku cores (CPUs) for V100 GPU per region per subscription	0
Ports per IP	5
Container instance log size - running instance	4 MB
Container instance log size - stopped instance	16 KB or 1,000 lines
Container group creates per hour	3001
Container group creates per 5 minutes	1001
Container group deletes per hour	3001
Container group deletes per 5 minutes	1001

¹To request a limit increase, create an Azure Support request. Free subscriptions including Azure Free Account and Azure for Students aren't eligible for limit or quota increases. If you have a free subscription, you can upgrade to a Pay-As-You-Go subscription.
²Default limit for Pay-As-You-Go subscription. Limit may differ for other category types.

Container Registry limits

The following table details the features and limits of the Basic, Standard, and Premium service tiers.

Resource	Basic	Standard	Premium
Included storage1 (GiB)	10	100	500
Storage limit (TiB)	20	20	20
Maximum image layer size (GiB)	200	200	200
Maximum manifest size (MiB)	4	4	4
ReadOps per minute2, 3	1,000	3,000	10,000
WriteOps per minute2, 4	100	500	2,000
Download bandwidth2 (Mbps)	30	60	100
Upload bandwidth 2 (Mbps)	10	20	50
Webhooks	2	10	500
Geo-replication	N/A	N/A	Supported
Availability zones	N/A	N/A	Supported
Content trust	N/A	N/A	Supported
Private link with private endpoints	N/A	N/A	Supported
• Private endpoints	N/A	N/A	200
Public IP network rules	N/A	N/A	100
Service endpoint VNet access	N/A	N/A	Preview
• Virtual network rules	N/A	N/A	100
Customer-managed keys	N/A	N/A	Supported
Repository-scoped permissions	N/A	N/A	Preview
• Tokens	N/A	N/A	20,000
• Scope maps	N/A	N/A	20,000
• Repositories per scope map	N/A	N/A	500

¹ Storage included in the daily rate for each tier. Additional storage may be used, up to the registry storage limit, at an additional daily rate per GiB. For rate information, see Azure Container Registry pricing. If you need storage beyond the registry storage limit, please contact Azure Support.

²ReadOps, WriteOps, and Bandwidth are minimum estimates. Azure Container Registry strives to improve performance as usage requires.

³A docker pull translates to multiple read operations based on the number of layers in the image, plus the manifest retrieval.

⁴A docker push translates to multiple write operations, based on the number of layers that must be pushed. A docker push includes ReadOps to retrieve a manifest for an existing image.

⁵ Individual actions of content/delete, content/read, content/write, metadata/read, metadata/write corresponds to the limit of Repositories per scope map.

Content Delivery Network limits

Resource	Limit
Azure Content Delivery Network profiles	25
Content Delivery Network endpoints per profile	25
Custom domains per endpoint	25
Maximum origin group per profile	10
Maximum origin per origin group	10
Maximum number of rules per CDN endpoint	25
Maximum number of match conditions per rule	10
Maximum number of actions per rule	5

A Content Delivery Network subscription can contain one or more Content Delivery Network profiles. A Content Delivery Network profile can contain one or more Content Delivery Network endpoints. You might want to use multiple profiles to organize your Content Delivery Network endpoints by internet domain, web application, or some other criteria.

Data Lake Analytics limits

Azure Data Lake Analytics makes the complex task of managing distributed infrastructure and complex code easy. It dynamically provisions resources, and you can use it to do analytics on exabytes of data. When the job completes, it winds down resources automatically. You pay only for the processing power that was used. As you increase or decrease the size of data stored or the amount of compute used, you don't have to rewrite code. To raise the default limits for your subscription, contact support.

Resource	Limit	Comments
Maximum number of concurrent jobs	20
Maximum number of analytics units (AUs) per account	250	Use any combination of up to a maximum of 250 AUs across 20 jobs. To increase this limit, contact Microsoft Support.
Maximum script size for job submission	3 MB
Maximum number of Data Lake Analytics accounts per region per subscription	5	To increase this limit, contact Microsoft Support.

Data Factory limits

Azure Data Factory is a multitenant service that has the following default limits in place to make sure customer subscriptions are protected from each other's workloads. To raise the limits up to the maximum for your subscription, contact support.

Version 2

Resource	Default limit	Maximum limit
Total number of entities, such as pipelines, data sets, triggers, linked services, Private Endpoints, and integration runtimes, within a data factory	5,000	Contact support.
Total CPU cores for Azure-SSIS Integration Runtimes under one subscription	256	Contact support.
Concurrent pipeline runs per data factory that's shared among all pipelines in the factory	10,000	10,000
Concurrent External activity runs per subscription per Azure Integration Runtime region External activities are managed on integration runtime but execute on linked services, including Databricks, stored procedure, Web, and others. This limit does not apply to Self-hosted IR.	3,000	3,000
Concurrent Pipeline activity runs per subscription per Azure Integration Runtime region Pipeline activities execute on integration runtime, including Lookup, GetMetadata, and Delete. This limit does not apply to Self-hosted IR.	1,000	1,000
Concurrent authoring operations per subscription per Azure Integration Runtime region Including test connection, browse folder list and table list, preview data. This limit does not apply to Self-hosted IR.	200	200
Concurrent Data Integration Units1 consumption per subscription per Azure Integration Runtime region	Region group 12: 6,000 Region group 22: 3,000 Region group 32: 1,500 Managed virtual network2: 2,400	Region group 12: 6,000 Region group 22: 3,000 Region group 32: 1,500 Managed virtual network: Contact support.
Maximum activities per pipeline, which includes inner activities for containers	40	40
Maximum number of linked integration runtimes that can be created against a single self-hosted integration runtime	100	Contact support.
Maximum number of node that can be created against a single self-hosted integration runtime	4	Contact support
Maximum parameters per pipeline	50	50
ForEach items	100,000	100,000
ForEach parallelism	20	50
Maximum queued runs per pipeline	100	100
Characters per expression	8,192	8,192
Minimum tumbling window trigger interval	5 min	15 min
Maximum timeout for pipeline activity runs	7 days	7 days
Bytes per object for pipeline objects3	200 KB	200 KB
Bytes per object for dataset and linked service objects3	100 KB	2,000 KB
Bytes per payload for each activity run4	896 KB	896 KB
Data Integration Units1 per copy activity run	256	256
Write API calls	1,200/h	1,200/h This limit is imposed by Azure Resource Manager, not Azure Data Factory.
Read API calls	12,500/h	12,500/h This limit is imposed by Azure Resource Manager, not Azure Data Factory.
Monitoring queries per minute	1,000	1,000
Maximum time of data flow debug session	8 hrs	8 hrs
Concurrent number of data flows per integration runtime	50	Contact support.
Concurrent number of data flows per integration runtime in managed vNet	20	Contact support.
Concurrent number of data flow debug sessions per user per factory	3	3
Data Flow Azure IR TTL limit	4 hrs	4 hrs
Meta Data Entity Size limit in a factory	2 GB	Contact support.

¹ The data integration unit (DIU) is used in a cloud-to-cloud copy operation, learn more from Data integration units (version 2). For information on billing, see Azure Data Factory pricing.

² Azure Integration Runtime is globally available to ensure data compliance, efficiency, and reduced network egress costs.

Region group	Regions
Region group 1	Central US, East US, East US 2, North Europe, West Europe, West US, West US 2
Region group 2	Australia East, Australia Southeast, Brazil South, Central India, Japan East, North Central US, South Central US, Southeast Asia, West Central US
Region group 3	Other regions

If managed virtual network is enabled, the data integration unit (DIU) in all region groups are 2,400.

³ Pipeline, data set, and linked service objects represent a logical grouping of your workload. Limits for these objects don't relate to the amount of data you can move and process with Azure Data Factory. Data Factory is designed to scale to handle petabytes of data.

⁴ The payload for each activity run includes the activity configuration, the associated dataset(s) and linked service(s) configurations if any, and a small portion of system properties generated per activity type. Limit for this payload size doesn't relate to the amount of data you can move and process with Azure Data Factory. Learn about the symptoms and recommendation if you hit this limit.

Version 1

Resource	Default limit	Maximum limit
Pipelines within a data factory	2,500	Contact support.
Data sets within a data factory	5,000	Contact support.
Concurrent slices per data set	10	10
Bytes per object for pipeline objects1	200 KB	200 KB
Bytes per object for data set and linked service objects1	100 KB	2,000 KB
Azure HDInsight on-demand cluster cores within a subscription2	60	Contact support.
Cloud data movement units per copy activity run3	32	32
Retry count for pipeline activity runs	1,000	MaxInt (32 bit)

¹ Pipeline, data set, and linked service objects represent a logical grouping of your workload. Limits for these objects don't relate to the amount of data you can move and process with Azure Data Factory. Data Factory is designed to scale to handle petabytes of data.

² On-demand HDInsight cores are allocated out of the subscription that contains the data factory. As a result, the previous limit is the Data Factory-enforced core limit for on-demand HDInsight cores. It's different from the core limit that's associated with your Azure subscription.

³ The cloud data movement unit (DMU) for version 1 is used in a cloud-to-cloud copy operation, learn more from Cloud data movement units (version 1). For information on billing, see Azure Data Factory pricing.

Resource	Default lower limit	Minimum limit
Scheduling interval	15 minutes	15 minutes
Interval between retry attempts	1 second	1 second
Retry timeout value	1 second	1 second

Web service call limits

Azure Resource Manager has limits for API calls. You can make API calls at a rate within the Azure Resource Manager API limits.

Data Lake Storage limits

Azure Data Lake Storage Gen2 is not a dedicated service or storage account type. It is the latest release of capabilities that are dedicated to big data analytics. These capabilities are available in a general-purpose v2 or BlockBlobStorage storage account, and you can obtain them by enabling the Hierarchical namespace feature of the account. For scale targets, see these articles.

• Scale targets for Blob storage.
• Scale targets for standard storage accounts.

Azure Data Lake Storage Gen1 is a dedicated service. It's an enterprise-wide hyper-scale repository for big data analytic workloads. You can use Data Lake Storage Gen1 to capture data of any size, type, and ingestion speed in one single place for operational and exploratory analytics. There's no limit to the amount of data you can store in a Data Lake Storage Gen1 account.

Resource	Limit	Comments
Maximum number of Data Lake Storage Gen1 accounts, per subscription, per region	10	To request an increase for this limit, contact support.
Maximum number of access ACLs, per file or folder	32	This is a hard limit. Use groups to manage access with fewer entries.
Maximum number of default ACLs, per file or folder	32	This is a hard limit. Use groups to manage access with fewer entries.

Data Share limits

Azure Data Share enables organizations to simply and securely share data with their customers and partners.

Resource	Limit
Maximum number of Data Share resources per Azure subscription	100
Maximum number of sent shares per Data Share resource	200
Maximum number of received shares per Data Share resource	100
Maximum number of invitations per sent share	200
Maximum number of share subscriptions per sent share	200
Maximum number of datasets per share	200
Maximum number of snapshot schedules per share	1

Database Migration Service Limits

Azure Database Migration Service is a fully managed service designed to enable seamless migrations from multiple database sources to Azure data platforms with minimal downtime.

Resource	Limit	Comments
Maximum number of services per subscription, per region	10	To request an increase for this limit, contact support.

Device Update for IoT Hub limits

Note

When a given resource or operation doesn't have adjustable limits, the default and the maximum limits are the same. When the limit can be adjusted, the table includes different values for Default limit and Maximum limit headers. The limit can be raised above the default limit but not above the maximum limit. If you want to raise the limit or quota above the default limit, open an online customer support request.

This table provides the limits for the Device Update for IoT Hub resource in Azure Resource Manager:

Resource	Default Limit	Maximum Limit	Adjustable?
Accounts per subscription	2	25	Yes
Instances per account	2	25	Yes
Length of account name	Minimum: 3 Maximum: 24	Minimum: 3 Maximum: 24	No
Length of instance name	Minimum: 3 Maximum: 36	Minimum: 3 Maximum: 36	No

This table provides the various limits associated with the operations within Device Update for IoT Hub:

Operation	Default Limit	Maximum Limit	Adjustable?
Number of devices per instance	10,000	10,000	No
Number of update providers per instance	25	25	No
Number of update names per provider per instance	25	25	No
Number of update versions per update provider and name per instance	100	100	No
Total number of updates per instance	100	100	No
Maximum single update file size	2 GB	2 GB	No
Maximum combined size of all files in a single import action	2 GB	2 GB	No
Number of device groups per instance	75	75	No

Digital Twins limits

Note

Some areas of this service have adjustable limits, and others do not. This is represented in the tables below with the Adjustable? column. When the limit can be adjusted, the Adjustable? value is Yes.

Functional limits

The following table lists the functional limits of Azure Digital Twins.

Tip

For modeling recommendations to operate within these functional limits, see Modeling best practices.

Area	Capability	Default limit	Adjustable?
Azure resource	Number of Azure Digital Twins instances in a region, per subscription	10	Yes
Digital twins	Number of twins in an Azure Digital Twins instance	1,000,000	Yes
Digital twins	Number of incoming relationships to a single twin	5,000	No
Digital twins	Number of outgoing relationships from a single twin	5,000	No
Digital twins	Maximum size (of JSON body in a PUT or PATCH request) of a single twin	32 KB	No
Digital twins	Maximum request payload size	32 KB	No
Digital twins	Maximum size of a string property value (UTF-8)	4 KB	No
Digital twins	Maximum size of a propery name	1 KB	No
Routing	Number of endpoints for a single Azure Digital Twins instance	6	No
Routing	Number of routes for a single Azure Digital Twins instance	6	Yes
Models	Number of models within a single Azure Digital Twins instance	10,000	Yes
Models	Number of models that can be uploaded in a single API call	250	No
Models	Maximum size (of JSON body in a PUT or PATCH request) of a single model	1 MB	No
Models	Number of items returned in a single page	100	No
Query	Number of items returned in a single page	1000	Yes
Query	Number of AND / OR expressions in a query	50	Yes
Query	Number of array items in an IN / NOT IN clause	50	Yes
Query	Number of characters in a query	8,000	Yes
Query	Number of JOINS in a query	5	Yes

Rate limits

The following table reflects the rate limits of different APIs.

API	Capability	Default limit	Adjustable?
Models API	Number of requests per second	100	Yes
Digital Twins API	Number of read requests per second	1,000	Yes
Digital Twins API	Number of patch requests per second	1,000	Yes
Digital Twins API	Number of create/delete operations per second across all twins and relationships	50	Yes
Digital Twins API	Number of create/update/delete operations per second on a single twin or its incoming/outgoing relationships	10	No
Digital Twins API	Number of outstanding operations on a single twin or its incoming/outgoing relationships	500	No
Query API	Number of requests per second	500	Yes
Query API	Query Units per second	4,000	Yes
Event Routes API	Number of requests per second	100	Yes

Other limits

Limits on data types and fields within DTDL documents for Azure Digital Twins models can be found within its spec documentation in GitHub: Digital Twins Definition Language (DTDL) - version 2.

Query latency details are described in Query language. Limitations of particular query language features can be found in the query reference documentation.

Event Grid limits

The following limits apply to Azure Event Grid topics (system, custom, and partner topics).

Note

These limits are per region.

Resource	Limit
Custom topics per Azure subscription	100. When the limit is reached, you can consider a different region or consider using domains, which can support 100,000 topics.
Event subscriptions per topic	500 This limit can't be increased.
Publish rate for a custom or a partner topic (ingress)	5,000 events/sec or 5 MB/sec (whichever is met first)
Event size	1 MB This limit can't be increased.
Number of incoming events per batch	5,000 This limit can't be increased.
Private endpoint connections per topic	64 This limit can't be increased.
IP Firewall rules per topic	16

The following limits apply to Azure Event Grid domains.

Resource	Limit
Topics per event domain	100,000
Event subscriptions per topic within a domain	500 This limit can't be increased.
Domain scope event subscriptions	50 This limit can't be increased.
Publish rate for an event domain (ingress)	5,000 events/sec or 5 MB/sec (whichever is met first)
Event Domains per Azure Subscription	100
Private endpoint connections per domain	64
IP Firewall rules per domain	16

Event Hubs limits

The following tables provide quotas and limits specific to Azure Event Hubs. For information about Event Hubs pricing, see Event Hubs pricing.

Common limits for all tiers

The following limits are common across all tiers.

Limit	Notes	Value
Size of an event hub name	-	256 characters
Size of a consumer group name	Kafka protocol doesn't require the creation of a consumer group.	Kafka: 256 characters AMQP: 50 characters
Number of non-epoch receivers per consumer group	-	5
Number of authorization rules per namespace	Subsequent requests for authorization rule creation are rejected.	12
Number of calls to the GetRuntimeInformation method	-	50 per second
Number of virtual networks (VNet)	-	128
Number of IP Config rules	-	128
Maximum length of a schema group name		50
Maximum length of a schema name		100
Size in bytes per schema		1 MB
Number of properties per schema group		1024
Size in bytes per schema group property key		256
Size in bytes per schema group property value		1024

Basic vs. standard vs. premium vs. dedicated tiers

The following table shows limits that may be different for basic, standard, premium, and dedicated tiers.

Note

• In the table, CU is capacity unit, PU is processing unit, and TU is throughput unit.
• You can configure TUs for a basic or standard tier namespace or PUs for a premium tier namespace.
• When you create a dedicated cluster, 1 CU is assigned to the cluster. To have more CUs for the cluster, submit a ticket.

Limit	Basic	Standard	Premium	Dedicated
Maximum size of Event Hubs publication	256 KB	1 MB	1 MB	1 MB
Number of consumer groups per event hub	1	20	100	1000 No limit per CU
Number of brokered connections per namespace	100	5,000	10000 per PU For example, if the namespace is assigned 3 PUs, the limit is 30000.	100, 000 per CU
Maximum retention period of event data	1 day	7 days	90 days	90 days
Maximum TUs or PUs or CUs	40 TUs	40 TUs	16 PUs	20 CUs
Number of partitions per event hub	32	32	100 per event hub, but there is a limit of 200 per PU at the namespace level. For example, if a namespace is assigned 2 PUs, the limit for total number of partitions in all event hubs in the namespace is 2 * 200 = 400.	1024 per event hub 2000 per CU
Number of namespaces per subscription	1000	1000	1000	1000 (50 per CU)
Number of event hubs per namespace	10	10	100 per PU	1000
Capture	N/A	Pay per hour	Included	Included
Size of the schema registry (namespace) in mega bytes	N/A	25	100	1024
Number of schema groups in a schema registry or namespace	N/A	1 - excluding the default group	100 1 MB per schema	1000 1 MB per schema
Number of schema versions across all schema groups	N/A	25	1000	10000
Throughput per unit	Ingress - 1 MB/s or 1000 events per second Egress – 2 MB/s or 4096 events per second	Ingress - 1 MB/s or 1000 events per second Egress – 2 MB/s or 4096 events per second	No limits per PU *	No limits per CU *

* Depends on various factors such as resource allocation, number of partitions, storage, and so on.

Note

You can publish events individually or batched. The publication limit (according to SKU) applies regardless of whether it is a single event or a batch. Publishing events larger than the maximum threshold will be rejected.

IoT Central limits

IoT Central limits the number of applications you can deploy in a subscription to 10. If you need to increase this limit, contact Microsoft support.

IoT Hub limits

The following table lists the limits associated with the different service tiers S1, S2, S3, and F1. For information about the cost of each unit in each tier, see Azure IoT Hub pricing.

Resource	S1 Standard	S2 Standard	S3 Standard	F1 Free
Messages/day	400,000	6,000,000	300,000,000	8,000
Maximum units	200	200	10	1

Note

If you anticipate using more than 200 units with an S1 or S2 tier hub or 10 units with an S3 tier hub, contact Microsoft Support.

The following table lists the limits that apply to IoT Hub resources.

Resource	Limit
Maximum paid IoT hubs per Azure subscription	50
Maximum free IoT hubs per Azure subscription	1
Maximum number of characters in a device ID	128
Maximum number of device identities returned in a single call	1,000
IoT Hub message maximum retention for device-to-cloud messages	7 days
Maximum size of device-to-cloud message	256 KB
Maximum size of device-to-cloud batch	AMQP and HTTP: 256 KB for the entire batch MQTT: 256 KB for each message
Maximum messages in device-to-cloud batch	500
Maximum size of cloud-to-device message	64 KB
Maximum TTL for cloud-to-device messages	2 days
Maximum delivery count for cloud-to-device messages	100
Maximum cloud-to-device queue depth per device	50
Maximum delivery count for feedback messages in response to a cloud-to-device message	100
Maximum TTL for feedback messages in response to a cloud-to-device message	2 days
Maximum size of device twin	8 KB for tags section, and 32 KB for desired and reported properties sections each
Maximum length of device twin string key	1 KB
Maximum length of device twin string value	4 KB
Maximum depth of object in device twin	10
Maximum size of direct method payload	128 KB
Job history maximum retention	30 days
Maximum concurrent jobs	10 (for S3), 5 for (S2), 1 (for S1)
Maximum additional endpoints (beyond built-in endpoints)	10 (for S1, S2, and S3)
Maximum message routing rules	100 (for S1, S2, and S3)
Maximum number of concurrently connected device streams	50 (for S1, S2, S3, and F1 only)
Maximum device stream data transfer	300 MB per day (for S1, S2, S3, and F1 only)

Note

If you need more than 50 paid IoT hubs in an Azure subscription, contact Microsoft Support.

Note

Currently, the total number of devices plus modules that can be registered to a single IoT hub is capped at 1,000,000. If you want to increase this limit, contact Microsoft Support.

IoT Hub throttles requests when the following quotas are exceeded.

Throttle	Per-hub value
Identity registry operations (create, retrieve, list, update, and delete), individual or bulk import/export	83.33/sec/unit (5,000/min/unit) (for S3). 1.67/sec/unit (100/min/unit) (for S1 and S2).
Device connections	6,000/sec/unit (for S3), 120/sec/unit (for S2), 12/sec/unit (for S1). Minimum of 100/sec.
Device-to-cloud sends	6,000/sec/unit (for S3), 120/sec/unit (for S2), 12/sec/unit (for S1). Minimum of 100/sec.
Cloud-to-device sends	83.33/sec/unit (5,000/min/unit) (for S3), 1.67/sec/unit (100/min/unit) (for S1 and S2).
Cloud-to-device receives	833.33/sec/unit (50,000/min/unit) (for S3), 16.67/sec/unit (1,000/min/unit) (for S1 and S2).
File upload operations	83.33 file upload initiations/sec/unit (5,000/min/unit) (for S3), 1.67 file upload initiations/sec/unit (100/min/unit) (for S1 and S2). 10 concurrent file uploads per device.
Direct methods	24 MB/sec/unit (for S3), 480 KB/sec/unit (for S2), 160 KB/sec/unit (for S1). Based on 8-KB throttling meter size.
Device twin reads	500/sec/unit (for S3), Maximum of 100/sec or 10/sec/unit (for S2), 100/sec (for S1)
Device twin updates	250/sec/unit (for S3), Maximum of 50/sec or 5/sec/unit (for S2), 50/sec (for S1)
Jobs operations (create, update, list, and delete)	83.33/sec/unit (5,000/min/unit) (for S3), 1.67/sec/unit (100/min/unit) (for S2), 1.67/sec/unit (100/min/unit) (for S1).
Jobs per-device operation throughput	50/sec/unit (for S3), maximum of 10/sec or 1/sec/unit (for S2), 10/sec (for S1).
Device stream initiation rate	5 new streams/sec (for S1, S2, S3, and F1 only).

IoT Hub Device Provisioning Service limits

Note

Some areas of this service have adjustable limits. This is represented in the tables below with the Adjustable? column. When the limit can be adjusted, the Adjustable? value is Yes.

The actual value to which a limit can be adjusted may vary based on each customer’s deployment. Multiple instances of DPS may be required for very large deployments.

If your business requires raising an adjustable limit or quota above the default limit, you can submit a request for additional resources by opening a support ticket. Requesting an increase does not guarantee that it will be granted, as it needs to be reviewed on a case-by-case basis. Please contact Microsoft support as early as possible during your implementation, to be able to determine if your request could be approved and plan accordingly.

The following table lists the limits that apply to Azure IoT Hub Device Provisioning Service resources.

Resource	Limit	Adjustable?
Maximum device provisioning services per Azure subscription	10	Yes
Maximum number of registrations	1,000,000	Yes
Maximum number of individual enrollments	1,000,000	Yes
Maximum number of enrollment groups (X.509 certificate)	100	Yes
Maximum number of enrollment groups (symmetric key)	100	No
Maximum number of CAs	25	No
Maximum number of linked IoT hubs	50	No
Maximum size of message	96 KB	No

Tip

If the hard limit on symmetric key enrollment groups is a blocking issue, it is recommended to use individual enrollments as a workaround.

The Device Provisioning Service has the following rate limits.

Rate	Per-unit value	Adjustable?
Operations	200/min/service	Yes
Device registrations	200/min/service	Yes
Device polling operation	5/10 sec/device	No

Key Vault limits

Azure Key Vault service supports two resource types: Vaults and Managed HSMs. The following two sections describe the service limits for each of them respectively.

Resource type: vault

This section describes service limits for resource type vaults.

Key transactions (maximum transactions allowed in 10 seconds, per vault per region¹):

Key type	HSM key CREATE key	HSM key All other transactions	Software key CREATE key	Software key All other transactions
RSA 2,048-bit	10	2,000	20	4,000
RSA 3,072-bit	10	500	20	1,000
RSA 4,096-bit	10	250	20	500
ECC P-256	10	2,000	20	4,000
ECC P-384	10	2,000	20	4,000
ECC P-521	10	2,000	20	4,000
ECC SECP256K1	10	2,000	20	4,000

Note

In the previous table, we see that for RSA 2,048-bit software keys, 4,000 GET transactions per 10 seconds are allowed. For RSA 2,048-bit HSM-keys, 2,000 GET transactions per 10 seconds are allowed.

The throttling thresholds are weighted, and enforcement is on their sum. For example, as shown in the previous table, when you perform GET operations on RSA HSM-keys, it's eight times more expensive to use 4,096-bit keys compared to 2,048-bit keys. That's because 2,000/250 = 8.

In a given 10-second interval, an Azure Key Vault client can do only one of the following operations before it encounters a 429 throttling HTTP status code:

• 4,000 RSA 2,048-bit software-key GET transactions
• 2,000 RSA 2,048-bit HSM-key GET transactions
• 250 RSA 4,096-bit HSM-key GET transactions
• 248 RSA 4,096-bit HSM-key GET transactions and 16 RSA 2,048-bit HSM-key GET transactions

Secrets, managed storage account keys, and vault transactions:

Transactions type	Maximum transactions allowed in 10 seconds, per vault per region1
All transactions	4,000

For information on how to handle throttling when these limits are exceeded, see Azure Key Vault throttling guidance.

¹ A subscription-wide limit for all transaction types is five times per key vault limit.

Backup keys, secrets, certificates

When you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. This blob cannot be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography

Transactions type	Maximum key vault object versions allowed
Back up individual key, secret, certificate	500

Note

Attempting to backup a key, secret, or certificate object with more versions than above limit will result in an error. It is not possible to delete previous versions of a key, secret, or certificate.

Limits on count of keys, secrets and certificates:

Key Vault does not restrict the number of keys, secrets or certificates that can be stored in a vault. The transaction limits on the vault should be taken into account to ensure that operations are not throttled.

Key Vault does not restrict the number of versions on a secret, key or certificate, but storing a large number of versions (500+) can impact the performance of backup operations. See Azure Key Vault Backup.

Resource type: Managed HSM

This section describes service limits for resource type managed HSM.

Object limits

Item	Limits
Number of HSM instances per subscription per region	5
Number of keys per HSM instance	5000
Number of versions per key	100
Number of custom role definitions per HSM instance	50
Number of role assignments at HSM scope	50
Number of role assignments at each individual key scope	10

Transaction limits for administrative operations (number of operations per second per HSM instance)

Operation	Number of operations per second
All RBAC operations (includes all CRUD operations for role definitions and role assignments)	5
Full HSM Backup/Restore (only one concurrent backup or restore operation per HSM instance supported)	1

Transaction limits for cryptographic operations (number of operations per second per HSM instance)

• Each Managed HSM instance constitutes three load balanced HSM partitions. The throughput limits are a function of underlying hardware capacity allocated for each partition. The tables below show maximum throughput with at least one partition available. Actual throughput may be up to 3x higher if all three partitions are available.
• Throughput limits noted assume that one single key is being used to achieve maximum throughput. For example, if a single RSA-2048 key is used the maximum throughput will be 1100 sign operations. If you use 1100 different keys with one transaction per second each, they will not be able to achieve the same throughput.

RSA key operations (number of operations per second per HSM instance)

Operation	2048-bit	3072-bit	4096-bit
Create Key	1	1	1
Delete Key (soft-delete)	10	10	10
Purge Key	10	10	10
Backup Key	10	10	10
Restore Key	10	10	10
Get Key Information	1100	1100	1100
Encrypt	10000	10000	6000
Decrypt	1100	360	160
Wrap	10000	10000	6000
Unwrap	1100	360	160
Sign	1100	360	160
Verify	10000	10000	6000

EC key operations (number of operations per second per HSM instance)

This table describes number of operations per second for each curve type.

Operation	P-256	P-256K	P-384	P-521
Create Key	1	1	1	1
Delete Key (soft-delete)	10	10	10	10
Purge Key	10	10	10	10
Backup Key	10	10	10	10
Restore Key	10	10	10	10
Get Key Information	1100	1100	1100	1100
Sign	260	260	165	56
Verify	130	130	82	28

AES key operations (number of operations per second per HSM instance)

• Encrypt and Decrypt operations assume a 4KB packet size.
• Throughput limits for Encrypt/Decrypt apply to AES-CBC and AES-GCM algorithms.
• Throughput limits for Wrap/Unwrap apply to AES-KW algorithm.

Operation	128-bit	192-bit	256-bit
Create Key	1	1	1
Delete Key (soft-delete)	10	10	10
Purge Key	10	10	10
Backup Key	10	10	10
Restore Key	10	10	10
Get Key Information	1100	1100	1100
Encrypt	8000	8000	8000
Decrypt	8000	8000	8000
Wrap	9000	9000	9000
Unwrap	9000	9000	9000

Managed identity limits

• Each managed identity counts towards the object quota limit in an Azure AD tenant as described in Azure AD service limits and restrictions.

• The rate at which managed identities can be created have the following limits:

  1. Per Azure AD Tenant per Azure region: 400 create operations per 20 seconds.
  2. Per Azure Subscription per Azure region : 80 create operations per 20 seconds.

• The rate at which a user-assigned managed identity can be assigned with an Azure resource :

  1. Per Azure AD Tenant per Azure region: 400 assignment operations per 20 seconds.
  2. Per Azure Subscription per Azure region : 300 assignment operations per 20 seconds.

Media Services limits

Note

For resources that aren't fixed, open a support ticket to ask for an increase in the quotas. Don't create additional Azure Media Services accounts in an attempt to obtain higher limits.

Account limits

Resource	Default Limit
Media Services accounts in a single subscription	100 (fixed)

Asset limits

Resource	Default Limit
Assets per Media Services account	1,000,000

Storage (media) limits

Resource	Default Limit
File size	In some scenarios, there is a limit on the maximum file size supported for processing in Media Services. (1)
Storage accounts	100(2) (fixed)

¹ The maximum size supported for a single blob is currently up to 5 TB in Azure Blob Storage. Additional limits apply in Media Services based on the VM sizes that are used by the service. The size limit applies to the files that you upload and also the files that get generated as a result of Media Services processing (encoding or analyzing). If your source file is larger than 260-GB, your Job will likely fail.

² The storage accounts must be from the same Azure subscription.

Jobs (encoding & analyzing) limits

Resource	Default Limit
Jobs per Media Services account	500,000 (3) (fixed)
Job inputs per Job	50 (fixed)
Job outputs per Job	20 (fixed)
Transforms per Media Services account	100 (fixed)
Transform outputs in a Transform	20 (fixed)
Files per job input	10 (fixed)

³ This number includes queued, finished, active, and canceled Jobs. It does not include deleted Jobs.

Any Job record in your account older than 90 days will be automatically deleted, even if the total number of records is below the maximum quota.

Live streaming limits

Resource	Default Limit
Live Events (4) per Media Services account	5
Live Outputs per Live Event	3 (5)
Max Live Output duration	Size of the DVR window

⁴ For detailed information about Live Event limitations, see Live Event types comparison and limitations.

⁵ Live Outputs start on creation and stop when deleted.

Packaging & delivery limits

Resource	Default Limit
Streaming Endpoints (stopped or running) per Media Services account	2
Dynamic Manifest Filters	100
Streaming Policies	100 (6)
Unique Streaming Locators associated with an Asset at one time	100(7) (fixed)

⁶ When using a custom Streaming Policy, you should design a limited set of such policies for your Media Service account, and re-use them for your StreamingLocators whenever the same encryption options and protocols are needed. You should not be creating a new Streaming Policy for each Streaming Locator.

⁷ Streaming Locators are not designed for managing per-user access control. To give different access rights to individual users, use Digital Rights Management (DRM) solutions.

Protection limits

Resource	Default Limit
Options per Content Key Policy	30
Licenses per month for each of the DRM types on Media Services key delivery service per account	1,000,000

Support ticket

For resources that are not fixed, you may ask for the quotas to be raised, by opening a support ticket. Include detailed information in the request on the desired quota changes, use-case scenarios, and regions required.
Do not create additional Azure Media Services accounts in an attempt to obtain higher limits.

Media Services v2 (legacy)

For limits specific to Media Services v2 (legacy), see Media Services v2 (legacy)

Mobile Services limits

Tier	Free	Basic	Standard
API calls	500,000	1.5 million per unit	15 million per unit
Active devices	500	Unlimited	Unlimited
Scale	N/A	Up to 6 units	Unlimited units
Push notifications	Azure Notification Hubs Free tier included, up to 1 million pushes	Notification Hubs Basic tier included, up to 10 million pushes	Notification Hubs Standard tier included, up to 10 million pushes
Real-time messaging/ Web Sockets	Limited	350 per mobile service	Unlimited
Offline synchronizations	Limited	Included	Included
Scheduled jobs	Limited	Included	Included
Azure SQL Database (required) Standard rates apply for additional capacity	20 MB included	20 MB included	20 MB included
CPU capacity	60 minutes per day	Unlimited	Unlimited
Outbound data transfer	165 MB per day (daily rollover)	Included	Included

For more information on limits and pricing, see Azure Mobile Services pricing.

Multi-Factor Authentication limits

Resource	Default limit	Maximum limit
Maximum number of trusted IP addresses or ranges per subscription	0	50
Remember my devices, number of days	14	60
Maximum number of app passwords	0	No limit
Allow X attempts during MFA call	1	99
Two-way text message timeout seconds	60	600
Default one-time bypass seconds	300	1,800
Lock user account after X consecutive MFA denials	Not set	99
Reset account lockout counter after X minutes	Not set	9,999
Unlock account after X minutes	Not set	9,999

Networking limits

Networking limits - Azure Resource Manager

The following limits apply only for networking resources managed through Azure Resource Manager per region per subscription. Learn how to view your current resource usage against your subscription limits.

Note

We recently increased all default limits to their maximum limits. If there's no maximum limit column, the resource doesn't have adjustable limits. If you had these limits increased by support in the past and don't see updated limits in the following tables, open an online customer support request at no charge

Resource	Limit
Virtual networks	1,000
Subnets per virtual network	3,000
Virtual network peerings per virtual network	500
Virtual network gateways (VPN gateways) per virtual network	1
Virtual network gateways (ExpressRoute gateways) per virtual network	1
DNS servers per virtual network	20
Private IP addresses per virtual network	65,536
Private IP addresses per network interface	256
Private IP addresses per virtual machine	256
Public IP addresses per network interface	256
Public IP addresses per virtual machine	256
Concurrent TCP or UDP flows per NIC of a virtual machine or role instance	500,000
Network interface cards	65,536
Network Security Groups	5,000
NSG rules per NSG	1,000
IP addresses and ranges specified for source or destination in a security group	4,000
Application security groups	3,000
Application security groups per IP configuration, per NIC	20
IP configurations per application security group	4,000
Application security groups that can be specified within all security rules of a network security group	100
User-defined route tables	200
User-defined routes per route table	400
Point-to-site root certificates per Azure VPN Gateway	20
Point-to-site revoked client certificates per Azure VPN Gateway	300
Virtual network TAPs	100
Network interface TAP configurations per virtual network TAP	100

Public IP address limits

Resource	Default limit	Maximum limit
Public IP addresses1,2	10 for Basic.	Contact support.
Static Public IP addresses1	10 for Basic.	Contact support.
Standard Public IP addresses1	10	Contact support.
Public IP addresses per Resource Group	800	Contact support.
Public IP Prefixes	limited by number of Standard Public IPs in a subscription	Contact support.
Public IP prefix length	/28	Contact support.

¹Default limits for Public IP addresses vary by offer category type, such as Free Trial, Pay-As-You-Go, CSP. For example, the default for Enterprise Agreement subscriptions is 1000.

²Public IP addresses limit refers to the total amount of Public IP addresses, including Basic and Standard.

Load balancer limits

The following limits apply only for networking resources managed through Azure Resource Manager per region per subscription. Learn how to view your current resource usage against your subscription limits.

Standard Load Balancer

Resource	Limit
Load balancers	1,000
Rules (Load Balancer + Inbound NAT) per resource	1,500
Rules per NIC (across all IPs on a NIC)	300
Frontend IP configurations	600
Backend pool size	1,000 IP configurations, single virtual network
Backend resources per Load Balancer 1	1,200
High-availability ports rule	1 per internal frontend
Outbound rules per Load Balancer	600
Load Balancers per VM 2	2 (1 Public and 1 internal)

¹ The limit is up to 1,200 resources, in any combination of standalone virtual machine resources, availability set resources, and virtual machine scale-set placement groups. ² An exception to this limit is that 2 public load balancers can be in front of a VM if an IPv4 address config is used for one load balancer and IPv6 address config is used for the second.

Basic Load Balancer

Resource	Limit
Load balancers	1,000
Rules per resource	250
Rules per NIC (across all IPs on a NIC)	300
Frontend IP configurations 3	200
Backend pool size	300 IP configurations, single availability set
Availability sets per Load Balancer	1
Load Balancers per VM	2 (1 Public and 1 internal)

³ The limit for a single discrete resource in a backend pool (standalone virtual machine, availability set, or virtual machine scale-set placement group) is to have up to 250 Frontend IP configurations across a single Basic Public Load Balancer and Basic Internal Load Balancer.

The following limits apply only for networking resources managed through the classic deployment model per subscription. Learn how to view your current resource usage against your subscription limits.

Resource	Default limit	Maximum limit
Virtual networks	100	100
Local network sites	20	50
DNS servers per virtual network	20	20
Private IP addresses per virtual network	4,096	4,096
Concurrent TCP or UDP flows per NIC of a virtual machine or role instance	500,000, up to 1,000,000 for two or more NICs.	500,000, up to 1,000,000 for two or more NICs.
Network Security Groups (NSGs)	200	200
NSG rules per NSG	200	1,000
User-defined route tables	200	200
User-defined routes per route table	400	400
Public IP addresses (dynamic)	500	500
Reserved public IP addresses	500	500
Public IP per deployment	5	Contact support
Private IP (internal load balancing) per deployment	1	1
Endpoint access control lists (ACLs)	50	50

ExpressRoute limits

Resource	Limit
ExpressRoute circuits per subscription	50
ExpressRoute circuits per region per subscription, with Azure Resource Manager	10
Maximum number of IPv4 routes advertised to Azure private peering with ExpressRoute Standard	4,000
Maximum number of IPv4 routes advertised to Azure private peering with ExpressRoute Premium add-on	10,000
Maximum number of IPv6 routes advertised to Azure private peering with ExpressRoute Standard	100
Maximum number of IPv6 routes advertised to Azure private peering with ExpressRoute Premium add-on	100
Maximum number of IPv4 routes advertised from Azure private peering from the VNet address space for an ExpressRoute connection	1,000
Maximum number of IPv6 routes advertised from Azure private peering from the VNet address space for an ExpressRoute connection	1,000
Maximum number of IPv4 routes advertised to Microsoft peering with ExpressRoute Standard	200
Maximum number of IPv4 routes advertised to Microsoft peering with ExpressRoute Premium add-on	200
Maximum number of IPv6 routes advertised to Microsoft peering with ExpressRoute Standard	200
Maximum number of IPv6 routes advertised to Microsoft peering with ExpressRoute Premium add-on	200
Maximum number of ExpressRoute circuits linked to the same virtual network in the same peering location	4
Maximum number of ExpressRoute circuits linked to the same virtual network in different peering locations	16 (For more information, see Gateway SKU.)
Number of virtual network links allowed per ExpressRoute circuit	See the Number of virtual networks per ExpressRoute circuit table.
Maximum number of IPs for ExpressRoute provider circuit with Fastpath	25,000
Maximum number of IPs for ExpressRoute Direct 10Gbps with Fastpath	100,000
Maximum number of IPs for ExpressRoute Direct 100Gbps with Fastpath	200,000

Number of virtual networks per ExpressRoute circuit

Circuit size	Number of virtual network links for Standard	Number of virtual network links with Premium add-on
50 Mbps	10	20
100 Mbps	10	25
200 Mbps	10	25
500 Mbps	10	40
1 Gbps	10	50
2 Gbps	10	60
5 Gbps	10	75
10 Gbps	10	100
40 Gbps*	10	100
100 Gbps*	10	100

*100 Gbps ExpressRoute Direct Only

Note

Global Reach connections count against the limit of virtual network connections per ExpressRoute Circuit. For example, a 10 Gbps Premium Circuit would allow for 5 Global Reach connections and 95 connections to the ExpressRoute Gateways or 95 Global Reach connections and 5 connections to the ExpressRoute Gateways or any other combination up to the limit of 100 connections for the circuit.

Virtual Network Gateway limits

Resource	Limit
VNet Address Prefixes	600 per VPN gateway
Aggregate BGP routes	4,000 per VPN gateway
Local Network Gateway address prefixes	1000 per local network gateway
S2S connections	Depends on the gateway SKU
P2S connections	Depends on the gateway SKU
P2S route limit - IKEv2	256 for non-Windows / 25 for Windows
P2S route limit - OpenVPN	1000
Max. flows	100K for VpnGw1/AZ / 512K for VpnGw2-4/AZ

NAT Gateway limits

The following limits apply to NAT gateway resources managed through Azure Resource Manager per region per subscription. Learn how to view your current resource usage against your subscription limits.

Resource	Limit
Public IP addresses	16 per NAT gateway
NAT gateways	1,000 per subscription per region
Packets processed	1M - 5M packets / second
Simultaneous connections	50,000 connections to the same destination / public IP

Virtual WAN limits

Resource	Limit
VPN (branch) connections per hub	1,000
Aggregate throughput per Virtual WAN Site-to-site VPN gateway	20 Gbps
Throughput per Virtual WAN VPN connection (2 tunnels)	2 Gbps with 1 Gbps/IPsec tunnel
Point-to-site users per hub	100,000
Aggregate throughput per Virtual WAN User VPN (Point-to-site) gateway	200 Gbps
Aggregate throughput per Virtual WAN ExpressRoute gateway	20 Gbps
ExpressRoute circuit connections per hub	8
VNet connections per hub	500 minus total number of hubs in Virtual WAN
Aggregate throughput per Virtual WAN hub router	50 Gbps for VNet to VNet transit
VM workload across all VNets connected to a single Virtual WAN hub	2000 (If you want to raise the limit or quota above the default limit, see hub settings).

Application Gateway limits

The following table applies to v1, v2, Standard, and WAF SKUs unless otherwise stated.

Resource	Limit	Note
Azure Application Gateway	1,000 per subscription
Front-end IP configurations	2	1 public and 1 private
Front-end ports	1001
Back-end address pools	1001
Back-end servers per pool	1,200
HTTP listeners	2001	Limited to 100 active listeners that are routing traffic. Active listeners = total number of listeners - listeners not active. If a default configuration inside a routing rule is set to route traffic (for example, it has a listener, a backend pool, and HTTP settings) then that also counts as a listener. See Frequently asked questions about Application Gateway for additional details.
HTTP load-balancing rules	4001
Back-end HTTP settings	1001
Instances per gateway	V1 SKU - 32 V2 SKU - 125
SSL certificates	1001	1 per HTTP listener
Maximum SSL certificate size	V1 SKU - 10 KB V2 SKU - 16 KB
Authentication certificates	100
Trusted root certificates	100
Request timeout minimum	1 second
Request timeout maximum to private backend	24 hours
Request timeout maximum to external backend	4 minutes
Number of sites	1001	1 per HTTP listener
URL maps per listener	1
Maximum path-based rules per URL map	100
Redirect configurations	1001
Number of rewrite rule sets	400
Number of Header or URL configuration per rewrite rule set	40
Number of conditions per rewrite rule set	40
Concurrent WebSocket connections	Medium gateways 20k2 Large gateways 50k2
Maximum URL length	32 KB
Maximum header size	32 KB
Maximum header field size for HTTP/2	8 KB
Maximum header size for HTTP/2	16 KB
Maximum file upload size (Standard SKU)	V2 - 4 GB V1 - 2 GB
Maximum file upload size (WAF SKU)	V1 Medium - 100 MB V1 Large - 500 MB V2 - 750 MB V2 (with CRS 3.2 or newer) - 4 GB3
WAF body size limit (without files)	V1 or V2 (with CRS 3.1 and older) - 128 KB V2 (with CRS 3.2 or newer) - 2 MB3
Maximum Private Link Configurations	2	1 for public IP, 1 for private IP
Maximum Private Link IP Configurations	8
Maximum WAF custom rules	100
Maximum WAF exclusions per Application Gateway	40

¹ In case of WAF-enabled SKUs, you must limit the number of resources to 40.

² Limit is per Application Gateway instance not per Application Gateway resource.

³ Must define the value via WAF Policy for Application Gateway

Network Watcher limits

Resource	Limit	Note
Azure Network Watcher	1 per region	Network Watcher is created to enable access to the service. Only one instance of Network Watcher is required per subscription per region.
Packet capture sessions	10,000 per region	Number of sessions only, not saved captures.

Private Link limits

The following limits apply to Azure private link:

Resource	Limit
Number of private endpoints per virtual network	1000
Number of private endpoints per subscription	64000
Number of private link services per subscription	800
Number of IP Configurations on a private link service	8 (This number is for the NAT IP addresses used per PLS)
Number of private endpoints on the same private link service	1000
Number of subscriptions allowed in visibility setting on private link service	100
Number of subscriptions allowed in auto-approval setting on private link service	100
Number of private endpoints per key vault	64
Number of key vaults with private endpoints per subscription	400
Number of private DNS zone groups that can be linked to a private endpoint	1
Number of DNS zones in each group	5

Traffic Manager limits

Resource	Limit
Profiles per subscription	200 1
Endpoints per profile	200

¹If you need to increase these limits, contact Azure Support.

Azure Bastion limits

Workload Type*	Session Limit per Instance**
Light	50
Medium	25
Heavy	2

*These workload types are defined here: Remote Desktop workloads
**These limits are based on RDP performance tests for Azure Bastion. The numbers may vary due to other on-going RDP sessions or other on-going SSH sessions.

Azure DNS limits

Public DNS zones

Resource	Limit
Public DNS Zones per subscription	250 1
Record sets per public DNS zone	10,000 1
Records per record set in public DNS zone	20
Number of Alias records for a single Azure resource	20

¹If you need to increase these limits, contact Azure Support.

Private DNS zones

Resource	Limit
Private DNS zones per subscription	1000
Record sets per private DNS zone	25000
Records per record set for private DNS zones	20
Virtual Network Links per private DNS zone	1000
Virtual Networks Links per private DNS zones with auto-registration enabled	100
Number of private DNS zones a virtual network can get linked to with auto-registration enabled	1
Number of private DNS zones a virtual network can get linked	1000
Number of DNS queries a virtual machine can send to Azure DNS resolver, per second	1000 1
Maximum number of DNS queries queued (pending response) per virtual machine	200 1

¹These limits are applied to every individual virtual machine and not at the virtual network level. DNS queries exceeding these limits are dropped.

Azure Firewall limits

Resource	Limit
Data throughput	30 Gbps
Rule limits	10,000 unique source/destinations in network and application rules
Total size of rules within a single Rule Collection Group	2 MB
Number of Rule Collection Groups in a firewall policy	50
Maximum DNAT rules	298 (for firewalls configured with a single Public IP address) The DNAT limitation is due to the underlying platform. The maximum number of DNAT rules is 298. However, any additional public IP addresses reduce the number of the available DNAT rules. For example, two public IP addresses allow for 297 DNAT rules. If a rule's protocol is configured for both TCP and UDP, it counts as two rules.
Minimum AzureFirewallSubnet size	/26
Port range in network and application rules	1 - 65535
Public IP addresses	250 maximum. All public IP addresses can be used in DNAT rules and they all contribute to available SNAT ports.
IP addresses in IP Groups	Maximum of 100 IP Groups per firewall. Maximum 5000 individual IP addresses or IP prefixes per each IP Group.
Route table	By default, AzureFirewallSubnet has a 0.0.0.0/0 route with the NextHopType value set to Internet. Azure Firewall must have direct Internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via BGP, you must override that with a 0.0.0.0/0 UDR with the NextHopType value set as Internet to maintain direct Internet connectivity. By default, Azure Firewall doesn't support forced tunneling to an on-premises network. However, if your configuration requires forced tunneling to an on-premises network, Microsoft will support it on a case by case basis. Contact Support so that we can review your case. If accepted, we'll allow your subscription and ensure the required firewall Internet connectivity is maintained.
FQDNs in network rules	For good performance, do not exceed more than 1000 FQDNs across all network rules per firewall.

Azure Front Door (classic) limits

• In addition to the limits below, there's a composite limit on the number of routing rules, front-end domains, protocols, and paths.

Resource	Classic tier limit
Azure Front Door resources per subscription	100
Front-end hosts, which include custom domains per resource	500
Routing rules per resource	500
Back-end pools per resource	50
Back ends per back-end pool	100
Path patterns to match for a routing rule	25
URLs in a single cache purge call	100
Custom web application firewall rules per policy	100
Web application firewall policy per subscription	100
Web application firewall match conditions per custom rule	10
Web application firewall IP address ranges per custom rule	600
Web application firewall string match values per match condition	10
Web application firewall string match value length	256
Web application firewall POST body parameter name length	256
Web application firewall HTTP header name length	256
Web application firewall cookie name length	256
Web application firewall exclusion limit	100
Web application firewall HTTP request body size inspected	128 KB
Web application firewall custom response body length	32 KB

Azure Front Door Standard and Premium tier service limits

• Maximum 500 total Standard and Premium profiles per subscription.
• In addition to the limits below, there's a composite limit on the number of routes, domains, protocols, and paths.

Resource	Standard tier limit	Premium tier limit
Maximum profiles per subscription	500	500
Maximum endpoint per profile	10	25
Maximum custom domain per profile	100	500
Maximum origin groups per profile	100	200
Maximum origins per profile	100	200
Maximum origin timeout	16 - 240 secs	16 - 240 secs
Maximum routes per profile	100	200
Maximum rule set per profile	100	200
Maximum rules per route	100	100
Path patterns to match for a routing rule	25	50
URLs in a single cache purge call	100	100
Web Application Firewall (WAF) policy per subscription	100	100
WAF custom rules per policy	100	100
WAF match conditions per custom rule	10	10
WAF IP address ranges per match conditions	600	600
WAF string match values per match condition	10	10
WAF string match value length	256	256
WAF POST body parameter name length	256	256
WAF HTTP header name length	256	256
WAF cookie name length	256	256
WAF exclusion per policy	100	100
WAF HTTP request body size inspected	128 KB	128 KB
WAF custom response body length	32 KB	32 KB

Timeout values

Client to Front Door

• Front Door has an idle TCP connection timeout of 61 seconds.

Front Door to application back-end

• After the HTTP request gets forwarded to the back end, Azure Front Door waits for 60 seconds (Standard and Premium) or 30 seconds (classic) for the first packet from the back end. Then it returns a 503 error to the client, or 504 for a cached request. You can configure this value using the originResponseTimeoutSeconds field in Azure Front Door Standard and Premium API, or the sendRecvTimeoutSeconds field in the Azure Front Door (classic) API.

• After the back end receives the first packet, if the origin pauses for any reason in the middle of the response body beyond the originResponseTimeoutSeconds or sendRecvTimeoutSeconds, the response will be canceled.

• Front Door takes advantage of HTTP keep-alive to keep connections open for reuse from previous requests. These connections have an idle timeout of 90 seconds. Azure Front Door would disconnect idle connections after reaching the 90-second idle timeout. This timeout value can't be configured.

Upload and download data limit

	With chunked transfer encoding (CTE)	Without HTTP chunking
Download	There's no limit on the download size.	There's no limit on the download size.
Upload	There's no limit as long as each CTE upload is less than 2 GB.	The size can't be larger than 2 GB.

Other limits

• Maximum URL size - 8,192 bytes - Specifies maximum length of the raw URL (scheme + hostname + port + path + query string of the URL)
• Maximum Query String size - 4,096 bytes - Specifies the maximum length of the query string, in bytes.
• Maximum HTTP response header size from health probe URL - 4,096 bytes - Specified the maximum length of all the response headers of health probes.
• Maximum rules engine action header value character: 640 characters.
• Maximum rules engine condition header value character: 256 characters.
• Maximum ETag header size: 128 bytes
• Maximum endhpoint name for Standard and Premium: 46 characters.

For more information about limits that apply to Rules Engine configurations, see Rules Engine terminology

Notification Hubs limits

Tier	Free	Basic	Standard
Included pushes	1 million	10 million	10 million
Active devices	500	200,000	10 million
Tag quota per installation or registration	60	60	60

For more information on limits and pricing, see Notification Hubs pricing.

Microsoft Purview limits

The latest values for Microsoft Purview quotas can be found in the Microsoft Purview quota page.

Microsoft Sentinel limits

This section lists the most common service limits you might encounter as you use Microsoft Sentinel.

Analytics rule limits

The following limit applies to analytics rules in Microsoft Sentinel.

Description	Limit	Dependency
Number of rules	512 rules	None

Incident limits

The following limits apply to incidents in Microsoft Sentinel.

Description	Limit	Dependency
Investigation experience availability	90 days from the incident last update time	None
Number of automation rules	512 rules	None
Number of actions	20 actions	None
Number of characters per comment	30 K characters	None
Number of comments per incident	100 comments	None
Number of conditions	50 conditions	None

Machine learning-based limits

The following limits apply to machine learning-based features in Microsoft Sentinel like customizable anomalies and Fusion.

Description	Limit	Dependency
Number of anomalies published per anomaly type	Top 3000 ranked by anomaly score	None
Number of alerts and/or anomalies in a single Fusion incident	100 alerts and/or anomalies	None

Notebook limits

The following limits apply to notebooks in Microsoft Sentinel. The limits are related to the dependencies on other services used by notebooks.

Description	Limit	Dependency
Total count of these assets per machine learning workspace: datasets, runs, models, and artifacts	10 million assets	Azure Machine Learning
Default limit for total compute clusters per region. Limit is shared between a training cluster and a compute instance. A compute instance is considered a single-node cluster for quota purposes.	200 compute clusters per region	Azure Machine Learning
Storage accounts per region per subscription	250 storage accounts	Azure Storage
Maximum size of a file share by default	5 TB	Azure Storage
Maximum size of a file share with large file share feature enabled	100 TB	Azure Storage
Maximum throughput (ingress + egress) for a single file share by default	60 MB/sec	Azure Storage
Maximum throughput (ingress + egress) for a single file share with large file share feature enabled	300 MB/sec	Azure Storage

Threat intelligence limits

The following limit applies to threat intelligence in Microsoft Sentinel. The limit is related to the dependency on an API used by threat intelligence.

Description	Limit	Dependency
Indicators per call that use Graph security API	100 indicators	Microsoft Graph security API

Watchlist limits

The following limits apply to watchlists in Microsoft Sentinel. The limits are related to the dependencies on other services used by watchlists.

Description	Limit	Dependency
Upload size for local file	3.8 MB per file	Azure Resource Manager
Line entry in the CSV file	10,240 characters per line	Azure Resource Manager
Upload size for files in Azure Storage	500 MB per file	Azure Storage
Total number of active watchlist items per workspace. When the max count is reached, delete some existing items to add a new watchlist.	10 million active watchlist items	Log Analytics
Refresh of the status for a large watchlist in seconds. Customers won't see the latest progress of an upload until the next refresh.	15 seconds	Azure Cosmos DB
Number of large watchlist uploads per workspace at a time	One large watchlist	Azure Cosmos DB
Number of large watchlist deletions per workspace at a time	One large watchlist	Azure Cosmos DB

User and Entity Behavior Analytics (UEBA) limits

The following limit applies to UEBA in Microsoft Sentinel. The limit for UEBA in Microsoft Sentinel is related to dependencies on another service.

Description	Limit	Dependency
Lowest retention configuration in days for the IdentityInfo table. All data stored on the IdentityInfo table in Log Analytics is refreshed every 14 days.	14 days	Log Analytics

Service Bus limits

The following table lists quota information specific to Azure Service Bus messaging. For information about pricing and other quotas for Service Bus, see Service Bus pricing.

Quota name	Scope	Value	Notes
Maximum number of namespaces per Azure subscription	Namespace	1000 (default and maximum)	Subsequent requests for additional namespaces are rejected.
Queue or topic size	Entity	1, 2, 3, 4 GB or 5 GB In the Premium SKU, and the Standard SKU with partitioning enabled, the maximum queue or topic size is 80 GB. Total size limit for a premium namespace is 1 TB per messaging unit. Total size of all entities in a namespace can't exceed this limit.	Defined upon creation/updation of the queue or topic. Subsequent incoming messages are rejected, and an exception is received by the calling code.
Number of concurrent connections on a namespace	Namespace	Net Messaging: 1,000. AMQP: 5,000.	Subsequent requests for additional connections are rejected, and an exception is received by the calling code. REST operations don't count toward concurrent TCP connections.
Number of concurrent receive requests on a queue, topic, or subscription entity	Entity	5,000	Subsequent receive requests are rejected, and an exception is received by the calling code. This quota applies to the combined number of concurrent receive operations across all subscriptions on a topic.
Number of topics or queues per namespace	Namespace	10,000 for the Basic or Standard tier. The total number of topics and queues in a namespace must be less than or equal to 10,000. For the Premium tier, 1,000 per messaging unit (MU).	Subsequent requests for creation of a new topic or queue on the namespace are rejected. As a result, if configured through the Azure portal, an error message is generated. If called from the management API, an exception is received by the calling code.
Number of partitioned topics or queues per namespace	Namespace	Basic and Standard tiers: 100. Partitioned entities aren't supported in the Premium tier. Each partitioned queue or topic counts toward the quota of 1,000 entities per namespace.	Subsequent requests for creation of a new partitioned topic or queue in the namespace are rejected. As a result, if configured through the Azure portal, an error message is generated. If called from the management API, the exception QuotaExceededException is received by the calling code. If you want to have more partitioned entities in a basic or a standard tier namespace, create additional namespaces.
Maximum size of any messaging entity path: queue or topic	Entity	-	260 characters.
Maximum size of any messaging entity name: namespace, subscription, or subscription rule	Entity	-	50 characters.
Maximum size of a message ID	Entity	-	128
Maximum size of a message session ID	Entity	-	128
Message size for a queue, topic, or subscription entity	Entity	Incoming messages that exceed these quotas are rejected, and an exception is received by the calling code.	256 KB for Standard tier 100 MB for Premium tier. The message size includes the size of properties (system and user) and the size of payload. The size of system properties varies depending on your scenario.
Message property size for a queue, topic, or subscription entity	Entity	The exception SerializationException is generated.	Maximum message property size for each property is 32 KB. Cumulative size of all properties can't exceed 64 KB. This limit applies to the entire header of the brokered message, which has both user properties and system properties, such as sequence number, label, and message ID. Maximum number of header properties in property bag: byte/int.MaxValue.
Number of subscriptions per topic	Entity	Subsequent requests for creating additional subscriptions for the topic are rejected. As a result, if configured through the portal, an error message is shown. If called from the management API, an exception is received by the calling code.	2,000 per-topic for the Standard tier and Premium tier.
Number of SQL filters per topic	Entity	Subsequent requests for creation of additional filters on the topic are rejected, and an exception is received by the calling code.	2,000
Number of correlation filters per topic	Entity	Subsequent requests for creation of additional filters on the topic are rejected, and an exception is received by the calling code.	100,000
Size of SQL filters or actions	Namespace	Subsequent requests for creation of additional filters are rejected, and an exception is received by the calling code.	Maximum length of filter condition string: 1,024 (1 K). Maximum length of rule action string: 1,024 (1 K). Maximum number of expressions per rule action: 32.
Number of shared access authorization rules per namespace, queue, or topic	Entity, namespace	Subsequent requests for creation of additional rules are rejected, and an exception is received by the calling code.	Maximum number of rules per entity type: 12. Rules that are configured on a Service Bus namespace apply to all types: queues, topics.
Number of messages per transaction	Transaction	Additional incoming messages are rejected, and an exception stating "Can't send more than 100 messages in a single transaction" is received by the calling code.	100 For both Send() and SendAsync() operations.
Number of virtual network and IP filter rules	Namespace		128

Site Recovery limits

The following limits apply to Azure Site Recovery.

Limit identifier	Limit
Number of vaults per subscription	500
Number of servers per Recovery Services vault	250
Number of protection groups per Recovery Services vault	No limit
Number of recovery plans per Recovery Services vault	No limit
Number of servers per protection group	No limit
Number of servers per recovery plan	100

SQL Database limits

For SQL Database limits, see SQL Database resource limits for single databases, SQL Database resource limits for elastic pools and pooled databases, and SQL Database resource limits for SQL Managed Instance.

The maximum number of private endpoints per Azure SQL Database logical server is 250.

Azure Synapse Analytics limits

Azure Synapse Analytics has the following default limits to ensure customer's subscriptions are protected from each other's workloads. To raise the limits to the maximum for your subscription, contact support.

Synapse Workspace Limits

For Pay-As-You-Go subscription offer types:

Resource	Default limit	Maximum limit
Synapse workspaces in an Azure subscription	2	2

For other subscription offer types:

Resource	Default limit	Maximum limit
Synapse workspaces in an Azure subscription per region	20	250

Synapse Pipeline Limits

Resource	Default limit	Maximum limit
Synapse pipelines in a Synapse workspace	800	800
Total number of entities, such as pipelines, data sets, triggers, linked services, Private Endpoints, and integration runtimes, within a workspace	5,000	Contact support.
Total CPU cores for Azure-SSIS Integration Runtimes under one workspace	256	Contact support.
Concurrent pipeline runs per workspace that's shared among all pipelines in the workspace	10,000	10,000
Concurrent External activity runs per workspace per Azure Integration Runtime region External activities are managed on integration runtime but execute on linked services, including Databricks, stored procedure, HDInsight, Web, and others. This limit does not apply to Self-hosted IR.	3,000	3,000
Concurrent Pipeline activity runs per workspace per Azure Integration Runtime region Pipeline activities execute on integration runtime, including Lookup, GetMetadata, and Delete. This limit does not apply to Self-hosted IR.	1,000	1,000
Concurrent authoring operations per workspace per Azure Integration Runtime region Including test connection, browse folder list and table list, preview data. This limit does not apply to Self-hosted IR.	200	200
Concurrent Data Integration Units1 consumption per workspace per Azure Integration Runtime region	Region group 12: 6,000 Region group 22: 3,000 Region group 32: 1,500 Managed virtual network2: 2,400	Region group 12: 6,000 Region group 22: 3,000 Region group 32: 1,500 Managed virtual network: Contact support.
Maximum activities per pipeline, which includes inner activities for containers	40	40
Maximum number of linked integration runtimes that can be created against a single self-hosted integration runtime	100	Contact support.
Maximum parameters per pipeline	50	50
ForEach items	100,000	100,000
ForEach parallelism	20	50
Maximum queued runs per pipeline	100	100
Characters per expression	8,192	8,192
Minimum tumbling window trigger interval	5 min	15 min
Maximum timeout for pipeline activity runs	7 days	7 days
Bytes per object for pipeline objects3	200 KB	200 KB
Bytes per object for dataset and linked service objects3	100 KB	2,000 KB
Bytes per payload for each activity run4	896 KB	896 KB
Data Integration Units1 per copy activity run	256	256
Write API calls	1,200/h	1,200/h This limit is imposed by Azure Resource Manager, not Azure Synapse Analytics.
Read API calls	12,500/h	12,500/h This limit is imposed by Azure Resource Manager, not Azure Synapse Analytics.
Monitoring queries per minute	1,000	1,000
Maximum time of data flow debug session	8 hrs	8 hrs
Concurrent number of data flows per integration runtime	50	Contact support.
Concurrent number of data flows per integration runtime in managed vNet	20	Contact support.
Concurrent number of data flow debug sessions per user per workspace	3	3
Data Flow Azure IR TTL limit	4 hrs	4 hrs
Meta Data Entity Size limit in a workspace	2 GB	Contact support.

¹ The data integration unit (DIU) is used in a cloud-to-cloud copy operation, learn more from Data integration units (version 2). For information on billing, see Azure Synapse Analytics Pricing.

² Azure Integration Runtime is globally available to ensure data compliance, efficiency, and reduced network egress costs.

Region group	Regions
Region group 1	Central US, East US, East US 2, North Europe, West Europe, West US, West US 2
Region group 2	Australia East, Australia Southeast, Brazil South, Central India, Japan East, North Central US, South Central US, Southeast Asia, West Central US
Region group 3	Other regions

If managed virtual network is enabled, the data integration unit (DIU) in all region groups are 2,400.

³ Pipeline, data set, and linked service objects represent a logical grouping of your workload. Limits for these objects don't relate to the amount of data you can move and process with Azure Synapse Analytics. Synapse Analytics is designed to scale to handle petabytes of data.

⁴ The payload for each activity run includes the activity configuration, the associated dataset(s) and linked service(s) configurations if any, and a small portion of system properties generated per activity type. Limit for this payload size doesn't relate to the amount of data you can move and process with Azure Synapse Analytics. Learn about the symptoms and recommendation if you hit this limit.

Dedicated SQL pool limits

For details of capacity limits for dedicated SQL pools in Azure Synapse Analytics, see dedicated SQL pool resource limits.

Web service call limits

Azure Resource Manager has limits for API calls. You can make API calls at a rate within the Azure Resource Manager API limits.

Azure Files and Azure File Sync

To learn more about the limits for Azure Files and File Sync, see Azure Files scalability and performance targets.

Storage limits

The following table describes default limits for Azure general-purpose v2 (GPv2), general-purpose v1 (GPv1), and Blob storage accounts. The ingress limit refers to all data that is sent to a storage account. The egress limit refers to all data that is received from a storage account.

Microsoft recommends that you use a GPv2 storage account for most scenarios. You can easily upgrade a GPv1 or a Blob storage account to a GPv2 account with no downtime and without the need to copy data. For more information, see Upgrade to a GPv2 storage account.

Note

You can request higher capacity and ingress limits. To request an increase, contact Azure Support.

Resource	Limit
Maximum number of storage accounts with standard endpoints per region per subscription, including standard and premium storage accounts.	250
Maximum number of storage accounts with Azure DNS zone endpoints (preview) per region per subscription, including standard and premium storage accounts.	5000 (preview)
Default maximum storage account capacity	5 PiB 1
Maximum number of blob containers, blobs, file shares, tables, queues, entities, or messages per storage account.	No limit
Default maximum request rate per storage account	20,000 requests per second1
Default maximum ingress per general-purpose v2 and Blob storage account in the following regions (LRS/GRS): Australia East Central US East Asia East US 2 Japan East Korea Central North Europe South Central US Southeast Asia UK South West Europe West US	60 Gbps1
Default maximum ingress per general-purpose v2 and Blob storage account in the following regions (ZRS): Australia East Central US East US East US 2 Japan East North Europe South Central US Southeast Asia UK South West Europe West US 2	60 Gb ps1
Default maximum ingress per general-purpose v2 and Blob storage account in regions that aren't listed in the previous row.	25 Gbps1
Default maximum ingress for general-purpose v1 storage accounts (all regions)	10 Gbps1
Default maximum egress for general-purpose v2 and Blob storage accounts in the following regions (LRS/GRS): Australia East Central US East Asia East US 2 Japan East Korea Central North Europe South Central US Southeast Asia UK South West Europe West US	120 Gbps1
Default maximum egress for general-purpose v2 and Blob storage accounts in the following regions (ZRS): Australia East Central US East US East US 2 Japan East North Europe South Central US Southeast Asia UK South West Europe West US 2	120 Gbps1
Default maximum egress for general-purpose v2 and Blob storage accounts in regions that aren't listed in the previous row.	50 Gbps1
Maximum number of IP address rules per storage account	200
Maximum number of virtual network rules per storage account	200
Maximum number of resource instance rules per storage account	200
Maximum number of private endpoints per storage account	200

¹ Azure Storage standard accounts support higher capacity limits and higher limits for ingress and egress by request. To request an increase in account limits, contact Azure Support.

For more information on limits for standard storage accounts, see Scalability targets for standard storage accounts.

Storage resource provider limits

The following limits apply only when you perform management operations by using Azure Resource Manager with Azure Storage.

Resource	Limit
Storage account management operations (read)	800 per 5 minutes
Storage account management operations (write)	10 per second / 1200 per hour
Storage account management operations (list)	100 per 5 minutes

Azure Blob storage limits

Resource	Target
Maximum size of single blob container	Same as maximum storage account capacity
Maximum number of blocks in a block blob or append blob	50,000 blocks
Maximum size of a block in a block blob	4000 MiB
Maximum size of a block blob	50,000 X 4000 MiB (approximately 190.7 TiB)
Maximum size of a block in an append blob	4 MiB
Maximum size of an append blob	50,000 x 4 MiB (approximately 195 GiB)
Maximum size of a page blob	8 TiB2
Maximum number of stored access policies per blob container	5
Target request rate for a single blob	Up to 500 requests per second
Target throughput for a single page blob	Up to 60 MiB per second2
Target throughput for a single block blob	Up to storage account ingress/egress limits1

¹ Throughput for a single blob depends on several factors, including, but not limited to: concurrency, request size, performance tier, speed of source for uploads, and destination for downloads. To take advantage of the performance enhancements of high-throughput block blobs, upload larger blobs or blocks. Specifically, call the Put Blob or Put Block operation with a blob or block size that is greater than 4 MiB for standard storage accounts. For premium block blob or for Data Lake Storage Gen2 storage accounts, use a block or blob size that is greater than 256 KiB.

² Page blobs are not yet supported in accounts that have the Hierarchical namespace setting on them.

The following table describes the maximum block and blob sizes permitted by service version.

Service version	Maximum block size (via Put Block)	Maximum blob size (via Put Block List)	Maximum blob size via single write operation (via Put Blob)
Version 2019-12-12 and later	4000 MiB	Approximately 190.7 TiB (4000 MiB X 50,000 blocks)	5000 MiB (preview)
Version 2016-05-31 through version 2019-07-07	100 MiB	Approximately 4.75 TiB (100 MiB X 50,000 blocks)	256 MiB
Versions prior to 2016-05-31	4 MiB	Approximately 195 GiB (4 MiB X 50,000 blocks)	64 MiB

Azure Queue storage limits

Resource	Target
Maximum size of a single queue	500 TiB
Maximum size of a message in a queue	64 KiB
Maximum number of stored access policies per queue	5
Maximum request rate per storage account	20,000 messages per second, which assumes a 1-KiB message size
Target throughput for a single queue (1-KiB messages)	Up to 2,000 messages per second

Azure Table storage limits

The following table describes capacity, scalability, and performance targets for Table storage.

Resource	Target
Number of tables in an Azure storage account	Limited only by the capacity of the storage account
Number of partitions in a table	Limited only by the capacity of the storage account
Number of entities in a partition	Limited only by the capacity of the storage account
Maximum size of a single table	500 TiB
Maximum size of a single entity, including all property values	1 MiB
Maximum number of properties in a table entity	255 (including the three system properties, PartitionKey, RowKey, and Timestamp)
Maximum total size of an individual property in an entity	Varies by property type. For more information, see Property Types in Understanding the Table Service Data Model.
Size of the PartitionKey	A string up to 1 KiB in size
Size of the RowKey	A string up to 1 KiB in size
Size of an entity group transaction	A transaction can include at most 100 entities and the payload must be less than 4 MiB in size. An entity group transaction can include an update to an entity only once.
Maximum number of stored access policies per table	5
Maximum request rate per storage account	20,000 transactions per second, which assumes a 1-KiB entity size
Target throughput for a single table partition (1 KiB-entities)	Up to 2,000 entities per second

Virtual machine disk limits

You can attach a number of data disks to an Azure virtual machine (VM). Based on the scalability and performance targets for a VM's data disks, you can determine the number and type of disk that you need to meet your performance and capacity requirements.

Important

For optimal performance, limit the number of highly utilized disks attached to the virtual machine to avoid possible throttling. If all attached disks aren't highly utilized at the same time, the virtual machine can support a larger number of disks.

For Azure managed disks:

The following table illustrates the default and maximum limits of the number of resources per region per subscription. The limits remain the same irrespective of disks encrypted with either platform-managed keys or customer-managed keys. There is no limit for the number of Managed Disks, snapshots and images per resource group.

Resource	Limit
Standard managed disks	50,000
Standard SSD managed disks	50,000
Premium managed disks	50,000
Standard_LRS snapshots1	75,000
Standard_ZRS snapshots1	75,000
Managed image	50,000

¹An individual disk can have 500 incremental snapshots.

For standard storage accounts:

A Standard storage account has a maximum total request rate of 20,000 IOPS. The total IOPS across all of your virtual machine disks in a Standard storage account should not exceed this limit.

For unmanaged disks, you can roughly calculate the number of highly utilized disks supported by a single standard storage account based on the request rate limit. For example, for a Basic tier VM, the maximum number of highly utilized disks is about 66, which is 20,000/300 IOPS per disk. The maximum number of highly utilized disks for a Standard tier VM is about 40, which is 20,000/500 IOPS per disk.

For premium storage accounts:

A premium storage account has a maximum total throughput rate of 50 Gbps. The total throughput across all of your VM disks should not exceed this limit.

For more information, see Virtual machine sizes.

Disk encryption sets

There's a limitation of 1000 disk encryption sets per region, per subscription. For more information, see the encryption documentation for Linux or Windows virtual machines. If you need to increase the quota, contact Azure support.

Managed virtual machine disks

Standard HDD managed disks

Standard Disk Type	S4	S6	S10	S15	S20	S30	S40	S50	S60	S70	S80
Disk size in GiB	32	64	128	256	512	1,024	2,048	4,096	8,192	16,384	32,767
IOPS per disk	Up to 500	Up to 500	Up to 500	Up to 500	Up to 500	Up to 500	Up to 500	Up to 500	Up to 1,300	Up to 2,000	Up to 2,000
Throughput per disk	Up to 60 MB/sec	Up to 60 MB/sec	Up to 60 MB/sec	Up to 60 MB/sec	Up to 60 MB/sec	Up to 60 MB/sec	Up to 60 MB/sec	Up to 60 MB/sec	Up to 300 MB/sec	Up to 500 MB/sec	Up to 500 MB/sec

Standard SSD managed disks

Standard SSD sizes	E1	E2	E3	E4	E6	E10	E15	E20	E30	E40	E50	E60	E70	E80
Disk size in GiB	4	8	16	32	64	128	256	512	1,024	2,048	4,096	8,192	16,384	32,767
IOPS per disk	Up to 500	Up to 500	Up to 500	Up to 500	Up to 500	Up to 500	Up to 500	Up to 500	Up to 500	Up to 500	Up to 500	Up to 2,000	Up to 4,000	Up to 6,000
Throughput per disk	Up to 60 MB/sec	Up to 60 MB/sec	Up to 60 MB/sec	Up to 60 MB/sec	Up to 60 MB/sec	Up to 60 MB/sec	Up to 60 MB/sec	Up to 60 MB/sec	Up to 60 MB/sec	Up to 60 MB/sec	Up to 60 MB/sec	Up to 400 MB/sec	Up to 600 MB/sec	Up to 750 MB/sec
Max burst IOPS per disk	600	600	600	600	600	600	600	600	1000
Max burst throughput per disk	150 MB/sec	150 MB/sec	150 MB/sec	150 MB/sec	150 MB/sec	150 MB/sec	150 MB/sec	150 MB/sec	250 MB/sec
Max burst duration	30 min	30 min	30 min	30 min	30 min	30 min	30 min	30 min	30 min

Premium SSD managed disks: Per-disk limits

Premium SSD sizes	P1	P2	P3	P4	P6	P10	P15	P20	P30	P40	P50	P60	P70	P80
Disk size in GiB	4	8	16	32	64	128	256	512	1,024	2,048	4,096	8,192	16,384	32,767
Provisioned IOPS per disk	120	120	120	120	240	500	1,100	2,300	5,000	7,500	7,500	16,000	18,000	20,000
Provisioned Throughput per disk	25 MB/sec	25 MB/sec	25 MB/sec	25 MB/sec	50 MB/sec	100 MB/sec	125 MB/sec	150 MB/sec	200 MB/sec	250 MB/sec	250 MB/sec	500 MB/sec	750 MB/sec	900 MB/sec
Max burst IOPS per disk	3,500	3,500	3,500	3,500	3,500	3,500	3,500	3,500	30,000*	30,000*	30,000*	30,000*	30,000*	30,000*
Max burst throughput per disk	170 MB/sec	170 MB/sec	170 MB/sec	170 MB/sec	170 MB/sec	170 MB/sec	170 MB/sec	170 MB/sec	1,000 MB/sec*	1,000 MB/sec*	1,000 MB/sec*	1,000 MB/sec*	1,000 MB/sec*	1,000 MB/sec*
Max burst duration	30 min	30 min	30 min	30 min	30 min	30 min	30 min	30 min	Unlimited*	Unlimited*	Unlimited*	Unlimited*	Unlimited*	Unlimited*
Eligible for reservation	No	No	No	No	No	No	No	No	Yes, up to one year	Yes, up to one year	Yes, up to one year	Yes, up to one year	Yes, up to one year	Yes, up to one year

*Applies only to disks with on-demand bursting enabled.

Premium SSD managed disks: Per-VM limits

Resource	Limit
Maximum IOPS Per VM	80,000 IOPS with GS5 VM
Maximum throughput per VM	2,000 MB/s with GS5 VM

Unmanaged virtual machine disks

Standard unmanaged virtual machine disks: Per-disk limits

VM tier	Basic tier VM	Standard tier VM
Disk size	4,095 GB	4,095 GB
Maximum 8-KB IOPS per persistent disk	300	500
Maximum number of disks that perform the maximum IOPS	66	40

Premium unmanaged virtual machine disks: Per-account limits

Resource	Limit
Total disk capacity per account	35 TB
Total snapshot capacity per account	10 TB
Maximum bandwidth per account (ingress + egress)1	<=50 Gbps

¹Ingress refers to all data from requests that are sent to a storage account. Egress refers to all data from responses that are received from a storage account.

Premium unmanaged virtual machine disks: Per-disk limits

Premium storage disk type	P10	P20	P30	P40	P50
Disk size	128 GiB	512 GiB	1,024 GiB (1 TB)	2,048 GiB (2 TB)	4,095 GiB (4 TB)
Maximum IOPS per disk	500	2,300	5,000	7,500	7,500
Maximum throughput per disk	100 MB/sec	150 MB/sec	200 MB/sec	250 MB/sec	250 MB/sec
Maximum number of disks per storage account	280	70	35	17	8

Premium unmanaged virtual machine disks: Per-VM limits

Resource	Limit
Maximum IOPS per VM	80,000 IOPS with GS5 VM
Maximum throughput per VM	2,000 MB/sec with GS5 VM

StorSimple System limits

Limit identifier	Limit	Comments
Maximum number of storage account credentials	64
Maximum number of volume containers	64
Maximum number of volumes	255
Maximum number of schedules per bandwidth template	168	A schedule for every hour, every day of the week.
Maximum size of a tiered volume on physical devices	64 TB for StorSimple 8100 and StorSimple 8600	StorSimple 8100 and StorSimple 8600 are physical devices.
Maximum size of a tiered volume on virtual devices in Azure	30 TB for StorSimple 8010 64 TB for StorSimple 8020	StorSimple 8010 and StorSimple 8020 are virtual devices in Azure that use Standard storage and Premium storage, respectively.
Maximum size of a locally pinned volume on physical devices	9 TB for StorSimple 8100 24 TB for StorSimple 8600	StorSimple 8100 and StorSimple 8600 are physical devices.
Maximum number of iSCSI connections	512
Maximum number of iSCSI connections from initiators	512
Maximum number of access control records per device	64
Maximum number of volumes per backup policy	24
Maximum number of backups retained per backup policy	64
Maximum number of schedules per backup policy	10
Maximum number of snapshots of any type that can be retained per volume	256	This amount includes local snapshots and cloud snapshots.
Maximum number of snapshots that can be present in any device	10,000
Maximum number of volumes that can be processed in parallel for backup, restore, or clone	16	If there are more than 16 volumes, they're processed sequentially as processing slots become available. New backups of a cloned or a restored tiered volume can't occur until the operation is finished. For a local volume, backups are allowed after the volume is online.
Restore and clone recover time for tiered volumes	<2 minutes	The volume is made available within 2 minutes of a restore or clone operation, regardless of the volume size. The volume performance might initially be slower than normal as most of the data and metadata still resides in the cloud. Performance might increase as data flows from the cloud to the StorSimple device. The total time to download metadata depends on the allocated volume size. Metadata is automatically brought into the device in the background at the rate of 5 minutes per TB of allocated volume data. This rate might be affected by Internet bandwidth to the cloud. The restore or clone operation is complete when all the metadata is on the device. Backup operations can't be performed until the restore or clone operation is fully complete.
Restore recover time for locally pinned volumes	<2 minutes	The volume is made available within 2 minutes of the restore operation, regardless of the volume size. The volume performance might initially be slower than normal as most of the data and metadata still resides in the cloud. Performance might increase as data flows from the cloud to the StorSimple device. The total time to download metadata depends on the allocated volume size. Metadata is automatically brought into the device in the background at the rate of 5 minutes per TB of allocated volume data. This rate might be affected by Internet bandwidth to the cloud. Unlike tiered volumes, if there are locally pinned volumes, the volume data is also downloaded locally on the device. The restore operation is complete when all the volume data has been brought to the device. The restore operations might be long and the total time to complete the restore will depend on the size of the provisioned local volume, your Internet bandwidth, and the existing data on the device. Backup operations on the locally pinned volume are allowed while the restore operation is in progress.
Thin-restore availability	Last failover
Maximum client read/write throughput, when served from the SSD tier*	920/720 MB/sec with a single 10-gigabit Ethernet network interface	Up to two times with MPIO and two network interfaces.
Maximum client read/write throughput, when served from the HDD tier*	120/250 MB/sec
Maximum client read/write throughput, when served from the cloud tier*	11/41 MB/sec	Read throughput depends on clients generating and maintaining sufficient I/O queue depth.

*Maximum throughput per I/O type was measured with 100 percent read and 100 percent write scenarios. Actual throughput might be lower and depends on I/O mix and network conditions.

Stream Analytics limits

---

Limit identifier	Limit	Comments
Maximum number of streaming units per subscription per region	500	To request an increase in streaming units for your subscription beyond 500, contact Microsoft Support.
Maximum number of inputs per job	60	There's a hard limit of 60 inputs per Azure Stream Analytics job.
Maximum number of outputs per job	60	There's a hard limit of 60 outputs per Stream Analytics job.
Maximum number of functions per job	60	There's a hard limit of 60 functions per Stream Analytics job.
Maximum number of streaming units per job	396	There's a hard limit of 396 streaming units per Stream Analytics job.
Maximum number of jobs per region	1,500	Each subscription can have up to 1,500 jobs per geographical region.
Reference data blob MB	5 GB	Up to 5 GB when using 6 SUs or more.
Maximum number of characters in a query	512000	There's a hard limit of 512k characters in an Azure Stream Analytics job query.

Virtual Machines limits

Virtual Machines limits

Resource	Limit
Virtual machines per cloud service 1	50
Input endpoints per cloud service 2	150

¹ Virtual machines created by using the classic deployment model instead of Azure Resource Manager are automatically stored in a cloud service. You can add more virtual machines to that cloud service for load balancing and availability.

² Input endpoints allow communications to a virtual machine from outside the virtual machine's cloud service. Virtual machines in the same cloud service or virtual network can automatically communicate with each other.

Virtual Machines limits - Azure Resource Manager

The following limits apply when you use Azure Resource Manager and Azure resource groups.

Resource	Limit
VMs per subscription	25,0001 per region.
VM total cores per subscription	201 per region. Contact support to increase limit.
Azure Spot VM total cores per subscription	201 per region. Contact support to increase limit.
VM per series, such as Dv2 and F, cores per subscription	201 per region. Contact support to increase limit.
Availability sets per subscription	2,500 per region.
Virtual machines per availability set	200
Proximity placement groups per resource group	800
Certificates per availability set	1992
Certificates per subscription	Unlimited3

¹ Default limits vary by offer category type, such as Free Trial and Pay-As-You-Go, and by series, such as Dv2, F, and G. For example, the default for Enterprise Agreement subscriptions is 350. For security, subscriptions default to 20 cores to prevent large core deployments. If you need more cores, submit a support ticket.

² Properties such as SSH public keys are also pushed as certificates and count towards this limit. To bypass this limit, use the Azure Key Vault extension for Windows or the Azure Key Vault extension for Linux to install certificates.

³ With Azure Resource Manager, certificates are stored in the Azure Key Vault. The number of certificates is unlimited for a subscription. There's a 1-MB limit of certificates per deployment, which consists of either a single VM or an availability set.

Note

Virtual machine cores have a regional total limit. They also have a limit for regional per-size series, such as Dv2 and F. These limits are separately enforced. For example, consider a subscription with a US East total VM core limit of 30, an A series core limit of 30, and a D series core limit of 30. This subscription can deploy 30 A1 VMs, or 30 D1 VMs, or a combination of the two not to exceed a total of 30 cores. An example of a combination is 10 A1 VMs and 20 D1 VMs.

Compute Gallery limits

There are limits, per subscription, for deploying resources using Compute Galleries:

• 100 compute galleries, per subscription, per region
• 1,000 image definitions, per subscription, per region
• 10,000 image versions, per subscription, per region

Virtual machine scale sets limits

Resource	Limit
Maximum number of VMs in a scale set	1,000
Maximum number of VMs based on a custom VM image in a scale set	600
Maximum number of scale sets in a region	2,500
Maximum number of nodes supported in VMSS for IB cluster	100

See also

• Understand Azure limits and increases
• Virtual machine and cloud service sizes for Azure
• Sizes for Azure Cloud Services
• Naming rules and restrictions for Azure resources