When I was implementing some services in Azure, I came across some issues related to some limitations. I wasn’t aware of some of them but I used this list below to see the big picture. There are other limitations in the list but these are the most frequently requested. If you are close to default limits you can definitely give Microsoft a ring and they will give you option above the default but not the maximum value.

Subscription Limits

Subscription Limits

Resource Default Limit Maximum Limit
Cores per subscription 1 20 10,000
Co-administrators per subscription 200 200
Storage accounts per subscription 100 100
Cloud services per subscription 20 200
Local networks per subscription 10 500
SQL Database servers per subscription 6 150
DNS servers per subscription 9 100
Reserved IPs per subscription 20 100
ExpressRoute dedicated circuits per subscription 10 25
Hosted service certificates per subscription 400 400
Affinity groups per subscription 256 256
Batch accounts per region per subscription 1 50
Alert rules per subscription 250 250

1Extra Small instances count as one core towards the core limit despite using a partial core.

Subscription Limits – Azure Resource Manager

The following limits apply when using the Azure Resource Manager and Azure Resource Groups. Limits that have not changed with the Azure Resource Manager are not listed below. Please refer to the previous table for those limits.

Resource Default Limit Maximum Limit
VMs per subscription 201 per Region 10,000 per Region
Co-administrators per subscription Unlimited Unlimited
Storage accounts per subscription 100 1002
Resource Groups per subscription 800 800
Availability Sets per subscription 2000 per Region 2000 per Region
Resource Manager API Reads 15000 per hour 15000 per hour
Resource Manager API Writes 1200 per hour 1200 per hour
Resource Manager API request size 4194304 bytes 4194304 bytes
Cloud services per subscription Deprecated3 Deprecated3
Affinity groups per subscription Deprecated3 Deprecated3

1Default limits vary by offer Category Type, such as Free Trial, Pay-As-You-Go, etc.

2Limit can be increased by contacting support.

3These features are no longer required with Azure Resource Groups and the Azure Resource Manager.

Resource Group Limits

Resource Default Limit Maximum Limit
Resources per resource group (per resource type) 800 800
Deployments per resource group 800 800
Resources per deployment 800 800
Management Locks (per unique scope) 20 20
Number of Tags (per resource or resource group) 15 15
Tag key length 512 512
Tag value length 256 256

Virtual Machines Limits

Virtual Machine Limits

Resource Default Limit Maximum Limit
Virtual machines per cloud service1 50 50
Input endpoints per cloud service2 150 150

1Virtual machines created in Service Management (instead of Resource Manager) are automatically stored in a cloud service. You can add more virtual machines to that cloud service for load balancing and availability.

2Input endpoints allow communications to a virtual machine from outside the virtual machine’s cloud service. Virtual machines in the same cloud service or virtual network can automatically communicate with each other.

Virtual Machines Limits – Azure Resource Manager

The following limits apply when using the Azure Resource Manager and Azure Resource Groups. Limits that have not changed with the Azure Resource Manager are not listed below. Please refer to the previous table for those limits.

Resource Default Limit
Virtual machines per availability set 100
Certificates per subscription Unlimited1

1With Azure Resource Manager, certificates are stored in the Azure Key Vault. Although the number of certificates is unlimited for a subscription, there is still a 1 MB limit of certificates per deployment (which consists of either a single VM or an availability set).

Networking Limits

ExpressRoute Limits

The following limits apply to ExpressRoute resources per subscription.

Resource Default Limit
ExpressRoute circuits per subscription 10
ExpressRoute circuits per region per subscription for ARM 10
Maximum number of routes for Azure private peering with ExpressRoute standard 4,000
Maximum number of routes for Azure private peering with ExpressRoute premium add-on 10,000
Maximum number of routes for Azure public peering with ExpressRoute standard 200
Maximum number of routes for Azure public peering with ExpressRoute premium add-on 200
Maximum number of routes for Azure Microsoft peering with ExpressRoute standard 200
Maximum number of routes for Azure Microsoft peering with ExpressRoute premium add-on 200
Number of virtual network links allowed per ExpressRoute circuit see table below

Number of Virtual Networks per ExpressRoute circuit

Circuit Size Number of VNet links for standard Number of VNet Links with Premium add-on
10 Mbps 10 Not Supported
50 Mbps 10 20
100 Mbps 10 25
200 Mbps 10 25
500 Mbps 10 40
1 Gbps 10 50
2 Gbps 10 60
5 Gbps 10 75
10 Gbps 10 100

Networking Limits

The following limits apply only for networking resources managed through the classic deployment model per subscription.

Resource Default limit Maximum limit
Virtual networks per subscription 50 100
Local network sites per virtual network 20 contact support
DNS Servers per virtual network 20 100
Virtual machines and role instances per virtual network 2048 2048
Concurrent TCP connections for a virtual machine or role instance 500K 500K
Network Security Groups (NSG) 100 200
NSG rules per NSG 200 400
User defined route tables 100 200
User defined routes per route table 100 500
Public IP addresses (dynamic) 5 contact support
Reserved public IP addresses 20 contact support
Public VIP per deployment 5 contact support
Private VIP (ILB) per deployment 1 1
Endpoint Access Control Lists (ACLs) 50 50

Networking Limits – Azure Resource Manager

The following limits apply only for networking resources managed through Azure Resource Manager per region per subscription.

Resource Default limit Maximum Limit
Virtual networks per subscription 50 500
DNS Servers per virtual network 9 25
Virtual machines and role instances per virtual network 2048 2048
Concurrent TCP connections for a virtual machine or role instance 500K 500K
Network Interfaces (NIC) 300 1000
Network Security Groups (NSG) 100 400
NSG rules per NSG 200 500
User defined route tables 100 400
User defined routes per route table 100 500
Public IP addresses (dynamic) 60 contact support
Reserved public IP addresses 20 contact support
Load balancers (internal and internet facing) 100 contact support
Load balancer rules per load balancer 150 150
Public front end IP per load balancer 5 contact support
Private front end IP per load balancer 1 contact support
Application gateways 50 50

Contact support in case you need to increase limits from default.

Traffic Manager Limits

Resource Default limit
Profiles per subscription 100 1
Endpoints per profile 200

1Contact support in case you need to increase these limits.

DNS Limits

Resource Default limit
Zones per subscription 50 1
Record sets per zone 1000 1
Records per record set 20

1 Contact support in case you need to increase these limits. The Azure DNS service is currently in Preview. These limits will be reviewed when the service reaches General Availability.

Storage Limits

Storage Service Limits

Resource Default Limit
Max number of storage accounts per subscription 1001
TB per storage account 500 TB
Max number of blob containers, blobs, file shares, tables, queues, entities, or messages per storage account Only limit is the 500 TB storage account capacity
Max size of a single blob container, table, or queue 500 TB
Max number of blocks in a block blob or append blob 50,000
Max size of a block in a block blob or append blob 4 MB
Max size of a block blob or append blob 50,000 X 4 MB (approx. 195 GB)
Max size of a page blob 1 TB
Max size of a table entity 1 MB
Max number of properties in a table entity 252
Max size of a message in a queue 64 KB
Max size of a file share 5 TB
Max size of a file in a file share 1 TB
Max number of files in a file share Only limit is the 5 TB total capacity of the file share
Max 8 KB IOPS per share 1000
Max number of files in a file share Only limit is the 5 TB total capacity of the file share
Max number of blob containers, blobs, file shares, tables, queues, entities, or messages per storage account Only limit is the 500 TB storage account capacity
Max number of stored access policies per container, file share, table, or queue 5
Total Request Rate (assuming 1KB object size) per storage account Up to 20,000 IOPS, entities per second, or messages per second
Target throughput for single blob Up to 60 MB per second, or up to 500 requests per second
Target throughput for single queue (1 KB messages) Up to 2000 messages per second
Target throughput for single table partition (1 KB entities) Up to 2000 entities per second
Target throughput for single file share Up to 60 MB per second
Max ingress2 per storage account (US Regions) 10 Gbps if GRS/ZRS3 enabled, 20 Gbps for LRS
Max egress2 per storage account (US Regions) 20 Gbps if RA-GRS/GRS/ZRS3 enabled, 30 Gbps for LRS
Max ingress2 per storage account (European and Asian Regions) 5 Gbps if GRS/ZRS3 enabled, 10 Gbps for LRS
Max egress2 per storage account (European and Asian Regions) 10 Gbps if RA-GRS/GRS/ZRS3 enabled, 15 Gbps for LRS

1If you require more than 100 storage accounts, contact Azure Support for assistance.

2Ingress refers to all data (requests) being sent to a storage account. Egress refers to all data (responses) being received from a storage account.

3Azure Storage replication options include:

  • RA-GRS: Read-access geo-redundant storage. If RA-GRS is enabled, egress targets for the secondary location are identical to those for the primary location.
  • GRS: Geo-redundant storage.
  • ZRS: Zone-redundant storage. Available only for block blobs.
  • LRS: Locally redundant storage.

Virtual Machine Disk Limits

An Azure virtual machine supports attaching a number of data disks. For optimal performance, you will want to limit the number of highly utilized disks attached to the virtual machine to avoid possible throttling. If all disks are not being highly utilized at the same time, the storage account can support a larger number disks.

  • For standard storage accounts: A standard storage account has a maximum total request rate of 20,000 IOPS. The total IOPS across all of your virtual machine disks in a standard storage account should not exceed this limit.You can roughly calculate the number of highly utilized disks supported by a single standard storage account based on the request rate limit. For example, for a Basic Tier VM, the maximum number of highly utilized disks is about 66 (20,000/300 IOPS per disk), and for a Standard Tier VM, it is about 40 (20,000/500 IOPS per disk), as shown in the table below.
  • For premium storage accounts: A premium storage account has a maximum total throughput rate of 50 Gbps. The total throughput across all of your VM disks should not exceed this limit.

Standard storage accounts

Virtual machine disks: per disk limits

VM Tier Basic Tier VM Standard Tier VM
Disk size 1023 GB 1023 GB
Max 8 KB IOPS per persistent disk 300 500
Max number of highly utilized disks 66 40

Premium storage accounts

Virtual machine disks: per account limits

Resource Default Limit
Total disk capacity per account 35 TB
Total snapshot capacity per account 10 TB
Max bandwidth per account (ingress + egress1) <=50 Gbps

1Ingress refers to all data (requests) being sent to a storage account. Egress refers to all data (responses) being received from a storage account.

Virtual machine disks: per disk limits

Premium Storage Disk Type P10 P20 P30
Disk size 128 GiB 512 GiB 1024 GiB (1 TB)
Max IOPS per disk 500 2300 5000
Max throughput per disk 100 MB per second 150 MB per second 200 MB per second
Max number of highly utilized disks 62 41 31

Storage Resource Provider Limits

The following limits apply when using the Azure Resource Manager and Azure Resource Groups only.

Resource Default Limit
Storage account management operations (read) 800 per 5 minutes
Storage account management operations (write) 200 per hour
Storage account management operations (list) 100 per 5 minutes

Cloud Services Limits

Resource Default Limit Maximum Limit
Web/worker roles per deployment1 25 25
Instance Input Endpoints per deployment 25 25
Input Endpoints per deployment 25 25
Internal Endpoints per deployment 25 25

1Each Cloud Service with Web/Worker roles can have two deployments, one for production and one for staging. Also note that this limit refers to the number of distinct roles (configuration) and not the number of instances per role (scaling).

Active Directory Limits

Here are the usage constraints and other service limits for the Azure Active Directory service.

Category Limits
Directories A single user can only be associated with a maximum of 20 Azure Active Directory directories.
Examples of possible combinations:

  • A single user creates 20 directories.
  • A single user is added to 20 directories as a member.
  • A single user creates 10 directories and later is added by others to 10 different directories.
Objects
  • A maximum of 500,000 objects can be used in a single directory by users of the Free edition of Azure Active Directory.
  • A non-admin user can create no more than 250 objects.
Schema extensions
  • String type extensions can have maximum of 256 characters.
  • Binary type extensions are limited to 256 bytes.
  • 100 extension values (across ALL types and ALL applications) can be written to any single object.
  • Only “User”, “Group”, “TenantDetail”, “Device”, “Application” and “ServicePrincipal” entities can be extended with “String” type or “Binary” type single-valued attributes.
  • Schema extensions are available only in Graph API-version 1.21-preview. The application must be granted write access to register an extension.
Applications A maximum of 10 users can be owners of a single application.
Groups
  • A maximum of 10 users can be owners of a single group.
  • Any number of objects can be members of a single group in Azure Active Directory.
  • The number of members in a group you can synchronize from your on-premises Active Directory to Azure Active Directory is limited to 15K members, using Azure Active Directory Directory Synchronization (DirSync).
  • The number of members in a group you can synchronize from your on-premises Active Directory to Azure Active Directory using Azure AD Connect is limited to 50K members.
Access Panel
  • There is no limit to the number of applications that can be seen in the Access Panel per end user, for users assigned licenses for Azure AD Premium or the Enterprise Mobility Suite.
  • A maximum of 10 app tiles (examples: Box, Salesforce, or Dropbox) can be seen in the Access Panel for each end user for users assigned licenses for Free or Azure AD Basic editions of Azure Active Directory. This limit does not apply to Administrator accounts.
Reports A maximum of 1,000 rows can be viewed or downloaded in any report. Any additional data is truncated.

Multi-Factor Authentication

Resource Default Limit Maximum Limit
Max number of Trusted IP addresses/ranges per subscription1 0 12
Remember my devices – number of days 14 60
Max number of app passwords? 0 No Limit
Allow X attempts during MFA call 1 99
Two-way Text message Timeout Seconds 60 600
Default one-time bypass seconds 300 1800
Lock user account after X consecutive MFA denials Not Set 99
Reset account lockout counter after X minutes Not Set 9999
Unlock account after X minutes Not Set 9999

1This is expected to increase in the future…

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s