Known Limits and Service Quotas - Amazon EKS

Known Limits and Service Quotas

Amazon EKS can be used for a variety of workloads and can interact with a wide range of AWS services, and we have seen customer workloads encounter a similar range of AWS service quotas and other issues that hamper scalability.

Your AWS account has default quotas (an upper limit on the number of each AWS resource your team can request). Each AWS service defines their own quota, and quotas are generally region-specific. You can request increases for some quotas (soft limits), and other quotas cannot be increased (hard limits). You should consider these values when architecting your applications. Consider reviewing these service limits periodically and incorporate them during in your application design.

You can review the usage in your account and open a quota increase request at the AWS Service Quotas console, or using the AWS CLI. Refer to the AWS documentation from the respective AWS Service for more details on the Service Quotas and any further restrictions or notices on their increase.

Note

Amazon EKS Service Quotas lists the service quotas and has links to request increases where available.

Other AWS Service Quotas

We have seen EKS customers impacted by the quotas listed below for other AWS services. Some of these may only apply to specific use cases or configurations, however you may consider if your solution will encounter any of these as it scales. The Quotas are organized by Service and each Quota has an ID in the format of L-XXXXXXXX you can use to look it up in the AWS Service Quotas console

Service Quota (L-xxxxx) Impact ID (L-xxxxx) default

IAM

Roles per account

Can limit the number of clusters or IRSA roles in an account.

L-FE177D64

1,000

IAM

OpenId connect providers per account

Can limit the number of Clusters per account, OpenID Connect is used by IRSA

L-858F3967

100

IAM

Role trust policy length

Can limit the number of of clusters an IAM role is associated with for IRSA

L-C07B4B0D

2,048

VPC

Security groups per network interface

Can limit the control or connectivity of the networking for your cluster

L-2AFB9258

5

VPC

IPv4 CIDR blocks per VPC

Can limit the number of EKS Worker Nodes

L-83CA0A9D

5

VPC

Routes per route table

Can limit the control or connectivity of the networking for your cluster

L-93826ACB

50

VPC

Active VPC peering connections per VPC

Can limit the control or connectivity of the networking for your cluster

L-7E9ECCDB

50

VPC

Inbound or outbound rules per security group.

Can limit the control or connectivity of the networking for your cluster, some controllers in EKS create new rules

L-0EA8095F

50

VPC

VPCs per Region

Can limit the number of Clusters per account or the control or connectivity of the networking for your cluster

L-F678F1CE

5

VPC

Internet gateways per Region

Can limit the number of Clusters per account or the control or connectivity of the networking for your cluster

L-A4707A72

5

VPC

Network interfaces per Region

Can limit the number of EKS Worker nodes, or Impact EKS control plane scaling/update activities.

L-DF5E4CA3

5,000

VPC

Network Address Usage

Can limit the number of Clusters per account or the control or connectivity of the networking for your cluster

L-BB24F6E5

64,000

VPC

Peered Network Address Usage

Can limit the number of Clusters per account or the control or connectivity of the networking for your cluster

L-CD17FD4B

128,000

ELB

Listeners per Network Load Balancer

Can limit the control of traffic ingress to the cluster.

L-57A373D6

50

ELB

Target Groups per Region

Can limit the control of traffic ingress to the cluster.

L-B22855CB

3,000

ELB

Targets per Application Load Balancer

Can limit the control of traffic ingress to the cluster.

L-7E6692B2

1,000

ELB

Targets per Network Load Balancer

Can limit the control of traffic ingress to the cluster.

L-EEF1AD04

3,000

ELB

Targets per Availability Zone per Network Load Balancer

Can limit the control of traffic ingress to the cluster.

L-B211E961

500

ELB

Targets per Target Group per Region

Can limit the control of traffic ingress to the cluster.

L-A0D0B863

1,000

ELB

Application Load Balancers per Region

Can limit the control of traffic ingress to the cluster.

L-53DA6B97

50

ELB

Classic Load Balancers per Region

Can limit the control of traffic ingress to the cluster.

L-E9E9831D

20

ELB

Network Load Balancers per Region

Can limit the control of traffic ingress to the cluster.

L-69A177A2

50

EC2

Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances (as a maximum vCPU count)

Can limit the number of EKS Worker Nodes

L-1216C47A

5

EC2

All Standard (A, C, D, H, I, M, R, T, Z) Spot Instance Requests (as a maximum vCPU count)

Can limit the number of EKS Worker Nodes

L-34B43A08

5

EC2

EC2-VPC Elastic IPs

Can limit the number of NAT GWs (and thus VPCs), which may limit the number of clusters in a region

L-0263D0A3

5

EBS

Snapshots per Region

Can limit the backup strategy for stateful workloads

L-309BACF6

100,000

EBS

Storage for General Purpose SSD (gp3) volumes, in TiB

Can limit the number of EKS Worker Nodes, or PersistentVolume storage

L-7A658B76

50

EBS

Storage for General Purpose SSD (gp2) volumes, in TiB

Can limit the number of EKS Worker Nodes, or PersistentVolume storage

L-D18FCD1D

50

ECR

Registered repositories

Can limit the number of workloads in your clusters

L-CFEB8E8D

10,000

ECR

Images per repository

Can limit the number of workloads in your clusters

L-03A36CE1

10,000

SecretsManager

Secrets per Region

Can limit the number of workloads in your clusters

L-2F66C23C

500,000

AWS Request Throttling

AWS services also implement request throttling to ensure that they remain performant and available for all customers. Simliar to Service Quotas, each AWS service maintains their own request throttling thresholds. Consider reviewing the respective AWS Service documentation if your workloads will need to quickly issue a large number of API calls or if you notice request throttling errors in your application.

EC2 API requests around provisioning EC2 network interfaces or IP addresses can encounter request throttling in large clusters or when clusters scale drastically. The table below shows some of the API actions that we have seen customers encounter request throttling from. You can review the EC2 rate limit defaults and the steps to request a rate limit increase in the EC2 documentation on Rate Throttling.

Mutating Actions Read-only Actions

AssignPrivateIpAddresses

DescribeDhcpOptions

AttachNetworkInterface

DescribeInstances

CreateNetworkInterface

DescribeNetworkInterfaces

DeleteNetworkInterface

DescribeSecurityGroups

DeleteTags

DescribeTags

DetachNetworkInterface

DescribeVpcs

ModifyNetworkInterfaceAttribute

DescribeVolumes

UnassignPrivateIpAddresses

Other Known Limits

📝 Edit this page on GitHub