REL01-BP04 Monitor and manage quotas

Evaluate your potential usage and increase your quotas appropriately, allowing for planned growth in usage.

Desired outcome: Active and automated systems that manage and monitor have been deployed. These operations solutions ensure that quota usage thresholds are nearing being reached. These would be proactively remediated by requested quota changes.

Common anti-patterns:

• Not configuring monitoring to check for service quota thresholds

• Not configuring monitoring for hard limits, even though those values cannot be changed.

• Assuming that amount of time required to request and secure a soft quota change is immediate or a short period.

• Configuring alarms for when service quotas are being approached, but having no process on how to respond to an alert.

• Only configuring alarms for services supported by AWS Service Quotas and not monitoring other AWS services.

• Not considering quota management for multiple Region resiliency designs, like active/active, active/passive – hot, active/passive - cold, and active/passive - pilot light approaches.

• Not assessing quota differences between Regions.

• Not assessing the needs in every Region for a specific quota increase request.

• Not leveraging templates for multi-Region quota management.

Benefits of establishing this best practice: Automatic tracking of the AWS Service Quotas and monitoring your usage against those quotas will allow you to see when you are approaching a quota limit. You can also use this monitoring data to help limit any degradations due to quota exhaustion.

Level of risk exposed if this best practice is not established: Medium

Implementation guidance

For supported services, you can monitor your quotas by configuring various different services that can assess and then send alerts or alarms. This can aid in monitoring usage and can alert you to approaching quotas. These alarms can be invoked from AWS Config, Lambda functions, Amazon CloudWatch, or from AWS Trusted Advisor. You can also use metric filters on CloudWatch Logs to search and extract patterns in logs to determine if usage is approaching quota thresholds.

Implementation steps

For monitoring:

• Capture current resource consumption (for example, buckets or instances). Use service API operations, such as the Amazon EC2 DescribeInstances API, to collect current resource consumption.

• Capture your current quotas that are essential and applicable to the services using:

  • AWS Service Quotas

  • AWS Trusted Advisor

  • AWS documentation

  • AWS service-specific pages

  • AWS Command Line Interface (AWS CLI)

  • AWS Cloud Development Kit (AWS CDK)

• Use AWS Service Quotas, an AWS service that helps you manage your quotas for over 250 AWS services from one location.

• Use Trusted Advisor service limits to monitor your current service limits at various thresholds.

• Use the service quota history (console or AWS CLI) to check on regional increases.

• Compare service quota changes in each Region and each account to create equivalency, if required.

For management:

• Automated: Set up an AWS Config custom rule to scan service quotas across Regions and compare for differences.

• Automated: Set up a scheduled Lambda function to scan service quotas across Regions and compare for differences.

• Manual: Scan services quota through AWS CLI, API, or AWS Console to scan service quotas across Regions and compare for differences. Report the differences.

• If differences in quotas are identified between Regions, request a quota change, if required.

• Review the result of all requests.

Resources

Related best practices:

• REL01-BP01 Aware of service quotas and constraints

• REL01-BP02 Manage service quotas across accounts and regions

• REL01-BP03 Accommodate fixed service quotas and constraints through architecture

• REL01-BP05 Automate quota management

• REL01-BP06 Ensure that a sufficient gap exists between the current quotas and the maximum usage to accommodate failover

• REL03-BP01 Choose how to segment your workload

• REL10-BP01 Deploy the workload to multiple locations

• REL11-BP01 Monitor all components of the workload to detect failures

• REL11-BP03 Automate healing on all layers

• REL12-BP05 Test resiliency using chaos engineering

Related documents:

• AWS Well-Architected Framework’s Reliability Pillar: Availability

• AWS Service Quotas (formerly referred to as service limits)

• AWS Trusted Advisor Best Practice Checks (see the Service Limits section)

• AWS limit monitor on AWS answers

• Amazon EC2 Service Limits

• What is Service Quotas?

• How to Request Quota Increase

• Service endpoints and quotas

• Service Quotas User Guide

• Quota Monitor for AWS

• AWS Fault Isolation Boundaries

• Availability with redundancy

• AWS for Data

• What is Continuous Integration?

• What is Continuous Delivery?

• APN Partner: partners that can help with configuration management

• Managing the account lifecycle in account-per-tenant SaaS environments on AWS

• Managing and monitoring API throttling in your workloads

• View AWS Trusted Advisor recommendations at scale with AWS Organizations

• Automating Service Limit Increases and Enterprise Support with AWS Control Tower

• Actions, resources, and condition keys for Service Quotas

Related videos:

• AWS Live re:Inforce 2019 - Service Quotas

• View and Manage Quotas for AWS Services Using Service Quotas

• AWS IAM Quotas Demo

• AWS re:Invent 2018: Close Loops and Opening Minds: How to Take Control of Systems, Big and Small

Related tools:

• AWS CodeDeploy

• AWS CloudTrail

• Amazon CloudWatch

• Amazon EventBridge

• Amazon DevOps Guru

• AWS Config

• AWS Trusted Advisor

• AWS CDK

• AWS Systems Manager

• AWS Marketplace