REL01-BP03 Accommodate fixed service quotas and constraints through architecture

Be aware of unchangeable service quotas, service constraints, and physical resource limits. Design architectures for applications and services to prevent these limits from impacting reliability.

Examples include network bandwidth, serverless function invocation payload size, throttle burst rate for of an API gateway, and concurrent user connections to a database.

Desired outcome: The application or service performs as expected under normal and high traffic conditions. They have been designed to work within the limitations for that resource’s fixed constraints or service quotas.

Common anti-patterns:

• Choosing a design that uses a resource of a service, unaware that there are design constraints that will cause this design to fail as you scale.

• Performing benchmarking that is unrealistic and will reach service fixed quotas during the testing. For example, running tests at a burst limit but for an extended amount of time.

• Choosing a design that cannot scale or be modified if fixed service quotas are to be exceeded. For example, an SQS payload size of 256KB.

• Observability has not been designed and implemented to monitor and alert on thresholds for service quotas that might be at risk during high traffic events

Benefits of establishing this best practice: Verifying that the application will run under all projected services load levels without disruption or degradation.

Level of risk exposed if this best practice is not established: Medium

Implementation guidance

Unlike soft service quotas or resources that be replaced with higher capacity units, AWS services’ fixed quotas cannot be changed. This means that all these type of AWS services must be evaluated for potential hard capacity limits when used in an application design.

Hard limits are show in the Service Quotas console. If the columns shows ADJUSTABLE = No, the service has a hard limit. Hard limits are also shown in some resources configuration pages. For example, Lambda has specific hard limits that cannot be adjusted.

As an example, when designing a python application to run in a Lambda function, the application should be evaluated to determine if there is any chance of Lambda running longer than 15 minutes. If the code may run more than this service quota limit, alternate technologies or designs must be considered. If this limit is reached after production deployment, the application will suffer degradation and disruption until it can be remediated. Unlike soft quotas, there is no method to change to these limits even under emergency Severity 1 events.

Once the application has been deployed to a testing environment, strategies should be used to find if any hard limits can be reached. Stress testing, load testing, and chaos testing should be part of the introduction test plan.

Implementation steps

• Review the complete list of AWS services that could be used in the application design phase.

• Review the soft quota limits and hard quota limits for all these services. Not all limits are shown in the Service Quotas console. Some services describe these limits in alternate locations.

• As you design your application, review your workload’s business and technology drivers, such as business outcomes, use case, dependent systems, availability targets, and disaster recovery objects. Let your business and technology drivers guide the process to identify the distributed system that is right for your workload.

• Analyze service load across Regions and accounts. Many hard limits are regionally based for services. However, some limits are account based.

• Analyze resilience architectures for resource usage during a zonal failure and Regional failure. In the progression of multi-Region designs using active/active, active/passive – hot, active/passive - cold, and active/passive - pilot light approaches, these failure cases will cause higher usage. This creates a potential use case for hitting hard limits.

Resources

Related best practices:

• REL01-BP01 Aware of service quotas and constraints

• REL01-BP02 Manage service quotas across accounts and regions

• REL01-BP04 Monitor and manage quotas

• REL01-BP05 Automate quota management

• REL01-BP06 Ensure that a sufficient gap exists between the current quotas and the maximum usage to accommodate failover

• REL03-BP01 Choose how to segment your workload

• REL10-BP01 Deploy the workload to multiple locations

• REL11-BP01 Monitor all components of the workload to detect failures

• REL11-BP03 Automate healing on all layers

• REL12-BP05 Test resiliency using chaos engineering

Related documents:

• AWS Well-Architected Framework’s Reliability Pillar: Availability

• AWS Service Quotas (formerly referred to as service limits)

• AWS Trusted Advisor Best Practice Checks (see the Service Limits section)

• AWS limit monitor on AWS answers

• Amazon EC2 Service Limits

• What is Service Quotas?

• How to Request Quota Increase

• Service endpoints and quotas

• Service Quotas User Guide

• Quota Monitor for AWS

• AWS Fault Isolation Boundaries

• Availability with redundancy

• AWS for Data

• What is Continuous Integration?

• What is Continuous Delivery?

• APN Partner: partners that can help with configuration management

• Managing the account lifecycle in account-per-tenant SaaS environments on AWS

• Managing and monitoring API throttling in your workloads

• View AWS Trusted Advisor recommendations at scale with AWS Organizations

• Automating Service Limit Increases and Enterprise Support with AWS Control Tower

• Actions, resources, and condition keys for Service Quotas

Related videos:

• AWS Live re:Inforce 2019 - Service Quotas

• View and Manage Quotas for AWS Services Using Service Quotas

• AWS IAM Quotas Demo

• AWS re:Invent 2018: Close Loops and Opening Minds: How to Take Control of Systems, Big and Small

Related tools:

• AWS CodeDeploy

• AWS CloudTrail

• Amazon CloudWatch

• Amazon EventBridge

• Amazon DevOps Guru

• AWS Config

• AWS Trusted Advisor

• AWS CDK

• AWS Systems Manager

• AWS Marketplace