Cloud Quotas and Limits
Cloud quota dan limit yang sering menjadi failure mode: service quota, API throttling, IP exhaustion, ENI limit, load balancer limit, target group limit, private endpoint limit, IAM policy size, secret size, request rate, log ingestion, quota increase process, dan monitoring.
Part 053 — Cloud Quotas and Limits
Target pembaca: Senior Java/JAX-RS backend engineer yang perlu memahami quota dan limit sebagai production failure mode, bukan sekadar angka administratif di console cloud.
Quota adalah batas kapasitas atau jumlah resource yang ditetapkan oleh cloud provider.
Limit adalah constraint teknis, operational, atau policy yang membatasi cara resource digunakan.
Di production, quota dan limit sering muncul sebagai gejala berikut:
new pods cannot start
load balancer cannot be created
private endpoint creation fails
SDK calls suddenly throttle
Terraform apply fails
new node cannot attach ENI
subnet runs out of IPs
logs are missing or delayed
secret/config update rejected
object storage upload fails intermittently
Masalahnya: gejala quota sering terlihat seperti bug aplikasi.
Backend engineer yang tidak mengenali quota akan mencari root cause di Java code, thread pool, database query, atau Kubernetes manifest, padahal failure terjadi di cloud control plane, network capacity, atau service-specific limit.
Part ini membangun mental model quota/limit untuk AWS dan Azure dari sudut pandang enterprise Java/JAX-RS system di EKS/AKS/hybrid.
1. Konsep inti
Cloud quota adalah guardrail yang membatasi konsumsi resource.
Quota bisa berlaku pada level:
organization / management group
account / subscription
region
availability zone
VPC / VNet
subnet
cluster
node
namespace
resource group
service
API operation
identity principal
Tidak semua quota sama.
Ada quota yang bisa dinaikkan, ada yang hard limit.
adjustable quota = bisa request increase
hard limit = tidak bisa dinaikkan
regional quota = berbeda per region
per-resource quota = berlaku per VPC/VNet/subnet/cluster
rate limit = batas request per waktu
capacity limit = batas resource yang tersedia
policy limit = dibatasi organisasi/platform/security
Senior engineer harus membedakan:
quota reached -> kapasitas administratif habis
limit reached -> constraint teknis/policy tidak bisa dilewati
throttling -> request rate terlalu tinggi
capacity shortage -> provider/region tidak punya capacity cukup
policy denial -> bukan quota, tetapi policy/security block
2. Kenapa quota ada
Quota ada karena cloud adalah shared platform.
Provider perlu:
- melindungi stabilitas service,
- mencegah runaway automation,
- membatasi blast radius salah konfigurasi,
- mengontrol kapasitas regional,
- mencegah abuse,
- memberi predictability untuk multi-tenant platform,
- memaksa customer melakukan capacity planning.
Bagi enterprise, quota juga menjadi governance mechanism:
prod can create only approved resource types
sandbox has smaller quotas
network accounts control peering/private endpoint count
central logging limits ingestion cost
CI/CD principal cannot create arbitrary high-cost resource
Quota bukan musuh. Quota adalah sinyal bahwa kapasitas perlu dikelola secara eksplisit.
3. Lifecycle quota dalam sistem production
Quota tidak hanya relevan saat resource dibuat.
Quota muncul sepanjang lifecycle:
architecture design
↓
capacity planning
↓
IaC plan/apply
↓
cluster scaling
↓
traffic growth
↓
incident surge
↓
DR/failover
↓
cleanup/decommission
Contoh failure lifecycle:
normal day:
30 nodes, 600 pods, subnet masih cukup
traffic spike:
autoscaler ingin tambah 20 nodes
cloud limit:
ENI/IP/subnet capacity tidak cukup
Kubernetes symptom:
pods Pending
application symptom:
Java service replicas tidak naik
business symptom:
quote submission latency naik
Jika quota tidak dimonitor sebelum scaling, autoscaling hanya menjadi ilusi.
4. AWS mental model
Di AWS, quota umumnya berada pada:
AWS account
region
service
VPC
subnet
resource type
API operation
Contoh area quota penting:
EC2 instances / vCPU
Elastic IP
VPC per region
subnet per VPC
route table entries
security group rules
ENI per instance type
load balancer count
target group count
NAT Gateway count
VPC endpoint count
IAM policy size
CloudWatch log ingestion
S3 request behavior
EKS cluster/node/network capacity
Service Quotas adalah tempat umum untuk melihat dan request quota increase.
Tetapi tidak semua limit terlihat lengkap di satu tempat. Beberapa limit hanya ada di dokumentasi service atau muncul sebagai error runtime.
5. Azure mental model
Di Azure, quota umumnya berada pada:
tenant
management group policy
subscription
region
resource provider
resource group
VNet/subnet
service SKU
API operation
Contoh area quota penting:
VM cores per region
public IP
load balancer rule
private endpoint
VNet/subnet capacity
NSG rule
route table route
managed disk
AKS node pool
Azure Monitor log ingestion
Key Vault throttling
Storage account request rate
Azure Resource Manager throttling
Azure memiliki subscription and service limits/quotas. Banyak quota bersifat per subscription dan per region.
Azure Resource Manager juga dapat melakukan throttling terhadap control-plane operation, sehingga automation yang terlalu agresif bisa gagal walau resource quota belum habis.
6. Quota vs autoscaling
Autoscaling tidak menghapus quota.
Autoscaling hanya meminta resource tambahan.
HPA scales pods
requires schedulable nodes
Cluster Autoscaler/Karpenter scales nodes
requires cloud capacity
requires vCPU quota
requires subnet IPs
requires ENI capacity
requires node group/VMSS ability
Load balancer controller creates targets
requires LB/target group/backend pool quota
Jika quota habis, autoscaler gagal secara valid.
Senior engineer harus membaca autoscaling sebagai control loop yang bergantung pada cloud quota.
7. API throttling
API throttling adalah rate limit pada cloud API atau service API.
Contoh:
Terraform creates too many resources at once
controller reconciles too aggressively
SDK retries too many times
CI/CD polls cloud API continuously
application performs high-rate secret/config lookup
application lists object storage keys too frequently
Dampak ke Java/JAX-RS:
HTTP 429
ThrottlingException
TooManyRequestsException
RequestLimitExceeded
retry storm
latency spike
thread pool saturation
connection pool exhaustion
partial operation failure
Throttling harus ditangani dengan:
bounded timeout
exponential backoff
jitter
retry budget
circuit breaker
cache
pagination
idempotency key
8. Control plane vs data plane limit
Quota bisa terjadi di control plane atau data plane.
control plane:
create load balancer
create private endpoint
attach policy
update route table
scale node pool
create secret
deploy resource via Terraform
data plane:
upload object
read secret
send message
write log
query database
call API endpoint
Failure control plane biasanya terlihat saat deploy, scale, atau incident mitigation.
Failure data plane terlihat saat aplikasi melayani traffic.
Keduanya harus dimonitor.
9. IP address exhaustion
IP exhaustion adalah salah satu quota-like failure paling umum di Kubernetes cloud networking.
Di EKS dengan VPC CNI, pod IP berasal dari VPC/subnet.
Di AKS dengan Azure CNI, pod IP bisa berasal dari VNet/subnet tergantung mode networking.
Jika subnet habis:
new pod cannot get IP
node cannot become useful
cluster autoscaling fails to add effective capacity
load balancer/backend integration can fail
private endpoint placement can fail
Symptom:
pods Pending
CNI error
failed to assign IP address
node has insufficient pod capacity
subnet address space exhausted
Debugging harus mulai dari:
subnet free IPs
node count
pod density
CNI mode
prefix delegation / overlay mode
reserved IPs
private endpoint consumption
10. ENI and node-level limits di EKS
Di AWS, Elastic Network Interface dan IP per ENI bergantung pada instance type.
Untuk EKS VPC CNI, ini berdampak langsung ke jumlah pod per node.
instance type
↓
max ENI
↓
IPs per ENI
↓
max pods per node
↓
cluster pod capacity
Failure mode:
node has CPU/memory but cannot host more pods
pods Pending karena IP capacity habis
Karpenter adds nodes but subnet capacity tetap habis
security groups for pods menambah ENI pressure
Correctness concern:
Jangan hanya melihat CPU/memory. Untuk EKS, IP/ENI adalah resource scheduling yang nyata walau tidak terlihat seperti CPU.
11. Load balancer and target limits
Load balancer memiliki quota dan limit:
number of load balancers
listeners
rules
target groups
targets per target group
certificates per listener
backend pools
health probes
frontend IP configs
Dampak ke Kubernetes:
Ingress creation stuck
Service type LoadBalancer stuck
target registration fails
health check never becomes healthy
controller logs show quota exceeded
Dampak ke Java/JAX-RS:
route tidak reachable
deployment terlihat sukses tapi traffic tidak masuk
blue/green deployment stuck
canary tidak mendapat traffic
502/503/504 meningkat
Review PR harus mengecek apakah setiap service butuh load balancer sendiri atau bisa share ingress/gateway.
12. Private endpoint limits
Private endpoint/VPC endpoint bukan resource gratis tanpa batas.
Quota dapat muncul pada:
number of endpoints
endpoint per VPC/VNet
network interface usage
DNS zone links
security group/NSG rules
route table entries
private link service connections
Failure mode:
new private endpoint cannot be created
endpoint created but DNS not linked
endpoint IP consumes subnet capacity
Terraform apply fails midway
new service remains public because private path not provisioned
Senior engineer harus menolak desain yang membuat private endpoint per microservice tanpa reasoning ownership, cost, DNS, dan quota.
13. IAM/RBAC policy limits
Identity system juga memiliki limit.
Contoh:
IAM policy size
managed policy attachments
role name length
trust policy complexity
Azure role assignment count
custom role definition limit
group membership complexity
Failure mode:
policy cannot be updated
role assignment fails
least privilege policy becomes too large
wildcard permission introduced to bypass size issue
CI/CD role cannot deploy
Correctness concern:
Jika policy terlalu besar, masalahnya sering bukan hanya limit. Bisa jadi boundary resource dan responsibility model sudah salah.
14. Secret and config limits
Secret/config service punya batas ukuran, rate, version, dan throughput.
Failure mode:
secret too large
too many secret reads at startup
secret version count grows without cleanup
config reload hammers control plane
Key Vault/Secrets Manager throttling
pod startup storm after deployment
Dampak ke Java:
application startup fails
readiness never becomes true
all pods restart together
secret cache stale
credential rotation breaks connection
Mitigasi:
cache with TTL
staggered rollout
external secrets sync interval sane
avoid per-request secret lookup
separate secret from large config
rotation tested in staging
15. Object storage request limits
S3 dan Azure Blob sangat scalable, tetapi aplikasi tetap bisa membuat pola akses yang buruk.
Failure mode:
hot prefix / hot partition pattern
too many list operations
small object explosion
large upload without multipart discipline
signed URL generated too frequently
retry storm on 503/429
Dampak ke Java/JAX-RS:
upload endpoint timeout
download latency spike
heap pressure
partial upload orphan
duplicate object
incorrect retry of non-idempotent operation
Review harus fokus pada:
key design
multipart threshold
streaming
retry/idempotency
metadata
lifecycle cleanup
request metric
cost of LIST/GET/PUT
16. Log ingestion and observability limits
Observability juga punya quota dan cost limit.
Failure mode:
log ingestion throttled
logs delayed
query timeout
metric cardinality explosion
trace ingestion sampled aggressively
dashboard shows partial data
alert misses event
bill spikes due to verbose logs
Aplikasi Java sering menjadi sumber masalah karena:
logs too verbose
stack trace repeated
PII/debug payload logged
high-cardinality labels
per-request custom metric labels
trace span attributes unbounded
Senior engineer harus memastikan observability design memiliki budget.
17. Quota during disaster recovery
DR adalah momen quota paling berbahaya.
Normal production mungkin cukup quota.
Tetapi saat failover:
secondary region needs sudden compute capacity
DNS shifts traffic
new nodes scale up
database replica promoted
broker capacity increases
logs surge
cold cache increases DB load
Jika secondary region quota tidak disiapkan, DR hanya berhasil di diagram.
Checklist DR harus memasukkan:
vCPU quota in DR region
IP/subnet capacity
load balancer capacity
database/broker/Redis quota
private endpoint quota
log ingestion capacity
support escalation path
18. Quota failure taxonomy
Gunakan taxonomy ini saat incident:
CREATE failure
resource cannot be created
SCALE failure
autoscaler cannot add capacity
UPDATE failure
existing resource cannot be changed
RUNTIME throttle
data plane request rate too high
CONTROL throttle
management API rate too high
ADDRESS exhaustion
subnet/IP/ENI capacity depleted
OBSERVABILITY drop
logs/metrics/traces missing or delayed
POLICY disguised as quota
organization policy denies resource
Taxonomy mempercepat triage karena setiap tipe memiliki owner dan evidence berbeda.
19. Detection signals
Quota harus dimonitor sebelum menjadi incident.
Sinyal penting:
subnet available IP
node pod capacity
pending pods by reason
autoscaler failure event
load balancer controller error
Terraform quota error
cloud API throttling metric
SDK 429/ThrottlingException count
log ingestion volume
role assignment failure
private endpoint count
service quota utilization
Jangan hanya mengandalkan alert application error rate.
Quota failure sering muncul lebih awal di platform telemetry.
20. Debugging flow: quota suspected
Gunakan flow berikut:
1. Identify symptom
Pending pod? Failed deploy? SDK throttle? Missing logs?
2. Classify plane
Control plane or data plane?
3. Find exact failing operation
Create? Scale? Update? Runtime call?
4. Read error code
QuotaExceeded? TooManyRequests? LimitExceeded? AuthorizationFailed?
5. Check scope
Region? Account? Subscription? VPC/VNet? Subnet? Cluster?
6. Check current utilization
Quota used vs available.
7. Check recent change
Deployment, scaling, traffic spike, failover, IaC apply.
8. Mitigate safely
Scale down noncritical, reduce concurrency, request quota, shift traffic, rollback.
9. Add permanent guardrail
Monitoring, preflight check, capacity reservation, quota increase.
21. Java/JAX-RS impact
Quota failure affects Java services through dependency behavior.
Typical patterns:
cloud SDK call returns 429/limit error
HTTP client waits until timeout
retry policy amplifies traffic
request thread blocked
JAX-RS worker pool saturates
readiness/liveness fails
HPA scales pods
cluster cannot add capacity
incident worsens
Correct application behavior:
fail fast where appropriate
use bounded timeout
classify retryable vs non-retryable error
avoid infinite retries
return explicit 503/429 to caller if dependency constrained
emit dependency metric
preserve correlation ID
avoid leaking cloud error details externally
22. PostgreSQL impact
Managed PostgreSQL quota/limit examples:
connection limit
storage limit
IOPS limit
backup retention limit
read replica count
parameter group/server parameter constraints
maintenance window constraints
CPU/vCore quota
region capacity
Symptoms:
too many connections
slow queries due to IOPS cap
storage full
replica lag
failover slower than expected
connection pool exhaustion
Review checklist:
connection pool max <= database capacity
PgBouncer/proxy strategy clear
storage autoscale understood
backup/PITR quota reviewed
replica/failover quota tested
23. Kafka/RabbitMQ impact
Messaging quota/limit examples:
broker count
partition count
topic count
connection count
channel count
queue count
message size
throughput unit
retention storage
consumer group behavior
Symptoms:
producer throttle
consumer lag
broker disk pressure
queue grows
connection refused
rebalance storm
message publish timeout
Cloud quota can combine with broker-level limit.
Example:
traffic spike
↓
Kafka partition throughput limit
↓
producer retries
↓
Java thread pool saturation
↓
API latency spike
24. Redis impact
Redis quota/limit examples:
memory limit
connection limit
throughput limit
cluster shard count
replica count
eviction policy
command CPU saturation
network bandwidth
Symptoms:
OOM / eviction spike
cache miss storm
connection timeout
MOVED/ASK errors if cluster mode misused
failover latency
hot key overload
Application concern:
Do not let Redis limit become correctness failure unless Redis is explicitly part of the source of truth.
25. Camunda/workflow impact
Workflow engines can amplify quota issues.
Examples:
job executor retries external calls
incident retry storm calls cloud SDK repeatedly
history/audit writes increase database pressure
timer batch causes thundering herd
external task workers saturate dependency quota
Review:
retry interval
max attempts
backoff
idempotency
dead-letter/incident handling
cloud dependency protection
26. NGINX/API gateway impact
NGINX, ingress, API gateway, and WAF can hit limits:
connection limit
listener/rule limit
header size
body size
timeout
rate limit
upstream count
certificate count
log volume
Symptoms:
413 payload too large
429 too many requests
502 upstream unavailable
503 no healthy upstream
504 gateway timeout
TLS handshake failure
Quota and config limit can look identical from client side. Always inspect gateway/ingress logs.
27. EKS-specific quota review
Check:
vCPU quota per instance family
subnet available IPs
ENI per instance type
pod density
security groups for pods
EKS cluster quota
managed node group quota
load balancer and target group quota
EBS volume quota
EFS mount target placement
CloudWatch Container Insights ingestion
Key warning:
EKS cluster may have enough CPU on paper but insufficient network address capacity.
28. AKS-specific quota review
Check:
regional vCPU quota
VM family quota
subnet available IPs
Azure CNI mode
node pool limit
VMSS scaling behavior
load balancer rule/backend pool capacity
private endpoint count
Azure Monitor ingestion
managed disk quota
public IP/private IP capacity
Key warning:
Azure subscription quota and resource provider throttling can block scaling even if Kubernetes configuration is correct.
29. IaC and CI/CD quota preflight
CI/CD should not discover quota only during production deploy.
Preflight checks can include:
Service Quotas / Azure quota check
subnet free IP check
LB/target group count check
private endpoint count check
vCPU regional quota check
log ingestion budget check
Terraform plan resource count
policy-as-code validation
For high-risk changes, PR should include quota impact.
Bad PR description:
Add new private endpoint and ingress.
Better PR description:
Adds one private endpoint in subnet app-private-1.
Subnet currently has 820 free IPs; endpoint consumes one IP.
Adds one internal ingress rule to shared ALB; no new LB.
No quota increase required.
Rollback removes endpoint and DNS record.
30. Cost relationship
Quota and cost are related.
Increasing quota can enable cost explosion.
Examples:
vCPU quota increase enables runaway autoscaling
log ingestion limit increase enables noisy logging bill
NAT Gateway count increases fixed cost
private endpoint count increases hourly cost
load balancer per service increases idle cost
cross-region quota enables expensive replication
Quota increase request should explain:
why needed
expected utilization
environment
cost impact
monitoring
cleanup plan
owner
31. Correctness concerns
Quota can corrupt business correctness if retries are not controlled.
Examples:
object upload partially succeeds but DB update fails
message publish retried without idempotency
workflow retries duplicate external operation
signed URL generated but object not committed
config update applies to only some pods
secret rotation succeeds for one environment but not another
Mitigation:
idempotency keys
transactional outbox
explicit state transition
compensating action
retry budget
dead-letter handling
reconciliation job
32. Security concerns
Quota pressure can create unsafe shortcuts.
Examples:
policy too large -> wildcard permission added
private endpoint quota hit -> public endpoint temporarily enabled
NSG rule limit hit -> broad CIDR allowlist added
log ingestion cost high -> audit log disabled
secret throttle -> secret copied to env var manually
Senior engineer must resist quota-driven security regression.
The correct response is redesign, increase, cleanup, or consolidate—not weakening control.
33. PR review checklist
Ask:
- Apakah perubahan menambah resource cloud baru?
- Quota apa yang dikonsumsi?
- Scope quota: account/subscription, region, VPC/VNet, subnet, cluster, service?
- Apakah quota adjustable?
- Apakah ada hard limit?
- Apakah subnet IP capacity cukup?
- Apakah EKS/AKS scaling tetap bekerja setelah perubahan?
- Apakah private endpoint baru perlu DNS zone link?
- Apakah LB/target/backend pool quota cukup?
- Apakah log/metric/trace ingestion bertambah?
- Apakah SDK call punya retry budget?
- Apakah ada cost impact dari quota increase?
- Apakah rollback menghapus resource yang mengonsumsi quota?
- Apakah DR region punya quota yang sama?
- Apakah dashboard/alert quota tersedia?
34. Internal verification checklist
Verifikasi ke platform/SRE/DevOps/security/backend team:
- AWS Service Quotas dashboard apa yang dipakai?
- Azure quota/subscription limit dashboard apa yang dipakai?
- Region AWS/Azure mana yang dipakai untuk dev/test/prod?
- Apakah quota berbeda per environment?
- Siapa yang boleh request quota increase?
- Berapa lead time approval quota increase?
- Apakah quota increase masuk change management?
- Apakah subnet free IP dimonitor?
- Apakah EKS ENI/IP exhaustion pernah terjadi?
- Apakah AKS subnet exhaustion pernah terjadi?
- Apakah load balancer/target group/backend pool quota pernah menjadi issue?
- Apakah private endpoint count dimonitor?
- Apakah IAM/RBAC/policy size pernah menjadi issue?
- Apakah Key Vault/Secrets Manager/Parameter Store throttling pernah terjadi?
- Apakah log ingestion punya budget/limit?
- Apakah quota dicek sebelum DR test?
- Apakah CI/CD punya quota preflight?
- Apakah incident notes menyebut quota/limit/throttling?
35. Senior engineer mental model
Quota adalah bagian dari architecture, bukan appendix.
Sebelum menyetujui desain, tanyakan:
What capacity does this design consume?
Where is the limit enforced?
How close are we to the limit now?
What happens during scale-out?
What happens during failover?
What is the error signal?
Who owns the quota increase?
What is the rollback if quota blocks deployment?
Jika pertanyaan ini tidak bisa dijawab, desain belum production-ready.
36. Ringkasan
Quota dan limit adalah hidden dependency.
Aplikasi Java/JAX-RS bisa benar secara kode, tetapi gagal karena:
cloud API throttling
subnet IP exhaustion
ENI limit
load balancer quota
private endpoint quota
policy size limit
secret/config throttle
object storage request pattern
log ingestion limit
regional vCPU quota
Senior engineer yang efektif tidak hanya bertanya “apakah service bisa jalan”, tetapi juga:
apakah service bisa scale?
apakah bisa deploy saat traffic tinggi?
apakah bisa failover?
apakah bisa diobservasi?
apakah quota cukup untuk rollback dan recovery?
Quota yang tidak dimonitor adalah incident yang sedang menunggu traffic spike, deployment besar, atau DR test.
You just completed lesson 53 in final stretch. Use the series map if you want to review the broader track, or continue directly into the next lesson while the context is still warm.
Keep the momentum while the lesson is still fresh. Move backward for review or continue forward into the next concept.