Series MapLesson 53 / 60
Focus mode active/Press Alt+Shift+R to toggle/Esc to exit
Final StretchOrdered learning track

Cloud Quotas and Limits

Cloud quota dan limit yang sering menjadi failure mode: service quota, API throttling, IP exhaustion, ENI limit, load balancer limit, target group limit, private endpoint limit, IAM policy size, secret size, request rate, log ingestion, quota increase process, dan monitoring.

8 min read1508 words
PrevNext
Lesson 5360 lesson track51–60 Final Stretch
#aws#azure#quota#limits+10 more

Part 053 — Cloud Quotas and Limits

Target pembaca: Senior Java/JAX-RS backend engineer yang perlu memahami quota dan limit sebagai production failure mode, bukan sekadar angka administratif di console cloud.

Quota adalah batas kapasitas atau jumlah resource yang ditetapkan oleh cloud provider.

Limit adalah constraint teknis, operational, atau policy yang membatasi cara resource digunakan.

Di production, quota dan limit sering muncul sebagai gejala berikut:

new pods cannot start
load balancer cannot be created
private endpoint creation fails
SDK calls suddenly throttle
Terraform apply fails
new node cannot attach ENI
subnet runs out of IPs
logs are missing or delayed
secret/config update rejected
object storage upload fails intermittently

Masalahnya: gejala quota sering terlihat seperti bug aplikasi.

Backend engineer yang tidak mengenali quota akan mencari root cause di Java code, thread pool, database query, atau Kubernetes manifest, padahal failure terjadi di cloud control plane, network capacity, atau service-specific limit.

Part ini membangun mental model quota/limit untuk AWS dan Azure dari sudut pandang enterprise Java/JAX-RS system di EKS/AKS/hybrid.


1. Konsep inti

Cloud quota adalah guardrail yang membatasi konsumsi resource.

Quota bisa berlaku pada level:

organization / management group
account / subscription
region
availability zone
VPC / VNet
subnet
cluster
node
namespace
resource group
service
API operation
identity principal

Tidak semua quota sama.

Ada quota yang bisa dinaikkan, ada yang hard limit.

adjustable quota     = bisa request increase
hard limit           = tidak bisa dinaikkan
regional quota       = berbeda per region
per-resource quota   = berlaku per VPC/VNet/subnet/cluster
rate limit           = batas request per waktu
capacity limit       = batas resource yang tersedia
policy limit         = dibatasi organisasi/platform/security

Senior engineer harus membedakan:

quota reached       -> kapasitas administratif habis
limit reached       -> constraint teknis/policy tidak bisa dilewati
throttling          -> request rate terlalu tinggi
capacity shortage   -> provider/region tidak punya capacity cukup
policy denial       -> bukan quota, tetapi policy/security block

2. Kenapa quota ada

Quota ada karena cloud adalah shared platform.

Provider perlu:

  1. melindungi stabilitas service,
  2. mencegah runaway automation,
  3. membatasi blast radius salah konfigurasi,
  4. mengontrol kapasitas regional,
  5. mencegah abuse,
  6. memberi predictability untuk multi-tenant platform,
  7. memaksa customer melakukan capacity planning.

Bagi enterprise, quota juga menjadi governance mechanism:

prod can create only approved resource types
sandbox has smaller quotas
network accounts control peering/private endpoint count
central logging limits ingestion cost
CI/CD principal cannot create arbitrary high-cost resource

Quota bukan musuh. Quota adalah sinyal bahwa kapasitas perlu dikelola secara eksplisit.


3. Lifecycle quota dalam sistem production

Quota tidak hanya relevan saat resource dibuat.

Quota muncul sepanjang lifecycle:

architecture design
  ↓
capacity planning
  ↓
IaC plan/apply
  ↓
cluster scaling
  ↓
traffic growth
  ↓
incident surge
  ↓
DR/failover
  ↓
cleanup/decommission

Contoh failure lifecycle:

normal day:
  30 nodes, 600 pods, subnet masih cukup

traffic spike:
  autoscaler ingin tambah 20 nodes

cloud limit:
  ENI/IP/subnet capacity tidak cukup

Kubernetes symptom:
  pods Pending

application symptom:
  Java service replicas tidak naik

business symptom:
  quote submission latency naik

Jika quota tidak dimonitor sebelum scaling, autoscaling hanya menjadi ilusi.


4. AWS mental model

Di AWS, quota umumnya berada pada:

AWS account
region
service
VPC
subnet
resource type
API operation

Contoh area quota penting:

EC2 instances / vCPU
Elastic IP
VPC per region
subnet per VPC
route table entries
security group rules
ENI per instance type
load balancer count
target group count
NAT Gateway count
VPC endpoint count
IAM policy size
CloudWatch log ingestion
S3 request behavior
EKS cluster/node/network capacity

Service Quotas adalah tempat umum untuk melihat dan request quota increase.

Tetapi tidak semua limit terlihat lengkap di satu tempat. Beberapa limit hanya ada di dokumentasi service atau muncul sebagai error runtime.


5. Azure mental model

Di Azure, quota umumnya berada pada:

tenant
management group policy
subscription
region
resource provider
resource group
VNet/subnet
service SKU
API operation

Contoh area quota penting:

VM cores per region
public IP
load balancer rule
private endpoint
VNet/subnet capacity
NSG rule
route table route
managed disk
AKS node pool
Azure Monitor log ingestion
Key Vault throttling
Storage account request rate
Azure Resource Manager throttling

Azure memiliki subscription and service limits/quotas. Banyak quota bersifat per subscription dan per region.

Azure Resource Manager juga dapat melakukan throttling terhadap control-plane operation, sehingga automation yang terlalu agresif bisa gagal walau resource quota belum habis.


6. Quota vs autoscaling

Autoscaling tidak menghapus quota.

Autoscaling hanya meminta resource tambahan.

HPA scales pods
  requires schedulable nodes

Cluster Autoscaler/Karpenter scales nodes
  requires cloud capacity
  requires vCPU quota
  requires subnet IPs
  requires ENI capacity
  requires node group/VMSS ability

Load balancer controller creates targets
  requires LB/target group/backend pool quota

Jika quota habis, autoscaler gagal secara valid.

Senior engineer harus membaca autoscaling sebagai control loop yang bergantung pada cloud quota.


7. API throttling

API throttling adalah rate limit pada cloud API atau service API.

Contoh:

Terraform creates too many resources at once
controller reconciles too aggressively
SDK retries too many times
CI/CD polls cloud API continuously
application performs high-rate secret/config lookup
application lists object storage keys too frequently

Dampak ke Java/JAX-RS:

HTTP 429
ThrottlingException
TooManyRequestsException
RequestLimitExceeded
retry storm
latency spike
thread pool saturation
connection pool exhaustion
partial operation failure

Throttling harus ditangani dengan:

bounded timeout
exponential backoff
jitter
retry budget
circuit breaker
cache
pagination
idempotency key

8. Control plane vs data plane limit

Quota bisa terjadi di control plane atau data plane.

control plane:
  create load balancer
  create private endpoint
  attach policy
  update route table
  scale node pool
  create secret
  deploy resource via Terraform

data plane:
  upload object
  read secret
  send message
  write log
  query database
  call API endpoint

Failure control plane biasanya terlihat saat deploy, scale, atau incident mitigation.

Failure data plane terlihat saat aplikasi melayani traffic.

Keduanya harus dimonitor.


9. IP address exhaustion

IP exhaustion adalah salah satu quota-like failure paling umum di Kubernetes cloud networking.

Di EKS dengan VPC CNI, pod IP berasal dari VPC/subnet.

Di AKS dengan Azure CNI, pod IP bisa berasal dari VNet/subnet tergantung mode networking.

Jika subnet habis:

new pod cannot get IP
node cannot become useful
cluster autoscaling fails to add effective capacity
load balancer/backend integration can fail
private endpoint placement can fail

Symptom:

pods Pending
CNI error
failed to assign IP address
node has insufficient pod capacity
subnet address space exhausted

Debugging harus mulai dari:

subnet free IPs
node count
pod density
CNI mode
prefix delegation / overlay mode
reserved IPs
private endpoint consumption

10. ENI and node-level limits di EKS

Di AWS, Elastic Network Interface dan IP per ENI bergantung pada instance type.

Untuk EKS VPC CNI, ini berdampak langsung ke jumlah pod per node.

instance type
  ↓
max ENI
  ↓
IPs per ENI
  ↓
max pods per node
  ↓
cluster pod capacity

Failure mode:

node has CPU/memory but cannot host more pods
pods Pending karena IP capacity habis
Karpenter adds nodes but subnet capacity tetap habis
security groups for pods menambah ENI pressure

Correctness concern:

Jangan hanya melihat CPU/memory. Untuk EKS, IP/ENI adalah resource scheduling yang nyata walau tidak terlihat seperti CPU.


11. Load balancer and target limits

Load balancer memiliki quota dan limit:

number of load balancers
listeners
rules
target groups
targets per target group
certificates per listener
backend pools
health probes
frontend IP configs

Dampak ke Kubernetes:

Ingress creation stuck
Service type LoadBalancer stuck
target registration fails
health check never becomes healthy
controller logs show quota exceeded

Dampak ke Java/JAX-RS:

route tidak reachable
deployment terlihat sukses tapi traffic tidak masuk
blue/green deployment stuck
canary tidak mendapat traffic
502/503/504 meningkat

Review PR harus mengecek apakah setiap service butuh load balancer sendiri atau bisa share ingress/gateway.


12. Private endpoint limits

Private endpoint/VPC endpoint bukan resource gratis tanpa batas.

Quota dapat muncul pada:

number of endpoints
endpoint per VPC/VNet
network interface usage
DNS zone links
security group/NSG rules
route table entries
private link service connections

Failure mode:

new private endpoint cannot be created
endpoint created but DNS not linked
endpoint IP consumes subnet capacity
Terraform apply fails midway
new service remains public because private path not provisioned

Senior engineer harus menolak desain yang membuat private endpoint per microservice tanpa reasoning ownership, cost, DNS, dan quota.


13. IAM/RBAC policy limits

Identity system juga memiliki limit.

Contoh:

IAM policy size
managed policy attachments
role name length
trust policy complexity
Azure role assignment count
custom role definition limit
group membership complexity

Failure mode:

policy cannot be updated
role assignment fails
least privilege policy becomes too large
wildcard permission introduced to bypass size issue
CI/CD role cannot deploy

Correctness concern:

Jika policy terlalu besar, masalahnya sering bukan hanya limit. Bisa jadi boundary resource dan responsibility model sudah salah.


14. Secret and config limits

Secret/config service punya batas ukuran, rate, version, dan throughput.

Failure mode:

secret too large
too many secret reads at startup
secret version count grows without cleanup
config reload hammers control plane
Key Vault/Secrets Manager throttling
pod startup storm after deployment

Dampak ke Java:

application startup fails
readiness never becomes true
all pods restart together
secret cache stale
credential rotation breaks connection

Mitigasi:

cache with TTL
staggered rollout
external secrets sync interval sane
avoid per-request secret lookup
separate secret from large config
rotation tested in staging

15. Object storage request limits

S3 dan Azure Blob sangat scalable, tetapi aplikasi tetap bisa membuat pola akses yang buruk.

Failure mode:

hot prefix / hot partition pattern
too many list operations
small object explosion
large upload without multipart discipline
signed URL generated too frequently
retry storm on 503/429

Dampak ke Java/JAX-RS:

upload endpoint timeout
download latency spike
heap pressure
partial upload orphan
duplicate object
incorrect retry of non-idempotent operation

Review harus fokus pada:

key design
multipart threshold
streaming
retry/idempotency
metadata
lifecycle cleanup
request metric
cost of LIST/GET/PUT

16. Log ingestion and observability limits

Observability juga punya quota dan cost limit.

Failure mode:

log ingestion throttled
logs delayed
query timeout
metric cardinality explosion
trace ingestion sampled aggressively
dashboard shows partial data
alert misses event
bill spikes due to verbose logs

Aplikasi Java sering menjadi sumber masalah karena:

logs too verbose
stack trace repeated
PII/debug payload logged
high-cardinality labels
per-request custom metric labels
trace span attributes unbounded

Senior engineer harus memastikan observability design memiliki budget.


17. Quota during disaster recovery

DR adalah momen quota paling berbahaya.

Normal production mungkin cukup quota.

Tetapi saat failover:

secondary region needs sudden compute capacity
DNS shifts traffic
new nodes scale up
database replica promoted
broker capacity increases
logs surge
cold cache increases DB load

Jika secondary region quota tidak disiapkan, DR hanya berhasil di diagram.

Checklist DR harus memasukkan:

vCPU quota in DR region
IP/subnet capacity
load balancer capacity
database/broker/Redis quota
private endpoint quota
log ingestion capacity
support escalation path

18. Quota failure taxonomy

Gunakan taxonomy ini saat incident:

CREATE failure
  resource cannot be created

SCALE failure
  autoscaler cannot add capacity

UPDATE failure
  existing resource cannot be changed

RUNTIME throttle
  data plane request rate too high

CONTROL throttle
  management API rate too high

ADDRESS exhaustion
  subnet/IP/ENI capacity depleted

OBSERVABILITY drop
  logs/metrics/traces missing or delayed

POLICY disguised as quota
  organization policy denies resource

Taxonomy mempercepat triage karena setiap tipe memiliki owner dan evidence berbeda.


19. Detection signals

Quota harus dimonitor sebelum menjadi incident.

Sinyal penting:

subnet available IP
node pod capacity
pending pods by reason
autoscaler failure event
load balancer controller error
Terraform quota error
cloud API throttling metric
SDK 429/ThrottlingException count
log ingestion volume
role assignment failure
private endpoint count
service quota utilization

Jangan hanya mengandalkan alert application error rate.

Quota failure sering muncul lebih awal di platform telemetry.


20. Debugging flow: quota suspected

Gunakan flow berikut:

1. Identify symptom
   Pending pod? Failed deploy? SDK throttle? Missing logs?

2. Classify plane
   Control plane or data plane?

3. Find exact failing operation
   Create? Scale? Update? Runtime call?

4. Read error code
   QuotaExceeded? TooManyRequests? LimitExceeded? AuthorizationFailed?

5. Check scope
   Region? Account? Subscription? VPC/VNet? Subnet? Cluster?

6. Check current utilization
   Quota used vs available.

7. Check recent change
   Deployment, scaling, traffic spike, failover, IaC apply.

8. Mitigate safely
   Scale down noncritical, reduce concurrency, request quota, shift traffic, rollback.

9. Add permanent guardrail
   Monitoring, preflight check, capacity reservation, quota increase.

21. Java/JAX-RS impact

Quota failure affects Java services through dependency behavior.

Typical patterns:

cloud SDK call returns 429/limit error
HTTP client waits until timeout
retry policy amplifies traffic
request thread blocked
JAX-RS worker pool saturates
readiness/liveness fails
HPA scales pods
cluster cannot add capacity
incident worsens

Correct application behavior:

fail fast where appropriate
use bounded timeout
classify retryable vs non-retryable error
avoid infinite retries
return explicit 503/429 to caller if dependency constrained
emit dependency metric
preserve correlation ID
avoid leaking cloud error details externally

22. PostgreSQL impact

Managed PostgreSQL quota/limit examples:

connection limit
storage limit
IOPS limit
backup retention limit
read replica count
parameter group/server parameter constraints
maintenance window constraints
CPU/vCore quota
region capacity

Symptoms:

too many connections
slow queries due to IOPS cap
storage full
replica lag
failover slower than expected
connection pool exhaustion

Review checklist:

connection pool max <= database capacity
PgBouncer/proxy strategy clear
storage autoscale understood
backup/PITR quota reviewed
replica/failover quota tested

23. Kafka/RabbitMQ impact

Messaging quota/limit examples:

broker count
partition count
topic count
connection count
channel count
queue count
message size
throughput unit
retention storage
consumer group behavior

Symptoms:

producer throttle
consumer lag
broker disk pressure
queue grows
connection refused
rebalance storm
message publish timeout

Cloud quota can combine with broker-level limit.

Example:

traffic spike
  ↓
Kafka partition throughput limit
  ↓
producer retries
  ↓
Java thread pool saturation
  ↓
API latency spike

24. Redis impact

Redis quota/limit examples:

memory limit
connection limit
throughput limit
cluster shard count
replica count
eviction policy
command CPU saturation
network bandwidth

Symptoms:

OOM / eviction spike
cache miss storm
connection timeout
MOVED/ASK errors if cluster mode misused
failover latency
hot key overload

Application concern:

Do not let Redis limit become correctness failure unless Redis is explicitly part of the source of truth.


25. Camunda/workflow impact

Workflow engines can amplify quota issues.

Examples:

job executor retries external calls
incident retry storm calls cloud SDK repeatedly
history/audit writes increase database pressure
timer batch causes thundering herd
external task workers saturate dependency quota

Review:

retry interval
max attempts
backoff
idempotency
dead-letter/incident handling
cloud dependency protection

26. NGINX/API gateway impact

NGINX, ingress, API gateway, and WAF can hit limits:

connection limit
listener/rule limit
header size
body size
timeout
rate limit
upstream count
certificate count
log volume

Symptoms:

413 payload too large
429 too many requests
502 upstream unavailable
503 no healthy upstream
504 gateway timeout
TLS handshake failure

Quota and config limit can look identical from client side. Always inspect gateway/ingress logs.


27. EKS-specific quota review

Check:

vCPU quota per instance family
subnet available IPs
ENI per instance type
pod density
security groups for pods
EKS cluster quota
managed node group quota
load balancer and target group quota
EBS volume quota
EFS mount target placement
CloudWatch Container Insights ingestion

Key warning:

EKS cluster may have enough CPU on paper but insufficient network address capacity.


28. AKS-specific quota review

Check:

regional vCPU quota
VM family quota
subnet available IPs
Azure CNI mode
node pool limit
VMSS scaling behavior
load balancer rule/backend pool capacity
private endpoint count
Azure Monitor ingestion
managed disk quota
public IP/private IP capacity

Key warning:

Azure subscription quota and resource provider throttling can block scaling even if Kubernetes configuration is correct.


29. IaC and CI/CD quota preflight

CI/CD should not discover quota only during production deploy.

Preflight checks can include:

Service Quotas / Azure quota check
subnet free IP check
LB/target group count check
private endpoint count check
vCPU regional quota check
log ingestion budget check
Terraform plan resource count
policy-as-code validation

For high-risk changes, PR should include quota impact.

Bad PR description:

Add new private endpoint and ingress.

Better PR description:

Adds one private endpoint in subnet app-private-1.
Subnet currently has 820 free IPs; endpoint consumes one IP.
Adds one internal ingress rule to shared ALB; no new LB.
No quota increase required.
Rollback removes endpoint and DNS record.

30. Cost relationship

Quota and cost are related.

Increasing quota can enable cost explosion.

Examples:

vCPU quota increase enables runaway autoscaling
log ingestion limit increase enables noisy logging bill
NAT Gateway count increases fixed cost
private endpoint count increases hourly cost
load balancer per service increases idle cost
cross-region quota enables expensive replication

Quota increase request should explain:

why needed
expected utilization
environment
cost impact
monitoring
cleanup plan
owner

31. Correctness concerns

Quota can corrupt business correctness if retries are not controlled.

Examples:

object upload partially succeeds but DB update fails
message publish retried without idempotency
workflow retries duplicate external operation
signed URL generated but object not committed
config update applies to only some pods
secret rotation succeeds for one environment but not another

Mitigation:

idempotency keys
transactional outbox
explicit state transition
compensating action
retry budget
dead-letter handling
reconciliation job

32. Security concerns

Quota pressure can create unsafe shortcuts.

Examples:

policy too large -> wildcard permission added
private endpoint quota hit -> public endpoint temporarily enabled
NSG rule limit hit -> broad CIDR allowlist added
log ingestion cost high -> audit log disabled
secret throttle -> secret copied to env var manually

Senior engineer must resist quota-driven security regression.

The correct response is redesign, increase, cleanup, or consolidate—not weakening control.


33. PR review checklist

Ask:

  • Apakah perubahan menambah resource cloud baru?
  • Quota apa yang dikonsumsi?
  • Scope quota: account/subscription, region, VPC/VNet, subnet, cluster, service?
  • Apakah quota adjustable?
  • Apakah ada hard limit?
  • Apakah subnet IP capacity cukup?
  • Apakah EKS/AKS scaling tetap bekerja setelah perubahan?
  • Apakah private endpoint baru perlu DNS zone link?
  • Apakah LB/target/backend pool quota cukup?
  • Apakah log/metric/trace ingestion bertambah?
  • Apakah SDK call punya retry budget?
  • Apakah ada cost impact dari quota increase?
  • Apakah rollback menghapus resource yang mengonsumsi quota?
  • Apakah DR region punya quota yang sama?
  • Apakah dashboard/alert quota tersedia?

34. Internal verification checklist

Verifikasi ke platform/SRE/DevOps/security/backend team:

  • AWS Service Quotas dashboard apa yang dipakai?
  • Azure quota/subscription limit dashboard apa yang dipakai?
  • Region AWS/Azure mana yang dipakai untuk dev/test/prod?
  • Apakah quota berbeda per environment?
  • Siapa yang boleh request quota increase?
  • Berapa lead time approval quota increase?
  • Apakah quota increase masuk change management?
  • Apakah subnet free IP dimonitor?
  • Apakah EKS ENI/IP exhaustion pernah terjadi?
  • Apakah AKS subnet exhaustion pernah terjadi?
  • Apakah load balancer/target group/backend pool quota pernah menjadi issue?
  • Apakah private endpoint count dimonitor?
  • Apakah IAM/RBAC/policy size pernah menjadi issue?
  • Apakah Key Vault/Secrets Manager/Parameter Store throttling pernah terjadi?
  • Apakah log ingestion punya budget/limit?
  • Apakah quota dicek sebelum DR test?
  • Apakah CI/CD punya quota preflight?
  • Apakah incident notes menyebut quota/limit/throttling?

35. Senior engineer mental model

Quota adalah bagian dari architecture, bukan appendix.

Sebelum menyetujui desain, tanyakan:

What capacity does this design consume?
Where is the limit enforced?
How close are we to the limit now?
What happens during scale-out?
What happens during failover?
What is the error signal?
Who owns the quota increase?
What is the rollback if quota blocks deployment?

Jika pertanyaan ini tidak bisa dijawab, desain belum production-ready.


36. Ringkasan

Quota dan limit adalah hidden dependency.

Aplikasi Java/JAX-RS bisa benar secara kode, tetapi gagal karena:

cloud API throttling
subnet IP exhaustion
ENI limit
load balancer quota
private endpoint quota
policy size limit
secret/config throttle
object storage request pattern
log ingestion limit
regional vCPU quota

Senior engineer yang efektif tidak hanya bertanya “apakah service bisa jalan”, tetapi juga:

apakah service bisa scale?
apakah bisa deploy saat traffic tinggi?
apakah bisa failover?
apakah bisa diobservasi?
apakah quota cukup untuk rollback dan recovery?

Quota yang tidak dimonitor adalah incident yang sedang menunggu traffic spike, deployment besar, atau DR test.

Lesson Recap

You just completed lesson 53 in final stretch. Use the series map if you want to review the broader track, or continue directly into the next lesson while the context is still warm.

Continue The Track

Keep the momentum while the lesson is still fresh. Move backward for review or continue forward into the next concept.