Oracle Cloud Infrastructure Documentation

Compartment Quotas

This topic describes compartment quotas for Oracle Cloud Infrastructure.

Compartment quotas give tenant and compartment administrators better control over how resources are consumed in Oracle Cloud Infrastructure, enabling administrators to easily allocate resources to compartments using the Console. Along with compartment budgets, compartment quotas create a powerful toolset to manage your spending in Oracle Cloud Infrastructure tenancies.

You can start using compartment quotas from any compartment detail page in the Console.

About Compartment Quotas

Compartment quotas are similar to Service Limits; the biggest difference is that service limits are set by Oracle, and compartment quotas are set by administrators, using policies that allow them to allocate resources with a high level of flexibility.

Compartment quotas are set using policy statements written in a simple declarative language that is similar to the IAM policy language.

There are three types of quota policy statements:

  • set - sets the maximum number of a cloud resource that can be used for a compartment
  • unset - resets quotas back to the default service limits
  • zero - removes access to a cloud resource for a compartment

The quota policy statements look like this:

Quota policy set statement diagram

Quota policy unset statement diagram

Quota policy zero statement diagram

The language components for a quota policy statement are:

  • The action keyword, which corresponds to the type of quota being defined. This can be set, unset, or zero.
  • The name of the service family; for example: compute.
  • The quota or quotas keyword
  • The name of the quota, which varies by service family. For example, a valid quota in the compute family is vm-standard2-16-count.
    • You can also use wildcards to specify a range of names. For example, "/vm-*/" matches all Compute shapes that start with the letters "vm".
  • For set statements, the value of the quota.
  • The compartment that the quota covers.
  • An optional condition. For example where request.region = 'us-phoenix-1'. Currently supported conditionals are request.region and request.ad.

Permissions and Nesting

Compartment quotas can be set on the root compartment. An administrator (who must be able to manage quotas on the root compartment) can set quotas on their own compartments and any child compartments. Quotas set on a parent compartment override quotas set on child compartments. This way, an administrator of a parent compartment can create a quota on a child compartment that cannot be overridden by the child.

Scope

Quotas can have different scopes, and work at the availability domain, the region, or globally.

There are a few important things to understand about scope when working with compartment quotas:

  • When setting a quota at the availability domain (AD) level, the quota is allocated to each AD. So, for example, setting a quota of 2 X7 VMs on a compartment actually sets a limit of 2 VMs per AD. To target a specific AD, use the request.ad parameter in the where clause.

  • Regional quotas apply to each region. For example, if a quota of 10 functions is set on a compartment, 10 functions will be allocated per region. To target a specific region, use the request.region parameter in the where clause.

  • Usage for sub-compartments counts towards usage for the main compartment.

For more information, see Regions and Availability Domains.

Quota Evaluation and Precedence

The following rules apply when quota statements are evaluated:

  • Within a policy, quota statements are evaluated in order, and later statements supersede previous statements that target the same resource.
  • In cases where more than one policy is set for the same resource, the most restrictive policy is applied.
  • Service limits always take precedence over quotas. Although it is possible to specify a quota for a resource that exceeds the service limit for that resource, the service limit will still be enforced.

Usage Examples

The following example sets the quota for VM.DenseIO1.16 Compute shapes to 10 in each AD on compartment MyCompartment in the us-phoenix-1 region:

set compute quota vm-dense-io1-16-count to 10 in compartment MyCompartment where request.region = us-phoenix-1

The next example shows how to make a whitelist, setting every quota in a family to zero and then explicitly allocating resources:

zero compute quotas in tenancy
set compute quota vm-dense-io1-16-count to 10 in tenancy

This example shows how to limit creating a bare metal compute resource to only one region:

zero compute quotas /*bm*/ in tenancy
set compute quota /*bm*/ to 5 in tenancy where request.region = us-phoenix-1

This example policy statement only allows one VM.Standard2.1 Compute instance in a single compartment in a single region:

zero compute quotas in tenancy
set compute quota vm-standard2-1-count to 10 in compartment sales_department where request.region = us-phoenix-1

You can clear quotas by using an unset statement, which removes the quota for a resource - any limits on this resource will now be enforced by the service limits:

zero compute quotas in tenancy
unset compute quota vm-dense-io1-16-count in tenancy

Using the Console

To create a quota
To edit a quota
To delete a quota

Available Quotas by Service

Click a service name to view the available quotas you can set.

Block Volume Quotas
Compute Quotas
Data Transfer Quotas
Database Quotas
DNS Quotas
Email Delivery Quotas
Health Checks Quotas
Key Management Quotas
Notifications Quotas
Quotas Quotas
Resource Manager Quotas
Streaming Quotas
WAF Quotas