Oracle Cloud Infrastructure Documentation

Compartment Quotas

This topic describes compartment quotas for Oracle Cloud Infrastructure.

Compartment quotas give tenant and compartment administrators better control over how resources are consumed in Oracle Cloud Infrastructure, enabling administrators to easily allocate resources to compartments using the Console. Along with compartment budgets, compartment quotas create a powerful toolset to manage your spending in Oracle Cloud Infrastructure tenancies.

You can start using compartment quotas from any compartment detail page in the Console.

About Compartment Quotas

Compartment quotas are similar to Service Limits; the biggest difference is that service limits are set by Oracle, and compartment quotas are set by administrators, using policies that allow them to allocate resources with a high level of flexibility.

Compartment quotas are set using policy statements written in a simple declarative language that is similar to the IAM policy language.

There are three types of quota policy statements:

  • set - sets the maximum number of a cloud resource that can be used for a compartment
  • unset - resets quotas back to the default service limits
  • zero - removes access to a cloud resource for a compartment

The quota policy statements look like this:

[Diagrams: quota policy set statement, quota policy unset statement, quota policy zero statement]

The language components for a quota policy statement are:

  • The action keyword, which corresponds to the type of quota being defined. This can be set, unset, or zero.
  • The name of the service family; for example: compute.
  • The quota or quotas keyword
  • The name of the quota, which varies by service family. For example, a valid quota in the compute family is vm-standard2-16-count.
    • You can also use wildcards to specify a range of names. For example, "/vm-*/" matches all Compute shapes that start with the letters "vm".
  • For set statements, the value of the quota.
  • The compartment that the quota covers.
  • An optional condition, for example where request.region = 'us-phoenix-1'. Currently supported conditionals are request.region and request.ad.

Authentication and Authorization

Each service in Oracle Cloud Infrastructure integrates with IAM for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API).

An administrator in your organization needs to set up groups, compartments, and policies that control which users can access which services, which resources, and the type of access. A group is a collection of users who all need a particular type of access to a set of resources or compartment. A compartment is a collection of related resources that can be accessed only by certain groups that have been given permission by an administrator in your organization. A policy is an IAM document that specifies who has what type of access to your resources. The term is used in different ways: to mean an individual statement written in the policy language; to mean a collection of statements in a single, named "policy" document (which has an Oracle Cloud ID (OCID) assigned to it); and to mean the overall body of policies your organization uses to control access to resources. For example, the policies control who can create new users, create and manage the cloud network, launch instances, create buckets, download objects, etc. For more information, see Getting Started with Policies. For specific details about writing policies for each of the different services, see Policy Reference.

If you’re a regular user (not an administrator) who needs to use the Oracle Cloud Infrastructure resources that your company owns, contact your administrator to set up a user ID for you. The administrator can confirm which compartment or compartments you should be using.

For common policies used to authorize users, see Common Policies.

To manage quotas in a compartment, you must belong to a group that has the correct permissions. For example:

allow group QuotaAdmins to { QUOTA_READ, QUOTA_CREATE, QUOTA_DELETE, QUOTA_UPDATE, QUOTA_INSPECT } in tenancy

For in-depth information on granting users permissions for the Quotas service, see Details for the Quotas Service in the IAM policy reference.

Permissions and Nesting

Compartment quotas can be set on the root compartment. An administrator (who must be able to manage quotas on the root compartment) can set quotas on their own compartments and any child compartments. Quotas set on a parent compartment override quotas set on child compartments. This way, an administrator of a parent compartment can create a quota on a child compartment that cannot be overridden by the child.

Scope

Quotas can have different scopes, and work at the availability domain, the region, or globally.

There are a few important things to understand about scope when working with compartment quotas:

  • When setting a quota at the availability domain (AD) level, the quota is allocated to each AD. So, for example, setting a quota of 2 X7 VMs on a compartment actually sets a limit of 2 VMs per AD. To target a specific AD, use the request.ad parameter in the where clause.

  • Regional quotas apply to each region. For example, if a quota of 10 functions is set on a compartment, 10 functions will be allocated per region. To target a specific region, use the request.region parameter in the where clause.

  • Usage for sub-compartments counts towards usage for the main compartment.

For more information, see Regions and Availability Domains.

Quota Evaluation and Precedence

The following rules apply when quota statements are evaluated:

  • Within a policy, quota statements are evaluated in order, and later statements supersede previous statements that target the same resource.
  • In cases where more than one policy is set for the same resource, the most restrictive policy is applied.
  • Service limits always take precedence over quotas. Although it is possible to specify a quota for a resource that exceeds the service limit for that resource, the service limit will still be enforced.

Usage Examples

The following example sets the quota for VM.DenseIO1.16 Compute shapes to 10 in each AD on compartment MyCompartment in the US West (Phoenix) region:

set compute quota vm-dense-io1-16-count to 10 in compartment MyCompartment where request.region = us-phoenix-1

The next example shows how to make a whitelist, setting every quota in a family to zero and then explicitly allocating resources:

zero compute quotas in tenancy
set compute quota vm-dense-io1-16-count to 10 in tenancy

This example shows how to limit creating a bare metal compute resource to only one region:

zero compute quotas /*bm*/ in tenancy
set compute quota /*bm*/ to 5 in tenancy where request.region = us-phoenix-1

This example policy statement only allows one VM.Standard2.1 Compute instance in a single compartment in a single region:

zero compute quotas in tenancy
set compute quota vm-standard2-1-count to 10 in compartment sales_department where request.region = us-phoenix-1

You can clear quotas by using an unset statement, which removes the quota for a resource; any limits on this resource are then enforced by the service limits:

zero compute quotas in tenancy
unset compute quota vm-dense-io1-16-count in tenancy
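
The evaluation rules and usage examples above can be checked mechanically before a policy is applied. The following Python is an added example, not Oracle code: it parses the statement forms shown on this page and applies the ordering, most-restrictive and service-limit rules. The regex grammar, the glob-style reading of wildcards, the function names, the service limit values passed in, and the treatment of "in tenancy" as covering every compartment are assumptions of this example.

```python
import re
from fnmatch import fnmatchcase

# One regex for the statement shape this page describes (this example's own reading of it).
STMT = re.compile(
    r"^(?P<action>set|unset|zero)\s+(?P<family>[\w-]+)\s+quotas?"
    r"(?:\s+(?P<name>/[^/\s]+/|[\w-]+))?"          # quota name or /wildcard/
    r"(?:\s+to\s+(?P<value>\d+))?"                 # value, set statements only
    r"\s+in\s+(?:tenancy|compartment\s+(?P<compartment>[\w.-]+))"
    r"(?:\s+where\s+request\.(?P<key>region|ad)\s*=\s*'?(?P<cond>[^'\s]+)'?)?\s*$")

def parse(line):
    m = STMT.match(line.strip())
    if not m:
        raise ValueError(f"not a quota statement: {line!r}")
    s = m.groupdict()
    if (s["action"] == "set") != (s["value"] is not None):
        raise ValueError(f"only set statements carry a value: {line!r}")
    return s

def effective(policy, family, quota, compartment, service_limit, region=None, ad=None):
    """Evaluate one policy in order; a later matching statement supersedes earlier ones."""
    value, request = service_limit, {"region": region, "ad": ad}
    for s in map(parse, policy):
        pattern = (s["name"] or "/*/").strip("/")   # no name: every quota in the family
        if s["family"] != family or not fnmatchcase(quota, pattern):
            continue
        # Assumption: "in tenancy" covers every compartment; nesting is not modelled.
        if s["compartment"] not in (None, compartment):
            continue
        if s["key"] and request[s["key"]] != s["cond"]:
            continue
        value = {"set": s["value"], "zero": 0, "unset": service_limit}[s["action"]]
    return min(int(value), service_limit)           # the service limit always wins

def most_restrictive(policies, *args, **kwargs):
    """Several policies on the same resource: the most restrictive result applies."""
    return min(effective(p, *args, **kwargs) for p in policies)

# Statements copied from the usage examples on this page.
WHITELIST = ["zero compute quotas in tenancy",
             "set compute quota vm-dense-io1-16-count to 10 in tenancy"]
ONE_REGION = ["zero compute quotas in tenancy",
              "set compute quota vm-standard2-1-count to 10 in compartment "
              "sales_department where request.region = us-phoenix-1"]

if __name__ == "__main__":
    for region in ("us-phoenix-1", "us-ashburn-1"):
        print(region, effective(ONE_REGION, "compute", "vm-standard2-1-count",
                                "sales_department", 25, region=region))
```

Running a proposed policy through effective() for each compartment and region you care about shows where a missing where clause or a misplaced zero statement leaves more capacity available than intended.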

Available Quotas by Service

The following services have quotas you can set:

Analytics Cloud
Block Volume Quotas
Compute Quotas
Data Transfer Quotas
Database Quotas
DNS Quotas
Email Delivery Quotas
Health Checks Quotas
Key Management Quotas
Notifications Quotas
Resource Manager Quotas
Streaming Quotas
WAF Quotas