Compartment Quotas
This topic describes compartment quotas for Oracle Cloud Infrastructure.
Compartment quotas give tenant and compartment administrators better control over how resources are consumed in Oracle Cloud Infrastructure, enabling administrators to easily allocate resources to compartments using the Console. Along with compartment budgets, compartment quotas create a powerful toolset to manage your spending in Oracle Cloud Infrastructure tenancies.
You can start using compartment quotas from any compartment detail page in the Console.
About Compartment Quotas
Compartment quotas are similar to Service Limits; the biggest difference is that service limits are set by Oracle, and compartment quotas are set by administrators, using policies that allow them to allocate resources with a high level of flexibility.
Compartment quotas are set using policy statements written in a simple declarative language that is similar to the IAM policy language.
There are three types of quota policy statements:
set- sets the maximum number of a cloud resource that can be used for a compartmentunset- resets quotas back to the default service limitszero- removes access to a cloud resource for a compartment
The quota policy statements look like this:
The language components for a quota policy statement are:
- The
actionkeyword, which corresponds to the type of quota being defined. This can beset,unset, orzero. - The name of the service family; for example:
compute. - The
quotaorquotaskeyword - The name of the quota, which varies by service family. For example, a valid quota in the
computefamily isvm-standard2-16-count.- You can also use wildcards to specify a range of names. For example,
"/vm-*/"matches all Compute shapes that start with the letters "vm".
- You can also use wildcards to specify a range of names. For example,
- For set statements, the value of the quota.
- The compartment that the quota covers.
- An optional condition. For example
where request.region = 'us-phoenix-1'. Currently supported conditionals arerequest.regionandrequest.ad.
Authentication and Authorization
Each service in Oracle Cloud Infrastructure integrates with IAM for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API).
An administrator in your organization needs to set up groups , compartments , and policies that control which users can access which services, which resources, and the type of access. For example, the policies control who can create new users, create and manage the cloud network, launch instances, create buckets, download objects, etc. For more information, see Getting Started with Policies. For specific details about writing policies for each of the different services, see Policy Reference.
If you’re a regular user (not an administrator) who needs to use the Oracle Cloud Infrastructure resources that your company owns, contact your administrator to set up a user ID for you. The administrator can confirm which compartment or compartments you should be using.
For common policies used to authorize users, see Common Policies.
To manage quotas in a compartment, you must belong to a group that has the correct permissions. For example:
allow group QuotaAdmins to { QUOTA_READ, QUOTA_CREATE, QUOTA_DELETE, QUOTA_UPDATE, QUOTA_INSPECT } in tenancy
For in-depth information on granting users permissions for the Quotas service, see Details for the Quotas Service in the IAM policy reference.
Permissions and Nesting
Compartment quotas can be set on the root compartment. An administrator (who must be able to manage quotas on the root compartment) can set quotas on their own compartments and any child compartments. Quotas set on a parent compartment override quotas set on child compartments. This way, an administrator of a parent compartment can create a quota on a child compartment that cannot be overridden by the child.
Scope
Quotas can have different scopes, and work at the availability domain, the region, or globally.
There are a few important things to understand about scope when working with compartment quotas:
-
When setting a quota at the availability domain (AD) level, the quota is allocated to each AD. So, for example, setting a quota of 2 X7 VMs on a compartment actually sets a limit of 2 VMs per AD. To target a specific AD, use the
request.adparameter in thewhereclause. -
Regional quotas apply to each region. For example, if a quota of 10 functions is set on a compartment, 10 functions will be allocated per region. To target a specific region, use the
request.regionparameter in thewhereclause. - Usage for sub-compartments counts towards usage for the main compartment.
For more information, see Regions and Availability Domains.
Quota Evaluation and Precedence
The following rules apply when quota statements are evaluated:
- Within a policy, quota statements are evaluated in order, and later statements supersede previous statements that target the same resource.
- In cases where more than one policy is set for the same resource, the most restrictive policy is applied.
- Service limits always take precedence over quotas. Although it is possible to specify a quota for a resource that exceeds the service limit for that resource, the service limit will still be enforced.
Usage Examples
The following example sets the quota for VM.DenseIO1.16 Compute shapes to 10 in each AD on compartment MyCompartment in the US West (Phoenix) region:
set compute quota vm-dense-io1-16-count to 10 in compartment MyCompartment where request.region = us-phoenix-1
The next example shows how to make a whitelist, setting every quota in a family to zero and then explicitly allocating resources:
zero compute quotas in tenancy
set compute quota vm-dense-io1-16-count to 10 in tenancy
This example shows how to limit creating a bare metal compute resource to only one region:
zero compute quotas /*bm*/ in tenancy
set compute quota /*bm*/ to 5 in tenancy where request.region = us-phoenix-1
This example policy statement only allows one VM.Standard2.1 Compute instance in a single compartment in a single region:
zero compute quotas in tenancy
set compute quota vm-standard2-1-count to 10 in compartment sales_department where request.region = us-phoenix-1
You can clear quotas by using an unset statement, which removes the quota for a resource - any limits on this resource will now be enforced by the service limits:
zero compute quotas in tenancy
unset compute quota vm-dense-io1-16-count in tenancy
Using the Console
-
Open the navigation menu. Under Governance and Administration, go to Governance and click Quota Policies. From the Quota Policies screen, click Create Quota.
-
Enter the following:
-
Enter a name for your quota in the Name field.
-
Enter a description for your quota in the Description field.
-
Enter a quota policy string in the Quota Policy field.
-
- Click Create Quota Policy.
Note
New policies can take up to 10 minutes to start working.
-
From the Quota Policies screen, click the quota you want to edit to display the quota policy details page, then click the Edit Quota button.
-
Edit the quota.
- Click Save Changes.
-
There are two ways to delete a quota from the console:
- From the main Quota Policies page, click the context menu to the right of the quota you want to delete, then select Delete.
- Click the quota you want to delete, then from the quota policy detail page click Delete .
- From the Confirm Delete dialog, click Delete or Cancel.
Available Quotas by Service
Click a service name to view the available quotas you can set.
For Analytics Cloud quotas and examples, see Service Quotas.
Family name: block-storage
|
Name |
Scope |
Description |
|---|---|---|
| backup-count | Regional | Total number of block and boot volume backups |
| total-storage-gb | Availability domain |
Maximum storage space of block and boot volumes, in GB |
| volume-count | Availability domain |
Total number of block and boot volumes |
Example
set block-storage quota volume-count to 10 in compartment MyCompartment
Family name: compute
|
Name |
Scope |
Description |
|---|---|---|
| custom-image-count | Regional | Number of custom images |
| bm-standard1-36-count | Availability domain | Number of BM.Standard1.36 shapes |
| bm-dense-io1-36-count | Availability domain | Number of BM.DenseIO1.36 shapes |
| bm-standard-b1-44-count | Availability domain | Number of BM.Standard.B1.44 shapes |
| bm-standard2-52-count | Availability domain | Number of BM.Standard2.52 shapes |
| bm-dense-io2-52-count | Availability domain | Number of BM.DenseIO2.52 shapes |
| bm-gpu2-2-count | Availability domain | Number of BM.GPU2.2 shapes |
| bm-gpu3-8-count | Availability domain | Number of BM.GPU3.8 shapes |
| bm-standard-e2-64-count | Availability domain | Number of BM.Standard.E2.64 shapes |
| bm-hpc2-36-count | Availability domain | Number of BM.HPC2.36 shapes |
| vm-standard1-1-count | Availability domain | Number of VM.Standard1.1 shapes |
| vm-standard1-2-count | Availability domain | Number of VM.Standard1.2 shapes |
| vm-standard1-4-count | Availability domain | Number of VM.Standard1.4 shapes |
| vm-standard1-8-count | Availability domain | Number of VM.Standard1.8 shapes |
| vm-standard1-16-count | Availability domain | Number of VM.Standard1.16 shapes |
| vm-dense-io1-4-count | Availability domain | Number of VM.DenseIO1.4 shapes |
| vm-dense-io1-8-count | Availability domain | Number of VM.DenseIO1.8 shapes |
| vm-dense-io1-16-count | Availability domain | Number of VM.DenseIO1.16 shapes |
| vm-standard2-1-count | Availability domain | Number of VM.Standard2.1 shapes |
| vm-standard2-2-count | Availability domain | Number of VM.Standard2.2 shapes |
| vm-standard2-4-count | Availability domain | Number of VM.Standard2.4 shapes |
| vm-standard2-8-count | Availability domain | Number of VM.Standard2.8 shapes |
| vm-standard2-16-count | Availability domain | Number of VM.Standard2.16 shapes |
| vm-standard2-24-count | Availability domain | Number of VM.Standard2.24 shapes |
| vm-standard-e2-1-count | Availability domain | Number of VM.Standard.E2.1 shapes |
| vm-standard-e2-2-count | Availability domain | Number of VM.Standard.E2.2 shapes |
| vm-standard-e2-4-count | Availability domain | Number of VM.Standard.E2.4 shapes |
| vm-standard-e2-8-count | Availability domain | Number of VM.Standard.E2.8 shapes |
| vm-dense-io2-8-count | Availability domain | Number of VM.DenseIO2.8 shapes |
| vm-dense-io2-16-count | Availability domain | Number of VM.DenseIO2.16 shapes |
| vm-dense-io2-24-count | Availability domain | Number of VM.DenseIO2.24 shapes |
| vm-gpu2-1-count | Availability domain | Number of VM.GPU2.1 shapes |
| vm-gpu3-1-count | Availability domain | Number of VM.GPU3.1 shapes |
| vm-gpu3-2-count | Availability domain | Number of VM.GPU3.2 shapes |
| vm-gpu3-4-count | Availability domain | Number of VM.GPU3.4 shapes |
Example
set compute quota vm-dense-io1-4-count to 10 in compartment MyCompartment where request.ad = 'us-phoenix-1-ad-2'
Family name: compute-management
|
Name |
Scope |
Description |
|---|---|---|
| config-count | Regional | Number of instance configurations |
| pool-count | Regional | Number of instance pools |
Example
set compute-management quota config-count to 10 in compartment MyCompartment
Family name: auto-scaling
|
Name |
Scope |
Description |
|---|---|---|
| config-count | Regional | Number of autoscaling configurations |
Example
Set auto-scaling quota config-count to 10 in compartment MyCompartment
Family name: data-transfer
|
Name |
Scope |
Description |
|---|---|---|
| active-appliance-count | Regional | Number of approved transfer appliances |
| appliance-count | Regional | Number of transfer appliances |
| job-count | Regional | Number of transfer jobs |
Example
zero data-transfer quota job-count in tenancy set data-transfer quota job-count to 1 in compartment Finance set data-transfer quota appliance-count to 3 in compartment Finance
Family name: database
|
Name |
Scope |
Description |
|---|---|---|
| adb-free-count | Regional | Number of Always Free Autonomous Databases. Tenancies can have a total of two Always Free Autonomous Databases, and these resources must be provisioned in the home region. For each database, you can choose the workload type (Autonomous Transaction Processing or Autonomous Data Warehouse). |
| adw-ocpu-count | Regional | Number of Autonomous Data Warehouse OCPUs |
| adw-total-storage-tb | Regional | Amount of storage (in TB) for Autonomous Data Warehouse databases with shared deployment |
| atp-ocpu-count | Regional | Number of Autonomous Transaction Processing OCPUs |
| atp-total-storage-tb | Regional | Amount of storage (in TB) for Autonomous Transaction Processing databases with shared deployment |
| bm-dense-io1-36-count | Availability domain | Number of BM.DenseIO1.36 DB systems |
| bm-dense-io2-52-count | Availability domain | Number of BM.DenseIO2.52 DB systems |
| exadata-base-48-count | Availability domain | Number of Exadata.Base.48 DB systems |
| exadata-full1-336-x6-count | Availability domain | Number of Exadata.Full1.336 - X6 DB systems |
| exadata-full2-368-x7-count | Availability domain | Number of Exadata.Full2.368 - X7 DB systems and Autonomous Exadata Infrastructure |
| exadata-half1-168-x6-count | Availability domain | Number of Exadata.Half1.168 - X6 DB systems |
| exadata-half2-184-x7-count | Availability domain | Number of Exadata.Half2.184 - X7 DB systems and Autonomous Exadata Infrastructure |
| exadata-quarter1-84-x6-count | Availability domain | Number of Exadata.Quarter1.84 - X6 DB systems |
| exadata-quarter2-92-x7-count | Availability domain | Number of Exadata.Quarter2.92 - X7 DB systems and Autonomous Exadata Infrastructure |
| vm-block-storage-gb | Availability domain | Total size of block storage attachments across all virtual machine DB systems, in GB |
| vm-standard1-ocpu-count | Availability domain | Number of VM.Standard1.x OCPUs |
| vm-standard2-ocpu-count | Availability domain | Number of VM.Standard2.x OCPUs |
For information about shapes that are not listed, including non-metered shapes, contact Oracle Support.
Example
The following example shows how to limit the number of Autonomous Data Warehouse resources in a compartment:
#Limits the Autonomous Data Warehouse CPU core count to 2 in the MyCompartment compartment set database quota adw-ocpu-count to 2 in compartment MyCompartment
To limit the number of virtual machine DB systems in a compartment, you must set a quota for the number of CPU cores and a separate quota for the block storage:
#Sets a quota for virtual machine Standard Edition OCPUs to 2 in the MyCompartment compartment set database quota vm-standard1-ocpu-count to 2 in compartment MyCompartment
#Sets the virtual machine DB system block storage quota to 1024 GB in the same compartment set database quota vm-block-storage-gb to 1024 in compartment MyCompartment
The following example shows how to prevent the usage of all database resources in the tenancy except for two Exadata full rack X7 resources in a specified compartment:
zero database quotas in tenancy set database quota exadata-full2-368-x7-count to 2 in compartment MyCompartment
This example of nested quotas shows how to distribute limits for a resource type in a compartment among its subcompartments:
#Allows usage of 3 Autonomous Data Warehouse OCPUs in parent compartment Compartment1 set database quota adw-ocpu-count to 3 in compartment Compartment1
#Allows usage of 1 Autonomous Data Warehouse OCPU in child compartment Compartment1.1 set database quota adw-ocpu-count to 1 in compartment Compartment1.1 #Allows usage of 2 Autonomous Data Warehouse OCPUs in child compartment Compartment1.2 set database quota adw-ocpu-count to 2 in compartment Compartment1.2
This example shows how to set a quota for Autonomous Exadata Infrastructure quarter rack resources in a compartment:
#Limits the usage of Exadata.Quarter2.92 X7 shapes to 1 in the MyCompartment compartment set database quota exadata-quarter2-92-x7-count to 1 in compartment MyCompartment
Family name: dns
|
Name |
Scope |
Description |
|---|---|---|
| global-zone-count | Global | Number of public DNS zones |
| steering-policy-count | Global | Number of traffic management steering policies |
| steering-policy-attachment-count | Global | Number of traffic management steering policy attachments |
Example
zero dns quotas in compartment MyCompartment zero dns quota global-zone-count in compartment MyCompartment
zero dns quota steering-policy-count in compartment MyCompartment zero dns quota steering-policy-attachment-count in compartment MyCompartment
Family name: email-delivery
|
Name |
Scope |
Description |
|---|---|---|
| approved-sender-count | Regional | Number of approved senders |
Example
zero email-delivery quota approved-sender-count in compartment MyCompartment
Family name: health-checks
|
Name |
Scope |
Description |
|---|---|---|
| monitor-basic-count | Regional | Number of basic monitors |
| monitor-premium-count | Regional | Number of premium monitors |
Example
zero health-checks quotas monitor-basic-count
Family name: kms
|
Name |
Scope |
Description |
|---|---|---|
| virtual-private-vault-count | Regional | Number of virtual private vaults |
Example
set kms quota virtual-private-vault-count to 10 in compartment MyCompartment set kms quota virtual-vault-count to 10 in compartment MyCompartment
Family name: notifications
|
Name |
Scope |
Description |
|---|---|---|
| topic-count | Regional | Number of topics |
Example
set notifications quota topic-count to 10 in compartment MyCompartment
Family name: resource-manager
|
Name |
Scope |
Description |
|---|---|---|
| concurrent-job-count | Regional | Number of concurrent Jobs per compartment |
| stack-count | Regional | Number of of stacks per compartment |
Example
set resource-manager quota concurrent-job-count to 1 in compartment MyCompartment
zero resource-manager quota stack-count in compartment MyCompartment
Family name: streaming
|
Name |
Scope |
Description |
|---|---|---|
| partition-count | Regional | Number of partitions |
Example
set streaming quota partition-count to 10 in compartment MyCompartment
Family name: waas
|
Name |
Scope |
Description |
|---|---|---|
| waas-policy-count | Regional | Number of WAF policies |
Example
zero waas quota waas-policy-count in compartment MyCompartment