Required AWS service quotas
Review this list of the Amazon Web Services (AWS) service quotas that are required to run an OpenShift Container Platform cluster.
Tip
AWS Security Token Service (STS) is the recommended credential mode for installing and interacting with clusters on OpenShift Container Platform because it provides enhanced security.
Required AWS service quotas
The table below describes the AWS service quotas and levels required to create and run one OpenShift Container Platform cluster. Although most default values are suitable for most workloads, you might need to request additional quota for the following cases:
- OpenShift Container Platform clusters require a minimum AWS EC2 service quota of 100 vCPUs to provide for cluster creation, availability, and upgrades. The default maximum value for vCPUs assigned to Running On-Demand Standard Amazon EC2 instances is 5. Therefore, if you have not previously created an OpenShift Container Platform cluster using the same AWS account, you must request additional EC2 quota for Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances.
- Some optional cluster configuration features, such as custom security groups, might require you to request additional quota. For example, because OpenShift Container Platform associates 1 security group with network interfaces in worker machine pools by default, and the default quota for Security groups per network interface is 5, if you want to add 5 custom security groups, you must request additional quota, because this would bring the total number of security groups on worker network interfaces to 6.
Note
The AWS SDK allows OpenShift Container Platform to check quotas, but the AWS SDK calculation does not account for your existing usage. Therefore, it is possible for cluster creation to fail because of a lack of available quota even though the AWS SDK quota check passes. To fix this issue, increase your quota.
If you need to modify or increase a specific AWS quota, see Amazon’s documentation on requesting a quota increase. Large quota requests are submitted to Amazon Support for review, and can take some time to be approved. If your quota request is urgent, contact AWS Support.
| Quota name | Service code | Quota code | AWS default | Minimum required | Description |
|---|---|---|---|---|---|
| Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances | ec2 | L-1216C47A | 5 | 100 | Maximum number of vCPUs assigned to the Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances. The default value of 5 vCPUs is not sufficient to create OpenShift Container Platform clusters. |
| Storage for General Purpose SSD (gp2) volume storage in TiB | ebs | L-D18FCD1D | 50 | 300 | The maximum aggregated amount of storage, in TiB, that can be provisioned across General Purpose SSD (gp2) volumes in this Region. |
| Storage for General Purpose SSD (gp3) volume storage in TiB | ebs | L-7A658B76 | 50 | 300 | The maximum aggregated amount of storage, in TiB, that can be provisioned across General Purpose SSD (gp3) volumes in this Region. 300 TiB of storage is the required minimum for optimal performance. |
| Storage for Provisioned IOPS SSD (io1) volumes in TiB | ebs | L-FD252861 | 50 | 300 | The maximum aggregated amount of storage, in TiB, that can be provisioned across Provisioned IOPS SSD (io1) volumes in this Region. 300 TiB of storage is the required minimum for optimal performance. |

| Quota name | Service code | Quota code | AWS default | Minimum required | Description |
|---|---|---|---|---|---|
| EC2-VPC Elastic IPs | ec2 | L-0263D0A3 | 5 | 5 | The maximum number of Elastic IP addresses that you can allocate for EC2-VPC in this Region. |
| VPCs per Region | vpc | L-F678F1CE | 5 | 5 | The maximum number of VPCs per Region. This quota is directly tied to the maximum number of internet gateways per Region. |
| Internet gateways per Region | vpc | L-A4707A72 | 5 | 5 | The maximum number of internet gateways per Region. This quota is directly tied to the maximum number of VPCs per Region. To increase this quota, increase the number of VPCs per Region. |
| Network interfaces per Region | vpc | L-DF5E4CA3 | 5,000 | 5,000 | The maximum number of network interfaces per Region. |
| Security groups per network interface | vpc | L-2AFB9258 | 5 | 5 | The maximum number of security groups per network interface. This quota, multiplied by the quota for rules per security group, cannot exceed 1000. |
| Snapshots per Region | ebs | L-309BACF6 | 10,000 | 10,000 | The maximum number of snapshots per Region. |
| IOPS for Provisioned IOPS SSD (io1) volumes | ebs | L-B3A130E6 | 300,000 | 300,000 | The maximum aggregated number of IOPS that can be provisioned across Provisioned IOPS SSD (io1) volumes in this Region. |
| Application Load Balancers per Region | elasticloadbalancing | L-53DA6B97 | 50 | 50 | The maximum number of Application Load Balancers that can exist in each region. |
| Classic Load Balancers per Region | elasticloadbalancing | L-E9E9831D | 20 | 20 | The maximum number of Classic Load Balancers that can exist in each region. |
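
The note above says a quota check can pass while existing usage still leaves too little room. The following added example (not Red Hat or AWS code) checks applied quota values against a subset of the minimums in the tables and, separately, against existing usage plus planned consumption. The function names, the `in_use` and `planned` inputs, and all sample numbers are assumptions made for illustration.

```python
# Added example: quota codes and minimums are copied from the tables on this page.
# All applied/in_use/planned numbers are constructed sample data.
from dataclasses import dataclass

MINIMUMS = {  # quota code -> (service code, minimum required)
    "L-1216C47A": ("ec2", 100),  # Running On-Demand Standard instances (vCPUs)
    "L-D18FCD1D": ("ebs", 300),  # gp2 storage, TiB
    "L-7A658B76": ("ebs", 300),  # gp3 storage, TiB
    "L-FD252861": ("ebs", 300),  # io1 storage, TiB
    "L-0263D0A3": ("ec2", 5),    # EC2-VPC Elastic IPs
    "L-F678F1CE": ("vpc", 5),    # VPCs per Region
    "L-A4707A72": ("vpc", 5),    # Internet gateways per Region
    "L-2AFB9258": ("vpc", 5),    # Security groups per network interface
}

@dataclass
class Finding:
    quota_code: str
    service_code: str
    reason: str              # "below_minimum" or "insufficient_headroom"
    request_at_least: float  # quota value to ask for in the increase request

def check_quotas(applied, in_use=None, planned=None):
    """applied: quota code -> applied quota value (a missing code counts as 0).
    in_use / planned: quota code -> existing usage / expected consumption of the
    new cluster. Both are caller-supplied estimates, not values from this page."""
    in_use, planned = in_use or {}, planned or {}
    findings = []
    for code, (service, minimum) in MINIMUMS.items():
        value = applied.get(code, 0)
        need = in_use.get(code, 0) + planned.get(code, 0)
        if value < minimum:
            findings.append(Finding(code, service, "below_minimum", max(minimum, need)))
        elif value < need:
            # The level check passes, but existing usage leaves too little room.
            findings.append(Finding(code, service, "insufficient_headroom", need))
    return findings

def worker_sg_quota_needed(custom_groups, default_groups=1):
    """Security groups on a worker network interface: 1 default plus custom ones."""
    return default_groups + custom_groups

# Constructed sample: an account whose quotas already sit at the required levels.
SAMPLE_APPLIED = {"L-1216C47A": 100, "L-D18FCD1D": 300, "L-7A658B76": 300,
                  "L-FD252861": 300, "L-0263D0A3": 5, "L-F678F1CE": 5,
                  "L-A4707A72": 5, "L-2AFB9258": 5}
```

The applied value for each code can be read with `aws service-quotas get-service-quota --service-code ec2 --quota-code L-1216C47A`, substituting the service code and quota code from the tables.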