Managing Service Quotas at Scale with Service Quota Templates

AWS Control Tower customers use the Account Factory to create new AWS accounts with best-practice blueprints and guardrails in place at creation time. Most organizations also need higher service quotas (limits) for some AWS services in those new accounts. Service Quotas lets you view and manage the quotas for many AWS services from one place, and its Quota request template lets you apply the same increases to every account your organization creates.

Overview

In this lab, you will use the Quota request template to request an increase of the VPCs per Region quota in every new account created in your AWS Organization. When you create an account via the AWS Control Tower Account Factory, the quota increases in the template are requested automatically, without anyone logging in to the new account to submit them. Keep the template limited to the quotas you actually need: every entry in it is raised in every new account, which weakens the default ceiling that quotas put on runaway resource creation.

Note: The Quota request template applies only to accounts created after it is enabled; it does not change existing accounts. To raise quotas in those accounts, follow the process outlined here: https://docs.aws.amazon.com/servicequotas/latest/userguide/request-quota-increase.html

Pre-requisites

This lab assumes you operate in two AWS Regions, US East (N. Virginia) and US West (Oregon). Running this lab does not result in any charges to your AWS account.

Walk-through

1. Verify the current service limits.

  • Log in to your AWS Control Tower management account. The lab uses AdministratorAccess; in production, prefer a role scoped to the Service Quotas template operations (for example servicequotas:AssociateServiceQuotaTemplate and servicequotas:PutServiceQuotaIncreaseRequestIntoTemplate). The template relies on trusted access between Service Quotas and AWS Organizations, which is managed from the management account, so these steps cannot be done from a member account.
  • Open the Service Quotas console by clicking your role in the top navigation and selecting My Service Quotas.

  • On the Service Quotas console, click AWS services in the left sidebar.

  • Type VPC in the search box and click Amazon Virtual Private Cloud (Amazon VPC) in the service list. This takes you to the list of Service Quotas for Amazon VPC.

  • Search for the quota name VPCs per Region. The default and applied quota value for VPCs per Region in the AWS Control Tower management account is 5, and the quota is marked adjustable. You will set your template to raise this to 10 for all new accounts. Only adjustable quotas can be placed in a template, so always confirm this before continuing.

Now that you have identified the desired Service Quota, its default value, and validated that it is adjustable, you can add it to a Quota request template.

2. Enable and Configure the Quota request template

  • In the left sidebar, click on Quota request template.
  • By default, the Quota request template is disabled. First you will enable it, then add quotas.
  • To enable the Quota request template for all new accounts created in your organization, click the Enable button next to Template association.

  • A dialog box will pop up confirming that you wish to continue, click Enable.

  • Now you should see a status of Enabled under Template association. This means every quota increase you define in this template will be requested in all new accounts in your organization.

  • Now add a quota to the Quota request template. Click the Add quota button to get started.

  • You should now be in the Add quota screen.

  • Click the Region drop-down menu and select US East (N. Virginia)
  • Click on the Service drop down and type in vpc then select Amazon Virtual Private Cloud (Amazon VPC)
  • Next, click the Quota drop down menu and select VPCs per Region.

  • Next, type in 10 for the Desired quota value and click Add to add it to the template.

Template entries are per Region, so repeat the process for US West (Oregon) to have the quota raised in both Regions.

You can view the quotas that have been added to this template in the Added quotas section.

You have completed a Quota request template. From now on, whenever an account is vended via Account Factory, these quota increases will automatically be requested in the new account.
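The same procedure from the AWS CLI, as an added example that is not part of the original lab or of any AWS-provided tooling. It covers steps 1 and 2 above (confirm the quota is adjustable, enable the template, add one entry per Region), the validation in step 4 (run it with credentials for the new account) and the disable step from Lab Decommission. Assumptions: the template API calls are issued in us-east-1 (set TEMPLATE_REGION to whatever Region your console session used), and the quota code L-F678F1CE is VPCs per Region for service code vpc (verify with aws service-quotas list-service-quotas --service-code vpc if your account shows a different code).

```shell
#!/bin/bash
# Added example (not from the original lab): manage the Service Quotas
# request template with the AWS CLI. Run "apply" from the Control Tower
# management account, "verify" with credentials for a newly vended account,
# and "disable" to decommission. With no argument it only defines functions.
set -eu

TEMPLATE_REGION="us-east-1"           # assumption: Region used for the template API calls
SERVICE_CODE="vpc"
QUOTA_CODE="L-F678F1CE"               # Amazon VPC: VPCs per Region
DESIRED_VALUE=10
TARGET_REGIONS="us-east-1 us-west-2"  # N. Virginia and Oregon, as in the lab

# Step 1: is the quota adjustable in Region $1? Prints "True" or "False".
quota_is_adjustable() {
  aws service-quotas get-service-quota --region "$1" \
    --service-code "$SERVICE_CODE" --quota-code "$QUOTA_CODE" \
    --query Quota.Adjustable --output text
}

# Applied value of the quota for the calling account in Region $1, e.g. "5.0".
applied_value() {
  aws service-quotas get-service-quota --region "$1" \
    --service-code "$SERVICE_CODE" --quota-code "$QUOTA_CODE" \
    --query Quota.Value --output text
}

# Step 2: template association status, "ASSOCIATED" or "DISASSOCIATED".
template_status() {
  aws service-quotas get-association-for-service-quota-template \
    --region "$TEMPLATE_REGION" \
    --query ServiceQuotaTemplateAssociationStatus --output text
}

enable_template() {
  if [ "$(template_status)" != "ASSOCIATED" ]; then
    aws service-quotas associate-service-quota-template --region "$TEMPLATE_REGION"
  fi
}

# Add the quota for target Region $1 to the template; prints the desired
# value the service recorded, e.g. "10.0".
add_quota_to_template() {
  aws service-quotas put-service-quota-increase-request-into-template \
    --region "$TEMPLATE_REGION" \
    --service-code "$SERVICE_CODE" --quota-code "$QUOTA_CODE" \
    --aws-region "$1" --desired-value "$DESIRED_VALUE" \
    --query ServiceQuotaIncreaseRequestInTemplate.DesiredValue --output text
}

# CLI text output prints quota values as doubles ("10.0"), so compare numerically.
values_equal() { awk -v a="$1" -v b="$2" 'BEGIN { exit !(a + 0 == b + 0) }'; }

apply_template() {
  for r in $TARGET_REGIONS; do
    [ "$(quota_is_adjustable "$r")" = "True" ] || { echo "quota not adjustable in $r" >&2; return 1; }
  done
  enable_template
  for r in $TARGET_REGIONS; do
    recorded=$(add_quota_to_template "$r")
    values_equal "$recorded" "$DESIRED_VALUE" || { echo "template recorded $recorded for $r" >&2; return 1; }
  done
}

# Step 4: returns 0 when every target Region shows the desired applied value,
# 1 when any Region is still at a lower value (the request may still be pending).
verify_account() {
  rc=0
  for r in $TARGET_REGIONS; do
    v=$(applied_value "$r")
    if values_equal "$v" "$DESIRED_VALUE"; then
      echo "$r: applied value $v OK"
    else
      echo "$r: applied value $v, expected $DESIRED_VALUE (request may still be pending)"
      rc=1
    fi
  done
  return $rc
}

# Lab Decommission: stop applying the template to new accounts.
disable_template() {
  aws service-quotas disassociate-service-quota-template --region "$TEMPLATE_REGION"
}

case "${1:-}" in
  apply)   apply_template ;;
  verify)  verify_account ;;
  disable) disable_template ;;
  "")      ;;   # no argument: functions only, so the file can be sourced
  *)       echo "usage: $0 apply|verify|disable" >&2; exit 2 ;;
esac
```

Disabling the template only stops future associations; entries already added stay in the template and the increases already granted in vended accounts are not rolled back, so use delete-service-quota-increase-request-from-template if you also want the entries gone.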

If you wish to test this, you can continue with the steps below.

3. Vend out a new AWS account via Account Factory

To validate the Quota request template, you need to create a new AWS account. Do this with the AWS Control Tower Account Factory as described in the Account Factory Lab.

4. Validate the Quota Increase

In order to validate the quota increases worked as expected, you will log into your new account and check the Service Quotas dashboard.

Log in to your newly created AWS account, and select a role with access to view service quotas.

You can view your Service Quotas by clicking on your Role in the top navigation and selecting My Service Quotas.

Note: Confirm that you are in one of the regions that you requested a quota increase for.

On the Service Quotas Dashboard, click on AWS Services in the left-hand navigation bar.

Type VPC in the search box, and click on Amazon Virtual Private Cloud (Amazon VPC) in the service list

You should now see that the quota VPCs per Region has an Applied quota value of 10, up from the Default quota value of 5. The template raised the value without anyone submitting a request inside the new account. If the applied value still reads 5, the increase request the template submitted may not have been processed yet; check Quota request history in the left sidebar for its status and revisit shortly.

Conclusion

Congratulations, all new accounts you create will now be able to use this increased quota value. These increases are not reflected in accounts that were created before the template was enabled. To change quotas in those accounts, submit a quota increase request inside each individual account.

Lab Decommission

  • Log in to your AWS Control Tower management account with AdministratorAccess
  • Go to the Service Quotas Console by clicking on your Role in the top navigation and selecting My Service Quotas.
  • In the left sidebar, click on Quota request template.
  • In the Template association section, click Disable.
  • A dialog box will pop up confirming that you wish to disable the template association, click Disable.
