Study Guide925 words
Mastering AWS Networking Limits and Quotas
How limits and quotas affect AWS networking services (for example, bandwidth limits, route limits)
Mastering AWS Networking Limits and Quotas
AWS networking services are designed for massive scale, yet they operate within specific logical and physical boundaries known as Service Quotas (formerly limits). Understanding these is critical for passing the ANS-C01 exam and designing resilient architectures.
Learning Objectives
By the end of this guide, you should be able to:
- Distinguish between soft limits (adjustable) and hard limits (fixed).
- Identify key numerical constraints for VPCs, Transit Gateways, and Direct Connect.
- Explain the process for monitoring and requesting quota increases.
- Understand the impact of BGP route limits on hybrid connectivity.
Key Terms & Glossary
- Service Quota: The maximum number of resources you can create in an AWS account.
- Soft Limit: A quota that can be increased by submitting a request to AWS Support.
- Hard Limit: A fixed technical constraint that cannot be changed (e.g., the 1,000 route limit on Direct Connect BGP sessions).
- BGP Hold Timer: The interval a router waits for a message before declaring a neighbor dead (Default: 90s).
- Propagation: The process of automatically injecting routes from a gateway into a VPC route table.
The "Big Idea"
While the cloud provides the illusion of infinite resources, AWS uses quotas to protect the underlying multi-tenant infrastructure from resource exhaustion and to prevent "noisy neighbor" scenarios. In the Advanced Networking Specialty context, hitting a limit often manifests as a silent failure (e.g., routes not appearing) rather than an explicit error, making proactive monitoring essential.
Formula / Concept Box
| Metric | Default Quota | Type | Context |
|---|---|---|---|
| VPCs per Region | 5 | Soft | Can be increased to hundreds. |
| Subnets per VPC | 200 | Soft | Scalable to 50 CIDR blocks. |
| BGP Routes (Direct Connect) | 1,000 | Hard | Per BGP session (Private/Transit VIF). |
| Advertised Prefixes to AWS | 100 | Soft | Over Transit VIFs. |
| Transit Gateways per Account | 5 | Soft | Per Region. |
Hierarchical Outline
- VPC & Core Networking
- VPC Quotas: Default 5 per region; tracking IGW count to VPC count.
- Subnetting: Max 200 subnets per VPC; 5 CIDR blocks default (can increase to 50).
- Security Groups: Limits on inbound/outbound rules per group.
- Hybrid Connectivity (Direct Connect)
- VIF Limits: 30 Virtual Interfaces per Direct Connect gateway.
- BGP Timers: Min hold timer 3s; Min keepalive 1s.
- Gateway Scaling: 200 Direct Connect gateways per account; 10 VPGs per account.
- Transit Gateway (TGW)
- Attachments: Max 1 VPC attachment per VPC per TGW.
- Routing: 20 Route Tables per TGW; 10,000 static routes per TGW.
- Route 53 & DNS
- Policies: 50 Traffic flow policies; 1,000 versions per policy.
- Health Checks: 16 KB limit on response header lengths.
Visual Anchors
The Quota Management Workflow
Loading Diagram...
BGP Timer Interaction
Compiling TikZ diagram…
⏳
Running TeX engine…
This may take a few seconds
Definition-Example Pairs
- Route Prefix Limit: The maximum number of network paths you can advertise to AWS.
- Example: If you advertise 101 routes over a Transit VIF when the limit is 100, the BGP session will go down completely.
- Secondary CIDR Blocks: Additional IP ranges added to a VPC when the primary range is exhausted.
- Example: A VPC starting with
10.0.0.0/16runs out of IPs; the admin adds172.16.0.0/16as a secondary CIDR to allow for more subnets.
- Example: A VPC starting with
Worked Examples
Problem: The Direct Connect Route Overflow
Scenario: A company has an on-premises data center with 1,200 internal subnets. They want to advertise all these subnets to their AWS VPC via a Direct Connect Private VIF.
Step-by-Step Breakdown:
- Identify the Limit: The hard limit for routes received by AWS on a Private VIF is 1,000.
- The Violation: Advertising 1,200 routes exceeds the 1,000-route hard limit.
- The Result: The BGP session will transition to an
IDLEorACTIVEstate (down), and no traffic will flow. - The Solution: Implement Route Summarization on the on-premises router. Combine the 1,200 specific
/24routes into a few larger summary routes (e.g., several/16or/19routes) so the total count stays below 1,000.
Checkpoint Questions
- What is the default number of VPCs allowed per region?
- If a BGP session over Direct Connect fails because of route limits, is this a soft or hard limit?
- How many Transit Gateways can be created per account by default?
- Which service allows you to track the history of your quota requests?
Muddy Points & Cross-Refs
- Soft vs. Hard: Students often confuse which limits are negotiable. Remember: Direct Connect BGP route limits (1000) are HARD. Most resource counts (VPCs, TGWs) are SOFT.
- Shared Resources: Using AWS Resource Access Manager (RAM) allows you to share TGWs or subnets, but the quotas generally apply to the owner account, not the consumer. Check the "Resource Sharing" chapter for deep-dive interactions.
Comparison Tables
Connectivity Comparison: Scaling Limits
| Feature | VPC Peering | Transit Gateway | Direct Connect |
|---|---|---|---|
| Route Limit | Limited by VPC RT (approx 50-100) | 10,000 (Static) | 1,000 (BGP Hard) |
| Scalability | 1-to-1 Mesh (Complex) | Hub-and-Spoke (Simple) | Hybrid Dedicated Link |
| Max Throughput | No Aggregate Limit | 50 Gbps per attachment | 1, 10, or 100 Gbps |
| Quota Type | Soft (RT entries) | Soft (Attachments) | Hard (BGP Routes) |