Setting Quotas for Multi-Tenancy

Quotas allow you to limit the compute resources or limit the daily costs for an organization so that you can assign available resources to your consumer groups based on their business requirements.

Before you configure quotas, you have a few decisions to make:

  • Will you set a global quota for the entire organization, or will you set limits for each destination where an organization can deploy services? You can configure a different type of quota for each destination. This is useful when you have different costs and resource constraints for different workload types, such as development compared with production.
  • Will you set a resource quota or a cost quota? Resource-based quotas allow you to limit the number of vCPUs, the amount of RAM and the amount of storage. Cost-based quotas allow you to limit the total daily cost of VMs. When you choose per-destination quota, you can configure a different type of quota for each destination.
  • If you're setting a resource quota, will you set quota limits for individual storage tiers?
  • Will you set quota limits for the organization as a whole, individual members, or both?

Read on for detailed information on how quotas work, or choose one of the following to get started:

How quotas work

You set quotas for each organization. All VMs assigned to an organization count against an organization's quota. You can't assign quota to a parent organization.

You can also optionally set quotas for each member of an organization. All VMs owned by an organization member (meaning that an organization member is primary owner) count against a member's quota. Member quotas allow you to set limits based on users' individual needs.

If you've implemented the Cost Adjustments feature to apply markups and discounts to your costs, user and organization level cost quota calculations will use adjusted costs.

By default, all resources or total daily cost are available to any member until the maximum quota for the organization is reached. You must set the same type of quota for both the organization and its members (for example, if you set a cost-based quota for the organization, you must set cost-based quotas for its members).

You can't assign member quota to a directory services group. Member quotas can only be assigned to individual users (either local or directory services users).

Once you assign quotas, you can use them to determine whether a service request (both new services and change requests) can be approved. For example, you may want any service request that exceeds an organization's quota to be rejected automatically. Or, you may want a second level of approval for requests that will exceed quota. To set up an approval process, you configure an approval workflow for new service requests and service change requests.

To configure quotas, you must use organizations. However, if you don't want to configure multiple organizations, you can simply add all of your users to the Default organization. See Creating Organizations for Multi-Tenancy.

Quota usage is based on VM ownership, not on cost allocation.

Load balancers, databases and application stacks are not included in resource quota calculations. Resource quota-based service request approval workflows don't work for CloudFormation and GCP Deployment Manager services. However, because VMs are included in quota calculations, once a stack is deployed, any VMs in the application stack may cause quota to be exceeded. Cost quotas are fully supported for AWS and GCP services.

Reserved quota

Service requests are also included in quota usage calculations. In other words, quota is reserved for a member once a service request is submitted. Quota reservation ensures that quota calculations are accurate in situations where the approval or provisioning process may take a long time.

For example, if the organization Development has 2 CPUs remaining in its quota, and an organization member, Brian, has submitted a service change request to increase the CPU count for one of his VMs from 2 to 4, once his request is submitted, 2 CPUs are reserved for him, and the organization's quota has been reached. If Doug, another member of the Development organization, requests a VM with 2 CPUs, his request will exceed the organization's quota. Depending on the organization's approval process, Doug's request may be rejected or may need an additional level of approval. If Brian's request is later rejected, the reserved quota is released, at which point Doug's request will no longer exceed the organization's quota.

If a primary owner is specified on the request form, quota is reserved for the primary owner, not for the requester.

Per-tier storage quota

Your storage capacity is likely divided into a few tiers with varying capabilities and cost. Commander allows you considerable flexibility in configuring resource quota for each storage tier, at the organization level and the member level. You can set an overall storage limit, storage tier limits, or both, for both organizations and members. You can set per-tier storage quota limits even if you don't set an overall storage quota for the organization or member. For example, if you use one storage tier for swap space, you can exclude this tier from storage quota calculations, while setting per-tier quota limits for your other storage tiers. You can also control whether media files count towards an organization's quota through storage tiers.

You can allow users to request a specific storage tier by adding the Storage element to the request form and enabling the Display Storage Tier option for this element. When the Storage Tier element is not selectable by requesters, the storage tier of the source disk is used for quota calculations.

When you configure per-tier storage quota, Service Portal organization managers see a Storage Tiers tab in the Edit Quota dialog. Organization members see storage tiers in the Quota widget on the Service Portal Dashboard.

portal-storage-tiers

Service Portal users can click the green areas of each graph to see which VMs are consuming resources. For example, clicking the green bar in the SSD graph shown above displays a list of VMs consuming SSD storage. These properties reflect total provisioned storage, rather than actual (used) storage.

When a storage tier is included in quota but set to Unlimited, the storage tier is displayed on the Service Portal dashboard, but usage doesn't count towards a user's or organization's quota. When a storage tier is excluded, it's not displayed on the Service Portal dashboard, and usage doesn't count towards a user's or organization's quota.

Notes:

  • You must ensure that datastores are available to back all storage tiers in use.
  • To see the tier usage for an individual VM, add the Tier Usage properties to the VM Summary tab. See Displaying properties to learn how.
  • To see the tier usage for a list of VMs, add the Tier Usage columns to the Virtual Machines tab. See Adding, removing, or rearranging table columns to learn how.

Media Library quota

You can include media files in quota calculations. When media files are included in quota calculations, if an upload would exceed an organization's quota, Service Portal users are prevented from uploading files. Commander users, by contrast, are not prevented from uploading files in this situation, but files uploaded to an organization's media folder by Commander users do count towards the organization's quota.

Note that media folders assigned to multiple organizations consume quota from all assigned organizations.

Both resource quota and cost quota are supported for media files. In the case of a cost quota, costs are determined by the cost model assigned to the datacenter where the datastore is located.

Global media folders are never included in quota calculations. Member quotas are not affected by media files.

To include media files in quota calculations, make sure that the storage tier assigned to the datastore where the media files are located is included in the organization's quota. If you want Service Portal users to see their media quota separately in the Service Portal dashboard, put the media files on a separate storage tier and name the tier Media, for example.

To exclude media files from quota calculations, assign a specific storage tier to the datastore where the media files are located. Then, exclude this storage tier from the organization's quota.

See Creating a Media Library to learn how to set up a media library.

What users see when quota is configured

When quota is configured for an organization, quota information is included in all service request emails related to the organization, and a Quota tab appears on the Request Details dialog for requests made by organization members. The Quota tab is shown only until the request is approved.

Quota Information for Service Requests

If a primary owner was specified on the request form, the primary owner's quota usage is displayed, rather than the requester's.

Organization members can monitor their quota usage on the Service Portal Dashboard. When quota has been exceeded, organization members see warnings at the top of the Dashboard. Members also see a warning when submitting a service request that will exceed their available quota.

Organization managers can see the quota usage for all of the organizations they manage.

Manager's View of Organization's Quota Usage

Administrators see warning icons in the Organizations list when quota has been exceeded.

Quota Exceeded

Clicking View Details in the Organization Details pane takes you to the Configure Organization wizard, where you can see and edit detailed usage for the organization and each member.

Setting Cost Quota for Organization Members

Example: Configuring quota for an organization

If you want to limit the resources for an organization to 20 CPUs, 80 GB of memory and 200 GB of storage, and your organization currently has four members, you can:

  • set identical quotas for each member (each member is limited to 5 CPUs, 20 GB of memory and 50 GB of storage)
  • set individual quotas for each member (one member is allowed up to 8 CPUs, and the other 3 are limited to 4 CPUs each)
  • allow each member to have up to the maximum available quota for the organization, by not setting member quotas (if two members have used up all 20 CPUs, the others will have no available quota)