Check for vCPU-Based EC2 Instance Limit

Risk level: Medium (should be achieved)

Determine if the number of vCPUs (Virtual Central Processing Units) used by EC2 On-Demand instances per AWS region is close to the vCPU limit number established by Amazon Web Services, and request a limit increase in order to avoid running into resource limitations for future EC2 provisioning sessions. Amazon EC2 service recently switched from instance count-based limits to vCPU-based limits to simplify the limit management experience for all AWS cloud customers. With vCPU-based limits, Amazon EC2 measures usage towards each limit based on the total number of vCPUs that are assigned to the running On-Demand EC2 instances provisioned within your AWS account. The following table shows the number of vCPUs provided for each instance size. The vCPU mapping for some EC2 instance types may differ – see AWS EC2 Instance Types for more details.

Instance Size	vCPUs
nano	1
micro	1
small	1
medium	1
large	2
xlarge	4
2xlarge	8
3xlarge	12
4xlarge	16
8xlarge	32
9xlarge	36
10xlarge	40
12xlarge	48
16xlarge	64
18xlarge	72
24xlarge	96
32xlarge	128

Performance
efficiency

Monitoring vCPU-based limits for your On-Demand EC2 instances will help you to manage better your AWS compute power and avoid resource starvation in case your applications need to scale up or in case you just need to provision multiple EC2 instances in a short period of time.

Note: Currently, there are 5 different vCPU-based limits for On-Demand instances: one limit that governs the usage of Standard Instance families such as A, C, D, H, I, M, R, T, and Z, one limit for Accelerated Instance family (F), one for graphic-intensive instances (G), one for general purpose GPU (P), and one for special memory optimized (X) instances. As an example, this conformity rule demonstrates how to check the vCPU-based limit (and increase the quota) for the Standard Instance family (i.e. A, C, D, H, I, M, R, T and Z instance types).

Audit

To determine if your AWS account is going to reach soon the vCPU-based limit set for the On-Demand instances, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under INSTANCES, click Instances.

04 Click inside the EC2 attributes filter box located under the dashboard top menu, choose Instance Type from the dropdown list and select one of the instance types available in the list. This filtering method will help you to determine how many On-Demand instances are currently provisioned for the selected instance type. Repeat this step for the rest of the instance types available within the current AWS region.

05 In the left navigation panel, under Reports section, select Limits to access the page with the vCPU-based instance limits set for the AWS region.

06 On the Limits page, click Calculate vCPU limit to open the simplified vCPU calculator necessary to compute the total vCPU limit requirements for your AWS account.

07 On the Calculate vCPU limit page, use Add instance type button to add each instance type identified at step no. 4. Use Instance Count to set the number of EC2 instances available for each instance type found. Once all the instance types are added to the calculator, compare the value available in the vCPUs needed column (i.e. the total number of vCPUs in use) with the value defined in the Current limit column (i.e. the vCPU limit quota set for the AWS region). If the total number of vCPUs in use is going to reach soon the limit quota set for the current AWS region, follow the instructions provided in the Remediation/Resolution section to request a vCPU limit increase. Click Close to return to the Limits dashboard.

08 Change the AWS region from the navigation bar and repeat the entire process for the other regions.

Using AWS CLI

01 Run get-service-quota command (OSX/Linux/UNIX) using custom query filters to get the vCPU limit quota set for the On-Demand EC2 instances within the selected AWS region. The quota code used by Amazon Service Quotas for all the EC2 standard instances (instance type A, C, D, H, I, M, R, T and Z) is "L-1216C47A":

aws service-quotas get-service-quota
	--region us-east-1
	--service-code ec2
	--quota-code L-1216C47A
	--query 'Quota.Value'

02 The command output should return the vCPU limit quota configured for the selected region:

1848.0

03 Run describe-instances command (OSX/Linux/UNIX) using custom query filters to describe the instance type and the vCPU information for each running On-Demand EC2 instance available within the selected AWS region:

aws ec2 describe-instances
	--region us-east-1
	--filters "Name=instance-state-name,Values=running"
	--query 'Reservations[*].Instances[*].{"InstanceType": InstanceType,"CpuOptions": CpuOptions}'

04 The command output should return the vCPU information (the number of CPU cores per instance and the number of threads per CPU core) for each EC2 instance running in the selected region:

[
    [
        {
            "InstanceType": "c5.4xlarge",
            "CpuOptions": {
                "CoreCount": 8,
                "ThreadsPerCore": 2
            }
        }
    ],
 
    ...
 
    [
        {
            "InstanceType": "c4.xlarge",
            "CpuOptions": {
                "CoreCount": 2,
                "ThreadsPerCore": 2
            }
        }
    ]
]

Use the vCPU details returned by the describe-instances command output to determine the total number of vCPUs currently in use. The number of vCPUs for an EC2 instance is the number of CPU cores ("CoreCount" attribute value) multiplied by the number of threads per core ("ThreadsPerCore" attribute value). Compare the total number of vCPUs used by the EC2 instances within the selected region with the vCPU limit quota returned at step no. 2. If the total number of vCPUs in use is going to reach soon the limit quota set for the selected AWS region, use the Amazon Service Quotas to request a vCPU limit increase (see Remediation/Resolution section).

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 4 to perform the entire audit process for other regions.

Remediation / Resolution

To request an increase for the vCPU-based EC2 instance limit based on your application requirements, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Service Quotas dashboard at https://console.aws.amazon.com/servicequotas/.

03 In the navigation panel, under Service Quotas, click Dashboard.

04 Select Amazon Elastic Compute Cloud (Amazon EC2) to access the default quotas configured for the AWS EC2 service.

05 On the Amazon Elastic Compute Cloud (Amazon EC2) page, under Service quotas, select Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances and click Request quota increase to initiate the quota request process.

06 On the Request quota increase: Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances configuration panel, in the Change quota value box, enter the total amount of vCPUs, representing the new quota limit. Click Request to send your vCPU quota increase request to AWS support.

07 Some quota increase requests create an AWS Support Center case. To track the status of your vCPU quota increase request, select Quota request history in the navigation panel, then click on the Quota requested link available for your latest quota request.

08 On the Request quota increase: Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances panel, click on the Support Center case number ticket number to access the support case details (including case status) available for your request.

09 Change the AWS region from the navigation bar and repeat the entire remediation process for the other regions.

Using AWS CLI

01 Run request-service-quota-increase command (OSX/Linux/UNIX) to request an increase for the number of vCPUs that can be used by On-Demand EC2 instances within the selected AWS region (i.e. vCPU-based instance limit). The quota code required by Amazon Service Quotas for the EC2 standard instances (instance type A, C, D, H, I, M, R, T and Z) is "L-1216C47A". Use --desired-value configuration parameter to set the new quota limit:

aws service-quotas request-service-quota-increase
	--region us-east-1
	--service-code ec2
	--quota-code L-1216C47A
	--desired-value 2150

02 The command output should return the new quota request configuration details:

{
    "RequestedQuota": {
        "QuotaName": "Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances",
        "Status": "PENDING",
        "DesiredValue": 2150.0,
        "Created": 1571219119.939,
        "QuotaArn": "arn:aws:servicequotas:us-east-1:123456789012:ec2/L-1216C47A",
        "ServiceName": "Amazon Elastic Compute Cloud (Amazon EC2)",
        "GlobalQuota": false,
        "ServiceCode": "ec2",
        "QuotaCode": "L-1216C47A",
        "Requester": "{\"accountId\":\"123456789012\",\"callerArn\":\"arn:aws:sts::123456789012:assumed-role/ec2-manager/i-0abcdabcdabcdabcd\"}",
        "Id": "abcd1234abcd1234abcd1234abcd1234abcd1234",
        "Unit": "None"
    }
}

03 Some quota increase requests generate an AWS Support Center case. To retrieve the increase request status, run get-requested-service-quota-change command (OSX/Linux/UNIX) using the request ID returned at the previous step as identifier parameter:

aws service-quotas get-requested-service-quota-change
	--region us-east-1
	--request-id abcd1234abcd1234abcd1234abcd1234abcd1234
	--query 'RequestedQuota.Status'

04 The command output should return the support case status (i.e. increase request status). If the request is pending the status should be set to "CASE_OPENED", otherwise the status should be "CASE_CLOSED":

"CASE_CLOSED"

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 4 to perform the entire remediation/resolution process for other regions.

References

AWS Command Line Interface (CLI) Documentation
ec2
describe-instances
service-quotas
get-service-quota
request-service-quota-increase
get-requested-service-quota-change

AWS Blog(s)
Using new vCPU-based On-Demand Instance limits with Amazon EC2

Publication date Oct 21, 2019

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

Check for vCPU-Based EC2 Instance Limit

Risk level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related EC2 rules