{"id":909,"date":"2026-04-16T15:58:36","date_gmt":"2026-04-16T15:58:36","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/oracle-cloud-compartment-quotas-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-governance-and-administration\/"},"modified":"2026-04-16T15:58:36","modified_gmt":"2026-04-16T15:58:36","slug":"oracle-cloud-compartment-quotas-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-governance-and-administration","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/oracle-cloud-compartment-quotas-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-governance-and-administration\/","title":{"rendered":"Oracle Cloud Compartment Quotas Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Governance and Administration"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Governance and Administration<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p><strong>What this service is<\/strong><br\/>\nCompartment Quotas is an Oracle Cloud Infrastructure (OCI) governance capability that lets you <strong>cap how many resources (and sometimes how much capacity)<\/strong> can be created inside a specific compartment (or set of compartments), so teams can\u2019t accidentally (or intentionally) consume more than an approved amount.<\/p>\n\n\n\n<p><strong>Simple explanation (1 paragraph)<\/strong><br\/>\nIf compartments are how you <em>organize<\/em> OCI, Compartment Quotas is how you <em>control consumption<\/em> within that organization. 
You can define rules like \u201cThis dev compartment can only have 1 VCN\u201d or \u201cThis project can only create up to N instances of a given shape,\u201d and OCI will enforce those rules whenever someone tries to create or scale resources.<\/p>\n\n\n\n<p><strong>Technical explanation (1 paragraph)<\/strong><br\/>\nIn OCI, quotas are implemented using <strong>quota policies<\/strong> (IAM policy framework with quota-specific statements). When a user or automation calls OCI APIs to create\/resize resources, OCI evaluates the request against applicable quota policies and blocks the request if it would exceed the configured quota. Quotas are a <strong>preventive control<\/strong>: they stop new allocations beyond the limit, but typically don\u2019t delete existing resources automatically.<\/p>\n\n\n\n<p><strong>What problem it solves<\/strong><br\/>\nCompartment Quotas helps prevent:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cost overruns from uncontrolled provisioning<\/li>\n<li>\u201cNoisy neighbor\u201d resource starvation across teams sharing a tenancy<\/li>\n<li>Security\/compliance drift when environments exceed approved sizes<\/li>\n<li>Operational instability from unbounded scaling or accidental duplication<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>Naming note (important): OCI documentation commonly refers to this capability as <strong>Quotas<\/strong> or <strong>Quota Policies<\/strong>. This tutorial uses <strong>Compartment Quotas<\/strong> as the primary service name and maps it to OCI\u2019s <strong>quota policies<\/strong> feature.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">2. What is Compartment Quotas?<\/h2>\n\n\n\n<p><strong>Official purpose<\/strong><br\/>\nCompartment Quotas is designed to let OCI customers <strong>allocate and enforce resource usage limits within compartments<\/strong>, independently from Oracle-set <strong>service limits<\/strong> (also called tenancy limits). 
You use quotas to distribute capacity across teams, environments, or projects in a controlled way.<\/p>\n\n\n\n<p><strong>Core capabilities<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Define <strong>hard limits<\/strong> (quotas) for specific resource types within a compartment<\/li>\n<li>Apply quotas to support common governance models (prod vs non-prod, team-by-team)<\/li>\n<li>Block API operations that would exceed quota (create\/scale) with clear error feedback<\/li>\n<li>Manage quotas as code (where supported) using Infrastructure as Code (IaC) practices<\/li>\n<\/ul>\n\n\n\n<p><strong>Major components<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Compartments<\/strong>: OCI\u2019s logical isolation and organization unit<\/li>\n<li><strong>Quota policies<\/strong>: IAM policy objects containing quota statements (the \u201crules\u201d)<\/li>\n<li><strong>Quota statements<\/strong>: rules in OCI policy language that set limits for a service\/resource type<\/li>\n<li><strong>OCI control plane enforcement<\/strong>: evaluation during provisioning calls<\/li>\n<\/ul>\n\n\n\n<p><strong>Service type<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Governance control (policy-based), not a data-plane service<\/li>\n<li>Implemented through OCI IAM policy framework (quota policy type)<\/li>\n<\/ul>\n\n\n\n<p><strong>Scope (regional\/global\/account-scoped)<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Tenancy-scoped governance<\/strong>: quota policies are defined in your tenancy and apply to resource actions within the tenancy\u2019s compartments.<\/li>\n<li><strong>Enforcement occurs at request time<\/strong> in the region where the resource is being created\/modified (because most resources are regional).<br\/>\n  If you need region-specific behavior, OCI policy language may support conditional expressions\u2014<strong>verify in official docs<\/strong> for current quota condition support and syntax.<\/li>\n<\/ul>\n\n\n\n<p><strong>How it fits into the Oracle Cloud ecosystem<\/strong><br\/>\nCompartment Quotas sits in the same governance toolbox as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Compartments<\/strong> (structure)<\/li>\n<li><strong>IAM policies<\/strong> (who can do what)<\/li>\n<li><strong>Tagging and tag defaults<\/strong> (classification and automation)<\/li>\n<li><strong>Budgets and cost controls<\/strong> (financial monitoring)<\/li>\n<li><strong>Service limits<\/strong> (Oracle-set upper bounds)<\/li>\n<li><strong>Audit<\/strong> (tracking governance changes)<\/li>\n<\/ul>\n\n\n\n<p>In a mature OCI landing zone, 
Compartment Quotas is one of the main controls that prevents \u201canything goes\u201d provisioning while still enabling self-service for teams.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">3. Why use Compartment Quotas?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cost containment by design<\/strong>: quotas stop spending before it happens rather than alerting after the fact.<\/li>\n<li><strong>Chargeback\/showback governance<\/strong>: allocate resource envelopes per department\/project to align with funding.<\/li>\n<li><strong>Predictable budgeting<\/strong>: enforce environment sizes (dev\/test\/prod) to match financial plans.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Prevent resource exhaustion<\/strong>: keep shared tenancy resources available across teams.<\/li>\n<li><strong>Standardize environment size<\/strong>: ensure non-prod stays non-prod (e.g., can\u2019t become production-grade scale).<\/li>\n<li><strong>Support platform engineering<\/strong>: enable \u201cguardrailed self-service\u201d where teams can provision within boundaries.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduce incidents from runaway provisioning<\/strong>: fewer surprises from accidental loops, misconfigured autoscaling, or repeated Terraform applies.<\/li>\n<li><strong>Simplify operations<\/strong>: if a compartment cannot 
exceed a known footprint, operational capacity planning becomes easier.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Enforce least privilege in capacity terms<\/strong>: even if a user can create a resource, quotas can prevent excessive creation.<\/li>\n<li><strong>Environment segregation<\/strong>: keep regulated workloads constrained to approved services\/sizes (where quota types exist).<\/li>\n<li><strong>Auditability<\/strong>: quota changes are governance changes that can be audited (via OCI Audit).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Controlled scaling<\/strong>: quotas can prevent scaling beyond tested limits in lower environments.<\/li>\n<li><strong>Prevent \u201cblast radius\u201d expansion<\/strong>: compromised credentials can\u2019t create unlimited resources if quotas exist.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose Compartment Quotas<\/h3>\n\n\n\n<p>Choose it when you need:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Hard caps per compartment (dev\/test\/prod, per team, per project)<\/li>\n<li>Preventive cost control (stop creation, not just alert)<\/li>\n<li>Guardrails for self-service provisioning<\/li>\n<li>Capacity allocation across teams in a shared tenancy<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should not choose it (or not rely on it alone)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If you need <strong>spend-based enforcement<\/strong>: quotas limit <em>resource counts\/capacity<\/em>, not direct currency spend.<\/li>\n<li>If you need <strong>real-time anomaly detection<\/strong>: use <strong>Budgets<\/strong>, <strong>Cost Analysis<\/strong>, and monitoring alongside quotas.<\/li>\n<li>If your critical constraint is an <strong>Oracle service limit<\/strong>: quotas cannot exceed Oracle-set limits; you may need a limit increase 
request.<\/li>\n<li>If your governance model is purely <strong>approval workflow<\/strong>: quotas don\u2019t do approvals; they enforce caps.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">4. Where is Compartment Quotas used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SaaS and technology companies (multi-team, rapid provisioning)<\/li>\n<li>Financial services (strong governance, segregation, audit)<\/li>\n<li>Healthcare and life sciences (regulated environments with strict controls)<\/li>\n<li>Public sector (budget constraints and controlled provisioning)<\/li>\n<li>Education and research (many projects sharing one tenancy)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Platform engineering \/ cloud center of excellence (CCoE)<\/li>\n<li>DevOps and SRE teams managing shared infrastructure<\/li>\n<li>Security teams enforcing guardrails<\/li>\n<li>FinOps teams aligning consumption with budgets<\/li>\n<li>Application teams using self-service within limits<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads and architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Multi-environment deployments (dev\/test\/stage\/prod compartments)<\/li>\n<li>Shared services + spoke compartments (hub-and-spoke networking)<\/li>\n<li>Multi-team \u201clanding zone\u201d patterns<\/li>\n<li>Terraform-managed infrastructure where guardrails must exist beyond code review<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Real-world deployment contexts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Enterprise tenancy<\/strong> with dozens\/hundreds of compartments, each with dedicated quota envelopes<\/li>\n<li><strong>ISV\/SaaS<\/strong> where internal teams have per-service ceilings to avoid noisy neighbors<\/li>\n<li><strong>Shared OCI tenancy for multiple business units<\/strong> with delegated 
administration<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Production vs dev\/test usage<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Production<\/strong>: enforce predictable ceilings to reduce risk and keep within approved architecture\/capacity.<\/li>\n<li><strong>Dev\/Test<\/strong>: strongest value\u2014prevent dev from becoming \u201cshadow production\u201d and limit accidental cost spikes.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic scenarios where Compartment Quotas is commonly used. Each includes a problem, why quotas fit, and a short example.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Dev compartment cost guardrails<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Developers accidentally create too many resources in dev (e.g., multiple networks, instances).<\/li>\n<li><strong>Why this fits<\/strong>: Quotas block excessive creation at the API level.<\/li>\n<li><strong>Example<\/strong>: \u201cDev compartment can have at most 1 VCN and limited compute shapes.\u201d<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Allocate compute capacity across teams<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: One team consumes most compute capacity, leaving others blocked by service limits.<\/li>\n<li><strong>Why this fits<\/strong>: Quotas distribute allowed capacity per compartment\/team.<\/li>\n<li><strong>Example<\/strong>: Team A gets 50 OCPUs; Team B gets 20 OCPUs; shared services get 30 OCPUs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Prevent Terraform runaway applies<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: A CI\/CD pipeline misconfiguration loops and creates repeated resources.<\/li>\n<li><strong>Why this fits<\/strong>: Quotas stop creation after the ceiling is reached.<\/li>\n<li><strong>Example<\/strong>: Networking 
module cannot create more than N subnets; compute cannot exceed N instances.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Protect shared networking from sprawl<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Too many VCNs\/subnets cause operational complexity and route-table sprawl.<\/li>\n<li><strong>Why this fits<\/strong>: Quotas enforce a network design standard.<\/li>\n<li><strong>Example<\/strong>: Each app compartment gets 1 VCN max; additional networks require an architecture review.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Enforce non-production size limits<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Test environment grows to production-like scale, increasing spend and risk.<\/li>\n<li><strong>Why this fits<\/strong>: Quotas enforce maximum footprint.<\/li>\n<li><strong>Example<\/strong>: Test compartment limited to small shapes and low instance counts.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Controlled adoption of expensive services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Teams adopt high-cost services without review.<\/li>\n<li><strong>Why this fits<\/strong>: Where quota types exist, you can cap resource creation.<\/li>\n<li><strong>Example<\/strong>: Limit certain database deployments\/counts per compartment (verify supported quota types for the DB service in official docs).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) M&amp;A \/ multi-business-unit tenancy control<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Different business units share a tenancy but require strict allocation boundaries.<\/li>\n<li><strong>Why this fits<\/strong>: Compartment boundaries + quotas create enforceable envelopes.<\/li>\n<li><strong>Example<\/strong>: BU1 and BU2 get separate compartments with independent quotas.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Sandbox compartment safety 
net<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Sandboxes are intentionally free-form but can become costly.<\/li>\n<li><strong>Why this fits<\/strong>: Set small but non-zero quotas to allow experimentation safely.<\/li>\n<li><strong>Example<\/strong>: Sandbox capped at a few networks and limited compute.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Limit storage resource sprawl (where supported)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Excess volumes\/buckets proliferate, complicating lifecycle management.<\/li>\n<li><strong>Why this fits<\/strong>: Quotas can cap counts (verify the exact resource quota types supported).<\/li>\n<li><strong>Example<\/strong>: Limit block volume count to N in dev.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Enforce phased rollout of a platform<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: A new internal platform should ramp gradually; uncontrolled consumption is risky.<\/li>\n<li><strong>Why this fits<\/strong>: Quotas implement phased capacity rollouts by raising ceilings incrementally.<\/li>\n<li><strong>Example<\/strong>: Start with low quota for new app compartments, increase after readiness checks.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">11) Reduce blast radius of compromised credentials<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: If a key is compromised, an attacker could try to provision large infrastructure.<\/li>\n<li><strong>Why this fits<\/strong>: Quotas cap maximum creation.<\/li>\n<li><strong>Example<\/strong>: Even with create permissions, attacker cannot exceed small quotas in dev compartments.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">12) Constrain \u201cedge case\u201d resources<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Rare resources are created without standardization.<\/li>\n<li><strong>Why this fits<\/strong>: Quotas 
can act as a forcing function for exceptions and review.<\/li>\n<li><strong>Example<\/strong>: Set quota to 0 for a resource type in certain compartments (verify supported syntax and resource types).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<blockquote>\n<p>Note: OCI quota capabilities depend on service support and available quota resource types. Always confirm the exact quota resource names and supported services in the official documentation for your OCI release\/region.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Feature 1: Compartment-scoped hard limits (quota enforcement)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Enforces a maximum allowed quantity for specific resource types within a compartment.<\/li>\n<li><strong>Why it matters<\/strong>: Prevents uncontrolled growth and protects shared capacity.<\/li>\n<li><strong>Practical benefit<\/strong>: Stops bad provisioning before it costs money or destabilizes operations.<\/li>\n<li><strong>Caveats<\/strong>: Quotas typically prevent <em>new<\/em> allocations; they generally do not delete existing resources automatically.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Feature 2: Quota policies (policy-based governance)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Quotas are managed as <strong>quota policies<\/strong> using OCI\u2019s IAM policy language.<\/li>\n<li><strong>Why it matters<\/strong>: Same governance workflow as IAM policies\u2014reviewable, auditable, automatable.<\/li>\n<li><strong>Practical benefit<\/strong>: Infrastructure teams can manage quotas alongside IAM controls.<\/li>\n<li><strong>Caveats<\/strong>: You must have appropriate IAM permissions to create\/edit policies.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Feature 3: Service\/resource-type granularity<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Quotas can target specific services and resource quota types (for example, count-based quotas for specific resource categories).<\/li>\n<li><strong>Why it matters<\/strong>: Allows precise allocation (e.g., cap network objects in dev but not in prod).<\/li>\n<li><strong>Practical benefit<\/strong>: Align quotas with architecture standards (network topology, environment sizing).<\/li>\n<li><strong>Caveats<\/strong>: Not every OCI service\/resource has a quota type exposed for quota policies\u2014verify support.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Feature 4: Enforced at provisioning time via OCI APIs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: When a request is made to create\/scale a resource, OCI evaluates quotas before granting the request.<\/li>\n<li><strong>Why it matters<\/strong>: Works regardless of tool (Console, CLI, SDKs, Terraform, CI\/CD).<\/li>\n<li><strong>Practical benefit<\/strong>: Central enforcement without relying on client-side checks.<\/li>\n<li><strong>Caveats<\/strong>: Error responses can appear as authorization\/limit errors; users need guidance to interpret them.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Feature 5: Works with compartment model and (often) compartment hierarchies<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Quotas align to compartment-based organization and governance.<\/li>\n<li><strong>Why it matters<\/strong>: Most OCI governance models are compartment-centric.<\/li>\n<li><strong>Practical benefit<\/strong>: You can mirror org structure: business unit \u2192 program \u2192 app \u2192 environment.<\/li>\n<li><strong>Caveats<\/strong>: Exact inheritance and evaluation rules can be nuanced\u2014verify inheritance behavior and statement targeting in official docs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Feature 6: Auditability (governance change 
tracking)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Quota policy creation\/updates are IAM governance actions and can be logged in <strong>OCI Audit<\/strong>.<\/li>\n<li><strong>Why it matters<\/strong>: Compliance and operational traceability.<\/li>\n<li><strong>Practical benefit<\/strong>: You can answer \u201cwho changed the quota and when?\u201d<\/li>\n<li><strong>Caveats<\/strong>: Ensure Audit is configured per your retention\/archival requirements.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Feature 7: Automatable via IaC (where supported)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Quota policies can be managed via Terraform\/automation (depending on provider support for quota policy type).<\/li>\n<li><strong>Why it matters<\/strong>: Enables repeatable landing zones and controlled changes.<\/li>\n<li><strong>Practical benefit<\/strong>: Review quotas via pull requests, apply via pipelines.<\/li>\n<li><strong>Caveats<\/strong>: Provider schemas evolve; verify the current Terraform OCI provider fields for quota policies.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">7. 
Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level service architecture<\/h3>\n\n\n\n<p>Compartment Quotas sits in the <strong>OCI control plane<\/strong>:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>An actor (user, service principal, CI\/CD, Terraform) calls OCI APIs to create or update a resource in a compartment.<\/li>\n<li>OCI IAM authorization checks that the actor has permission to perform the action.<\/li>\n<li>OCI evaluates <strong>quota policies<\/strong> applicable to that compartment and resource type.<\/li>\n<li>If the request would exceed quota, OCI rejects the request with an error.<\/li>\n<li>If within quota, OCI proceeds to provision\/update the resource.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Request\/control flow (typical)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Console\/CLI\/SDK\/Terraform<\/strong> \u2192 <strong>OCI API endpoint (region)<\/strong><\/li>\n<li>API triggers:\n<ul class=\"wp-block-list\">\n<li>IAM authorization<\/li>\n<li>Quota evaluation<\/li>\n<li>Service limit evaluation (Oracle-set limits)<\/li>\n<\/ul>\n<\/li>\n<li>Target service provisions resource if allowed.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>IAM<\/strong>: Quota policies are managed similarly to IAM policies.<\/li>\n<li><strong>Compartments<\/strong>: Quotas are scoped and enforced against compartments.<\/li>\n<li><strong>Audit<\/strong>: Tracks quota policy changes.<\/li>\n<li><strong>Billing\/Cost Management<\/strong>: Quotas reduce spend indirectly by preventing resource creation; budgets\/alerts complement quotas.<\/li>\n<li><strong>Terraform\/Resource Manager<\/strong>: Quotas apply regardless of IaC tooling, providing guardrails outside code.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Dependency services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI <strong>Identity and Access Management (IAM)<\/strong><\/li>\n<li>OCI 
<strong>Compartments<\/strong> and tenancy structure<\/li>\n<li>Target services being limited (Compute, Networking, Storage, etc., depending on supported quota types)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Quota policies don\u2019t authenticate users; they rely on OCI IAM authentication.<\/li>\n<li>Enforcement happens after authentication and during authorization\/provisioning checks.<\/li>\n<li>Only privileged identities should manage quota policies (typically tenancy admins or a delegated governance group).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>No special VCN networking is required; quotas are control-plane governance.<\/li>\n<li>Calls to OCI public API endpoints (or via OCI private endpoints where applicable) are still governed by quotas.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Audit logs<\/strong>: monitor quota policy changes.<\/li>\n<li><strong>Operational runbooks<\/strong>: document what quota errors look like and how teams request increases.<\/li>\n<li><strong>Change management<\/strong>: treat quota updates as production changes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  %% Control-plane request path: authorization first, then quota evaluation\n  U[User \/ CI-CD \/ Terraform] --&gt; API[\"OCI API (Region)\"]\n  API --&gt; IAM[IAM AuthZ Check]\n  IAM --&gt; Q[\"Compartment Quotas (Quota Policy Evaluation)\"]\n  Q --&gt;|Allow| S[\"Target Service (e.g., Networking\/Compute)\"]\n  Q --&gt;|Deny: Quota exceeded| E[Error returned to caller]\n  S --&gt; R[Resource created\/updated in Compartment]\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram (landing zone governance)<\/h3>\n\n\n\n<pre><code 
class=\"language-mermaid\">flowchart TB\n  subgraph Tenancy[OCI Tenancy]\n    subgraph Root[Root Compartment]\n      GOV[\"IAM: Governance Groups\\n(Quota Admins, Security, Platform)\"]\n      AUD[Audit Logs]\n      POL[\"Quota Policies\\n(Compartment Quotas)\"]\n      LIM[\"Service Limits (Oracle-set)\"]\n      BUD[Budgets\/Cost Controls]\n    end\n\n    subgraph Shared[Shared-Services Compartment]\n      HUBNET[Hub VCN \/ DNS \/ Security]\n      LOG[Logging \/ Monitoring]\n    end\n\n    subgraph NonProd[Non-Prod]\n      DEV[Dev Compartment]\n      TEST[Test Compartment]\n      CI[CI\/CD Compartment]\n    end\n\n    subgraph Prod[Production]\n      PRODAPP[Prod App Compartments]\n      PRODDATA[Prod Data Compartments]\n    end\n  end\n\n  GOV --&gt; POL\n  POL --&gt; DEV\n  POL --&gt; TEST\n  POL --&gt; PRODAPP\n  POL --&gt; PRODDATA\n\n  U2[App Teams] --&gt; API2[OCI APIs]\n  API2 --&gt; LIM\n  LIM --&gt; POL\n  POL --&gt; HUBNET\n  POL --&gt; DEV\n  POL --&gt; PRODAPP\n\n  POL --&gt; AUD\n  BUD --&gt; FIN[FinOps Alerts\/Reports]\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">8. 
Prerequisites<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Tenancy\/account requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An active <strong>Oracle Cloud (OCI) tenancy<\/strong><\/li>\n<li>Ability to create\/manage compartments and policies (often restricted to administrators)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM requirements<\/h3>\n\n\n\n<p>To create and manage quota policies, you typically need permissions equivalent to managing IAM policies in the relevant scope (often tenancy\/root compartment).<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Minimum: permission to <strong>create\/update policies<\/strong> (quota policies are a type of policy).<\/li>\n<li>Best practice: delegate quota management to a controlled admin group (e.g., \u201cQuotaAdmins\u201d) and restrict scope.<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>Verify in official docs: the exact IAM policy statements and any dedicated \u201cquota\u201d permissions can vary by OCI policy model updates. 
Start from OCI IAM \u201cQuotas\u201d documentation and IAM policy reference.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Billing requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>No separate billing requirement for the quota feature itself.<\/li>\n<li>Resource creation attempts blocked by quotas will not incur resource costs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Tools needed (for this tutorial)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI Console access (recommended for beginners)<\/li>\n<li>Optional: OCI CLI installed and configured if you want command-line verification<br\/>\n  OCI CLI docs: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/API\/SDKDocs\/cliinstall.htm<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Quotas are a control-plane governance feature used across OCI regions.<\/li>\n<li>Enforcement occurs where the resource is created (regional services). If you need region-specific quota logic, <strong>verify support<\/strong> for conditional scoping in quota statements.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits prerequisites<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Be aware of two layers:\n<ul class=\"wp-block-list\">\n<li><strong>Service limits<\/strong> (Oracle-set) define the maximum possible.<\/li>\n<li><strong>Compartment Quotas<\/strong> define your internal caps (must be \u2264 service limits).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI IAM (Identity)<\/li>\n<li>OCI Compartments<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Current pricing model<\/h3>\n\n\n\n<p><strong>Compartment Quotas (quota policies) does not have a standalone usage charge<\/strong> in typical OCI pricing. 
You are not billed per quota statement or per evaluation. The financial impact is indirect: quotas help you <strong>avoid<\/strong> costs by preventing resource creation beyond approved limits.<\/p>\n\n\n\n<blockquote>\n<p>Always verify on official OCI pricing pages for any governance feature packaging changes.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions (what affects cost)<\/h3>\n\n\n\n<p>While Compartment Quotas itself is typically not billed, costs may arise from:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <strong>resources you allow<\/strong> under quotas (compute, storage, databases, networking gateways, etc.)<\/li>\n<li><strong>Audit log retention and archiving<\/strong> (if you export logs to Object Storage)<\/li>\n<li><strong>Operational tooling<\/strong> (SIEM integrations, log analytics, ticketing automation)<\/li>\n<li><strong>Data egress<\/strong> and inter-region data transfer from the workloads you provision (not from quotas)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Free tier<\/h3>\n\n\n\n<p>OCI Free Tier applies to eligible services\/resources, not to quotas directly. 
Quotas can be used in free-tier tenancies to prevent accidental creation of non-free resources.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Cost drivers<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Setting quotas too high can still allow expensive provisioning.<\/li>\n<li>Lack of quotas in dev\/test can lead to costly \u201cresource sprawl.\u201d<\/li>\n<li>Overly restrictive quotas can increase engineering time (people cost) due to frequent quota increase requests.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Hidden or indirect costs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Operational friction<\/strong>: if quotas are too tight or not aligned with delivery needs.<\/li>\n<li><strong>Support overhead<\/strong>: handling quota-exceeded tickets without good automation.<\/li>\n<li><strong>Pipeline failures<\/strong>: IaC runs fail when quotas are hit; this can delay releases.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network\/data transfer implications<\/h3>\n\n\n\n<p>No meaningful network charges are caused by quota evaluation itself. 
Network and data transfer costs come from the resources created within quota boundaries (NAT gateways, load balancers, egress, etc.).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost with quotas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Put strict quotas on non-prod compartments (network objects, compute counts).<\/li>\n<li>Implement \u201csandbox\u201d quotas that allow experimentation but limit blast radius.<\/li>\n<li>Periodically review and lower quotas based on observed usage.<\/li>\n<li>Use budgets\/alerts to complement quotas for spend-based visibility.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Using Compartment Quotas: <strong>$0 for the quota feature itself<\/strong> (typical).<\/li>\n<li>If you run this tutorial using <strong>only VCN creation<\/strong> (no gateways, no compute), the incremental cost is generally <strong>$0<\/strong> for networking objects like VCN\/subnet creation alone (OCI commonly does not charge for the mere existence of these objects; charges come from attached billable resources like gateways\/LBs\u2014verify for your region and product terms).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations<\/h3>\n\n\n\n<p>In production, the \u201ccost\u201d story is about the resources governed:\n&#8211; Define quotas for compute and network growth boundaries.\n&#8211; Ensure service limits and quotas are aligned with peak demand and DR needs.\n&#8211; Include headroom for incident response (temporary scale-out), or document a fast quota-increase process.<\/p>\n\n\n\n<p><strong>Official pricing references<\/strong>\n&#8211; OCI Pricing: https:\/\/www.oracle.com\/cloud\/pricing\/\n&#8211; OCI Cost Estimator: https:\/\/www.oracle.com\/cloud\/costestimator.html<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">10. 
Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<p>This lab uses a safe, low-cost approach: <strong>limit VCN creation<\/strong> in a compartment. Creating VCNs\/subnets is typically not billable by itself, making it a good way to validate quota behavior without provisioning compute.<\/p>\n\n\n\n<blockquote>\n<p>Important: The exact quota statement resource names must match OCI\u2019s supported quota types. The example below uses commonly referenced naming patterns (e.g., <code>virtual-network<\/code> and <code>vcn-count<\/code>). <strong>If your tenancy rejects the statement<\/strong>, use the official Quotas documentation to find the correct service and resource quota type names for networking in your OCI environment.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<p>Create a compartment, apply a Compartment Quotas policy that allows only <strong>one VCN<\/strong> in that compartment, then verify that OCI blocks creation of a second VCN.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will:\n1. Create a compartment for the lab\n2. Create a quota policy (Compartment Quotas) that caps VCN count\n3. Create the first VCN (should succeed)\n4. Attempt to create a second VCN (should fail with a quota\/limit error)\n5. Validate and review audit trails\n6. Clean up resources (VCN, quota policy, and compartment)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Create a compartment for the lab<\/h3>\n\n\n\n<p><strong>Console steps<\/strong>\n1. Sign in to the OCI Console.\n2. Open the navigation menu \u2192 <strong>Identity &amp; Security<\/strong> \u2192 <strong>Compartments<\/strong>.\n3. Click <strong>Create Compartment<\/strong>.\n4. Enter:\n   &#8211; Name: <code>quota-lab<\/code>\n   &#8211; Description: <code>Compartment Quotas lab<\/code>\n   &#8211; Parent Compartment: your root compartment (or another permitted parent)\n5. 
Click <strong>Create Compartment<\/strong>.<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; A new compartment <code>quota-lab<\/code> exists and is in <strong>Active<\/strong> state.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; Confirm <code>quota-lab<\/code> appears in the compartments list.\n&#8211; Use the compartment selector (top-left) to confirm it\u2019s selectable.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Create a Compartment Quotas policy (quota policy)<\/h3>\n\n\n\n<p>You\u2019ll create a <strong>quota policy<\/strong> that sets the maximum number of VCNs in <code>quota-lab<\/code> to 1.<\/p>\n\n\n\n<p><strong>Console steps<\/strong>\n1. Navigation menu \u2192 <strong>Identity &amp; Security<\/strong> \u2192 <strong>Policies<\/strong>.\n2. Ensure you are in the correct compartment for storing the policy (often <strong>root<\/strong> or a designated governance compartment).<br\/>\n   &#8211; Many organizations store governance policies in the <strong>root compartment<\/strong> for central management.\n3. Click <strong>Create Policy<\/strong>.\n4. Enter:\n   &#8211; Name: <code>quota-lab-vcn-cap<\/code>\n   &#8211; Description: <code>Compartment Quotas lab: cap VCN count in quota-lab<\/code>\n   &#8211; Policy type: <strong>Quota<\/strong> (or similar option\u2014OCI UI labeling can vary)\n5. 
In the policy statements editor, add a statement similar to:<\/p>\n\n\n\n<pre><code class=\"language-text\">set virtual-network quota vcn-count to 1 in compartment quota-lab\n<\/code><\/pre>\n\n\n\n<ol class=\"wp-block-list\" start=\"6\">\n<li>Click <strong>Create<\/strong>.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; A quota policy is created successfully.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; Open the policy details and confirm:\n  &#8211; Policy type indicates quota (if shown)\n  &#8211; Statement is present\n&#8211; If OCI rejects the statement:\n  &#8211; Confirm the compartment name is correct\n  &#8211; Confirm you selected the correct policy type (Quota)\n  &#8211; Check the official quota statement syntax and quota resource type names (see resources section)<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Create the first VCN (should succeed)<\/h3>\n\n\n\n<p><strong>Console steps<\/strong>\n1. Navigation menu \u2192 <strong>Networking<\/strong> \u2192 <strong>Virtual Cloud Networks<\/strong>.\n2. Select compartment: <code>quota-lab<\/code>.\n3. Click <strong>Create VCN<\/strong>.\n4. Choose <strong>VCN with Internet Connectivity<\/strong> <em>or<\/em> <strong>VCN Only<\/strong> (either is fine; VCN Only is simplest).\n5. Name: <code>vcn-1<\/code>\n6. Click <strong>Create VCN<\/strong>.<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; <code>vcn-1<\/code> is created successfully in <code>quota-lab<\/code>.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; In the VCN list for <code>quota-lab<\/code>, confirm <code>vcn-1<\/code> is in <strong>Available<\/strong> state.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Attempt to create a second VCN (should fail)<\/h3>\n\n\n\n<p><strong>Console steps<\/strong>\n1. 
Still in <strong>Networking \u2192 Virtual Cloud Networks<\/strong> with compartment <code>quota-lab<\/code>\n2. Click <strong>Create VCN<\/strong>\n3. Name: <code>vcn-2<\/code>\n4. Click <strong>Create VCN<\/strong><\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; OCI rejects the request due to quota enforcement.\n&#8211; You should see an error indicating quota\/limit exceeded (exact wording varies).<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; Confirm <code>vcn-2<\/code> does <strong>not<\/strong> appear as available.\n&#8211; If an entry exists in a failed\/provisioning state, open it to see error details.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Validate with Audit (governance traceability)<\/h3>\n\n\n\n<p><strong>Console steps<\/strong>\n1. Navigation menu \u2192 <strong>Identity &amp; Security<\/strong> \u2192 <strong>Audit<\/strong>.\n2. Filter by:\n   &#8211; Compartment: where the quota policy is stored (often root)\n   &#8211; Time window: last 15\u201360 minutes\n3. Look for events related to policy creation\/update.\n4. 
Optionally also inspect events around the failed VCN creation attempt (it may show as a failed API call in service logs; availability depends on OCI\u2019s audit event coverage for the target service operations).<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; You can see a record of quota policy creation in Audit logs.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>You have successfully validated Compartment Quotas if:\n&#8211; <code>vcn-1<\/code> exists in <code>quota-lab<\/code>\n&#8211; Creating <code>vcn-2<\/code> fails due to quota enforcement\n&#8211; The quota policy exists and is visible in the policies list\n&#8211; Audit shows governance change events for policy creation (and possibly failed calls)<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Problem: Policy statement is rejected at creation time<\/h4>\n\n\n\n<p><strong>Likely causes<\/strong>\n&#8211; Wrong policy type (created as IAM policy instead of quota policy)\n&#8211; Incorrect quota statement syntax\n&#8211; Wrong service name or quota resource type name (e.g., <code>virtual-network<\/code>, <code>vcn-count<\/code>)<\/p>\n\n\n\n<p><strong>Fix<\/strong>\n&#8211; Ensure the policy type is <strong>Quota<\/strong>\n&#8211; Check official quota statement syntax and supported quota types<br\/>\n  Official Quotas doc (start here): https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Identity\/Tasks\/managingquotas.htm (Verify URL if Oracle reorganizes docs)<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Problem: Second VCN creation succeeds (quota not enforced)<\/h4>\n\n\n\n<p><strong>Likely causes<\/strong>\n&#8211; Quota policy is stored\/targeted incorrectly\n&#8211; Statement targets wrong compartment name\n&#8211; Quota evaluation not applicable to that resource type (unsupported quota 
type)<\/p>\n\n\n\n<p><strong>Fix<\/strong>\n&#8211; Re-check the statement: compartment name must match exactly\n&#8211; Confirm the quota policy is active and saved\n&#8211; Confirm the quota type supports the resource you tested (verify in docs)<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Problem: Error message looks like \u201cNotAuthorizedOrNotFound\u201d<\/h4>\n\n\n\n<p><strong>Likely causes<\/strong>\n&#8211; OCI sometimes uses combined error messages for authorization\/limits\n&#8211; Your user lacks permissions to create the resource even before quotas are evaluated<\/p>\n\n\n\n<p><strong>Fix<\/strong>\n&#8211; Confirm you have IAM permission to create VCNs in <code>quota-lab<\/code>\n&#8211; Then re-test quota enforcement<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Delete <code>vcn-1<\/code>:\n   &#8211; Networking \u2192 Virtual Cloud Networks \u2192 select <code>quota-lab<\/code> \u2192 open <code>vcn-1<\/code> \u2192 <strong>Terminate<\/strong><\/li>\n<li>Delete the quota policy <code>quota-lab-vcn-cap<\/code>:\n   &#8211; Identity &amp; Security \u2192 Policies \u2192 locate policy \u2192 <strong>Delete<\/strong><\/li>\n<li>Delete the compartment <code>quota-lab<\/code>:\n   &#8211; Identity &amp; Security \u2192 Compartments \u2192 open <code>quota-lab<\/code> \u2192 <strong>Delete Compartment<\/strong><br\/>\n   (Compartment deletion can take time; ensure all resources inside are deleted.)<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; No remaining lab resources, and no ongoing cost.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">11. 
Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Align quotas to your compartment strategy<\/strong>: quotas are easiest when compartments reflect ownership and environment boundaries.<\/li>\n<li><strong>Use layered governance<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Service limits (Oracle) define maximum possible<\/li>\n<li>Compartment Quotas define internal allocation<\/li>\n<li>IAM policies define who can act<\/li>\n<li>Budgets define financial visibility and alerts<\/li>\n<\/ul>\n<\/li>\n<li><strong>Design for growth<\/strong>: set quotas with headroom and a documented increase process; avoid \u201calways blocked\u201d pipelines.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Restrict quota policy management<\/strong> to a small admin group (Platform\/Security).<\/li>\n<li><strong>Separate duties<\/strong>:\n<ul class=\"wp-block-list\">\n<li>App teams can provision resources<\/li>\n<li>Platform team controls quotas and guardrails<\/li>\n<\/ul>\n<\/li>\n<li><strong>Use change control<\/strong> for quota updates: ticketing, approvals, and peer review (especially for production compartments).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Put tighter quotas in <strong>non-prod<\/strong> than prod.<\/li>\n<li>Start conservative and increase based on observed usage.<\/li>\n<li>Review quotas quarterly with FinOps and platform teams.<\/li>\n<li>Combine quotas with <strong>budgets and alerts<\/strong>; quotas don\u2019t show spend, they limit capacity.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Quotas are not a performance optimization feature; they\u2019re governance.<br\/>\n  The performance benefit is indirect: preventing unplanned scaling or sprawl.<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ensure production compartments have quota headroom for:\n<ul class=\"wp-block-list\">\n<li>Autoscaling events<\/li>\n<li>Incident response capacity increases<\/li>\n<li>DR testing (if performed in the same tenancy\/compartment structure)<\/li>\n<\/ul>\n<\/li>\n<li>Document an emergency procedure to temporarily raise quotas.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create a <strong>\u201cquota exceeded\u201d runbook<\/strong>:\n<ul class=\"wp-block-list\">\n<li>How to identify the quota statement involved<\/li>\n<li>Who approves increases<\/li>\n<li>How to implement changes and confirm<\/li>\n<\/ul>\n<\/li>\n<li>Use <strong>Audit<\/strong> logs to monitor quota policy changes.<\/li>\n<li>Keep quota policies named clearly and consistently:\n<ul class=\"wp-block-list\">\n<li><code>quota-&lt;env&gt;-&lt;domain&gt;-&lt;purpose&gt;<\/code> (example: <code>quota-dev-network-cap<\/code>)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance\/tagging\/naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Tag quota policies (freeform\/defined tags where supported) to track owner, environment, and business unit.<\/li>\n<li>Standardize compartment naming so quota statements remain readable and maintainable.<\/li>\n<li>Keep quota statements small and modular (avoid one giant policy if it reduces clarity).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">12. Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Compartment Quotas is enforced via OCI IAM control plane.<\/li>\n<li>Managing quota policies is a privileged action. 
Treat it like changing firewall rules:\n<ul class=\"wp-block-list\">\n<li>Minimize who can change quotas<\/li>\n<li>Require review\/approval for production quota changes<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Quotas do not store customer data-plane payloads.<\/li>\n<li>Policy objects and audit logs are stored by OCI control plane; for compliance, focus on:\n<ul class=\"wp-block-list\">\n<li>Audit log retention and access controls<\/li>\n<li>Exporting logs to Object Storage with appropriate encryption settings (customer-managed keys where required)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>No direct network exposure; quotas operate at the API authorization layer.<\/li>\n<li>However, if you use automation from CI\/CD, protect that pipeline\u2019s credentials because quotas will not stop <em>all<\/em> malicious actions\u2014only those exceeding configured caps.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Store OCI API keys, auth tokens, and instance principal credentials securely (Vault, CI secret store).<\/li>\n<li>Use least privilege so pipelines can\u2019t modify quota policies unless explicitly required.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable and monitor <strong>Audit<\/strong> for changes to policies (including quota policies).<\/li>\n<li>Consider exporting audit logs to centralized logging\/SIEM for:\n<ul class=\"wp-block-list\">\n<li>Unauthorized quota increase attempts<\/li>\n<li>Changes outside change windows<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Quotas help demonstrate \u201cpreventive controls\u201d in governance frameworks, but they don\u2019t replace:\n<ul class=\"wp-block-list\">\n<li>IAM least privilege<\/li>\n<li>Network segmentation<\/li>\n<li>Configuration compliance scanning<\/li>\n<\/ul>\n<\/li>\n<li>Document quota policies as part of your control set (what\u2019s capped and why).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Letting app teams modify quota policies for their compartments without oversight.<\/li>\n<li>Setting quotas too high in dev\/test, defeating the purpose.<\/li>\n<li>Relying on quotas as the only control (instead of layered governance).<\/li>\n<li>Not monitoring quota policy changes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Centralize quota policies in a governance compartment or root (depending on your model).<\/li>\n<li>Use IaC with peer review for quota policies.<\/li>\n<li>Alert on quota policy changes (via audit log export + SIEM or notification workflows).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">13. Limitations and Gotchas<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Not all services\/resources support quota types<\/strong>: quotas only work where OCI exposes quota resource types for that service. 
Always verify supported quota targets.<\/li>\n<li><strong>Quotas don\u2019t override Oracle service limits<\/strong>: service limits remain the ultimate ceiling.<\/li>\n<li><strong>Quotas can cause CI\/CD failures<\/strong>: Terraform applies or pipelines may fail suddenly if quotas are reached.<\/li>\n<li><strong>Error messages can be confusing<\/strong>: quota failures may appear similar to authorization or limit errors.<\/li>\n<li><strong>Existing resources usually remain<\/strong>: quotas typically prevent new creation rather than deleting existing resources.<\/li>\n<li><strong>Compartment hierarchy nuances<\/strong>: policy placement and targeting can be subtle; verify how quotas apply across parent\/child compartments in your model.<\/li>\n<li><strong>Region-specific behavior<\/strong>: because many resources are regional, quota evaluation may effectively be region-bound; if you require per-region quotas, verify supported conditional syntax.<\/li>\n<li><strong>Governance drift<\/strong>: quotas can become outdated if not reviewed; teams may request exceptions that accumulate.<\/li>\n<li><strong>Migration challenges<\/strong>: when reorganizing compartments, quota statements referencing compartment names\/targets may need updates and re-validation.<\/li>\n<li><strong>Naming dependence<\/strong>: quota statements can reference compartment identifiers logically; ensure stable naming or use best practices recommended by OCI.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">14. Comparison with Alternatives<\/h2>\n\n\n\n<p>Compartment Quotas is one part of governance. Here\u2019s how it compares to nearby options.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Key comparisons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>OCI Service Limits<\/strong>: Oracle-defined hard maximums per tenancy\/region; you can request increases. 
Not compartment-scoped allocations.<\/li>\n<li><strong>OCI Budgets<\/strong>: Alerting and monitoring based on spend; doesn\u2019t prevent provisioning.<\/li>\n<li><strong>IAM Policies<\/strong>: Control <em>who can do what<\/em>, not <em>how much<\/em> they can do.<\/li>\n<li><strong>Tag-based governance<\/strong>: Helps classification and automation; not a hard cap.<\/li>\n<li><strong>Terraform policy-as-code (process control)<\/strong>: Prevents merges\/applies via review gates; quotas still valuable as an enforcement backstop.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Comparison table<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Compartment Quotas (OCI)<\/strong><\/td>\n<td>Hard caps per compartment<\/td>\n<td>Preventive control; tool-agnostic enforcement<\/td>\n<td>Limited to supported quota types; can block pipelines<\/td>\n<td>When you need enforceable per-team\/per-env ceilings<\/td>\n<\/tr>\n<tr>\n<td><strong>OCI Service Limits<\/strong><\/td>\n<td>Tenancy-wide max capacity<\/td>\n<td>Oracle-enforced; official upper bound<\/td>\n<td>Not for internal allocation; increase requests take time<\/td>\n<td>When you hit Oracle limits or plan capacity<\/td>\n<\/tr>\n<tr>\n<td><strong>OCI Budgets<\/strong><\/td>\n<td>Spend visibility and alerts<\/td>\n<td>Monetary view; good for FinOps<\/td>\n<td>Not preventive; alerts can be ignored<\/td>\n<td>When you need cost monitoring and alerting<\/td>\n<\/tr>\n<tr>\n<td><strong>OCI IAM Policies<\/strong><\/td>\n<td>Authorization<\/td>\n<td>Strong access control<\/td>\n<td>Doesn\u2019t cap usage<\/td>\n<td>Always\u2014baseline security and governance<\/td>\n<\/tr>\n<tr>\n<td><strong>AWS Service Quotas + SCPs (other cloud)<\/strong><\/td>\n<td>Quotas + org policy controls<\/td>\n<td>Mature org-level guardrails<\/td>\n<td>Different ecosystem; 
not OCI<\/td>\n<td>When operating in AWS organizations<\/td>\n<\/tr>\n<tr>\n<td><strong>Azure Policy + Quotas (other cloud)<\/strong><\/td>\n<td>Policy-based governance<\/td>\n<td>Rich compliance\/policy engine<\/td>\n<td>Different ecosystem; complexity<\/td>\n<td>When operating in Azure at scale<\/td>\n<\/tr>\n<tr>\n<td><strong>GCP Organization Policy + Quotas (other cloud)<\/strong><\/td>\n<td>Org constraints and quotas<\/td>\n<td>Strong org hierarchy<\/td>\n<td>Different ecosystem<\/td>\n<td>When operating in GCP organizations<\/td>\n<\/tr>\n<tr>\n<td><strong>Self-managed approval workflow<\/strong><\/td>\n<td>Human approvals<\/td>\n<td>Flexible<\/td>\n<td>Slow; error-prone; not enforced at API level<\/td>\n<td>When compliance requires manual approvals in addition to technical controls<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example: Shared OCI tenancy with many teams<\/h3>\n\n\n\n<p><strong>Problem<\/strong><br\/>\nA financial services enterprise runs dozens of application teams in one OCI tenancy. 
Teams share service limits, and dev environments regularly expand beyond intended size, causing unexpected spend and occasional resource contention.<\/p>\n\n\n\n<p><strong>Proposed architecture<\/strong>\n&#8211; Compartments structured as:\n  &#8211; <code>Shared-Services<\/code> (central networking, logging)\n  &#8211; <code>BusinessUnitA<\/code> \u2192 <code>Apps<\/code> \u2192 <code>Dev\/Test\/Prod<\/code>\n  &#8211; <code>BusinessUnitB<\/code> \u2192 <code>Apps<\/code> \u2192 <code>Dev\/Test\/Prod<\/code>\n&#8211; Compartment Quotas (quota policies) applied:\n  &#8211; Tight dev\/test quotas on network object sprawl and compute counts\n  &#8211; Production quotas sized to approved capacity with headroom\n&#8211; Budgets configured per compartment for financial visibility\n&#8211; Audit log export to SIEM for policy change monitoring<\/p>\n\n\n\n<p><strong>Why Compartment Quotas was chosen<\/strong>\n&#8211; Needed a <strong>preventive<\/strong> control that works across Console and automation.\n&#8211; Needed compartment-level allocation to prevent one BU from consuming shared capacity.\n&#8211; Complements IAM: teams can create resources, but only within allowed envelopes.<\/p>\n\n\n\n<p><strong>Expected outcomes<\/strong>\n&#8211; Reduced non-prod spend and sprawl\n&#8211; Fewer incidents from capacity contention\n&#8211; Clear governance workflow for quota increase requests\n&#8211; Improved auditability of governance changes<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example: Fast-moving product team<\/h3>\n\n\n\n<p><strong>Problem<\/strong><br\/>\nA startup uses OCI for staging and production. 
Engineers are experimenting quickly, and a few accidental resource creations caused unexpected bills.<\/p>\n\n\n\n<p><strong>Proposed architecture<\/strong>\n&#8211; Compartments:\n  &#8211; <code>prod<\/code>\n  &#8211; <code>staging<\/code>\n  &#8211; <code>sandbox<\/code>\n&#8211; Compartment Quotas:\n  &#8211; <code>sandbox<\/code>: strict quotas to prevent expensive provisioning\n  &#8211; <code>staging<\/code>: moderate quotas matching expected testing footprint\n  &#8211; <code>prod<\/code>: sized quotas with documented emergency increase path<\/p>\n\n\n\n<p><strong>Why Compartment Quotas was chosen<\/strong>\n&#8211; Minimal operational overhead\n&#8211; Immediate guardrails without building custom tooling\n&#8211; Works with Terraform and console equally<\/p>\n\n\n\n<p><strong>Expected outcomes<\/strong>\n&#8211; Safer experimentation\n&#8211; Fewer surprise bills\n&#8211; More predictable environment sizes<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<p>1) <strong>Is \u201cCompartment Quotas\u201d the same as OCI Service Limits?<\/strong><br\/>\nNo. Service limits are Oracle-defined maximums for your tenancy\/region. Compartment Quotas are customer-defined caps to allocate usage within your tenancy.<\/p>\n\n\n\n<p>2) <strong>Do quotas apply to existing resources?<\/strong><br\/>\nTypically, quotas prevent <em>new<\/em> creation or scaling that would exceed the quota. They usually do not delete existing resources automatically.<\/p>\n\n\n\n<p>3) <strong>Are Compartment Quotas free?<\/strong><br\/>\nUsually, there is no separate charge to define quota policies. The costs come from the resources you create within quota boundaries. Verify current pricing terms on OCI pricing pages.<\/p>\n\n\n\n<p>4) <strong>Can I apply quotas to any OCI service?<\/strong><br\/>\nNo. Quotas only apply where OCI provides supported quota resource types for that service. 
Always verify supported targets in official docs.<\/p>\n\n\n\n<p>5) <strong>Do quotas work with Terraform?<\/strong><br\/>\nYes. Quotas are enforced by OCI APIs, so Terraform applies can fail if quotas would be exceeded. This is a feature (guardrail), but it can disrupt pipelines if not planned.<\/p>\n\n\n\n<p>6) <strong>What\u2019s the best way to roll out quotas without breaking teams?<\/strong><br\/>\nStart by observing current usage, set quotas slightly above current usage, communicate the policy, and introduce a clear quota increase process.<\/p>\n\n\n\n<p>7) <strong>Can I set quotas differently for dev vs prod?<\/strong><br\/>\nYes\u2014because quotas are compartment-scoped, dev and prod compartments can have different caps.<\/p>\n\n\n\n<p>8) <strong>Can quotas prevent spending directly (in dollars)?<\/strong><br\/>\nNot directly. Quotas limit resource counts\/capacity, not spend. Use Budgets for spend monitoring and alerts.<\/p>\n\n\n\n<p>9) <strong>How do I know which quota statement blocked my request?<\/strong><br\/>\nOCI error responses may indicate a quota\/limit issue but may not always point to the exact statement. Operationally, keep quota policies well-documented and searchable, and use runbooks to map typical errors to quota rules.<\/p>\n\n\n\n<p>10) <strong>Do quotas apply across regions?<\/strong><br\/>\nQuota policies are tenancy governance, but resource enforcement occurs where the resource is created (regional). If you need region-specific quotas, verify whether quota statements support region-based conditions.<\/p>\n\n\n\n<p>11) <strong>Who should be allowed to manage quota policies?<\/strong><br\/>\nTypically a small platform\/security governance group. 
Treat quota changes as privileged governance changes.<\/p>\n\n\n\n<p>12) <strong>Can I set quota to zero to block a resource type?<\/strong><br\/>\nOften you can effectively block creation by setting a quota to 0 for a supported quota type, but syntax\/support may vary\u2014verify in official docs.<\/p>\n\n\n\n<p>13) <strong>How do quotas interact with compartment hierarchy?<\/strong><br\/>\nThis can be nuanced. Quota statement targeting and inheritance depend on how policies are scoped and how OCI applies them. Verify inheritance behavior in official docs and test in non-prod.<\/p>\n\n\n\n<p>14) <strong>What happens when a quota is exceeded during an autoscaling event?<\/strong><br\/>\nThe scaling request can fail, potentially affecting availability. Production quotas should include headroom for scaling and incident response.<\/p>\n\n\n\n<p>15) <strong>How should I document quotas for auditors?<\/strong><br\/>\nExport quota policies and keep them under version control (where possible), document rationale per environment, and retain audit logs of changes.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">17. 
Top Online Resources to Learn Compartment Quotas<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td>OCI Quotas \/ Managing Quotas (Quota Policies) \u2014 https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Identity\/Tasks\/managingquotas.htm<\/td>\n<td>Primary reference for quota concepts, syntax, and management workflow<\/td>\n<\/tr>\n<tr>\n<td>Official documentation<\/td>\n<td>OCI IAM Policies \u2014 https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Identity\/Concepts\/policies.htm<\/td>\n<td>Understand policy language patterns and governance model<\/td>\n<\/tr>\n<tr>\n<td>Official documentation<\/td>\n<td>OCI Compartments \u2014 https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Identity\/Tasks\/managingcompartments.htm<\/td>\n<td>Compartments are the foundation for quota scoping<\/td>\n<\/tr>\n<tr>\n<td>Official documentation<\/td>\n<td>OCI Service Limits \u2014 https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/General\/Concepts\/servicelimits.htm<\/td>\n<td>Clarifies Oracle-set limits vs your quota policies<\/td>\n<\/tr>\n<tr>\n<td>Official documentation<\/td>\n<td>OCI Audit \u2014 https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Audit\/Concepts\/auditoverview.htm<\/td>\n<td>Track quota policy changes and governance actions<\/td>\n<\/tr>\n<tr>\n<td>Official pricing page<\/td>\n<td>Oracle Cloud Pricing \u2014 https:\/\/www.oracle.com\/cloud\/pricing\/<\/td>\n<td>Confirm pricing model and cost structure for governed services<\/td>\n<\/tr>\n<tr>\n<td>Official pricing tool<\/td>\n<td>OCI Cost Estimator \u2014 https:\/\/www.oracle.com\/cloud\/costestimator.html<\/td>\n<td>Estimate costs for resources that quotas will allow<\/td>\n<\/tr>\n<tr>\n<td>Official CLI docs<\/td>\n<td>OCI CLI Installation \u2014 https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/API\/SDKDocs\/cliinstall.htm<\/td>\n<td>Helpful for scripting 
quota validation and governance workflows<\/td>\n<\/tr>\n<tr>\n<td>Official tutorials<\/td>\n<td>Oracle Cloud Tutorials \u2014 https:\/\/docs.oracle.com\/en\/learn\/<\/td>\n<td>Find related IAM\/governance labs (availability varies)<\/td>\n<\/tr>\n<tr>\n<td>Official videos<\/td>\n<td>Oracle OCI YouTube channel \u2014 https:\/\/www.youtube.com\/user\/oracle<\/td>\n<td>Look for IAM\/governance videos and best practices (verify specific quota content)<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Institute<\/th>\n<th>Suitable Audience<\/th>\n<th>Likely Learning Focus<\/th>\n<th>Mode<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps engineers, SREs, platform teams<\/td>\n<td>OCI governance, DevOps practices, IaC<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>ScmGalaxy.com<\/td>\n<td>Beginners to intermediate engineers<\/td>\n<td>SCM\/DevOps foundations, governance concepts<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n<tr>\n<td>CloudOpsNow.in<\/td>\n<td>Cloud engineers, operations teams<\/td>\n<td>Cloud operations and governance<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.cloudopsnow.in\/<\/td>\n<\/tr>\n<tr>\n<td>SreSchool.com<\/td>\n<td>SREs, reliability and ops engineers<\/td>\n<td>SRE practices, operational governance<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.sreschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>AiOpsSchool.com<\/td>\n<td>Ops teams exploring AIOps<\/td>\n<td>Monitoring\/automation and ops processes<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">19. 
Top Trainers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform\/Site<\/th>\n<th>Likely Specialization<\/th>\n<th>Suitable Audience<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RajeshKumar.xyz<\/td>\n<td>DevOps\/cloud coaching (verify exact offerings)<\/td>\n<td>Engineers seeking guided learning<\/td>\n<td>https:\/\/rajeshkumar.xyz\/<\/td>\n<\/tr>\n<tr>\n<td>devopstrainer.in<\/td>\n<td>DevOps training (verify OCI coverage)<\/td>\n<td>Beginners to intermediate DevOps learners<\/td>\n<td>https:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n<tr>\n<td>devopsfreelancer.com<\/td>\n<td>Freelance DevOps support\/training (verify services)<\/td>\n<td>Teams needing practical implementation help<\/td>\n<td>https:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n<tr>\n<td>devopssupport.in<\/td>\n<td>DevOps support and enablement (verify offerings)<\/td>\n<td>Ops\/DevOps teams needing assistance<\/td>\n<td>https:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">20. 
Top Consulting Companies<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Company<\/th>\n<th>Likely Service Area<\/th>\n<th>Where They May Help<\/th>\n<th>Consulting Use Case Examples<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cotocus.com<\/td>\n<td>Cloud\/DevOps consulting (verify portfolio)<\/td>\n<td>Landing zone governance, IaC pipelines, operations<\/td>\n<td>Compartment strategy + quotas + IAM design review; rollout runbooks<\/td>\n<td>https:\/\/www.cotocus.com\/<\/td>\n<\/tr>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps and cloud consulting<\/td>\n<td>Platform enablement and governance automation<\/td>\n<td>Implement quota policies as code; CI\/CD guardrails; operational training<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>DEVOPSCONSULTING.IN<\/td>\n<td>DevOps consulting (verify offerings)<\/td>\n<td>DevOps process and tooling<\/td>\n<td>Governance workflows, automation, deployment pipelines<\/td>\n<td>https:\/\/www.devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before Compartment Quotas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI fundamentals: regions, availability domains, compartments<\/li>\n<li>OCI IAM basics: groups, dynamic groups, policies<\/li>\n<li>Basic networking: VCNs, subnets, gateways (for practical quota examples)<\/li>\n<li>Cost basics: how OCI billing aligns with resource usage<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after Compartment Quotas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI Budgets and Cost Analysis (FinOps)<\/li>\n<li>Audit log export and SIEM integration<\/li>\n<li>Terraform on OCI (Resource Manager or Terraform CLI)<\/li>\n<li>Landing zone patterns (compartment hierarchy, shared services, guardrails)<\/li>\n<li>Policy-as-code and change management for governance artifacts<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud\/Platform Architect<\/li>\n<li>Cloud Engineer \/ DevOps Engineer<\/li>\n<li>SRE \/ Operations Engineer<\/li>\n<li>Security Engineer \/ Cloud Security Architect<\/li>\n<li>FinOps Analyst \/ FinOps Engineer (in collaboration with platform teams)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (if available)<\/h3>\n\n\n\n<p>Oracle certifications change over time; look for OCI architect\/admin tracks and ensure they include governance and IAM objectives.<br\/>\nVerify current certifications here: https:\/\/education.oracle.com\/<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Build a compartment hierarchy for a 3-environment app (dev\/test\/prod) and define quota envelopes.<\/li>\n<li>Implement quotas + budgets + audit export for a small \u201clanding zone.\u201d<\/li>\n<li>Create a Terraform module that provisions compartments and quota policies (verify provider support for quota policy 
type).<\/li>\n<li>Run a game day: intentionally hit quota limits in a test compartment and practice the operational workflow.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">22. Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>OCI (Oracle Cloud Infrastructure)<\/strong>: Oracle Cloud\u2019s IaaS\/PaaS platform.<\/li>\n<li><strong>Tenancy<\/strong>: Your top-level OCI account boundary.<\/li>\n<li><strong>Compartment<\/strong>: Logical container for organizing and isolating OCI resources.<\/li>\n<li><strong>IAM (Identity and Access Management)<\/strong>: OCI service for authentication and authorization.<\/li>\n<li><strong>Policy<\/strong>: A set of statements defining permissions or governance rules.<\/li>\n<li><strong>Quota policy<\/strong>: A policy containing quota statements that cap resource usage.<\/li>\n<li><strong>Service limits<\/strong>: Oracle-defined maximum resource limits for a tenancy\/region.<\/li>\n<li><strong>Control plane<\/strong>: Management layer handling APIs, provisioning, governance, IAM.<\/li>\n<li><strong>Data plane<\/strong>: Runtime layer where application data flows (compute\/network\/storage usage).<\/li>\n<li><strong>Audit<\/strong>: OCI service that records API calls and governance events.<\/li>\n<li><strong>FinOps<\/strong>: Financial operations; discipline of managing cloud spend.<\/li>\n<li><strong>IaC (Infrastructure as Code)<\/strong>: Managing infrastructure with declarative\/config code (e.g., Terraform).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p>Compartment Quotas in Oracle Cloud (implemented through <strong>quota policies<\/strong>) is a Governance and Administration control that enforces <strong>hard caps on resource creation and scaling within compartments<\/strong>. 
It matters because it prevents cost overruns and capacity contention <em>before<\/em> they occur, and it provides guardrails that apply consistently across Console, CLI, SDKs, and Terraform.<\/p>\n\n\n\n<p>Cost-wise, the quota feature itself is typically not billed; the value comes from avoiding unplanned resource provisioning. Security-wise, quotas complement IAM by limiting <em>how much<\/em> can be created even when someone has permission to create resources, and Audit helps track quota policy changes.<\/p>\n\n\n\n<p>Use Compartment Quotas when you need enforceable per-team\/per-environment allocation in a shared OCI tenancy. Next, deepen your governance posture by pairing quotas with <strong>Budgets<\/strong>, <strong>Audit log export<\/strong>, and <strong>IaC-based policy management<\/strong> (where supported), then validate with a landing-zone style compartment strategy.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Governance and Administration<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[70,62],"tags":[],"class_list":["post-909","post","type-post","status-publish","format-standard","hentry","category-governance-and-administration","category-oracle-cloud"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/909","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=909"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/909\/revisions"}],"
wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=909"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=909"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=909"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}