Usage Guardrails
Usage guardrails give administrators the ability to raise an alarm when the number of resources of a given type in a service exceeds a configured amount. These guardrails exist for a wide range of resources across many AWS and GCP services.
Note that the Usage guardrails are not related to the Approved > Usage policy in the Approved guardrails family.
Usage guardrails have a consistent form:
{provider} > {service} > {resource} > Usage
AWS > EC2 > Instance > Usage
GCP > Network > Firewall > Usage
These policies also have consistent options that can be configured:
Skip
Check: Usage <= 85% of Limit
Check: Usage <= 100% of Limit
Note that Guardrails never destroys resources, even when the limit is exceeded, and does not prevent users from creating further resources once the Usage control moves into the alarm state. The control only reports.
The above policies have a sub-setting that determines the limit, again with a consistent form:
{provider} > {service} > {resource} > Usage > Limit
AWS > EC2 > Instance > Usage > Limit
GCP > Network > Firewall > Usage > Limit
The Limit policy sets the maximum number of resources of that type allowed within a given account. The value can either be set statically by an administrator, or a calculated policy can be written to set it dynamically.
Example Guardrail: AWS > EC2 > Instance > Usage
The AWS > EC2 > Instance > Usage policy queries an AWS account for the number of EC2 instances that exist. The policy AWS > EC2 > Instance > Usage > Limit determines how many instances can exist before the Usage guardrail raises an alarm.
Suppose two organizations each allow 50 EC2 instances to be active at any one time. The first organization treats this as a soft limit, and the second organization treats it as a hard limit.

First organization:
AWS > EC2 > Instance > Usage > Limit set to 50.
AWS > EC2 > Instance > Usage set to Check: Usage <= 100% of Limit
The guardrail raises an alarm only once the account has more than 50 instances.

Second organization:
AWS > EC2 > Instance > Usage > Limit set to 50.
AWS > EC2 > Instance > Usage set to Check: Usage <= 85% of Limit
85% of 50 is 42.5, so the guardrail raises an alarm once the account has 43 or more instances, giving the organization warning before the hard limit of 50 is reached.
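The following Python is an added illustration of how a Usage setting and its Usage > Limit sub-setting combine, covering both the static and calculated Limit described above and the two organizations in this example. It is not Turbot Guardrails code and does not use the Guardrails API or its calculated-policy syntax; the account records, the per-team limit rule and the instance counts are constructed for the example.

```python
# Added illustration of Usage / Usage > Limit evaluation. Not Turbot
# Guardrails code; account data and counts below are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, Union

SKIP = "Skip"
CHECK_85 = "Check: Usage <= 85% of Limit"
CHECK_100 = "Check: Usage <= 100% of Limit"

# Fraction of the limit that each Usage setting allows before alarming.
THRESHOLDS = {CHECK_85: 0.85, CHECK_100: 1.0}


@dataclass
class UsagePolicy:
    resource: str  # e.g. "AWS > EC2 > Instance"
    check: str  # the Usage setting: SKIP, CHECK_85 or CHECK_100
    # The Usage > Limit setting: a static integer, or a callable standing in
    # for a calculated policy that derives the limit from account data.
    limit: Union[int, Callable[[dict], int]]


def resolve_limit(policy: UsagePolicy, account: dict) -> int:
    """Static limits are used as-is; a callable is evaluated per account."""
    return policy.limit(account) if callable(policy.limit) else policy.limit


def evaluate(policy: UsagePolicy, account: dict) -> str:
    """Return the control state for one account: 'skipped', 'ok' or 'alarm'.

    account is a constructed record: {"counts": {resource: n, ...}, ...}.
    """
    if policy.check == SKIP:
        return "skipped"
    usage = account["counts"].get(policy.resource, 0)
    allowed = THRESHOLDS[policy.check] * resolve_limit(policy, account)
    # The check is "Usage <= X% of Limit". The comparison is against the
    # fractional product, so with Limit 50 and 85% the boundary is 42.5:
    # 42 instances is ok, 43 is an alarm.
    return "ok" if usage <= allowed else "alarm"


def states_for(policy: UsagePolicy, counts) -> Dict[int, str]:
    """Evaluate one policy against a range of instance counts."""
    return {
        n: evaluate(policy, {"counts": {policy.resource: n}}) for n in counts
    }


EC2 = "AWS > EC2 > Instance"
# First organization: alarm only once the limit itself is exceeded.
FIRST_ORG = UsagePolicy(EC2, CHECK_100, 50)
# Second organization: alarm at 85% so there is warning before 50 is hit.
SECOND_ORG = UsagePolicy(EC2, CHECK_85, 50)
# Hypothetical calculated limit: 10 instances per team recorded on the account.
PER_TEAM = UsagePolicy(EC2, CHECK_100, lambda acct: 10 * acct["teams"])

if __name__ == "__main__":
    for name, pol in [("first", FIRST_ORG), ("second", SECOND_ORG)]:
        print(name, states_for(pol, [42, 43, 50, 51]))
    print("per-team", evaluate(PER_TEAM, {"teams": 3, "counts": {EC2: 31}}))
```

Running it shows the first organization staying in ok through 50 instances and alarming at 51, while the second organization alarms from 43 onwards. The callable limit is only a stand-in for the dynamic value a calculated policy would supply; the evaluation itself does not change, which is the point of keeping Usage and Usage > Limit as separate settings.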