
Overview

Cluster Advanced Settings allow you to fine-tune infrastructure-level parameters for your Qovery-managed Kubernetes clusters. These settings provide granular control over networking, logging, security, resource allocation, and cloud provider-specific features.

Cloud Provider Availability

Settings are tagged with their supported cloud providers:
  • AWS: Amazon Web Services
  • GCP: Google Cloud Platform
  • Azure: Microsoft Azure
  • Scaleway

Configuring Cluster Advanced Settings

The easiest way to configure cluster advanced settings is directly from the Qovery Console:
  1. Navigate to Cluster Settings: go to your cluster page and click on Settings.
  2. Open Advanced Settings: in the settings menu, select Advanced Settings.
  3. Configure Settings: browse and configure the advanced settings you need. Settings are organized by category for easy navigation.
  4. Save and Redeploy: click Save and redeploy your cluster for changes to take effect.
Use the “Show only overridden settings” toggle to filter and view only the settings you’ve customized from their default values.
After updating cluster advanced settings, you must redeploy the cluster for changes to take effect.

Via Qovery API

You can also configure advanced settings using the Qovery API:
curl -X PATCH "https://api.qovery.com/cluster/{cluster_id}/advancedSettings" \
  -H "Authorization: Token YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "loki.log_retention_in_week": 24,
    "nginx.hpa.min_number_instances": 3,
    "database.postgresql.deny_any_access": false,
    "database.postgresql.allowed_cidrs": ["10.0.0.0/16"]
  }'

Via Terraform

Use the Qovery Terraform Provider to manage cluster advanced settings as code:
resource "qovery_cluster" "my_cluster" {
  name                = "production-cluster"
  organization_id     = var.organization_id
  cloud_provider      = "AWS"
  region              = "us-east-1"

  advanced_settings_json = jsonencode({
    "loki.log_retention_in_week" = 24
    "nginx.hpa.min_number_instances" = 3
    "nginx.controller.enable_client_ip" = true
    "database.postgresql.deny_any_access" = false
    "database.postgresql.allowed_cidrs" = ["10.0.0.0/16"]
  })
}
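Before pushing a payload like the ones above, it is worth checking it against the constraints this page states for the individual settings: CIDR lists that actually parse and do not silently allow every source, HPA minimums that do not exceed maximums, Envoy requests that do not exceed limits, GCP flow-log sampling that is not left at 0.0, and a custom envoy.log_format that keeps the two Qovery fields. The following is an added example in Python, not Qovery's own code or tooling; it reuses the endpoint and Token header from the curl example above, takes the cluster ID and token as caller-supplied placeholders, and runs its checks on two constructed payloads (the first is the curl body from this page).

```python
import ipaddress
import json
import urllib.request
from typing import Any, Dict, List, Tuple

API_BASE = "https://api.qovery.com"  # endpoint from the curl example on this page

# Pairs this page says must satisfy left <= right (HPA bounds, request <= limit).
ORDERED_PAIRS: List[Tuple[str, str]] = [
    ("nginx.hpa.min_number_instances", "nginx.hpa.max_number_instances"),
    ("envoy.hpa.min_number_instances", "envoy.hpa.max_number_instances"),
    ("envoy.gateway.hpa.min_number_instances", "envoy.gateway.hpa.max_number_instances"),
    ("envoy.vcpu.request_in_milli_cpu", "envoy.vcpu.limit_in_milli_cpu"),
    ("envoy.memory.request_in_mib", "envoy.memory.limit_in_mib"),
]
DB_ENGINES = ("postgresql", "mysql", "mongodb", "redis")
# Fields a custom envoy.log_format must carry, per this page.
REQUIRED_LOG_FIELDS = {
    "qovery_com_associated_service_id": "%DYNAMIC_METADATA(envoy.lb:qovery_com_associated_service_id)%",
    "qovery_com_environment_id": "%DYNAMIC_METADATA(envoy.lb:qovery_com_environment_id)%",
}


def check_settings(settings: Dict[str, Any]) -> List[str]:
    """Return a list of findings for the payload; an empty list means it passes."""
    findings: List[str] = []

    for lo, hi in ORDERED_PAIRS:
        if lo in settings and hi in settings and settings[lo] > settings[hi]:
            findings.append(f"{lo}={settings[lo]} exceeds {hi}={settings[hi]}")

    for engine in DB_ENGINES:
        deny = settings.get(f"database.{engine}.deny_any_access", False)
        cidrs = settings.get(f"database.{engine}.allowed_cidrs")
        if cidrs is None:
            continue
        if not isinstance(cidrs, list):
            findings.append(f"database.{engine}.allowed_cidrs must be a list of CIDR strings")
            continue
        for cidr in cidrs:
            try:
                net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
            except ValueError:
                findings.append(f"database.{engine}.allowed_cidrs: {cidr!r} is not a valid CIDR")
                continue
            # A /0 prefix allows every source; only harmless when the hard deny is on.
            if net.prefixlen == 0 and not deny:
                findings.append(f"database.{engine}.allowed_cidrs allows every source ({cidr})")

    sampling = settings.get("gcp.vpc.flow_logs_sampling")
    if settings.get("gcp.vpc.enable_flow_logs") and not sampling:
        findings.append("gcp.vpc.enable_flow_logs is true but flow_logs_sampling is 0.0: nothing is logged")
    if sampling is not None and not 0.0 <= float(sampling) <= 1.0:
        findings.append("gcp.vpc.flow_logs_sampling must be within 0.0 and 1.0")

    fmt = settings.get("envoy.log_format")
    if fmt is not None:
        try:
            parsed = json.loads(fmt)
        except (TypeError, ValueError):
            findings.append("envoy.log_format is not a JSON object string")
        else:
            for key, operator in REQUIRED_LOG_FIELDS.items():
                if not isinstance(parsed, dict) or parsed.get(key) != operator:
                    findings.append(f"envoy.log_format is missing required field {key}")
    return findings


def apply_settings(cluster_id: str, token: str, settings: Dict[str, Any]) -> int:
    """PATCH the payload as in the curl example above; refuses anything that fails
    check_settings and returns the HTTP status. Not called in this file."""
    findings = check_settings(settings)
    if findings:
        raise ValueError("refusing to apply settings:\n  " + "\n  ".join(findings))
    req = urllib.request.Request(
        f"{API_BASE}/cluster/{cluster_id}/advancedSettings",
        data=json.dumps(settings).encode(),
        method="PATCH",
        headers={"Authorization": f"Token {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


# Constructed payloads: PAGE_EXAMPLE is the curl body from this page. BAD_EXAMPLE opens
# PostgreSQL to the world with a malformed second entry, inverts an HPA range, enables
# GCP flow logs at the default sampling and drops the required Qovery log fields.
PAGE_EXAMPLE: Dict[str, Any] = {
    "loki.log_retention_in_week": 24,
    "nginx.hpa.min_number_instances": 3,
    "database.postgresql.deny_any_access": False,
    "database.postgresql.allowed_cidrs": ["10.0.0.0/16"],
}
BAD_EXAMPLE: Dict[str, Any] = {
    "database.postgresql.allowed_cidrs": ["0.0.0.0/0", "10.0.0.1/16"],
    "envoy.hpa.min_number_instances": 30,
    "envoy.hpa.max_number_instances": 25,
    "gcp.vpc.enable_flow_logs": True,
    "envoy.log_format": json.dumps({"method": "%REQ(:METHOD)%"}),
}

if __name__ == "__main__":
    for name, payload in (("page example", PAGE_EXAMPLE), ("bad example", BAD_EXAMPLE)):
        print(name + ":", check_settings(payload) or "OK")
```

The checks are deliberately conservative: a `/0` prefix is reported unless the engine's hard deny is on (in which case the list is ignored anyway), and `ip_network(..., strict=True)` rejects entries such as `10.0.0.1/16` that the cloud provider would refuse or silently normalize.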

Cluster sizing

cluster.profile

Cloud Provider: AWS Scaleway GCP Azure Type: string Description: Defines the cluster sizing profile, which determines the default resource allocation and performance characteristics of the cluster.
Choosing a larger profile may incur higher costs but provides better performance and capacity for workloads. Here are detailed insights to help you choose the right profile:
  • Small: Suitable for development, testing, or small-scale applications with low resource demands.
    • 3-5 nodes | 12-20 vCPUs | 24-40 GB RAM | ~50-100 pods
    • Node size: 2-4 vCPUs, 4-8 GB RAM per node
    • Use cases: Development, staging, small internal tools
  • Medium: A balanced option for moderate workloads, suitable for most production applications.
    • 6-10 nodes | 48-80 vCPUs | 96-160 GB RAM | ~200-400 pods
    • Node size: 4-8 vCPUs, 8-16 GB RAM per node
    • Use cases: Small to medium production apps, multi-tenant dev environments
  • Large: Designed for high-traffic applications or workloads requiring significant resources.
    • 11-20 nodes | 176-320 vCPUs | 352-640 GB RAM | ~500-1000 pods
    • Node size: 8-16 vCPUs, 16-32 GB RAM per node
    • Use cases: Enterprise production applications, microservices architectures
  • ExtraLarge: Ideal for enterprise-level applications with intensive resource needs and high availability requirements.
    • 20+ nodes | 400+ vCPUs | 800+ GB RAM | 1000+ pods
    • Node size: 16-32+ vCPUs, 32-64+ GB RAM per node
    • Use cases: Large-scale production, ML/AI workloads, intensive data processing
Valid values: Small, Medium, Large, ExtraLarge Default Value: Medium

Logs

aws.cloudwatch.eks_logs_retention_days

Cloud Provider: AWS Type: integer Description: Maximum retention days in CloudWatch for EKS logs. Valid values: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 2192, 2557, 2922, 3288, 3653 Default Value: 90

aws.vpc.enable_s3_flow_logs

Cloud Provider: AWS Type: boolean Description: Enable flow logs on the cluster VPC and store them in an S3 bucket. VPC flow logs capture information about IP traffic going to and from network interfaces in your VPC. Use Case: Required for compliance frameworks (SOC 2, PCI-DSS, HIPAA) that mandate network traffic logging. Also useful for security investigations and troubleshooting connectivity issues. Default Value: false

aws.vpc.flow_logs_retention_days

Cloud Provider: AWS Type: integer Description: Set the number of retention days for flow logs. Set to 0 for unlimited retention. Default Value: 365

aws.vpc.enable_nat_gateway_secondary_eip

Cloud Provider: AWS Type: boolean Description: Enable a secondary Elastic IP (EIP) per NAT Gateway. When enabled, each of the 3 NAT Gateways in your VPC receives an additional EIP, doubling the number of outbound public IP addresses from 3 to 6. This is useful when your workloads interact with external services that have IP-based rate limits — more IPs means higher aggregate limits. Default Value: false
Enabling this setting creates 3 additional Elastic IPs in your AWS account. Each EIP incurs standard AWS charges. This setting only takes effect when the cluster uses NAT Gateways. Before enabling, verify that your AWS account has sufficient EIP quota (default is 5 per region). You can check and request an increase in the AWS Service Quotas console.

loki.log_retention_in_week

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: Maximum retention period (in weeks) for application logs collected by Loki and displayed in the Qovery console log viewer. Retention is enforced both at the Loki compactor level and via object storage lifecycle policies. Use Case: Increase for compliance requirements or debugging long-running issues. Decrease to save storage costs on the underlying object storage bucket. Default Value: 12 (84 days)

gcp.vpc.enable_flow_logs

Cloud Provider: GCP Type: boolean Description: Enable VPC flow logs on the cluster VPC (on each VPC subnetwork). See the GCP VPC flow logs documentation. Only the fraction of flows selected by gcp.vpc.flow_logs_sampling is recorded, and that setting defaults to 0.0, so raise it at the same time or no flow records will be written. Default Value: false

gcp.vpc.flow_logs_sampling

Cloud Provider: GCP Type: float Description: Set the VPC flow logs sampling rate. The value must be within the 0.0 to 1.0 range, where 0.0 means no flows are reported and 1.0 means every flow is reported; with the default 0.0, enabling gcp.vpc.enable_flow_logs produces no log entries. Default Value: 0.0

object_storage.enable_logging

Cloud Provider: AWS GCP Azure Type: boolean Description: Activate cluster buckets logging into a <bucket>-log bucket. See documentation for AWS and GCP. Default Value: false

DNS

dns.coredns.extra_config

Cloud Provider: AWS Scaleway Azure Type: string Description: Additional configuration to add to CoreDNS. This can be used to customize DNS resolution rules on the cluster. The value is appended to the default CoreDNS Corefile. Use Case: Forward specific domains to internal DNS servers (split-horizon DNS), resolve private hosted zones, or add custom caching rules. Default Value: null Examples:
Route queries for your internal domain to a private DNS server:
corp.internal:53 {
    errors
    cache 30
    forward . 10.0.0.2
}

Image Registry

registry.image_retention_time

Cloud Provider: AWS Type: integer Description: Allows you to specify an amount in seconds after which images in the default registry are deleted.
Changing this setting will only affect new ECR repositories created after the change. Existing repositories will not be affected.
Default Value: 31536000 (1 year)

registry.mirroring_mode

Cloud Provider: AWS Type: string Description: Allows you to specify the image mirroring mode to be used for each image deployed on this cluster. Valid values:
  • Service — each service gets its own mirror repository (qovery-mirror-{service_id}). Provides better isolation but creates more repositories. Works on all cluster types.
  • Cluster — all services in the cluster share a single mirror repository (qovery-mirror-cluster-{cluster_id}). Fewer repositories, but requires registry lifecycle policy support for automated image cleanup.
Cluster mode is only available on cluster types that support registry lifecycle policies: EKS, GKE, AKS (and their self-managed variants). It is not supported on DOKS, Scaleway Kapsule, or full self-managed clusters.
Default Value: Service

cloud_provider.container_registry.tags

Cloud Provider: AWS Scaleway GCP Azure Type: Map<String, String> Description: Add additional tags on the cluster dedicated registry. Default Value: {} Example:
{
  "cloud_provider.container_registry.tags": {
    "Environment": "Production",
    "Team": "Platform"
  }
}

Network - Load Balancer

aws.eks.enable_alb_controller

Cloud Provider: AWS Type: boolean Description: Enable the AWS ALB controller to manage the load balancer for the cluster.
Enabling this feature will create a 10 min max downtime on your application’s public access (time to delete, replace and propagate DNS of the new load balancer).
Use Case: For custom VPCs (a Qovery Managed VPC does not require this), you need to tag your subnets so the controller can discover them: kubernetes.io/role/elb=1 on public subnets, kubernetes.io/role/internal-elb=1 on private subnets, and kubernetes.io/cluster/<cluster-name>=shared on all subnets. Default Value: true

aws.eks.alb_controller.replicas

Cloud Provider: AWS Type: integer Description: Sets AWS ALB controller number of replicas. For production clusters, it’s recommended to have at least 2 replicas for high availability. Default Value: 2

aws.eks.alb_controller.vpa.vcpu.min_in_milli_cpu

Cloud Provider: AWS Type: integer Description: Sets AWS ALB controller VPA (vertical pod autoscaling) vCPU minimum value in milli CPU. Default Value: 250

aws.eks.alb_controller.vpa.vcpu.max_in_milli_cpu

Cloud Provider: AWS Type: integer Description: Sets AWS ALB controller VPA (vertical pod autoscaling) vCPU maximum value in milli CPU. Default Value: 250

aws.eks.alb_controller.vpa.memory.min_in_mib

Cloud Provider: AWS Type: integer Description: Sets AWS ALB controller VPA (vertical pod autoscaling) memory minimum value in mebibyte. Default Value: 128

aws.eks.alb_controller.vpa.memory.max_in_mib

Cloud Provider: AWS Type: integer Description: Sets AWS ALB controller VPA (vertical pod autoscaling) memory maximum value in mebibyte. Default Value: 128

load_balancer.size

Cloud Provider: Scaleway Type: string Description: Allows you to specify the load balancer size in front of your cluster. Valid values: lb-s (200 Mbps), lb-gp-m (500 Mbps), lb-gp-l (1 Gbps), lb-gp-xl (4 Gbps) Default Value: lb-s

Network - NGINX Ingress

nginx.vcpu.request_in_milli_cpu

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: vCPU request value in millicores assigned to NGINX pods. Default Value: 200

nginx.vcpu.limit_in_milli_cpu

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: vCPU limit value in millicores assigned to NGINX pods. Default Value: 700

nginx.memory.request_in_mib

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: Memory request value in MiB assigned to NGINX pods. Default Value: 768

nginx.memory.limit_in_mib

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: Memory limit value in MiB assigned to NGINX pods. Default Value: 768

nginx.hpa.cpu_utilization_percentage_threshold

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: HPA CPU threshold in percentage assigned to NGINX deployment. Default Value: 50

nginx.hpa.min_number_instances

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: Minimum number of NGINX replicas for horizontal pod autoscaling. Default Value: 2

nginx.hpa.max_number_instances

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: Maximum number of NGINX replicas for horizontal pod autoscaling. Default Value: 25

nginx.controller.enable_client_ip

Cloud Provider: AWS Scaleway GCP Azure Type: boolean Description: Enables the ngx_http_realip_module so that NGINX reports the client address carried in a forwarded header (such as X-Forwarded-For) instead of the address of the connection it accepted. Any client can send that header itself, so only enable this when NGINX is reachable solely through a trusted load balancer or proxy; otherwise the reported client IP, and everything keyed on it (access logs, rate limiting, IP allow-lists), can be spoofed. Default Value: false

nginx.controller.enable_compression

Cloud Provider: AWS Scaleway GCP Azure Type: boolean Description: Enables compression (Brotli) for HTTP responses. When disabled, content will not be compressed, which may increase bandwidth usage but reduce CPU load. Default Value: true

nginx.controller.use_forwarded_headers

Cloud Provider: AWS Scaleway GCP Azure Type: boolean Description: Passes the incoming X-Forwarded-* headers (X-Forwarded-For, X-Forwarded-Proto and related) through to upstreams instead of overwriting them with what NGINX observes on the connection. Enable this only when NGINX sits behind a trusted L7 proxy or load balancer that sets these headers; if clients can reach NGINX directly, they can supply the headers themselves and spoof their address or scheme. See documentation. Default Value: false

nginx.controller.compute_full_forwarded_for

Cloud Provider: AWS Scaleway GCP Azure Type: boolean Description: Append the remote address to the X-Forwarded-For header instead of replacing it. See documentation. Default Value: false

nginx.controller.log_format_upstream

Cloud Provider: AWS Scaleway GCP Azure Type: string Description: Allows to customize NGINX log-format. Default Value: null

nginx.controller.log_format_escaping

Cloud Provider: AWS Scaleway GCP Azure Type: string Description: Allows to customize NGINX log-format-escaping setting. Valid values: Default, JSON, None Default Value: Default

nginx.controller.http_snippet

Cloud Provider: AWS Scaleway GCP Azure Type: string Description: Allows to customize NGINX http-snippet configuration. Used for cluster-level NGINX configuration that applies to all services. Use Case: See Rate Limiting Guide for practical examples. Default Value: null

nginx.controller.server_snippet

Cloud Provider: AWS Scaleway GCP Azure Type: string Description: Allows to customize NGINX server-snippet configuration. Used for server-level NGINX configuration. Use Case: See Rate Limiting Guide for practical examples. Default Value: null

nginx.controller.limit_request_status_code

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: Allows to customize NGINX limit-req-status-code. Commonly set to 429 (Too Many Requests) for rate limiting. Default Value: null (defaults to 503)

nginx.controller.custom_http_errors

Cloud Provider: AWS Scaleway GCP Azure Type: string Description: Allows to customize NGINX custom-http-errors. Default Value: null Example: "404,503"

nginx.default_backend.enabled

Cloud Provider: AWS Scaleway GCP Azure Type: boolean Description: Allows enabling the default_backend for NGINX.
If you don’t specify custom image repository and tag, ensure your cluster includes nodes with amd64 architecture.
Default Value: false

nginx.default_backend.image_repository

Cloud Provider: AWS Scaleway GCP Azure Type: string Description: Specifies the Docker image repository used for the default_backend. Default Value: null

nginx.default_backend.image_tag

Cloud Provider: AWS Scaleway GCP Azure Type: string Description: Defines the image tag used by default_backend. Default Value: null

Network - Gateway API

k8s.deploy_api_gateway

Cloud Provider: AWS Type: boolean Description: Deploys Gateway API resources on the cluster if true.
  • Gateway API will be deployed on the cluster alongside the Ingress NGINX controller, and both will be active.
  • It will allow you to access your service using a dedicated service URL pointing to the Gateway API controller instead of the Ingress NGINX controller.
Default Value: false

k8s.use_api_gateway

Cloud Provider: AWS Type: boolean Description: Makes Gateway API the default routing component.
  • This might cause a 30 seconds to 3 minutes downtime on your custom DNS due to DNS propagation.
  • When enabled, all new services will be exposed through Gateway API instead of the Ingress NGINX controller.
  • The NGINX controller will still be deployed in the cluster and will remain until we’ve fully migrated to Gateway API, but it will not be used for routing.
Default Value: false

envoy.hpa.cpu_average_utilization_percentage_threshold

Cloud Provider: AWS Scaleway GCP Azure Type: float Description: HPA CPU average utilization threshold for the Envoy data plane managed by Envoy Gateway, expressed as a value between 0.0 and 1.0 (e.g., 0.8 for 80%). When CPU usage exceeds this threshold, Kubernetes scales the Envoy proxy replicas serving traffic. This setting applies to EnvoyProxy.spec.provider.kubernetes.envoyHpa. Learn more in the EnvoyProxy HPA documentation. Valid values: 0.0 to 1.0 Default Value: null (uses Kubernetes default behavior)

envoy.hpa.memory_average_utilization_percentage_threshold

Cloud Provider: AWS Scaleway GCP Azure Type: float Description: HPA memory average utilization threshold for the Envoy data plane managed by Envoy Gateway, expressed as a value between 0.0 and 1.0 (e.g., 0.8 for 80%). When memory usage exceeds this threshold, Kubernetes scales the Envoy proxy replicas serving traffic. This setting applies to EnvoyProxy.spec.provider.kubernetes.envoyHpa. Learn more in the EnvoyProxy HPA documentation. Valid values: 0.0 to 1.0 Default Value: null (uses Kubernetes default behavior)

envoy.hpa.min_number_instances

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: Minimum number of Envoy data-plane replicas managed by Envoy Gateway for horizontal pod autoscaling. This ensures a baseline level of availability and traffic-serving capacity. Must be less than or equal to envoy.hpa.max_number_instances. Default Value: 2 for production clusters, 1 for non-production clusters

envoy.hpa.max_number_instances

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: Maximum number of Envoy data-plane replicas managed by Envoy Gateway for horizontal pod autoscaling. This sets an upper limit on traffic-serving scale and resource consumption. Must be greater than or equal to envoy.hpa.min_number_instances. Default Value: 25

envoy.gateway.hpa.cpu_average_utilization_percentage_threshold

Cloud Provider: AWS Scaleway GCP Azure Type: float Description: HPA CPU average utilization threshold for the Envoy Gateway control-plane deployment, expressed as a value between 0.0 and 1.0 (e.g., 0.8 for 80%). When CPU usage exceeds this threshold, Kubernetes scales the envoy-gateway controller deployment. This setting applies to the Gateway Helm chart HPA for the control plane. Valid values: 0.0 to 1.0 Default Value: null (uses Kubernetes default behavior)

envoy.gateway.hpa.memory_average_utilization_percentage_threshold

Cloud Provider: AWS Scaleway GCP Azure Type: float Description: HPA memory average utilization threshold for the Envoy Gateway control-plane deployment, expressed as a value between 0.0 and 1.0 (e.g., 0.8 for 80%). When memory usage exceeds this threshold, Kubernetes scales the envoy-gateway controller deployment. This setting applies to the Gateway Helm chart HPA for the control plane. Valid values: 0.0 to 1.0 Default Value: null (uses Kubernetes default behavior)

envoy.gateway.hpa.min_number_instances

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: Minimum number of Envoy Gateway control-plane replicas for horizontal pod autoscaling. This ensures baseline controller availability for reconciliation and configuration updates. Must be less than or equal to envoy.gateway.hpa.max_number_instances. Default Value: 2 for production clusters, 1 for non-production clusters

envoy.gateway.hpa.max_number_instances

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: Maximum number of Envoy Gateway control-plane replicas for horizontal pod autoscaling. This sets an upper limit on controller scaling and resource consumption. Must be greater than or equal to envoy.gateway.hpa.min_number_instances. Default Value: 5

envoy.vcpu.request_in_milli_cpu

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: vCPU request value in millicores assigned to Envoy Gateway pods. This defines the minimum CPU resources guaranteed for each pod. Must be less than or equal to envoy.vcpu.limit_in_milli_cpu. Default Value: 100

envoy.vcpu.limit_in_milli_cpu

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: vCPU limit value in millicores assigned to Envoy Gateway pods. This defines the maximum CPU resources that each pod can consume. Must be greater than or equal to envoy.vcpu.request_in_milli_cpu. Default Value: 1000

envoy.memory.request_in_mib

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: Memory request value in MiB assigned to Envoy Gateway pods. This defines the minimum memory resources guaranteed for each pod. Must be less than or equal to envoy.memory.limit_in_mib. Default Value: 256

envoy.memory.limit_in_mib

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: Memory limit value in MiB assigned to Envoy Gateway pods. This defines the maximum memory resources that each pod can consume. Must be greater than or equal to envoy.memory.request_in_mib. Default Value: 1024

envoy.gateway_api.http_request_timeout_seconds

Cloud Provider: AWS Scaleway GCP Azure Type: integer (unsigned) Description: Sets the default request timeout in seconds for Envoy Gateway BackendTrafficPolicy. This value is used when services do not define network.gateway_api.http_request_timeout_seconds. Use Case: Configure a cluster-wide timeout baseline for Gateway API routes while still allowing service-level overrides when needed.
After changing this setting, redeploy your applications and services in this cluster to apply the new timeout on generated Gateway API resources.
Default Value: null (uses Envoy Gateway default) Example:
90

envoy.gateway_api.http_connection_idle_timeout_seconds

Cloud Provider: AWS Scaleway GCP Azure Type: integer (unsigned) Description: Sets the default idle connection timeout in seconds for Envoy Gateway BackendTrafficPolicy. This value is used when services do not define network.gateway_api.http_connection_idle_timeout_seconds. Use Case: Apply a cluster-wide default for idle HTTP backend connections while keeping service-level tuning available.
After changing this setting, redeploy your applications and services in this cluster to apply the new timeout on generated Gateway API resources.
Default Value: null (uses Envoy Gateway default) Example:
120

envoy.client_ip_detection.x_forwarded_for.number_trusted_hops

Cloud Provider: AWS Scaleway GCP Azure Type: integer Description: Number of trusted hops in the X-Forwarded-For header for client IP detection. This setting determines how many proxy hops to trust when extracting the real client IP address from the X-Forwarded-For header. See Envoy Gateway documentation for more details.
For customers migrating from NGINX: This replaces the NGINX use_forwarded_headers and compute_full_forwarded_for settings. Instead of a boolean flag, Envoy uses a hop count to precisely control which IP addresses in the X-Forwarded-For chain to trust.
How to configure:
  • Set to 1 if your traffic passes through 1 trusted proxy (e.g., AWS ALB only)
  • Set to 2 if your traffic passes through 2 trusted proxies (e.g., CloudFront → ALB)
  • Set to 0 to use only the direct connection IP (equivalent to NGINX use_forwarded_headers: false)
  • Leave as null to use Envoy’s default behavior
Example: If a request arrives with X-Forwarded-For: client-ip, proxy1-ip, proxy2-ip and you set number_trusted_hops: 2, Envoy will trust the last 2 hops (proxy1 and proxy2) and identify client-ip as the real client. Default Value: null (uses Envoy default behavior)
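The trusted-hop rule above, and the spoofing risk behind the NGINX use_forwarded_headers caveat, are easiest to see with the address chain written out. The following is an added example in Python, not Envoy, Envoy Gateway or Qovery code. It models the rule this page describes, that the client is the (N+1)th address from the right once the address of the TCP peer that delivered the request is appended to the received header (the page's example lists that peer as proxy2-ip), and treats that appending as an assumption about how the proxy is deployed. All addresses are constructed from documentation ranges.

```python
import ipaddress
from typing import List, Optional


def xff_chain(xff_header: Optional[str], peer_ip: str) -> List[str]:
    """Hop chain as the proxy sees it: the received X-Forwarded-For entries,
    oldest on the left, followed by the TCP peer that delivered the request.
    The peer is the one entry a client cannot forge."""
    entries = [e.strip() for e in (xff_header or "").split(",") if e.strip()]
    return entries + [peer_ip]


def client_ip(xff_header: Optional[str], peer_ip: str, trusted_hops: int) -> str:
    """Trusted-hop rule: skip `trusted_hops` addresses from the right of the
    chain and take the next one as the client. Falls back to the peer when the
    chain is shorter than trusted_hops + 1 or the entry is not an IP address."""
    chain = xff_chain(xff_header, peer_ip)
    if trusted_hops < 0 or len(chain) < trusted_hops + 1:
        return peer_ip
    candidate = chain[-(trusted_hops + 1)]
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return peer_ip
    return candidate


def naive_client_ip(xff_header: Optional[str], peer_ip: str) -> str:
    """What an application does when it believes the left-most entry of a
    header that was forwarded unchanged: the value is attacker-controlled."""
    return xff_chain(xff_header, peer_ip)[0]


# Constructed addresses (documentation ranges, not a real deployment):
ATTACKER = "203.0.113.9"   # the attacker's real source address
FORGED = "192.0.2.1"       # the value the attacker puts in X-Forwarded-For
ALB = "10.0.1.5"           # the load balancer between the attacker and the proxy
# The ALB appends the address it received the connection from, so the proxy
# receives this header with the ALB as its TCP peer.
RECEIVED_HEADER = f"{FORGED}, {ATTACKER}"


def demo() -> dict:
    return {
        # one trusted hop (the ALB): the forged entry is skipped
        "one_hop": client_ip(RECEIVED_HEADER, ALB, 1),
        # hop count larger than the real topology: the forged entry is believed
        "two_hops": client_ip(RECEIVED_HEADER, ALB, 2),
        # zero hops: only the direct connection counts, which is the ALB itself
        "zero_hops": client_ip(RECEIVED_HEADER, ALB, 0),
        # header trusted outright, as with a proxy passing X-Forwarded-For through
        "naive": naive_client_ip(RECEIVED_HEADER, ALB),
        # the page's example: client and proxy1 in the header, proxy2 as the peer
        "page_example": client_ip("198.51.100.1, 10.0.2.2", "10.0.3.3", 2),
    }


if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:>12}: {ip}")
```

The two failure modes to remember: a hop count that is too high for the topology hands the attacker control of the reported client address, and a hop count of zero is only correct when nothing sits in front of the proxy, since it reports the load balancer itself. Set the count to exactly the number of proxies you operate in front of the gateway.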

envoy.log_format

Cloud Provider: AWS Scaleway GCP Azure Type: string (JSON format) Description: Custom log format for Envoy Gateway access logs. Qovery only allows JSON format as it enables all the Qovery capabilities for application logging and tracing. The value must be a JSON object (provided as a string) with Envoy command operators. See Envoy Gateway access logging documentation for available format variables and configuration options.
For customers migrating from NGINX: This replaces the NGINX log_format_upstream setting. Envoy uses its own format string with command operators like %REQ(X-HEADER)%, %RESP(X-HEADER)%, and %DURATION% instead of NGINX’s $variable syntax.
Default Value: If not specified, the following JSON format is used:
{
  "start_time": "%START_TIME%",
  "method": "%REQ(:METHOD)%",
  "x-envoy-origin-path": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%",
  "protocol": "%PROTOCOL%",
  "response_code": "%RESPONSE_CODE%",
  "response_flags": "%RESPONSE_FLAGS%",
  "response_code_details": "%RESPONSE_CODE_DETAILS%",
  "connection_termination_details": "%CONNECTION_TERMINATION_DETAILS%",
  "upstream_transport_failure_reason": "%UPSTREAM_TRANSPORT_FAILURE_REASON%",
  "bytes_received": "%BYTES_RECEIVED%",
  "bytes_sent": "%BYTES_SENT%",
  "duration": "%DURATION%",
  "x-envoy-upstream-service-time": "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%",
  "x-forwarded-for": "%REQ(X-FORWARDED-FOR)%",
  "user-agent": "%REQ(USER-AGENT)%",
  "x-request-id": "%REQ(X-REQUEST-ID)%",
  ":authority": "%REQ(:AUTHORITY)%",
  "upstream_host": "%UPSTREAM_HOST%",
  "upstream_cluster": "%UPSTREAM_CLUSTER%",
  "upstream_local_address": "%UPSTREAM_LOCAL_ADDRESS%",
  "downstream_local_address": "%DOWNSTREAM_LOCAL_ADDRESS%",
  "downstream_remote_address": "%DOWNSTREAM_REMOTE_ADDRESS%",
  "requested_server_name": "%REQUESTED_SERVER_NAME%",
  "route_name": "%ROUTE_NAME%",
  "qovery_com_associated_service_id": "%REQ(x-qovery-com-associated-service-id)%",
  "qovery_com_environment_id": "%REQ(x-qovery-com-environment-id)%"
}
When customizing the log format, you must include these two Qovery-specific fields for service logging to work properly:
  • "qovery_com_associated_service_id": "%DYNAMIC_METADATA(envoy.lb:qovery_com_associated_service_id)%"
  • "qovery_com_environment_id": "%DYNAMIC_METADATA(envoy.lb:qovery_com_environment_id)%"
Without these fields, Qovery will not be able to properly associate logs with your services and environments.
Example: Custom JSON format with simplified fields (note the required Qovery fields):
{
  "timestamp": "%START_TIME%",
  "method": "%REQ(:METHOD)%",
  "path": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%",
  "protocol": "%PROTOCOL%",
  "status": "%RESPONSE_CODE%",
  "duration_ms": "%DURATION%",
  "bytes_sent": "%BYTES_SENT%",
  "bytes_received": "%BYTES_RECEIVED%",
  "client_ip": "%REQ(X-FORWARDED-FOR)%",
  "user_agent": "%REQ(USER-AGENT)%",
  "request_id": "%REQ(X-REQUEST-ID)%",
  "qovery_com_associated_service_id": "%DYNAMIC_METADATA(envoy.lb:qovery_com_associated_service_id)%",
  "qovery_com_environment_id": "%DYNAMIC_METADATA(envoy.lb:qovery_com_environment_id)%"
}

envoy.controller.custom_http_errors

Cloud Provider: AWS Scaleway GCP Azure Type: list of integers Description: List of HTTP status codes for which Envoy Gateway should serve custom error pages. When you specify a status code in this list, Envoy Gateway will intercept that error and serve a hardcoded HTML error page instead of passing through the upstream error response. Each HTTP error code has its own hardcoded HTML page built into Envoy Gateway.
The hardcoded error pages cannot be customized at this time. If you need to customize error pages for your use case, please contact us and we can extend this feature.
Valid values: HTTP status codes from 100 to 599 Default Value: null Example: [404, 503, 502, 500] - This will serve custom hardcoded HTML pages for Not Found, Service Unavailable, Bad Gateway, and Internal Server Error responses.

envoy.controller.enable_compression

Cloud Provider: AWS Scaleway GCP Azure Type: boolean Description: Enables HTTP response compression in Envoy Gateway. When enabled, Envoy Gateway automatically compresses HTTP responses using multiple compression algorithms to reduce bandwidth usage and improve performance. Compression algorithms enabled:
  • Gzip - Compression level 6 (widely supported, good compression ratio)
  • Brotli - Quality level 6 (better compression than Gzip, modern browsers)
  • Zstd - Compression level 6 (fastest compression, newest standard)
Envoy Gateway automatically selects the best compression algorithm based on the client’s Accept-Encoding header.
For customers migrating from NGINX: This replaces NGINX’s compression settings (enable-brotli and use-gzip). The main difference is that Envoy Gateway adds Zstd as a third compression algorithm alongside Gzip and Brotli. All compression levels match NGINX defaults (level 6).
Default Value: true

envoy.default_backend.enabled

Cloud Provider: AWS Scaleway GCP Azure Type: boolean Description: Enables the default backend for Envoy Gateway. The default backend serves a generic error page for requests that don’t match any route. Default Value: false

envoy.default_backend.image

Cloud Provider: AWS Scaleway GCP Azure Type: string Description: Specifies the Docker image used for the default backend. Default Value: null

envoy.default_backend.tag

Cloud Provider: AWS Scaleway GCP Azure Type: string Description: Defines the image tag used by the default backend. Default Value: null

Network - Database Access Control

database.postgresql.deny_any_access

Cloud Provider: AWS Type: boolean Description: Deny any access to all PostgreSQL databases. When enabled, no CIDR (including allowed_cidrs) can reach the database — this is a hard deny that overrides everything.
  • Managed databases: Access is removed instantly
  • Container databases: Access is removed only after redeployment
Default Value: false

database.postgresql.allowed_cidrs

Cloud Provider: AWS Type: list of strings Description: List of allowed CIDR ranges for PostgreSQL database access. Only traffic from these CIDRs can reach the database. Ignored if database.postgresql.deny_any_access is true. The default places no source restriction at all: any database reachable from outside the VPC accepts network connections from every IPv4 address, leaving only authentication between it and the Internet. Narrow the list to your VPC, VPN and office ranges. Default Value: ["0.0.0.0/0"] (no source restriction) Example: Restrict to your VPN and office IPs:
["10.0.0.0/8", "203.0.113.0/24"]

database.mysql.deny_any_access

Cloud Provider: AWS Type: boolean Description: Deny any access to all MySQL databases. When enabled, this overrides allowed_cidrs.
  • Managed databases: Access is removed instantly
  • Container databases: Access is removed only after redeployment
Default Value: false

database.mysql.allowed_cidrs

Cloud Provider: AWS Type: list of strings Description: List of allowed CIDR ranges for MySQL database access. Ignored if database.mysql.deny_any_access is true. Default Value: ["0.0.0.0/0"] (no source restriction)

database.mongodb.deny_any_access

Cloud Provider: AWS Type: boolean Description: Deny any access to all MongoDB databases. When enabled, this overrides allowed_cidrs.
  • Managed databases: Access is removed instantly
  • Container databases: Access is removed only after redeployment
Default Value: false

database.mongodb.allowed_cidrs

Cloud Provider: AWS Type: list of strings Description: List of allowed CIDR ranges for MongoDB database access. Ignored if database.mongodb.deny_any_access is true. Default Value: ["0.0.0.0/0"] (no source restriction)

database.redis.deny_any_access

Cloud Provider: AWS Type: boolean Description: Deny any access to all Redis databases. When enabled, this overrides allowed_cidrs.
  • Managed databases: Access is removed instantly
  • Container databases: Access is removed only after redeployment
Default Value: false

database.redis.allowed_cidrs

Cloud Provider: AWS Type: list of strings Description: List of allowed CIDR ranges for Redis database access. Ignored if database.redis.deny_any_access is true. Default Value: ["0.0.0.0/0"] (no source restriction)

Service Resources

allow_service_cpu_overcommit

Cloud Provider: AWS Scaleway GCP Azure
Type: boolean
Description: Authorize CPU overcommit (limit > request) for services deployed within this cluster. When enabled, pods can burst above their CPU request up to the configured limit when spare capacity is available on the node.
CPU overcommit can cause CPU throttling and unpredictable latency when nodes are under pressure. Use with caution in production.
Use Case: Once enabled, you can update the service advanced setting resources.override.limit.cpu_in_milli to set a CPU limit higher than the request.
Default Value: false

allow_service_ram_overcommit

Cloud Provider: AWS Scaleway GCP Azure
Type: boolean
Description: Authorize memory overcommit (limit > request) for services deployed within this cluster. When enabled, pods can use more memory than their request up to the configured limit.
Memory overcommit is riskier than CPU overcommit. Unlike CPU (which is throttled), exceeding memory limits causes the pod to be OOM-killed. If multiple pods on the same node exceed their requests simultaneously, the node can become unstable.
Use Case: Once enabled, you can update the service advanced setting resources.override.limit.ram_in_mib to set a memory limit higher than the request.
Default Value: false

IAM & Security

aws.iam.enable_admin_group_sync

Cloud Provider: AWS
Type: boolean
Description: Enable IAM admin group sync. See IAM permissions setup.
aws.iam.admin_group must be set when enable_admin_group_sync is true.
Default Value: true

aws.iam.admin_group

Cloud Provider: AWS
Type: string
Description: Allows you to specify the IAM group name associated with the Qovery user. Configure IAM group permissions for cluster access.
Default Value: Admins

aws.iam.enable_sso

Cloud Provider: AWS
Type: boolean
Description: Enable SSO sync, allowing IAM users to connect to the cluster using SSO.
aws.iam.sso_role_arn must be set when enable_sso is true.
Default Value: false

aws.iam.sso_role_arn

Cloud Provider: AWS
Type: string
Description: Allows you to specify the SSO role ARN to be used to connect to your cluster.
Default Value: ""

aws.eks.encrypt_secrets_kms_key_arn

Cloud Provider: AWS
Type: string
Description: Allows you to activate KMS encryption of your Kubernetes secrets. Specify the key ARN of your AWS KMS key.
It won’t be possible to go back once this feature is activated.
Default Value: null

k8s.api.allowed_public_access_cidrs

Cloud Provider: AWS GCP Azure
Type: string
Description: Contains additional CIDRs that should be whitelisted to access the Kubernetes API. Use this to allow your team or CI/CD pipelines to reach the K8s API when qovery.static_ip_mode is enabled.
qovery.static_ip_mode should be set to true to make this setting effective.
Default Value: []
Example:
["203.0.113.0/24", "198.51.100.10/32"]
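
Because deny_any_access overrides allowed_cidrs for each database engine, and k8s.api.allowed_public_access_cidrs is only honoured when qovery.static_ip_mode is true, a settings payload can end up either more open than intended (a database still on 0.0.0.0/0) or silently ineffective. The Python script below is an added example, not Qovery code: it audits a settings body of the shape used by the PATCH /cluster/{cluster_id}/advancedSettings call for both the database CIDR settings above and the Kubernetes API CIDR setting. The setting keys are those documented on this page; the sample payload values and the function names (effective_cidrs, check_cidr_list, audit_settings) are constructed for illustration.

```python
import ipaddress

# Constructed sample body for PATCH /cluster/{cluster_id}/advancedSettings.
# Keys are the settings documented on this page; the values are illustrative.
SAMPLE_SETTINGS = {
    "database.postgresql.deny_any_access": False,
    "database.postgresql.allowed_cidrs": ["10.0.0.0/8", "203.0.113.0/24"],
    "database.mysql.deny_any_access": True,
    "database.mysql.allowed_cidrs": ["0.0.0.0/0"],  # overridden by deny_any_access
    "database.mongodb.deny_any_access": False,
    "database.mongodb.allowed_cidrs": ["0.0.0.0/0"],  # reachable from any source
    "database.redis.deny_any_access": False,
    "database.redis.allowed_cidrs": ["10.0.0.0/8", "not-a-cidr"],
    "qovery.static_ip_mode": False,
    "k8s.api.allowed_public_access_cidrs": ["198.51.100.10/32"],
}

DB_ENGINES = ("postgresql", "mysql", "mongodb", "redis")


def effective_cidrs(settings, engine):
    """CIDRs that actually apply to one database engine.

    deny_any_access overrides allowed_cidrs, so an enabled deny yields an
    empty list. A missing allowed_cidrs falls back to the documented default.
    """
    if settings.get(f"database.{engine}.deny_any_access", False):
        return []
    return list(settings.get(f"database.{engine}.allowed_cidrs", ["0.0.0.0/0"]))


def check_cidr_list(key, cidrs):
    """Flag unparsable entries (including host bits set) and entries that admit any source."""
    findings = []
    for cidr in cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            findings.append((key, f"invalid CIDR {cidr!r}"))
            continue
        if net.prefixlen == 0:
            findings.append((key, f"{cidr} allows any source address"))
    return findings


def audit_settings(settings):
    """Return a list of (setting_key, message) findings for the payload."""
    findings = []
    for engine in DB_ENGINES:
        key = f"database.{engine}.allowed_cidrs"
        findings += check_cidr_list(key, effective_cidrs(settings, engine))

    # The API allow-list is ignored unless static IP mode is on.
    api_key = "k8s.api.allowed_public_access_cidrs"
    api_cidrs = settings.get(api_key, [])
    if api_cidrs and not settings.get("qovery.static_ip_mode", False):
        findings.append((api_key, "ignored because qovery.static_ip_mode is false"))
    findings += check_cidr_list(api_key, api_cidrs)
    return findings


if __name__ == "__main__":
    for key, message in audit_settings(SAMPLE_SETTINGS):
        print(f"{key}: {message}")
```

Run against the sample payload, the audit reports the MongoDB database left open to any source, the malformed Redis entry, and the API allow-list that will be ignored because static IP mode is off; MySQL produces no finding because deny_any_access makes its allowed_cidrs irrelevant.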

Miscellaneous

aws.eks.ec2.metadata_imds

Cloud Provider: AWS
Type: string
Description: Specify the IMDS version you want to use. Valid values:
  • required — IMDSv2 only (recommended). Forces all metadata requests to use session tokens, which protects against SSRF attacks that try to steal instance credentials.
  • optional — IMDSv1 and v2. Use only if you have legacy workloads that don’t support IMDSv2.
Default Value: required

aws.eks.ec2.ami

Cloud Provider: AWS
Type: string
Description: Specify the AMI you want to use for EKS worker nodes (Karpenter only). Valid values:
  • AmazonLinux2 (Deprecated, not working after Kubernetes 1.32)
  • AmazonLinux2023 (Default Amazon AMI, recommended)
  • Bottlerocket (Focuses on security and maintainability)
  • ami-xxx — A custom AMI ID (e.g. ami-0123456789abcdef0). Assumes AL2023-based by default.
  • my-custom-ami-* — A custom AMI name pattern with optional wildcards. Assumes AL2023-based by default.
  • al2:ami-xxx or al2:my-ami-* — A custom AMI based on Amazon Linux 2.
  • al2023:ami-xxx or al2023:my-ami-* — A custom AMI based on Amazon Linux 2023 (explicit).
  • bottlerocket:ami-xxx or bottlerocket:my-ami-* — A custom AMI based on Bottlerocket.
Custom AMIs without a family prefix are assumed to be AL2023-based. Use a prefix (al2:, al2023:, bottlerocket:) to specify the base OS so that Karpenter generates the correct bootstrap configuration. This setting only applies to Karpenter-managed nodes (not managed node groups). GPU nodes are not affected by this setting.
Default Value: AmazonLinux2023
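
Because the family prefix decides which bootstrap configuration Karpenter generates, a value with a missing or mistyped prefix quietly selects the wrong base OS for the node. The Python parser below is an added example, not Qovery's own code: it applies the resolution rules listed above (the three built-in aliases, bare custom IDs or name patterns treated as AL2023, and the explicit al2:, al2023: and bottlerocket: prefixes) and rejects anything else before the value is sent. The AMI ID format check (ami- followed by 8 or 17 hex characters) is an assumption based on EC2's ID format, not something stated on this page, and the function name parse_ami_setting is hypothetical.

```python
import re

# Built-in aliases documented for aws.eks.ec2.ami, mapped to the OS family
# Karpenter must bootstrap. AmazonLinux2 is marked deprecated on the page.
AMI_ALIASES = {
    "AmazonLinux2": "al2",
    "AmazonLinux2023": "al2023",
    "Bottlerocket": "bottlerocket",
}
FAMILY_PREFIXES = ("al2", "al2023", "bottlerocket")
# Assumption: EC2 AMI IDs are "ami-" followed by 8 or 17 lowercase hex characters.
AMI_ID_RE = re.compile(r"^ami-(?:[0-9a-f]{8}|[0-9a-f]{17})$")


def parse_ami_setting(value):
    """Resolve an aws.eks.ec2.ami value into its OS family and selector.

    Returns a dict with:
      family     - "al2", "al2023" or "bottlerocket"
      selector   - None for a built-in alias, else the AMI ID or name pattern
      kind       - "alias", "id" or "name"
      deprecated - True only for the AmazonLinux2 alias
    Raises ValueError for an empty value, an unknown family prefix, or a
    prefix with nothing after it.
    """
    value = value.strip()
    if not value:
        raise ValueError("aws.eks.ec2.ami must not be empty")

    if value in AMI_ALIASES:
        return {
            "family": AMI_ALIASES[value],
            "selector": None,
            "kind": "alias",
            "deprecated": value == "AmazonLinux2",
        }

    # Custom AMIs without a family prefix are assumed to be AL2023-based.
    family, selector = "al2023", value
    if ":" in value:
        prefix, rest = value.split(":", 1)
        if prefix not in FAMILY_PREFIXES:
            raise ValueError(
                f"unknown AMI family prefix {prefix!r}; expected one of {FAMILY_PREFIXES}"
            )
        family, selector = prefix, rest
    if not selector:
        raise ValueError("AMI ID or name pattern missing after family prefix")

    kind = "id" if AMI_ID_RE.match(selector) else "name"
    return {"family": family, "selector": selector, "kind": kind, "deprecated": False}


if __name__ == "__main__":
    for candidate in ("AmazonLinux2023", "ami-0123456789abcdef0", "bottlerocket:my-ami-*"):
        print(candidate, "->", parse_ami_setting(candidate))
```

A wildcard name such as my-custom-ami-* is classified as a name pattern, so a value beginning with ami- but containing a wildcard is also treated as a pattern rather than an ID.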

aws.metrics_server.replicas

Cloud Provider: AWS
Type: integer
Description: Specify the number of replicas for the metrics-server pod. Set to 2 or more in production for high availability.
Default Value: 1

qovery.static_ip_mode

Cloud Provider: AWS GCP
Type: boolean
Description: Enable static IP mode for the Qovery control plane. This automatically activates the private endpoint on the Kubernetes API and adds the Qovery IP to the CIDR whitelist.
If you need to connect to the Kubernetes cluster from your network, make sure to add your CIDR to k8s.api.allowed_public_access_cidrs.
DockerHub credentials are required to activate this feature. Configure them in Organization settings > Container registry. Why? DockerHub applies a rate limit per IP. Since the Qovery control plane will be seen as a single IP, you need authenticated access to raise the limit.
Default Value: false

storageclass.fast_ssd

Cloud Provider: AWS Scaleway GCP Azure
Type: string
Description: Specify the Kubernetes storageClass to be used for storage attached to your container databases and applications. Override this if you need a custom storageClass (e.g., for encryption, specific IOPS, or a different disk type).
Default Value: "" (empty: each cloud provider uses its own default)
When left empty, Qovery uses the following storageClasses per provider:

  Cloud Provider   StorageClass              Disk Type
  AWS              aws-ebs-gp3-0             General Purpose SSD (GP3)
  GCP              gcp-pd-balanced           Balanced persistent disk
  Azure            azure-standard-ssd-zrs    Standard SSD with zone-redundant storage
  Scaleway         scw-sbv-ssd-0             Block Storage SSD

AWS GP2 → GP3 migration: If your cluster still uses aws-ebs-gp2-0 (legacy), we recommend migrating to aws-ebs-gp3-0. GP3 offers better baseline performance (3,000 IOPS and 125 MB/s included) at a lower cost than GP2. Set storageclass.fast_ssd to aws-ebs-gp3-0 and redeploy your cluster.
GCP also supports gcp-pd-ssd for higher IOPS. Azure supports azure-premium-lrs, azure-premium-v2-lrs, azure-premium-zrs, azure-ultra-ssd-lrs, and azure-standard-ssd-lrs.

Next Steps

Service Advanced Settings

Configure service-level advanced settings

Rate Limiting Guide

Implement rate limiting with NGINX

IP Authorization Guide

Configure IP and header-based authorization

Cluster Management

Learn about cluster operations

Qovery API Reference

Explore the full Qovery API

Terraform Provider

Manage infrastructure as code