
Overview

Cluster Advanced Settings allow you to fine-tune infrastructure-level parameters for your Qovery-managed Kubernetes clusters. These settings provide granular control over networking, logging, security, resource allocation, and cloud provider-specific features.
Cluster advanced settings are currently configured via the Qovery API. Console support is coming soon.

Cloud Provider Availability

Settings are tagged with their supported cloud providers:
  • AWS: Amazon Web Services
  • GCP: Google Cloud Platform
  • Azure: Microsoft Azure
  • Scaleway: Scaleway

Quick Reference

Settings by Category

Logs
Setting | Cloud Providers | Default | Description
aws.cloudwatch.eks_logs_retention_days | AWS | 90 | CloudWatch EKS logs retention (days)
aws.vpc.enable_s3_flow_logs | AWS | false | Enable VPC flow logs to S3
aws.vpc.flow_logs_retention_days | AWS | 365 | VPC flow logs retention (days)
loki.log_retention_in_week | All | 12 | Kubernetes pod logs retention (weeks)
gcp.vpc.enable_flow_logs | GCP | false | Enable VPC flow logs
gcp.vpc.flow_logs_sampling | GCP | 0.0 | VPC flow logs sampling rate
object_storage.enable_logging | AWS, GCP, Azure | false | Enable bucket logging

Network - NGINX Ingress
Setting | Cloud Providers | Default | Description
nginx.vcpu.request_in_milli_cpu | All | 200 | NGINX CPU request (millicores)
nginx.vcpu.limit_in_milli_cpu | All | 700 | NGINX CPU limit (millicores)
nginx.memory.request_in_mib | All | 768 | NGINX memory request (MiB)
nginx.memory.limit_in_mib | All | 768 | NGINX memory limit (MiB)
nginx.hpa.cpu_utilization_percentage_threshold | All | 50 | HPA CPU threshold (%)
nginx.hpa.min_number_instances | All | 2 | Minimum NGINX replicas
nginx.hpa.max_number_instances | All | 25 | Maximum NGINX replicas
nginx.controller.enable_client_ip | All | false | Enable real IP module
nginx.controller.enable_compression | All | true | Enable Brotli compression
nginx.controller.use_forwarded_headers | All | false | Use X-Forwarded-For headers
nginx.controller.compute_full_forwarded_for | All | false | Append to X-Forwarded-For
nginx.controller.log_format_upstream | All | null | Custom log format
nginx.controller.log_format_escaping | All | Default | Log format escaping
nginx.controller.http_snippet | All | null | HTTP-level NGINX config
nginx.controller.server_snippet | All | null | Server-level NGINX config
nginx.controller.limit_request_status_code | All | null | Rate limit HTTP status
nginx.controller.custom_http_errors | All | null | Custom error pages

Network - Load Balancer
Setting | Cloud Providers | Default | Description
aws.eks.enable_alb_controller | AWS | true | Enable AWS ALB controller
aws.eks.alb_controller.vpa.vcpu.min_in_milli_cpu | AWS | 250 | ALB controller min CPU
aws.eks.alb_controller.vpa.vcpu.max_in_milli_cpu | AWS | 250 | ALB controller max CPU
aws.eks.alb_controller.vpa.memory.min_in_mib | AWS | 128 | ALB controller min memory
aws.eks.alb_controller.vpa.memory.max_in_mib | AWS | 128 | ALB controller max memory
load_balancer.size | Scaleway | lb-s | Load balancer size
nginx.default_backend.enabled | All | false | Enable default backend
nginx.default_backend.image_repository | All | null | Default backend image
nginx.default_backend.image_tag | All | null | Default backend image tag

Network - Database Access Control
Setting | Cloud Providers | Default | Description
database.postgresql.deny_any_access | AWS | false | Block all PostgreSQL access
database.postgresql.allowed_cidrs | AWS | 0.0.0.0/0 | PostgreSQL allowed CIDRs
database.mysql.deny_any_access | AWS | false | Block all MySQL access
database.mysql.allowed_cidrs | AWS | 0.0.0.0/0 | MySQL allowed CIDRs
database.mongodb.deny_any_access | AWS | false | Block all MongoDB access
database.mongodb.allowed_cidrs | AWS | 0.0.0.0/0 | MongoDB allowed CIDRs
database.redis.deny_any_access | AWS | false | Block all Redis access
database.redis.allowed_cidrs | AWS | 0.0.0.0/0 | Redis allowed CIDRs

Image Registry
Setting | Cloud Providers | Default | Description
registry.image_retention_time | AWS | 31536000 | Image retention (seconds)
registry.mirroring_mode | AWS | Service | Image mirroring mode
cloud_provider.container_registry.tags | All | {} | Registry tags

IAM & Security
Setting | Cloud Providers | Default | Description
aws.iam.enable_admin_group_sync | AWS | true | Enable admin group sync
aws.iam.admin_group | AWS | Admins | IAM admin group name
aws.iam.enable_sso | AWS | false | Enable SSO support
aws.iam.sso_role_arn | AWS | "" | SSO role ARN
aws.eks.encrypt_secrets_kms_key_arn | AWS | null | KMS key for secrets encryption
k8s.api.allowed_public_access_cidrs | AWS, GCP, Azure | [] | Kubernetes API CIDR whitelist

Service Resources
Setting | Cloud Providers | Default | Description
allow_service_cpu_overcommit | All | false | Allow CPU overcommit
allow_service_ram_overcommit | All | false | Allow memory overcommit

Miscellaneous
Setting | Cloud Providers | Default | Description
dns.coredns.extra_config | AWS, Scaleway, Azure | null | CoreDNS custom config
aws.eks.ec2.metadata_imds | AWS | required | IMDS version
aws.eks.ec2.ami | AWS | AmazonLinux2023 | EC2 AMI type
qovery.static_ip_mode | AWS, GCP | false | Static IP for control plane
storageclass.fast_ssd | All | varies | Fast SSD storage class
Use the Settings by Category tables above to quickly find settings. The Cloud Providers column shows which cloud platforms support each setting.

Configuring Cluster Advanced Settings

Via Qovery API

Advanced settings are configured using the Qovery API:
curl -X PATCH "https://api.qovery.com/cluster/{cluster_id}/advancedSettings" \
  -H "Authorization: Token YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "loki.log_retention_in_week": 24,
    "nginx.hpa.min_number_instances": 3,
    "database.postgresql.deny_any_access": false,
    "database.postgresql.allowed_cidrs": ["10.0.0.0/16"]
  }'

Via Terraform

Use the Qovery Terraform Provider to manage cluster advanced settings as code:
resource "qovery_cluster" "my_cluster" {
  name                = "production-cluster"
  organization_id     = var.organization_id
  cloud_provider      = "AWS"
  region              = "us-east-1"

  advanced_settings_json = jsonencode({
    "loki.log_retention_in_week" = 24
    "nginx.hpa.min_number_instances" = 3
    "nginx.controller.enable_client_ip" = true
    "database.postgresql.deny_any_access" = false
    "database.postgresql.allowed_cidrs" = ["10.0.0.0/16"]
  })
}
After updating cluster advanced settings, you must redeploy the cluster for changes to take effect.

Detailed Settings Reference

Logs

aws.cloudwatch.eks_logs_retention_days
Cloud Provider: AWS | Type: Integer | Default: 90
Maximum retention, in days, of EKS logs in CloudWatch.
Valid values: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 2192, 2557, 2922, 3288, 3653
Example:
{
  "aws.cloudwatch.eks_logs_retention_days": 30
}
aws.vpc.enable_s3_flow_logs
Cloud Provider: AWS | Type: Boolean | Default: false
Enable flow logs on the cluster VPC and store them in an S3 bucket.
Example:
{
  "aws.vpc.enable_s3_flow_logs": true
}
aws.vpc.flow_logs_retention_days
Cloud Provider: AWS | Type: Integer | Default: 365
Number of days to retain VPC flow logs. Set to 0 for unlimited retention.
Example:
{
  "aws.vpc.flow_logs_retention_days": 90
}
loki.log_retention_in_week
Cloud Provider: All | Type: Integer | Default: 12 (84 days)
Maximum retention, in weeks, of Kubernetes pod logs (containers, applications, jobs and cron jobs).
Example:
{
  "loki.log_retention_in_week": 24
}
gcp.vpc.enable_flow_logs
Cloud Provider: GCP | Type: Boolean | Default: false
Enable VPC flow logs on the cluster VPC (on each VPC subnetwork). See the GCP VPC flow logs documentation.
Example:
{
  "gcp.vpc.enable_flow_logs": true
}
gcp.vpc.flow_logs_sampling
Cloud Provider: GCP | Type: Float | Default: 0.0
Set the VPC flow logs sampling rate, from 0.0 (no sampling) to 1.0 (all logs).
Example:
{
  "gcp.vpc.flow_logs_sampling": 0.5
}
object_storage.enable_logging
Cloud Provider: AWS, GCP, Azure | Type: Boolean | Default: false
Activate logging of the cluster buckets into a <bucket>-log bucket. See the documentation for AWS and GCP.
Example:
{
  "object_storage.enable_logging": true
}

DNS

dns.coredns.extra_config
Cloud Provider: AWS, Scaleway, Azure | Type: String | Default: null
Additional configuration appended to CoreDNS, used to customize DNS resolution rules on the cluster. The value is a single JSON string, so newlines in the CoreDNS block are written as \n.
Example:
{
  "dns.coredns.extra_config": "example.com:53 {\n    errors\n    cache 30\n    forward . 8.8.8.8 8.8.4.4\n}"
}
CoreDNS format:
example.com:53 {
    errors
    cache 30
    forward . 8.8.8.8 8.8.4.4
}

Image Registry

registry.image_retention_time
Cloud Provider: AWS | Type: Integer | Default: 31536000 (1 year)
Number of seconds after which images in the default registry are deleted.
Changing this setting only affects ECR repositories created after the change; existing repositories are not affected.
Example:
{
  "registry.image_retention_time": 15768000
}
registry.mirroring_mode
Cloud Provider: AWS | Type: String | Default: Service
Image mirroring mode used for each image deployed on this cluster.
Valid values: Service, Cluster
Example:
{
  "registry.mirroring_mode": "Cluster"
}
cloud_provider.container_registry.tags
Cloud Provider: All | Type: Map<String, String> | Default: {}
Additional tags to add on the cluster's dedicated registry.
Example:
{
  "cloud_provider.container_registry.tags": {
    "Environment": "Production",
    "Team": "Platform"
  }
}

Network - Load Balancer

aws.eks.enable_alb_controller
Cloud Provider: AWS | Type: Boolean | Default: true
Enable the AWS ALB controller to manage the load balancer for the cluster.
Enabling this feature causes up to 10 minutes of downtime on your application's public access (the time to delete and replace the load balancer and propagate the DNS of the new one).
Requirements for custom VPCs (Qovery Managed VPC does not require these):
  • On public subnets: add label kubernetes.io/role/elb=1
  • On private subnets: add label kubernetes.io/role/internal-elb=1
  • On all subnets: add label kubernetes.io/cluster/<cluster-name>=shared
Example:
{
  "aws.eks.enable_alb_controller": true
}
aws.eks.alb_controller.vpa.vcpu.min_in_milli_cpu
Cloud Provider: AWS | Type: Integer | Default: 250
Minimum vCPU, in milli CPU, for the AWS ALB controller VPA (vertical pod autoscaling).
Example:
{
  "aws.eks.alb_controller.vpa.vcpu.min_in_milli_cpu": 500
}
aws.eks.alb_controller.vpa.vcpu.max_in_milli_cpu
Cloud Provider: AWS | Type: Integer | Default: 250
Maximum vCPU, in milli CPU, for the AWS ALB controller VPA (vertical pod autoscaling).
Example:
{
  "aws.eks.alb_controller.vpa.vcpu.max_in_milli_cpu": 1000
}
aws.eks.alb_controller.vpa.memory.min_in_mib
Cloud Provider: AWS | Type: Integer | Default: 128
Minimum memory, in mebibytes, for the AWS ALB controller VPA (vertical pod autoscaling).
Example:
{
  "aws.eks.alb_controller.vpa.memory.min_in_mib": 256
}
aws.eks.alb_controller.vpa.memory.max_in_mib
Cloud Provider: AWS | Type: Integer | Default: 128
Maximum memory, in mebibytes, for the AWS ALB controller VPA (vertical pod autoscaling).
Example:
{
  "aws.eks.alb_controller.vpa.memory.max_in_mib": 512
}
load_balancer.size
Cloud Provider: Scaleway | Type: String | Default: lb-s
Size of the load balancer in front of your cluster.
Valid values:
  • lb-s: 200 Mbps
  • lb-gp-m: 500 Mbps
  • lb-gp-l: 1 Gbps
  • lb-gp-xl: 4 Gbps
Example:
{
  "load_balancer.size": "lb-gp-l"
}

Network - NGINX Ingress

Cloud Provider: All
Configure CPU and memory resources for the NGINX ingress controller pods:
Setting | Type | Default | Description
nginx.vcpu.request_in_milli_cpu | Integer | 200 | CPU request (millicores)
nginx.vcpu.limit_in_milli_cpu | Integer | 700 | CPU limit (millicores)
nginx.memory.request_in_mib | Integer | 768 | Memory request (MiB)
nginx.memory.limit_in_mib | Integer | 768 | Memory limit (MiB)
Example:
{
  "nginx.vcpu.request_in_milli_cpu": 500,
  "nginx.vcpu.limit_in_milli_cpu": 1000,
  "nginx.memory.request_in_mib": 1024,
  "nginx.memory.limit_in_mib": 2048
}
Cloud Provider: All
Configure horizontal pod autoscaling for the NGINX ingress controller:
Setting | Type | Default | Description
nginx.hpa.cpu_utilization_percentage_threshold | Integer | 50 | CPU threshold (%)
nginx.hpa.min_number_instances | Integer | 2 | Minimum replicas
nginx.hpa.max_number_instances | Integer | 25 | Maximum replicas
Example:
{
  "nginx.hpa.cpu_utilization_percentage_threshold": 70,
  "nginx.hpa.min_number_instances": 3,
  "nginx.hpa.max_number_instances": 50
}
nginx.controller.enable_client_ip
Cloud Provider: All | Type: Boolean | Default: false
Enables the ngx_http_realip_module module so that the real client IP address is available.
Example:
{
  "nginx.controller.enable_client_ip": true
}
nginx.controller.enable_compression
Cloud Provider: All | Type: Boolean | Default: true
Enables compression (Brotli) for HTTP responses. When disabled, content is not compressed, which may increase bandwidth usage but reduces CPU load.
Example:
{
  "nginx.controller.enable_compression": false
}
nginx.controller.use_forwarded_headers
Cloud Provider: All | Type: Boolean | Default: false
Passes the incoming X-Forwarded-For header upstream. See documentation.
Example:
{
  "nginx.controller.use_forwarded_headers": true
}
nginx.controller.compute_full_forwarded_for
Cloud Provider: All | Type: Boolean | Default: false
Appends the remote address to the X-Forwarded-For header instead of replacing it. See documentation.
Example:
{
  "nginx.controller.compute_full_forwarded_for": true
}
nginx.controller.log_format_upstream
Cloud Provider: All | Type: String | Default: null
Customizes the NGINX log-format.
Example:
{
  "nginx.controller.log_format_upstream": "$remote_addr - $remote_user [$time_local] \"$request\" $status $body_bytes_sent"
}
nginx.controller.log_format_escaping
Cloud Provider: All | Type: String | Default: Default
Customizes the NGINX log-format-escaping setting.
Valid values: Default, JSON, None
Example:
{
  "nginx.controller.log_format_escaping": "JSON"
}
nginx.controller.http_snippet
Cloud Provider: All | Type: String | Default: null
Customizes the NGINX http-snippet configuration. Used for cluster-level NGINX configuration that applies to all services.
Example:
{
  "nginx.controller.http_snippet": "limit_req_zone \"$server_name\" zone=global:10m rate=10r/s;"
}
See Rate Limiting Guide for practical examples.
nginx.controller.server_snippet
Cloud Provider: All | Type: String | Default: null
Customizes the NGINX server-snippet configuration. Used for server-level NGINX configuration.
Example:
{
  "nginx.controller.server_snippet": "location / {\n    limit_req zone=global;\n}"
}
See Rate Limiting Guide for practical examples.
nginx.controller.limit_request_status_code
Cloud Provider: All | Type: Integer | Default: null (defaults to 503)
Customizes the NGINX limit-req-status-code. Commonly set to 429 (Too Many Requests) for rate limiting.
Example:
{
  "nginx.controller.limit_request_status_code": 429
}
nginx.controller.custom_http_errors
Cloud Provider: All | Type: String | Default: null
Customizes the NGINX custom-http-errors setting.
Example:
{
  "nginx.controller.custom_http_errors": "404,503"
}
Cloud Provider: All
Configure a custom default backend for NGINX:
Setting | Type | Default | Description
nginx.default_backend.enabled | Boolean | false | Enable default backend
nginx.default_backend.image_repository | String | null | Docker image repository
nginx.default_backend.image_tag | String | null | Docker image tag
If you do not specify a custom image repository and tag, ensure your cluster includes nodes with the amd64 architecture.
Example:
{
  "nginx.default_backend.enabled": true,
  "nginx.default_backend.image_repository": "myregistry/custom-backend",
  "nginx.default_backend.image_tag": "1.0.0"
}

Network - Database Access Control

PostgreSQL
Cloud Provider: AWS | Applies to: Container and Managed Databases
Setting | Type | Default | Description
database.postgresql.deny_any_access | Boolean | false | Deny all PostgreSQL access
database.postgresql.allowed_cidrs | Array | ["0.0.0.0/0"] | Allowed CIDR ranges
When allowed_cidrs is changed:
  • Managed databases: access is removed instantly
  • Container databases: access is removed only after redeployment
Example:
{
  "database.postgresql.deny_any_access": false,
  "database.postgresql.allowed_cidrs": ["10.0.0.0/16", "10.1.0.0/16"]
}
MySQL
Cloud Provider: AWS | Applies to: Container and Managed Databases
Setting | Type | Default | Description
database.mysql.deny_any_access | Boolean | false | Deny all MySQL access
database.mysql.allowed_cidrs | Array | ["0.0.0.0/0"] | Allowed CIDR ranges
When allowed_cidrs is changed:
  • Managed databases: access is removed instantly
  • Container databases: access is removed only after redeployment
Example:
{
  "database.mysql.deny_any_access": false,
  "database.mysql.allowed_cidrs": ["10.0.0.0/16"]
}
MongoDB
Cloud Provider: AWS | Applies to: Container and Managed Databases
Setting | Type | Default | Description
database.mongodb.deny_any_access | Boolean | false | Deny all MongoDB access
database.mongodb.allowed_cidrs | Array | ["0.0.0.0/0"] | Allowed CIDR ranges
When allowed_cidrs is changed:
  • Managed databases: access is removed instantly
  • Container databases: access is removed only after redeployment
Example:
{
  "database.mongodb.deny_any_access": false,
  "database.mongodb.allowed_cidrs": ["10.0.0.0/16"]
}
Redis
Cloud Provider: AWS | Applies to: Container and Managed Databases
Setting | Type | Default | Description
database.redis.deny_any_access | Boolean | false | Deny all Redis access
database.redis.allowed_cidrs | Array | ["0.0.0.0/0"] | Allowed CIDR ranges
When allowed_cidrs is changed:
  • Managed databases: access is removed instantly
  • Container databases: access is removed only after redeployment
Example:
{
  "database.redis.deny_any_access": false,
  "database.redis.allowed_cidrs": ["10.0.0.0/16"]
}

Service Resources

allow_service_cpu_overcommit
Cloud Provider: All | Type: Boolean | Default: false
Authorize CPU overcommit (limit > request) for services deployed within this cluster.
Using overcommit on pod resources can lead to instability on your cluster and we strongly discourage it. Be careful when using this feature.
Once enabled, you can update the service advanced setting resources.override.limit.cpu_in_mib.
Example:
{
  "allow_service_cpu_overcommit": true
}
allow_service_ram_overcommit
Cloud Provider: All | Type: Boolean | Default: false
Authorize memory overcommit (limit > request) for services deployed within this cluster.
Using overcommit on pod resources can lead to instability on your cluster and we strongly discourage it. Be careful when using this feature.
Once enabled, you can update the service advanced setting resources.override.limit.ram_in_mib.
Example:
{
  "allow_service_ram_overcommit": true
}

IAM & Security

IAM admin group sync
Cloud Provider: AWS
Setting | Type | Default | Description
aws.iam.enable_admin_group_sync | Boolean | true | Enable IAM admin group sync
aws.iam.admin_group | String | Admins | IAM admin group name
Configure IAM group permissions for cluster access. See IAM permissions setup.
aws.iam.admin_group must be set when aws.iam.enable_admin_group_sync is true.
Example:
{
  "aws.iam.enable_admin_group_sync": true,
  "aws.iam.admin_group": "QoveryAdmins"
}
SSO
Cloud Provider: AWS
Setting | Type | Default | Description
aws.iam.enable_sso | Boolean | false | Enable SSO support
aws.iam.sso_role_arn | String | "" | SSO role ARN
Enable SSO sync, allowing IAM users to connect to the cluster using SSO.
aws.iam.sso_role_arn must be set when aws.iam.enable_sso is true.
Example:
{
  "aws.iam.enable_sso": true,
  "aws.iam.sso_role_arn": "arn:aws:iam::123456789012:role/QoverySSO"
}
aws.eks.encrypt_secrets_kms_key_arn
Cloud Provider: AWS | Type: String | Default: null
Activates KMS encryption of your Kubernetes secrets. Specify the key ARN of your AWS KMS key.
This change cannot be reverted once the feature is activated.
Example:
{
  "aws.eks.encrypt_secrets_kms_key_arn": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
}
k8s.api.allowed_public_access_cidrs
Cloud Provider: AWS, GCP, Azure | Type: Array | Default: []
Additional CIDRs that are whitelisted to access the Kubernetes API.
qovery.static_ip_mode must be set to true for this setting to take effect.
Example:
{
  "k8s.api.allowed_public_access_cidrs": ["100.100.100.0/32", "200.200.200.0/24"]
}

Miscellaneous

aws.eks.ec2.metadata_imds
Cloud Provider: AWS | Type: String | Default: required
Specify the IMDS version to use.
Valid values:
  • required: IMDS v2 only
  • optional: IMDS v1 and v2
Example:
{
  "aws.eks.ec2.metadata_imds": "optional"
}
aws.eks.ec2.ami
Cloud Provider: AWS | Type: String | Default: AmazonLinux2023
Specify the AMI to use for EKS nodes.
Valid values:
  • AmazonLinux2: Deprecated, not working after Kubernetes 1.32
  • AmazonLinux2023: Default Amazon AMI (recommended)
  • Bottlerocket: Focuses on security and maintainability
Example:
{
  "aws.eks.ec2.ami": "Bottlerocket"
}
qovery.static_ip_mode
Cloud Provider: AWS, GCP | Type: Boolean | Default: false
Enable the static IP mode for the Qovery control plane, which automatically:
  1. Activate the private endpoint on the Kubernetes API
  2. Add the Qovery IP to the CIDR whitelist
If you need to connect to the Kubernetes cluster from your network, make sure to add your CIDR to k8s.api.allowed_public_access_cidrs.
DockerHub credentials are required to activate this feature; configure them in Organization settings > Container registry. DockerHub rate-limits pulls per IP, and with static IP mode the Qovery control plane is seen as a single IP, so authenticated access is needed to raise that limit.
Example:
{
  "qovery.static_ip_mode": true
}
storageclass.fast_ssd
Cloud Provider: All | Type: String | Default: cloud provider specific
Specify the Kubernetes storageClass to use for storage attached to your container databases and applications.
Example:
{
  "storageclass.fast_ssd": "gp3"
}

Best Practices

Begin with Qovery’s default cluster settings and only modify when you have a specific infrastructure requirement. Defaults are optimized for most use cases.
Always test cluster advanced settings changes in development or staging clusters before applying to production.
Keep track of why you changed specific cluster settings. This helps with troubleshooting and knowledge sharing across your infrastructure team.
After modifying cluster advanced settings, closely monitor cluster health, resource usage, and service performance for 24-48 hours.
Manage cluster advanced settings through Terraform to maintain consistency and enable version control.
  • Always configure allowed_cidrs for database access instead of allowing 0.0.0.0/0
  • Use VPC CIDR ranges for internal database access
  • Enable database access logs with object_storage.enable_logging
  • Use k8s.api.allowed_public_access_cidrs to restrict Kubernetes API access
  • Enable nginx.controller.enable_client_ip for accurate IP-based security
  • Configure appropriate rate limiting with NGINX snippets
  • Enable VPC flow logs for audit trails
  • Set appropriate log retention periods to balance cost and compliance
  • Use image retention policies to clean up old container images
  • Configure NGINX HPA based on actual traffic patterns
  • Monitor VPC flow logs sampling to avoid excessive storage costs
  • Set nginx.hpa.min_number_instances to at least 2 (default)
  • Configure appropriate NGINX resource limits for your traffic
  • Enable ALB controller on AWS for better load distribution
  • Use proper load balancer sizing on Scaleway
  • Enable VPC flow logs in production for network troubleshooting
  • Configure appropriate log retention for compliance requirements
  • Use custom NGINX log formats for better insights
  • Enable object storage logging for audit trails

Troubleshooting

Symptoms: Cluster deployment fails or becomes unavailable after modifying advanced settings.
Common Causes:
  • Invalid NGINX snippet syntax
  • Incompatible resource allocations
  • Incorrect CIDR formatting in allowed_cidrs
  • Missing required settings (e.g., admin_group when sync enabled)
Resolution:
  1. Check cluster deployment logs for specific error messages
  2. Verify NGINX snippet syntax using NGINX documentation
  3. Validate CIDR notation (e.g., 10.0.0.0/16)
  4. Revert to default settings and apply changes incrementally
  5. Contact Qovery support with cluster ID and settings applied
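Three of the causes above (CIDRs written as a bare string or with an invalid prefix, a dependent setting such as aws.iam.sso_role_arn left empty, a limit below its request) can be caught before the PATCH is sent and the redeploy is spent. The following validator is an added example, not Qovery's own code: it checks a settings object against the rules stated in the Database Access Control, NGINX, IAM & Security and Miscellaneous sections of this page, merging the documented defaults so that a partial update is judged by its effective values. The SAMPLE_PATCH payload is constructed for the demonstration and deliberately contains the mistakes listed above.

```python
"""Pre-flight checks for a Qovery cluster advanced-settings payload.

Added example, not Qovery's own code. It checks the JSON object that will be
sent to PATCH /cluster/{cluster_id}/advancedSettings for the mistakes listed
under Troubleshooting (CIDR formatting, missing dependent settings, limits
below requests) so a cluster redeploy is not wasted on an invalid payload.
"""
import ipaddress
import json
import re

# Defaults for the keys the checks depend on, copied from the reference tables;
# the API call is a partial update, so an absent key keeps its default.
DEFAULTS = {
    "nginx.vcpu.request_in_milli_cpu": 200, "nginx.vcpu.limit_in_milli_cpu": 700,
    "nginx.memory.request_in_mib": 768, "nginx.memory.limit_in_mib": 768,
    "nginx.hpa.min_number_instances": 2, "nginx.hpa.max_number_instances": 25,
    "aws.iam.enable_admin_group_sync": True, "aws.iam.admin_group": "Admins",
    "aws.iam.enable_sso": False, "aws.iam.sso_role_arn": "",
    "qovery.static_ip_mode": False,
}
CLOUDWATCH_RETENTION_DAYS = {0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400,
                             545, 731, 1827, 2192, 2557, 2922, 3288, 3653}
ENUMS = {
    "aws.eks.ec2.metadata_imds": {"required", "optional"},
    "aws.eks.ec2.ami": {"AmazonLinux2", "AmazonLinux2023", "Bottlerocket"},
    "registry.mirroring_mode": {"Service", "Cluster"},
    "nginx.controller.log_format_escaping": {"Default", "JSON", "None"},
}
# (request or min key, limit or max key): the first must not exceed the second.
ORDERED_PAIRS = [
    ("nginx.vcpu.request_in_milli_cpu", "nginx.vcpu.limit_in_milli_cpu"),
    ("nginx.memory.request_in_mib", "nginx.memory.limit_in_mib"),
    ("nginx.hpa.min_number_instances", "nginx.hpa.max_number_instances"),
]
IAM_ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/.+$")


def check_cidr_list(key, value, errors, warnings):
    """A CIDR setting must be a JSON array (not a bare string) of valid networks."""
    if not isinstance(value, list):
        errors.append(f'{key}: expected a list like ["10.0.0.0/16"], got {json.dumps(value)}')
        return
    for cidr in value:
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits and bad masks
        except ValueError:
            errors.append(f"{key}: {cidr!r} is not valid CIDR notation (e.g. 10.0.0.0/16)")
            continue
        if net.prefixlen == 0:
            warnings.append(f"{key}: {cidr} allows access from anywhere; use VPC CIDR ranges")


def validate_settings(patch):
    """Return (errors, warnings) for a PATCH body; any error should block the call."""
    errors, warnings = [], []
    eff = {**DEFAULTS, **patch}  # effective values after the partial update

    for engine in ("postgresql", "mysql", "mongodb", "redis"):
        key = f"database.{engine}.allowed_cidrs"
        if key in patch:
            check_cidr_list(key, patch[key], errors, warnings)
            if patch.get(f"database.{engine}.deny_any_access") is True:
                warnings.append(f"{key} is ignored while database.{engine}.deny_any_access is true")

    if "k8s.api.allowed_public_access_cidrs" in patch:
        check_cidr_list("k8s.api.allowed_public_access_cidrs",
                        patch["k8s.api.allowed_public_access_cidrs"], errors, warnings)
        if not eff["qovery.static_ip_mode"]:
            warnings.append("k8s.api.allowed_public_access_cidrs only takes effect "
                            "with qovery.static_ip_mode = true")

    if eff["aws.iam.enable_admin_group_sync"] and not eff["aws.iam.admin_group"]:
        errors.append("aws.iam.admin_group must be set when aws.iam.enable_admin_group_sync is true")
    if eff["aws.iam.enable_sso"] and not IAM_ROLE_ARN_RE.match(eff["aws.iam.sso_role_arn"] or ""):
        errors.append("aws.iam.sso_role_arn must be an IAM role ARN when aws.iam.enable_sso is true")

    for low, high in ORDERED_PAIRS:
        if eff[low] > eff[high]:
            errors.append(f"{low} ({eff[low]}) exceeds {high} ({eff[high]})")
    if eff["nginx.hpa.min_number_instances"] < 2:
        warnings.append("nginx.hpa.min_number_instances below 2 leaves the ingress without redundancy")

    days = patch.get("aws.cloudwatch.eks_logs_retention_days")
    if days is not None and days not in CLOUDWATCH_RETENTION_DAYS:
        errors.append(f"aws.cloudwatch.eks_logs_retention_days: {days} is not an accepted value")
    for key, allowed in ENUMS.items():
        if key in patch and patch[key] not in allowed:
            errors.append(f"{key}: {patch[key]!r} is not one of {sorted(allowed)}")
    if patch.get("aws.eks.ec2.metadata_imds") == "optional":
        warnings.append("aws.eks.ec2.metadata_imds = optional re-enables IMDSv1 on the nodes")
    sampling = patch.get("gcp.vpc.flow_logs_sampling")
    if sampling is not None and not 0.0 <= sampling <= 1.0:
        errors.append("gcp.vpc.flow_logs_sampling must be between 0.0 and 1.0")
    return errors, warnings


# Constructed payload: the deliberate mistakes mirror the Common Causes list above.
SAMPLE_PATCH = {
    "database.postgresql.allowed_cidrs": "10.0.0.0/16",            # string instead of list
    "database.mysql.allowed_cidrs": ["10.0.0.0/16", "10.1.0.0/33"],  # invalid prefix length
    "database.redis.allowed_cidrs": ["0.0.0.0/0"],                  # open to the world
    "aws.iam.enable_sso": True,                                     # sso_role_arn left at ""
    "nginx.vcpu.limit_in_milli_cpu": 100,                           # below the 200 request
    "aws.cloudwatch.eks_logs_retention_days": 45,                   # not an accepted value
    "k8s.api.allowed_public_access_cidrs": ["203.0.113.0/24"],      # static_ip_mode still false
}

if __name__ == "__main__":
    errs, warns = validate_settings(SAMPLE_PATCH)
    print("\n".join(["ERRORS:", *errs, "WARNINGS:", *warns]))
```

Run it against the body you intend to send; an empty error list means the payload is at least well-formed, though the cluster deployment logs remain the authority on what the API accepts.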
Symptoms: Applications can't connect to databases after changing allowed_cidrs.
Troubleshooting:
  1. For managed databases: Changes apply immediately, verify CIDR includes your application VPC
  2. For container databases: Requires database redeployment to take effect
  3. Verify CIDR format is correct (e.g., ["10.0.0.0/16"] not "10.0.0.0/16")
  4. Check that deny_any_access is set to false
  5. Verify database security groups in cloud provider console
Resolution:
  • Ensure application subnet is included in allowed_cidrs
  • For container databases, redeploy the database service
  • Check VPC peering configuration if using cross-VPC access
Symptoms: Services not accessible, 502/503 errors, or NGINX pods not starting.
Check:
  1. NGINX pod status: kubectl get pods -n qovery
  2. NGINX logs: Check cluster logs in Qovery Console
  3. HPA status: kubectl get hpa -n qovery
  4. Resource limits: Verify NGINX isn’t resource-constrained
Common Issues:
  • Invalid http_snippet or server_snippet syntax
  • Resource limits too low for traffic volume
  • HPA min/max instances misconfigured
  • Custom default backend image not accessible
Resolution:
  1. Remove custom snippets and redeploy to isolate issue
  2. Increase NGINX resource limits if pods are OOMKilled
  3. Verify custom default backend image is publicly accessible
  4. Check NGINX configuration: kubectl exec -n qovery nginx-pod -- nginx -T
Symptoms: Rate limits not enforced, all requests get through.
Verify:
  1. NGINX snippet syntax is correct in http_snippet and server_snippet
  2. Cluster has been redeployed after settings change
  3. Rate limit zone names match between declaration and usage
  4. Using correct variable (e.g., $server_name vs $remote_addr)
Testing:
# Test the rate limit with curl: send 20 requests, then count the status codes seen
for i in {1..20}; do curl -s -o /dev/null -w "%{http_code}\n" https://your-app.com; done | sort | uniq -c
See Rate Limiting Guide for detailed examples.
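Items 3 and 4 of the Verify list (zone names matching between declaration and use, and which variable the zone is keyed on) can be checked offline by parsing the two snippet strings. The following is an added example, not code from Qovery or the Rate Limiting Guide: it extracts the limit_req_zone declarations from nginx.controller.http_snippet and the limit_req references from nginx.controller.server_snippet, reports zones used but never declared (the usual reason a limit silently does nothing) and zones declared but never used, and notes when the key is $server_name, which gives the whole server one shared budget rather than a per-client limit. The two settings objects are constructed for the demonstration; the first reproduces Example 4 from this page.

```python
"""Consistency check for NGINX rate-limit snippets in Qovery cluster settings.

Added example, not Qovery's own code. A limit_req that references a zone the
http snippet never declares is rejected by NGINX, and a declared zone that no
limit_req references never limits anything; both look like "rate limits not
enforced" from the outside. The regexes cover the directive forms shown on
this page (zone=<name>:<size> rate=<n>r/s, optional burst and nodelay).
"""
import re

ZONE_DECL_RE = re.compile(
    r"limit_req_zone\s+(\S+)\s+zone=(\w+):(\d+[kKmM]?)\s+rate=(\d+)r/([sm])\s*;")
ZONE_USE_RE = re.compile(r"limit_req\s+zone=(\w+)(?:\s+burst=(\d+))?(?:\s+(nodelay))?\s*;")


def parse_zones(http_snippet):
    """Map zone name -> {key, size, rate} for each limit_req_zone in the http snippet."""
    return {m.group(2): {"key": m.group(1).strip('"'), "size": m.group(3),
                         "rate": f"{m.group(4)}r/{m.group(5)}"}
            for m in ZONE_DECL_RE.finditer(http_snippet or "")}


def parse_uses(server_snippet):
    """Return the zone names referenced by limit_req directives in the server snippet."""
    return [m.group(1) for m in ZONE_USE_RE.finditer(server_snippet or "")]


def check_rate_limit(settings):
    """Return (errors, notes): errors stop enforcement, notes affect how it behaves."""
    errors, notes = [], []
    zones = parse_zones(settings.get("nginx.controller.http_snippet"))
    uses = parse_uses(settings.get("nginx.controller.server_snippet"))
    if not zones:
        errors.append("no limit_req_zone declared in nginx.controller.http_snippet")
    if not uses:
        errors.append("no limit_req in nginx.controller.server_snippet; declared zones are never applied")
    for name in uses:
        if name not in zones:
            errors.append(f"limit_req references zone '{name}' but http_snippet declares "
                          f"{sorted(zones) or 'none'}")
    for name, zone in zones.items():
        if name not in uses:
            errors.append(f"zone '{name}' is declared but never referenced by a limit_req")
        if zone["key"] == "$server_name":
            notes.append(f"zone '{name}' is keyed on $server_name: one shared budget of "
                         f"{zone['rate']} for all clients, not a per-client limit "
                         f"(use $remote_addr or $binary_remote_addr for that)")
    if settings.get("nginx.controller.limit_request_status_code") is None:
        notes.append("limit_request_status_code is unset; rejected requests return 503, not 429")
    return errors, notes


# Constructed inputs. EXAMPLE_OK reproduces Example 4 from this page; EXAMPLE_MISMATCH
# declares one zone but references another, the classic "nothing is limited" mistake.
EXAMPLE_OK = {
    "nginx.controller.http_snippet":
        'limit_req_zone "$server_name" zone=global:10m rate=100r/s;',
    "nginx.controller.server_snippet":
        "location / {\n    limit_req zone=global burst=200 nodelay;\n}",
    "nginx.controller.limit_request_status_code": 429,
}
EXAMPLE_MISMATCH = {
    "nginx.controller.http_snippet":
        "limit_req_zone $binary_remote_addr zone=global:10m rate=10r/s;",
    "nginx.controller.server_snippet":
        "location / {\n    limit_req zone=per_ip burst=20;\n}",
    "nginx.controller.limit_request_status_code": 429,
}

if __name__ == "__main__":
    for label, cfg in (("example 4", EXAMPLE_OK), ("mismatch", EXAMPLE_MISMATCH)):
        errs, notes = check_rate_limit(cfg)
        print(f"{label}: errors={errs} notes={notes}")
```

The check is deliberately narrow: it validates the relationship between the two snippets, not full NGINX syntax, so a clean result still needs the redeploy (item 2 above) and the curl test before the limit can be considered enforced.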
Symptoms: Qovery control plane can't connect to the cluster after enabling static IP mode.
Check:
  1. DockerHub credentials configured in Organization settings
  2. Private Kubernetes API endpoint is accessible
  3. k8s.api.allowed_public_access_cidrs includes your IP if needed
  4. No network policies blocking Qovery IP
Resolution:
  1. Verify DockerHub credentials are valid
  2. Add Qovery support IP to allowed CIDRs if provided
  3. Check VPC routing and security groups
  4. Contact Qovery support for static IP whitelist
Symptoms: Can't connect to the cluster using AWS SSO or an IAM group.
Verify:
  1. aws.iam.admin_group matches your IAM group name exactly
  2. IAM user is member of specified admin group
  3. aws.iam.sso_role_arn is correct if using SSO
  4. Cluster has been redeployed after IAM settings change
Test Connection:
# Download kubeconfig from Qovery Console
export KUBECONFIG=./kubeconfig.yaml
kubectl get nodes
Resolution:
  1. Verify IAM group membership in AWS Console
  2. Check IAM policy permissions include necessary Kubernetes access
  3. Redeploy cluster to apply IAM configuration changes

Use Cases & Examples

Example 1: Production Cluster with Enhanced Security

{
  "loki.log_retention_in_week": 52,
  "aws.vpc.enable_s3_flow_logs": true,
  "aws.vpc.flow_logs_retention_days": 365,
  "object_storage.enable_logging": true,
  "database.postgresql.deny_any_access": false,
  "database.postgresql.allowed_cidrs": ["10.0.0.0/16"],
  "database.mysql.deny_any_access": false,
  "database.mysql.allowed_cidrs": ["10.0.0.0/16"],
  "k8s.api.allowed_public_access_cidrs": ["203.0.113.0/24"],
  "qovery.static_ip_mode": true,
  "aws.eks.encrypt_secrets_kms_key_arn": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
}

Example 2: High-Traffic Cluster with Scaled NGINX

{
  "nginx.hpa.min_number_instances": 5,
  "nginx.hpa.max_number_instances": 50,
  "nginx.hpa.cpu_utilization_percentage_threshold": 60,
  "nginx.vcpu.request_in_milli_cpu": 500,
  "nginx.vcpu.limit_in_milli_cpu": 2000,
  "nginx.memory.request_in_mib": 1024,
  "nginx.memory.limit_in_mib": 2048,
  "nginx.controller.enable_compression": true
}

Example 3: Development Cluster with Relaxed Settings

{
  "loki.log_retention_in_week": 4,
  "registry.image_retention_time": 2592000,
  "nginx.hpa.min_number_instances": 2,
  "nginx.hpa.max_number_instances": 10,
  "database.postgresql.deny_any_access": false,
  "database.postgresql.allowed_cidrs": ["0.0.0.0/0"]
}

Example 4: Cluster with Custom Rate Limiting

{
  "nginx.controller.http_snippet": "limit_req_zone \"$server_name\" zone=global:10m rate=100r/s;",
  "nginx.controller.server_snippet": "location / {\n    limit_req zone=global burst=200 nodelay;\n}",
  "nginx.controller.limit_request_status_code": 429
}
See Rate Limiting Guide and IP Authorization Guide for more examples.

Next Steps