> ## Documentation Index
> Fetch the complete documentation index at: https://www.qovery.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# AWS Cluster Preflight Checks
> Understand the automatic prerequisite validation checks that run before AWS EKS cluster creation
Before deploying a new AWS EKS cluster, Qovery automatically runs prerequisite validation checks to ensure your AWS environment is properly configured. If any check fails, deployment is blocked and a clear report shows what needs to be fixed.
Preflight checks run automatically when you create or deploy an AWS EKS cluster. No additional configuration is required.
## Checks Performed
### Quota Checks (All Modes)
Qovery verifies that your AWS account has sufficient resource quotas in the target region:
| Resource | Default AWS Limit | Required by Qovery |
| ----------------------- | ----------------- | ------------------------------------------ |
| EKS clusters per region | 100 | 1 per cluster |
| Elastic IPs | 5 | 3-6 depending on NAT Gateway configuration |
| VPCs per region | 5 | 1 per cluster |
| NAT Gateways per AZ | Per-AZ limit | 1 per AZ used |
Qovery attempts to query your actual quota limits via the [AWS Service Quotas API](https://docs.aws.amazon.com/servicequotas/latest/userguide/intro.html). If the `servicequotas:GetServiceQuota` permission is not granted, Qovery falls back to AWS default limits and displays a **WARN** in the report. To get accurate quota checks, add the following permission to your IAM policy:
```json theme={null}
{
"Effect": "Allow",
"Action": "servicequotas:GetServiceQuota",
"Resource": "*"
}
```
### Availability Zone Checks (All Modes)
The target region must have a minimum of **3 Availability Zones**. This is required to ensure high availability for EKS workloads.
### VPC Configuration Checks (Custom VPC Mode Only)
When using the **Deploy on my existing VPC** option, Qovery validates your VPC setup:
* **VPC exists** and has `enable_dns_hostnames = true`
* **All 15 required subnets exist** (5 subnet types x 3 Availability Zones)
* **Required tags** are present on subnets:
| Subnet Type | Required Tag | Value |
| --------------- | ------------------------------------------- | ------------------- |
| All subnets | `kubernetes.io/cluster/qovery-{cluster_id}` | `shared` |
| Public subnets | `kubernetes.io/role/elb` | `1` |
| Private subnets | `kubernetes.io/role/internal-elb` | \`\` (empty string) |
| Private subnets | `karpenter.sh/discovery` | `{cluster_name}` |
### IAM Checks (Managed and Custom VPC Modes)
Qovery verifies that:
* AWS credentials are valid
* Basic permissions are present to create and manage cluster resources
## Reading the Preflight Report
After checks complete, Qovery displays a summary report in the deployment logs:
```
========================================================================
AWS Deployment Preflight Report
========================================================================
[PASS] EKS cluster quota ........................ 3/100 clusters
[PASS] Elastic IP quota ......................... 2/5 allocated
[FAIL] VPC subnet tags
-> Missing tag 'kubernetes.io/role/elb' on subnet-abc123
-> Fix: Add tag 'kubernetes.io/role/elb=1' to public subnets
[WARN] IAM permissions .......................... Could not fully verify
------------------------------------------------------------------------
Result: 1 FAILED | 1 WARNING | 2 PASSED
Deployment BLOCKED - fix FAILED checks before retrying
========================================================================
```
Each check is reported with one of three statuses:
| Status | Meaning |
| -------- | ------------------------------------------------------ |
| **PASS** | Check succeeded, no action needed |
| **WARN** | Potential issue detected but deployment is not blocked |
| **FAIL** | Check failed, deployment is blocked until resolved |
If any check has a **FAIL** status, deployment will not proceed. You must fix the reported issues and retry.
## Common Issues and Fixes
**Symptom**: `[FAIL] Elastic IP quota` in the preflight report.
**Fix**: Request a quota increase through the [AWS Service Quotas console](https://console.aws.amazon.com/servicequotas/). Navigate to **Amazon EC2 > Elastic IPs** and request an increase. Qovery requires 3-6 Elastic IPs depending on your NAT Gateway configuration.
**Symptom**: `[FAIL] VPC subnet tags` with details about missing tags.
**Fix**: Add the required Kubernetes tags to your subnets. For Custom VPC setups, ensure:
* All subnets have `kubernetes.io/cluster/qovery-{cluster_id} = shared`
* Public subnets have `kubernetes.io/role/elb = 1`
* Private subnets have `kubernetes.io/role/internal-elb = ""`
* Private subnets have `karpenter.sh/discovery = {cluster_name}`
You can add tags in the AWS Console under **VPC > Subnets > Tags**, or via the AWS CLI:
```bash theme={null}
aws ec2 create-tags --resources subnet-abc123 \
--tags Key=kubernetes.io/role/elb,Value=1
```
**Symptom**: `[FAIL] VPC DNS hostnames` in the preflight report.
**Fix**: Enable DNS hostnames on your VPC. In the AWS Console, go to **VPC > Your VPC > Actions > Edit VPC settings** and enable **DNS hostnames**. Or via the AWS CLI:
```bash theme={null}
aws ec2 modify-vpc-attribute --vpc-id vpc-abc123 \
--enable-dns-hostnames '{"Value": true}'
```
**Symptom**: `[FAIL] Availability Zones` indicating fewer than 3 AZs.
**Fix**: Choose a different AWS region that has at least 3 Availability Zones. Most standard AWS regions (e.g., `us-east-1`, `eu-west-1`, `ap-southeast-1`) meet this requirement. Some smaller or newer regions may not.
**Symptom**: `[WARN] EKS cluster quota access` (or Elastic IP / VPC quota access) with message "Could not query real quota, using default limit".
**Cause**: Your IAM policy does not include the `servicequotas:GetServiceQuota` permission. Qovery falls back to AWS default limits which may not reflect your actual account quotas.
**Fix**: Add the `servicequotas:GetServiceQuota` permission to your IAM policy:
```json theme={null}
{
"Effect": "Allow",
"Action": "servicequotas:GetServiceQuota",
"Resource": "*"
}
```
This is optional — preflight checks still work without it, but quota comparisons will use AWS default limits instead of your actual limits.
**Symptom**: `[FAIL] VPC quota` in the preflight report.
**Fix**: Either delete unused VPCs in the target region or request a quota increase via the [AWS Service Quotas console](https://console.aws.amazon.com/servicequotas/) under **Amazon VPC > VPCs per Region**.
## Quick Reference
| Issue | Fix |
| ---------------------------------- | ---------------------------------------------------------------------------- |
| Quota limits using defaults (WARN) | Add `servicequotas:GetServiceQuota` permission to your IAM policy (optional) |
| Elastic IP quota exceeded | Request quota increase via AWS Service Quotas console |
| Missing subnet tags | Add required Kubernetes tags to your subnets (see Custom VPC docs) |
| VPC DNS hostnames disabled | Enable `enable_dns_hostnames` on your VPC |
| Insufficient AZs | Choose a region with at least 3 Availability Zones |