I don't really have a setup to test this, but if I create an elasticache redis cluster with more than 1 node, how exactly would a security group have to look like to be very secure but without breaking the cluster itself?
Lets say I create a security group that allows ingress from itself and my kubernetes nodes on port 6379 and allow all on egress to itself and kubernetes.
Like this for example:
resource "aws_security_group" "tools_elasticache_default" {
name = "tools-elasticache-default"
description = "Allow traffic from tools cluster to elasticache instance"
vpc_id = module.tools_cluster.vpc_id
ingress {
description = "Incomming redis traffic"
from_port = 6379
to_port = 6379
protocol = "tcp"
self = "true"
security_groups = [for x in module.tools_cluster.node_security_groups : x.id ]
}
egress {
description = "Outgoing redis traffic"
from_port = 0
to_port = 0
protocol = "-1"
self = "true"
security_groups = [for x in module.tools_cluster.node_security_groups : x.id ]
}
tags = merge(var.tags, {
"shared" = "true"
})
}
Would this break my elasticache cluster since it is ec2 under the hood and security groups are on a per instance base? Since I haven't explicitly specified redis cluster communication ports like those stated here?
To my understanding the cluster should be broken since one redis node could egress to another node on port 3333 but his request would be dropped on the missing ingress rule for it on the other cluster participant.
Or is AWS implicitly managing those rules and makes sure the ports for inter cluster communication are always allowed?
Any help would be greatly appreciated. Thanks!
