3

I made a redis cluster and created a new security group called cache-access. If I ssh into an ec2 server and try to access a cache node, it works if two conditions are met:

  1. ec2 server belongs to cache-access security group
  2. cache-access security group opens inbound 6379 port

It makes sense to me to whitelist ec2 access via security group (#1), considering a group may need to scale up or down, so whitelisting ip addresses wouldn't work.

It doesn't make sense why I need to open the port (#2). The ec2 instance is not running redis-server. The elasticache servers are the ones listening on 6379.

Why does the ec2 security group need the 6379 port open to work?

AJcodez
  • 233
  • 4
  • 11
  • What security group does the cache node belong to? – ceejayoz Jun 16 '15 at 18:29
  • It's in vpn, so it doesn't have a cache security group, it has security group(s) assigned, in my case just `cache-access`. – AJcodez Jun 16 '15 at 18:32
  • Well, that's why. – ceejayoz Jun 16 '15 at 18:39
  • I see it now. It still doesn't make sense to me to have a sg for elasticache at all tho. What other port would i want open for a *managed redis cluster*? Like i'm not gonna host my mom's friend's website on 8080 on a *managed redis cluster*. Whatever. – AJcodez Jun 17 '15 at 21:13
  • ElastiCache has security groups because just like any other set of servers you might want to limit who has access to it. You might be running several apps in your AWS account and only want to let one app's servers access the cache. You might want to limit access just to a PHP tier and not let your database tier have access. – ceejayoz Jun 17 '15 at 21:21
  • Yeah i get that aspect, i thought the sg was just to whitelist access, not also apply port configurations. – AJcodez Jun 17 '15 at 21:43

1 Answers1

4

[the ElastiCache server] has security group(s) assigned, in my case just cache-access

Security groups apply to ElastiCache servers just like they do to EC2 servers (they're EC2 under the hood, even).

Port 6379 doesn't need to be open for the EC2 servers, but it does need to be open for the Redis server. You could put the cache or EC2 servers in separate security groups if you'd prefer to keep their firewall rules separate.

ceejayoz
  • 32,469
  • 7
  • 81
  • 105
  • Thank you. It didn't occur to me the security group applied to the elasticache servers beyond granting access to ec2 instances. – AJcodez Jun 17 '15 at 21:15