Connect remotely to ElastiCache - Redis

Question

We are using ElastiCache - Redis for our site, we need to flush the Redis cache and when I try to connect to my ElastiCache - Redis remotely by this command from any PC

redis-cli -h example-redis-1.example.0001.euw1.cache.amazonaws.com -p 6379

It always says:

Could not connect to Redis at example-redis-1.example.0001.euw1.cache.amazonaws.com:6379: Connection refused not connected>

I have made sure that inbound rule allows 6379 from any IP and also tried to edit /etc/redis.conf to add bind example-redis-1.example.0001.euw1.cache.amazonaws.com but even than the error remains the same.

No, this is another server with another hosting provider from where I am trying to connect. All I need is to connect remotely to my Redis and clear the cache. — Farmi, Nov 25 '15 at 14:29

score 11 · Accepted Answer · answered Nov 25 '15 at 14:32

11

ElastiCache clusters can only be accessed directly from within the VPC in which it resides. This is because ElastiCache is not a secured service.

In order to connect to your ElastiCache remotely, you need to go through a bastion server or a NAT. AWS has created instructions here:

http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/Access.Outside.html

To use a bastion, you would SSH into your bastion EC2 instance that resides in your VPC. Once connected, you can tunnel your ElastiCache connection from your PC, or you can connect to your cache from your bastion's command prompt.

answered Nov 25 '15 at 14:32

Matt Houser

9,709
1
26
25

But, how they are connecting http://stackoverflow.com/questions/21917661/can-you-connect-to-amazon-elasticache-redis-outside-of-amazon – Farmi Nov 25 '15 at 14:52
1

They are using tunnels and/or bastions. – Matt Houser Nov 25 '15 at 15:14
NAT is for go-out not for go-in. – Z.Wei May 05 '20 at 18:07

score 7 · Answer 2 · answered Apr 05 '18 at 06:42

7

Step 1:

ssh -f -N -L6379:<your redis node endpoint>:6379 <your EC2 node that you use to connect to redis>

Example : ssh -f -N -L6379:redis.aps1.cache.amazonaws.com:6379 ubuntu@58.12.73.10

Step 2:

redis-cli -h 127.0.0.1 -p 6379

answered Apr 05 '18 at 06:42

anuj pradhan

171
1
2

Thanks a lot I was able to connect local redis gui server to my amazon elastic cache and was able to check all the things. Today it is the relevant answer. – wui Feb 11 '19 at 17:59
what if I need to connect to redis endpoint though 2 bastion hosts? – Searge Sep 15 '21 at 09:40

score 1 · Answer 3 · answered Nov 17 '18 at 21:43

The reason you are not able to connect to Elasticache nodes is that the DNS name or the endpoint only resolves to the IPs belonging to the VPC CIDR (not Public or Elastic IPs). As these IPs are not publically routable, the connection cannot be established over the internet.

You need a way to establish a route over to the internet to be able to access the node. This can be done by means of VPN or using NAT settings as told by @"Matt Houser"

I did not try the ssh tunnelling but it should work too. However, I am uncertain about Encryption-In-Transit's behaviour in this case so need to try out.

score 0 · Answer 4 · answered Mar 05 '19 at 00:17

0

You can also spin up OpenVPN Access server in that VPC. More information can be found in Using a VPN Server to connect to your AWS article

answered Mar 05 '19 at 00:17

Stanislav Hordiyenko

161
5

score 0 · Answer 5 · edited Nov 01 '19 at 09:10

The simplest way to trace the issue and fix it.
1. Are you able to telnet to redis instance on port 6379.
2. If not, check security groups inbound.
3. If yes, check if you have encryption at rest and encryption in transit checked during Redis setup
4. If so, redis-cli won't work on SSL, you need to have stunnel setup.

Follow the below guide from AWS to setup stunnel and connect to your Redis instance.

https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html#connect-tls

Connect remotely to ElastiCache - Redis

5 Answers5