12

We are using ElastiCache - Redis for our site, we need to flush the Redis cache and when I try to connect to my ElastiCache - Redis remotely by this command from any PC

redis-cli -h example-redis-1.example.0001.euw1.cache.amazonaws.com -p 6379

It always says:

Could not connect to Redis at example-redis-1.example.0001.euw1.cache.amazonaws.com:6379: Connection refused
not connected>

I have made sure that inbound rule allows 6379 from any IP and also tried to edit /etc/redis.conf to add bind example-redis-1.example.0001.euw1.cache.amazonaws.com but even then the error remains the same.

Farmi
  • Are you connecting from inside your ElastiCache's VPC? – Matt Houser Nov 25 '15 at 14:28
  • No, this is another server with another hosting provider from where I am trying to connect. All I need is to connect remotely to my Redis and clear the cache. – Farmi Nov 25 '15 at 14:29

5 Answers

11

ElastiCache clusters can only be accessed directly from within the VPC in which they reside. This is because ElastiCache is not a secured service.

In order to connect to your ElastiCache remotely, you need to go through a bastion server or a NAT. AWS has created instructions here:

http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/Access.Outside.html

To use a bastion, you would SSH into your bastion EC2 instance that resides in your VPC. Once connected, you can tunnel your ElastiCache connection from your PC, or you can connect to your cache from your bastion's command prompt.

Matt Houser
7

Step 1:

ssh -f -N -L6379:<your redis node endpoint>:6379 <your EC2 node that you use to connect to redis>

Example : ssh -f -N -L6379:redis.aps1.cache.amazonaws.com:6379 ubuntu@58.12.73.10

Step 2:

redis-cli -h 127.0.0.1 -p 6379
anuj pradhan
  • Thanks a lot I was able to connect local redis gui server to my amazon elastic cache and was able to check all the things. Today it is the relevant answer. – wui Feb 11 '19 at 17:59
  • What if I need to connect to redis endpoint through 2 bastion hosts? – Searge Sep 15 '21 at 09:40
1

The reason you are not able to connect to ElastiCache nodes is that the DNS name or the endpoint only resolves to the IPs belonging to the VPC CIDR (not Public or Elastic IPs). As these IPs are not publicly routable, the connection cannot be established over the internet.

You need a way to establish a route over to the internet to be able to access the node. This can be done by means of VPN or using NAT settings as told by @"Matt Houser"

I did not try the ssh tunnelling but it should work too. However, I am uncertain about Encryption-In-Transit's behaviour in this case so need to try out.

DaiCode-1523
0

You can also spin up OpenVPN Access server in that VPC. More information can be found in Using a VPN Server to connect to your AWS article

0

The simplest way to trace the issue and fix it.
1. Are you able to telnet to the Redis instance on port 6379?
2. If not, check security groups inbound.
3. If yes, check if you have encryption at rest and encryption in transit checked during Redis setup.
4. If so, redis-cli won't work on SSL, you need to have stunnel set up.

Follow the below guide from AWS to set up stunnel and connect to your Redis instance.

https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html#connect-tls

kenlukas
Prashanth
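
Added example, not part of any answer above: a small Python check that combines the points made in the answers (the endpoint name resolving only to VPC-internal addresses, the telnet-style port test, and the in-transit encryption check). The result labels and the sample address 10.0.1.25 are constructed for illustration.

```python
import ipaddress
import socket
import sys

PORT = 6379  # Redis port used throughout the page


def resolve(host, port=PORT):
    """Return the sorted set of addresses the endpoint name resolves to."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def probe(ip, port=PORT, timeout=3.0):
    """TCP connect test (the 'telnet' step): 'open', 'refused' or 'unreachable'."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeouts, no route, network unreachable
        return "unreachable"


def diagnose(results):
    """Map {ip: probe result} to the next step suggested in the answers."""
    if not results:
        return "no-address"
    if any(state == "open" for state in results.values()):
        # TCP works; a failing redis-cli now points at in-transit encryption.
        return "tcp-ok-check-tls"
    if all(ipaddress.ip_address(ip).is_private for ip in results):
        # Non-global addresses (e.g. the VPC CIDR): not routable from outside.
        return "private-endpoint-use-bastion-or-vpn"
    return "check-security-group"


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check against a real endpoint name
        results = {ip: probe(ip) for ip in resolve(sys.argv[1])}
    else:  # constructed sample: endpoint resolving to a VPC-internal address
        results = {"10.0.1.25": "refused"}
    print(results, "->", diagnose(results))
```

Run it with the cache endpoint name as the only argument from the machine that fails to connect; without an argument it evaluates the constructed sample.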