Connect remotely to ElastiCache - Redis

ssh amazon-web-services redis amazon-elasticache

We are using ElastiCache - Redis for our site, we need to flush the Redis cache and when I try to connect to my ElastiCache - Redis remotely by this command from any PC

redis-cli -h example-redis-1.example.0001.euw1.cache.amazonaws.com -p 6379

It always says:

Could not connect to Redis at example-redis-1.example.0001.euw1.cache.amazonaws.com:6379: Connection refused not connected>

I have made sure that inbound rule allows 6379 from any IP and also tried to edit /etc/redis.conf to add bind example-redis-1.example.0001.euw1.cache.amazonaws.com but even than the error remains the same.


Solution 1:

ElastiCache clusters can only be accessed directly from within the VPC in which it resides. This is because ElastiCache is not a secured service.

In order to connect to your ElastiCache remotely, you need to go through a bastion server or a NAT. AWS has created instructions here:

http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/Access.Outside.html

To use a bastion, you would SSH into your bastion EC2 instance that resides in your VPC. Once connected, you can tunnel your ElastiCache connection from your PC, or you can connect to your cache from your bastion's command prompt.

Solution 2:

Step 1:

ssh -f -N -L6379:<your redis node endpoint>:6379 <your EC2 node that you use to connect to redis>

Example : ssh -f -N -L6379:redis.aps1.cache.amazonaws.com:6379 [email protected]

Step 2: 

redis-cli -h 127.0.0.1 -p 6379

Solution 3:

The reason you are not able to connect to Elasticache nodes is that the DNS name or the endpoint only resolves to the IPs belonging to the VPC CIDR (not Public or Elastic IPs). As these IPs are not publically routable, the connection cannot be established over the internet.

You need a way to establish a route over to the internet to be able to access the node. This can be done by means of VPN or using NAT settings as told by @"Matt Houser"

I did not try the ssh tunnelling but it should work too. However, I am uncertain about Encryption-In-Transit's behaviour in this case so need to try out.

Related

New UPS Batteries Dying in Months
How to send captured packets to a different destination?
Size Limit of /etc/hosts (Linux)
docker, alpine, and matplotlib
How to copy all childs except one in Ansible?
What is the systemd-networkd equivalent of post-up? (dynamic bridge MAC configuration)
Install AWS SSL Certificate to EC2 instance without load balancer
How do I install an app from Windows Store using Powershell
Windows scheduled task fails to complete with error code 0xc000013a
Is there a distinction between 64 bit and 32 bit regedit?
this.Visible is not working in Windows Forms
Cause of Servlet's 'Response Already Committed' [duplicate]