
Question: How Can I Make My ElastiCache Redis Publicly Available?

Answer

Amazon ElastiCache for Redis is designed for use within a Virtual Private Cloud (VPC) and is not meant to be accessed publicly by default. However, you can make your ElastiCache Redis cluster publicly accessible by following these steps:

Create a new subnet group - Create a new cache subnet group with the desired subnets in your VPC. This will allow your Redis cluster to reside within this subnet group.

aws elasticache create-cache-subnet-group \
    --cache-subnet-group-name <subnet_group_name> \
    --cache-subnet-group-description "Private Subnet Group" \
    --subnet-ids <comma_separated_subnet_ids>

Create a new security group - Create a new security group that allows inbound traffic from the desired IP addresses to the Redis port (default 6379).

aws ec2 create-security-group \
    --group-name <security_group_name> \
    --description "Security group for public access to Redis"

aws ec2 authorize-security-group-ingress \
    --group-id <security_group_id> \
    --protocol tcp \
    --port 6379 \
    --cidr <source_ip_range>

Replace <source_ip_range> with the desired IP range (e.g., 0.0.0.0/0 for open access).

Create the Redis cluster - Create a new ElastiCache Redis cluster using the previously created subnet group and security group.

aws elasticache create-cache-cluster \
    --cache-cluster-id <cluster_id> \
    --engine "redis" \
    --cache-node-type <cache_node_type> \
    --num-cache-nodes 1 \
    --cache-subnet-group-name <subnet_group_name> \
    --security-group-ids <comma_separated_security_group_ids> \
    --engine-version <redis_engine_version>

Set Up a NAT Instance with Port Forwarding - Since a NAT Gateway is not suitable for this task, set up a NAT instance that handles port forwarding for your Redis cluster.

  1. Launch a NAT Instance: Follow AWS documentation to launch a NAT instance in your VPC. Ensure it is placed in a public subnet with an Elastic IP assigned.

  2. Configure Port Forwarding: SSH into the NAT instance and configure iptables to forward traffic from the NAT instance's public IP on port 6379 to your Redis cluster.

    sudo iptables -t nat -A PREROUTING -p tcp --dport 6379 -j DNAT --to-destination <private_redis_ip>:6379
    sudo iptables -t nat -A POSTROUTING -p tcp -d <private_redis_ip> --dport 6379 -j MASQUERADE

  3. Enable IP Forwarding: Ensure IP forwarding is enabled on the NAT instance.

    sudo sysctl -w net.ipv4.ip_forward=1

Update routing table - Update the routing table associated with your private subnet to route traffic through the NAT instance.

aws ec2 create-route \
    --route-table-id <route_table_id> \
    --destination-cidr-block 0.0.0.0/0 \
    --instance-id <nat_instance_id>

Please note that making your ElastiCache Redis cluster publicly accessible may expose it to security risks. Restrict <source_ip_range> to the addresses that actually need access rather than 0.0.0.0/0, so the security group acts as a whitelist that limits exposure. Make sure to enforce strong authentication and encryption mechanisms for connections to your cluster.
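As an added check that is not part of the original answer, the following script audits the JSON returned by `aws ec2 describe-security-groups` and reports any rule that exposes the Redis port to the whole internet (0.0.0.0/0 or ::/0). The sample input is constructed and the group id is a placeholder; the JSON shape is the one the AWS CLI emits.

```python
import ipaddress
import json

# Redis port opened by the security-group step above.
REDIS_PORT = 6379

# Constructed sample shaped like `aws ec2 describe-security-groups` output
# (placeholder group id, not a real account). Rule 1 is a narrow whitelist,
# rule 2 is the "open access" setting, rule 3 is all-traffic from a private range.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-0123456789abcdef0",
        "GroupName": "redis-public-access",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    }]
})


def rule_covers_port(rule: dict, port: int) -> bool:
    """True if an IpPermissions entry reaches `port` (TCP range or all-traffic rule)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # all protocols/ports; AWS omits FromPort/ToPort here
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def open_to_internet(describe_json: str, port: int = REDIS_PORT) -> list:
    """Return (group_id, cidr) pairs where `port` is reachable from any address."""
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            if not rule_covers_port(rule, port):
                continue
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                # Prefix length 0 means "every address" in both IPv4 and IPv6.
                if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                    findings.append((sg["GroupId"], cidr))
    return findings


if __name__ == "__main__":
    for group_id, cidr in open_to_internet(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{group_id}: port {REDIS_PORT} open to {cidr}")
```

Pipe real output in with `aws ec2 describe-security-groups --group-ids <security_group_id>` and pass it to `open_to_internet` to confirm the whitelist is in place before the cluster goes live.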
