Can you connect to Amazon ElastiСache Redis outside of Amazon?
Solution 1
Update 2018
The previous answer was accurate when written, however it is now possible with some configuration to access redis cache from outside using the directions according to Accessing ElastiCache Resources from Outside AWS
Old Answer
No, you can't without resorting to 'tricks' such as a tunnel, which maybe OK for testing but will kill any real benefit of using a super-fast cache with the added latency/overhead.
The Old FAQ under How is using Amazon ElastiCache inside a VPC different from using it outside?:
An Amazon ElastiCache Cluster, inside or outside a VPC, is never allowed to be accessed from the Internet
However, this language has been removed in the current faq
Solution 2
SSH port forwarding should do the trick. Try running this from you client.
ssh -f -N -L 6379:<your redis node endpoint>:6379 <your EC2 node that you use to connect to redis>
Then from your client
redis-cli -h 127.0.0.1 -p 6379
It works for me.
Please note that default port for redis is 6379 not 6739. And also make sure you allow the security group of the EC2 node that you are using to connect to your redis instance into your Cache security group.
Also, AWS now supports accessing your cluster more info here
Solution 3
These answers are out of date.
You can access elastic-cache outside of AWS by following these steps:
- Create a NAT instance in the same VPC as your cache cluster but in a public subnet.
- Create security group rules for the cache cluster and NAT instance.
- Validate the rules.
- Add an iptables rule to the NAT instance.
- Confirm that the trusted client is able to connect to the cluster.
- Save the iptables configuration.
For a more detailed description see the aws guide:
Solution 4
Not so old question, I ran to the same issue myself and solved it:
Sometimes, for developing reasons you need to access from outside (to avoid multi-deployments just for a simple bug-fix maybe?)
Amazon have published a new guide that uses the EC2 as proxies for the outside world:
Good luck!
Solution 5
BTW if anyone wants a windows EC2 solution, try these at the DOS prompt (on said windows EC2 machine):
To Add port-forwarding
C:\Users\Administrator>netsh interface portproxy add v4tov4 listenport=6379 listenaddress=10.xxx.64.xxx connectport=6379 connectaddress=xxx.xxxxxx.ng.0001.use1.cache.amazonaws.com
To list port-forwarded ports
C:\Users\Administrator>netsh interface portproxy show all
Listen on ipv4: Connect to ipv4:
Address Port Address Port
10.xxx.128.xxx 6379 xxx.xxxxx.ng.0001.use1.cache.amazonaws.com 6379
To remove port-forwarding
C:\Users\Administrator>netsh interface portproxy delete v4tov4 listenport=6379 listenaddress=10.xxx.128.xxx
Related videos on Youtube
10 : 38
02 : 31
15 : 50
22 : 07
03 : 50
09 : 28
48 : 51
09 : 15
26 : 44
Loic Duros
Updated on January 29, 2021Comments
-
Loic Duros over 3 years
I'm able to connect to an ElastiCache Redis instance in a VPC from EC2 instances. But I would like to know if there is a way to connect to an ElastiCache Redis node outside of Amazon EC2 instances, such as from my local dev setup or VPS instances provided by other vendors.
Currently when trying from my local set up:
redis-cli -h my-node-endpoint -p 6379I only get a timeout after some time.
-
Loic Duros about 10 yearsThanks for pointing out the port, just a typo. So, are you saying that SSH tunneling through EC2 is the only way to gain access to an elasticache node outside Amazon? Thanks,
-
Rico about 10 yearsThat's correct just like @E.J.Brennan mentioned in the other answer.
-
metalaureate over 9 yearsIs this still the case? The docs no longer say this - they claim redis is governed by standard security group policies, but I still can't get access to my redis node despite that. Strike that. Ref just moved: Amazon ElastiCache Nodes, deployed within a VPC, can never be accessed from the Internet or from EC2 Instances outside the VPC.
-
russellpierce over 8 yearsFor reference the approach Amazon mentions is a NAT instance. -
sming almost 8 yearsI feel that 'kill' is a bit strong. For instance we get no appreciable performance hit when running our apps outside of AWS (via such a tunnel). The tunnel's overheads are minuscule compared to DB operations, browser load, disk I/O and so on.
-
teddychan over 7 yearsupdate for node.js, now ioredis support DNS fail over. If you use the DNS hostname, it can be auto fail over without HAProxy.
-
Jason Jones over 7 yearsFYI, from the docs: "This approach should be used for testing and development purposes only. It is not recommended for production use" -
Shay Elkayam over 7 yearsYes, that's true @jasonjonesutah I have also mentioned this in my answer. A very bad idea for production but excellent for development. -
CenterOrbit about 6 years
-
Pysis almost 5 yearsI don't want a NAT instance, I want to check on it for a minute. Rico's answer is exactly what I wanted.
-
abby37 over 4 yearsYou gave the same answer in below mentioned post too, which have different requirement. How it can work in the given scenario also ?? stackoverflow.com/questions/38066908/…
-
Muthukumar K almost 4 yearsHow we can revoke ssh port forwarding...? -
Rico almost 4 yearsyou can kill the ssh process. On Linux:
kill -9 <pid> -
Sourabh about 3 yearsthis is not accessible. Could you add details here about stunnel ?
-
lele over 2 yearshow would the NAT allow access from the outside? the documentation specifies the following "Opening up the ElastiCache cluster to 0.0.0.0/0 does not expose the cluster to the Internet because it has no public IP address and therefore cannot be accessed from outside the VPC" Is there a way to allow this via NAT??
