Why does port 6379 need to be opened on the security group for elasticache?
[the ElastiCache server] has security group(s) assigned, in my case just
cache-access
Security groups apply to ElastiCache servers just like they do to EC2 servers (they're EC2 under the hood, even).
Port 6379 doesn't need to be open for the EC2 servers, but it does need to be open for the Redis server. You could put the cache or EC2 servers in separate security groups if you'd prefer to keep their firewall rules separate.
Related videos on Youtube
AJcodez
Updated on September 18, 2022Comments
-
AJcodez over 1 year
I made a redis cluster and created a new security group called
cache-access
. If I ssh into an ec2 server and try to access a cache node, it works if two conditions are met:- ec2 server belongs to
cache-access
security group cache-access
security group opens inbound 6379 port
It makes sense to me to whitelist ec2 access via security group (
#1
), considering a group may need to scale up or down, so whitelisting ip addresses wouldn't work.It doesn't make sense why I need to open the port (
#2
). The ec2 instance is not runningredis-server
. The elasticache servers are the ones listening on 6379.Why does the ec2 security group need the 6379 port open to work?
-
ceejayoz almost 9 yearsWhat security group does the cache node belong to?
-
AJcodez almost 9 yearsIt's in vpn, so it doesn't have a cache security group, it has security group(s) assigned, in my case just
cache-access
. -
ceejayoz almost 9 yearsWell, that's why.
-
AJcodez almost 9 yearsI see it now. It still doesn't make sense to me to have a sg for elasticache at all tho. What other port would i want open for a managed redis cluster? Like i'm not gonna host my mom's friend's website on 8080 on a managed redis cluster. Whatever.
-
ceejayoz almost 9 yearsElastiCache has security groups because just like any other set of servers you might want to limit who has access to it. You might be running several apps in your AWS account and only want to let one app's servers access the cache. You might want to limit access just to a PHP tier and not let your database tier have access.
-
AJcodez almost 9 yearsYeah i get that aspect, i thought the sg was just to whitelist access, not also apply port configurations.
- ec2 server belongs to
-
AJcodez almost 9 yearsThank you. It didn't occur to me the security group applied to the elasticache servers beyond granting access to ec2 instances.