How to gain access to Serverless Elasticache Redis from Firewalled VPC


I have been able to run an elasticache cluster within the Subnets of our VPC, using a security group that allowlists consuming lambdas. The security group allows 6379 and 6380 for members of the allowlist security group. The Lambdas have the allowlist security group attached.

This worked fine.

But, when we moved to serverless elasticache, the lambdas time out when trying to reach redis.

As far as I can tell, the ElastiCache VPC endpoints are created correctly and the allowlisting security group is attached to them fine. However, I get the impression that the actual Redis workers run outside of our VPC. Are they not run on the Caspian platform in a separate VPC, with the VPC endpoints essentially being smart proxies to that other VPC?

So, perhaps the firewall on our VPC, which only allows well known outbound traffic, is preventing connection to the actual redis nodes. If this is the case, where are they running, so I can allowlist them in our firewall rules?

Or, are there any other reasons why our Lambdas might not be able to access serverless redis?

  • The root cause for this was that we didn't connect to the serverless redis enforcing TLS/SSL. Without SSL, the connection just times out.

1 Answer

Hello.

I tried connecting to ElastiCache Redis Serverless from Lambda in my environment.
As a result, the connection was successful.
I used the following code for confirmation.

import redis

# Create the client once, outside the handler, so it is reused across invocations.
# ssl=True enables TLS; ElastiCache Serverless only accepts TLS connections,
# and a plaintext client simply times out.
redis_client = redis.RedisCluster(
    host='redis.serverless.apne1.cache.amazonaws.com',
    ssl=True
)

def lambda_handler(event, context):
    # PING returns True when the cluster is reachable over the VPC.
    print(redis_client.ping())

  1. I connected Lambda to the same VPC as Elasticache.
  2. I allowed the security group from Lambda in the security group inbound rule I configured on Elasticache.
    2.1. The inbound rule is set to allow port "6379".

So, why not try checking the connection using the above code?

answered 2 months ago
  • I think I'm beyond that stage. I have the setup you describe, and it works with non-serverless Redis. I can even see traffic on the VPC endpoint that serverless redis adds to our VPC. My current theory is that the outbound connection from our VPC to the actual Redis VPC isn't possible.

  • The ssl=true is the important bit here. The connection we were using didn't enforce TLS, and thus hit the timeout.
