Rationale
ElastiCache for Redis clusters are commonly created with both in-transit and at-rest encryption enabled. At-rest encryption is invisible to clients, but in-transit encryption means the endpoint only speaks TLS, so a client without TLS support (for example redis-cli from Redis releases before 6.0, or one built without TLS) cannot connect to it directly. The workaround below puts a TLS proxy (stunnel) next to the cluster and reaches it through SSM, so no Redis port has to be opened to the outside.
Solution Summary
[https://aws.amazon.com/premiumsupport/knowledge-center/elasticache-connect-redis-node/]
Two parts
- Deploy an EC2 instance in the same VPC as the cluster (or reuse the app server) and run stunnel on it as a local TLS proxy to Redis; then use SSM Session Manager to get a shell on the instance and run redis-cli there against 127.0.0.1.
- Use SSM port forwarding to forward the two stunnel ports (primary and replica) from the EC2 instance to localhost on the laptop, and connect with a desktop client.
Steps
- Pick the EC2 instance to use (here the app server). No SSH keypair is needed, since all access goes through SSM; the instance does need the SSM agent and an instance profile that allows Session Manager:
INSTANCE_NAME=demo-app
- Find the instance ID of the running instance with that Name tag
INSTANCE_ID=$(aws ec2 describe-instances \
--filter "Name=tag:Name,Values=${INSTANCE_NAME}" \
--query "Reservations[].Instances[?State.Name == 'running'].InstanceId[]" \
--output text)
- Open a shell on the EC2 instance to test connectivity
aws ssm start-session --target "${INSTANCE_ID}"
# -----------------------
# On the EC2
# -----------------------
- Test that the EC2 instance can reach the Redis endpoint on 6379 (this only proves the security group allows the TCP connection; the TLS handshake is done by stunnel in the next step)
curl -v telnet://master.demo.cache.amazonaws.com:6379
- Set up stunnel as described in
[https://aws.amazon.com/premiumsupport/knowledge-center/elasticache-connect-redis-node/]
- Install stunnel on the EC2 instance
sudo yum install -y stunnel
- Create /etc/stunnel/redis-cli.conf with one client section per endpoint (primary on 6379, replica on 6380)
cat /etc/stunnel/redis-cli.conf
fips = no
setuid = root
setgid = root
pid = /var/run/stunnel.pid
debug = 7
options = NO_SSLv2
options = NO_SSLv3
[redis-cli]
client = yes
accept = 127.0.0.1:6379
connect = master.demo.cache.amazonaws.com:6379
[redis-cli-slave]
client = yes
accept = 127.0.0.1:6380
connect = demo.app.cache.amazonaws.com:6379
- Run stunnel (as root, because the config sets setuid/setgid = root). Note that this config has no CAfile/verify settings, so stunnel does not verify the server certificate; that is acceptable for a throwaway test box, not for anything that stays around.
sudo stunnel /etc/stunnel/redis-cli.conf
- Check that it is listening on 127.0.0.1:6379 and 127.0.0.1:6380 (sudo is needed for netstat -p to show the process name of a root-owned socket)
sudo netstat -tulnp | grep -i stunnel
exit
# -----------------------
# Back on the laptop
# -----------------------
- Create two port-forwarding sessions to the stunnel listeners (each command blocks while its tunnel is open, so run them in two terminals)
aws ssm start-session --target $INSTANCE_ID \
--document-name AWS-StartPortForwardingSession \
--parameters '{"portNumber":["6379"],"localPortNumber":["6379"]}'
aws ssm start-session --target $INSTANCE_ID \
--document-name AWS-StartPortForwardingSession \
--parameters '{"portNumber":["6380"],"localPortNumber":["6380"]}'
- Now test from the laptop. The value after -a is the cluster's AUTH token (the one shown is a placeholder); passing it with -a leaves it in shell history and in ps output, and redis-cli warns about this, so for anything beyond a one-off test export it as REDISCLI_AUTH instead.
redis-cli -h localhost -p 6379 -a eNdU35somebigpasswordXpvD ping
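The whole procedure above, wrapped into one helper script. This is an added example, not code from the original post or from AWS: run `sudo sh redis-tunnel.sh ec2 <primary-host> <reader-host>` on the EC2 instance to write the stunnel config and start it, and `sh redis-tunnel.sh laptop <instance-name>` on the laptop to open both SSM port forwards and ping through them. The config it generates differs from the minimal one above in that it pins the OS CA bundle and turns on certificate and hostname verification, so a spoofed endpoint is rejected, and it does not run stunnel as root. The CA bundle path (assumed Amazon Linux), the config path, and all hostnames are assumptions; `checkHost` needs stunnel 5.x and should be dropped on an old 4.x build.

```shell
#!/bin/sh
# Added example (not the original post's code). Helper for the stunnel + SSM
# procedure. The functions are side-effect free until "main" runs.
set -eu

CONF=${CONF:-/etc/stunnel/redis-cli.conf}                  # assumed location
CA_BUNDLE=${CA_BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}   # assumed Amazon Linux path

# Emit a stunnel client config for a primary and a reader endpoint.
# Pins the CA bundle, requires chain verification (verify = 2) and matches the
# certificate against the endpoint name (checkHost), and allows only TLS 1.2.
stunnel_conf() {  # stunnel_conf <primary-host> <reader-host> [ca-file]
  primary=$1; reader=$2; cafile=${3:-$CA_BUNDLE}
  cat <<EOF
fips = no
pid = /tmp/stunnel-redis.pid
debug = 4
sslVersion = TLSv1.2
options = NO_SSLv2
options = NO_SSLv3
CAfile = ${cafile}
verify = 2

[redis-primary]
client = yes
accept = 127.0.0.1:6379
connect = ${primary}:6379
checkHost = ${primary}

[redis-reader]
client = yes
accept = 127.0.0.1:6380
connect = ${reader}:6379
checkHost = ${reader}
EOF
}

# Parameters document for AWS-StartPortForwardingSession.
ssm_forward_params() {  # ssm_forward_params <remote-port> <local-port>
  printf '{"portNumber":["%s"],"localPortNumber":["%s"]}\n' "$1" "$2"
}

# Resolve a running instance by its Name tag (same query as in the steps).
find_instance_id() {  # find_instance_id <name-tag>
  aws ec2 describe-instances \
    --filter "Name=tag:Name,Values=$1" \
    --query "Reservations[].Instances[?State.Name == 'running'].InstanceId[]" \
    --output text
}

# Open one SSM port forward in the background and print its PID.
forward() {  # forward <instance-id> <remote-port> <local-port>
  aws ssm start-session --target "$1" \
    --document-name AWS-StartPortForwardingSession \
    --parameters "$(ssm_forward_params "$2" "$3")" &
  echo $!
}

# Authenticate through REDISCLI_AUTH rather than -a, so the AUTH token stays
# out of shell history and ps output. REDIS_AUTH must be set by the caller.
redis_ping() {  # redis_ping <local-port>
  REDISCLI_AUTH="${REDIS_AUTH:?set REDIS_AUTH to the cluster AUTH token}" \
    redis-cli -h 127.0.0.1 -p "$1" ping
}

main() {
  case "${1:-}" in
    ec2)    stunnel_conf "$2" "$3" > "$CONF"
            stunnel "$CONF"
            ss -tlnp | grep -E '127\.0\.0\.1:(6379|6380) ' ;;   # fails if not listening
    laptop) id=$(find_instance_id "$2")
            forward "$id" 6379 6379; forward "$id" 6380 6380
            sleep 5; redis_ping 6379; redis_ping 6380
            wait ;;                                              # keep tunnels open
    *)      echo "usage: $0 ec2 <primary-host> <reader-host> | laptop <instance-name>" >&2
            exit 2 ;;
  esac
}

# Only act when invoked with a mode; otherwise the file can be sourced.
case "${1:-}" in ec2|laptop) main "$@" ;; esac
```

In `laptop` mode the script needs `REDIS_AUTH` exported beforehand; the `ss` check at the end of `ec2` mode makes the script fail loudly if stunnel did not come up, which is the failure mode you hit when the config has a typo or the port is already taken.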