Amazon ElastiCache
User Guide (API Version 2015-02-02)

Step 4: Authorize Access

This section assumes that you are familiar with launching and connecting to Amazon EC2 instances. For more information, go to the Amazon EC2 Getting Started Guide.

All ElastiCache clusters are designed to be accessed from an Amazon EC2 instance. A cluster and its related EC2 instance must be in the same Amazon Virtual Private Cloud (Amazon VPC). If you must access an ElastiCache cluster from somewhere other than an EC2 instance in the same VPC, as a workaround you can set up one or more EC2 hosts inside the cache's VPC to act as a proxy for the outside world. Setting up a host adds an extra network hop or extra Secure Sockets Layer (SSL) overhead and cost, or both. However, those costs are small for many use cases. You must grant the proxy EC2 instance access to your cluster. For information on accessing your ElastiCache resources from outside AWS, go to Accessing ElastiCache Resources from Outside AWS.

By default, network access to your cluster is limited to the user account that was used to launch it. Before you can connect to a cluster from an EC2 instance, you must authorize the EC2 instance to access the cluster. The steps required depend upon whether you launched your cluster into an Amazon VPC environment.

Before you continue, determine whether you launched your cluster into EC2-VPC or EC2-Classic.

To determine whether you launched your cluster into EC2-VPC or EC2-Classic using the AWS Management Console

  1. Sign in to the AWS Management Console and open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Locate Supported Platforms in the upper-right corner.

    Under Supported Platforms, you will see either only VPC or both EC2 and VPC.

    If you see only VPC, continue at You Launched Your Cluster into EC2-VPC.

    If you see both EC2 and VPC, continue at You Launched Your Cluster into EC2-Classic.

For more information, see Detecting Your Supported Platforms and Whether You Have a Default VPC.

To determine whether you launched your cluster into EC2-VPC or EC2-Classic using the AWS Command Line Interface (AWS CLI)

  1. Open a command window.

  2. At the command prompt, run the following command.

    aws ec2 describe-account-attributes

    If you see only VPC in the output, continue at You Launched Your Cluster into EC2-VPC.

    If you see both EC2 and VPC in the output, continue at You Launched Your Cluster into EC2-Classic.

You Launched Your Cluster into EC2-VPC

If you launched your cluster into an Amazon Virtual Private Cloud (Amazon VPC), you can connect to your ElastiCache cluster only from an Amazon EC2 instance that is running in the same Amazon VPC. In this case, you will need to grant network ingress to the cluster.

Caution

Opening up the ElastiCache cluster to 0.0.0.0/0 (step 4, substep 5, in the procedure below) does not expose the cluster to the Internet because it has no public IP address and therefore cannot be accessed from outside the VPC. However, the default security group may be applied to other Amazon EC2 instances in the customer’s account, and those instances may have a public IP address. If they happen to be running something on port 6379, then that service could be exposed unintentionally. Therefore, we recommend creating a VPC Security Group that will be used exclusively by ElastiCache. For more information, see Custom Security Groups.

To grant network ingress from an Amazon VPC security group to a cluster

  1. Sign in to the AWS Management Console and open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the left navigation pane, under Network & Security, select Security Groups.

  3. In the list of security groups, select the security group for your Amazon VPC. Unless you created a security group for ElastiCache use, this security group will be named default.

  4. Select the Inbound tab, and then do the following:

    1. Select Edit.

    2. Select Add rule.

    3. In the Type column, select Custom TCP rule.

    4. In the Port range box, type the port number for your cluster node. This number must be the same one that you specified when you launched the cluster. The default ports are as follows:

      • Memcached: port 11211

      • Redis: port 6379

    5. In the Source box, select Anywhere, which sets the source address range to 0.0.0.0/0, so that any Amazon EC2 instance that you launch within your Amazon VPC can connect to your ElastiCache nodes.

    6. Select Save.

When you launch an Amazon EC2 instance into your Amazon VPC, that instance will be able to connect to your ElastiCache cluster.
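The condition described in the Caution above can be checked from the JSON that `aws ec2 describe-security-groups` returns. The following Python is an added example, not part of the AWS guide: it reports every security group whose inbound rules open a default cache port to 0.0.0.0/0, and it goes slightly beyond the single-port rule in the procedure by also treating all-traffic rules (`IpProtocol` of `-1`) as covering those ports. The sample data is constructed, and the group IDs and names are placeholders.

```python
import json

# Default ElastiCache ports named in the procedure above.
CACHE_PORTS = {11211: "Memcached", 6379: "Redis"}
ANYWHERE = "0.0.0.0/0"

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`.
# Group IDs and names are placeholders, not real resources.
SAMPLE = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-EXAMPLE1", "GroupName": "default", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
 {"GroupId": "sg-EXAMPLE2", "GroupName": "elasticache-only", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379, "IpRanges": [],
    "UserIdGroupPairs": [{"GroupId": "sg-EXAMPLE3"}]}]},
 {"GroupId": "sg-EXAMPLE3", "GroupName": "app-servers", "IpPermissions": [
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]}""")


def covers(rule, port):
    """True if an inbound rule applies to the given TCP port."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def open_cache_rules(doc):
    """Return (group id, group name, port, engine) per cache port open to 0.0.0.0/0."""
    findings = []
    for group in doc.get("SecurityGroups", []):
        for rule in group.get("IpPermissions", []):
            cidrs = {r.get("CidrIp") for r in rule.get("IpRanges", [])}
            if ANYWHERE not in cidrs:
                continue
            for port, engine in sorted(CACHE_PORTS.items()):
                if covers(rule, port):
                    findings.append((group["GroupId"], group["GroupName"], port, engine))
    return findings


if __name__ == "__main__":
    for gid, name, port, engine in open_cache_rules(SAMPLE):
        print(f"{gid} ({name}): {engine} port {port} open to {ANYWHERE}")
```

The `elasticache-only` group in the sample is not reported because its rule names another security group as the source instead of an address range.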

You Launched Your Cluster into EC2-Classic

If you launched your cluster into EC2-Classic, to allow an Amazon EC2 instance to access your cluster you will need to grant the Amazon EC2 security group associated with the instance access to your cache security group.

To grant an Amazon EC2 security group access to a cluster

  1. Sign in to the AWS Management Console and open the ElastiCache console at https://console.aws.amazon.com/elasticache/.

  2. From the left navigation pane, select Cache Security Groups.

    A list of cache security groups appears.

  3. Select the default security group.

  4. From the list at the bottom of the screen, select the EC2 Security Group Name you want to authorize.

  5. Select Add to authorize access.

    Amazon EC2 instances that are associated with the security group are now authorized to connect to your ElastiCache cluster.

To revoke a security group's access, locate the security group in the list of authorized security groups, and then select Remove.