Why does port 6379 need to be opened on the security group for elasticache

Tags: amazon-ec2, amazon-elasticache, amazon-vpc, amazon-web-services

I made a redis cluster and created a new security group called cache-access. If I ssh into an ec2 server and try to access a cache node, it works if two conditions are met:

  1. ec2 server belongs to cache-access security group
  2. cache-access security group opens inbound 6379 port

It makes sense to me to whitelist EC2 access via security group (#1), considering a group may need to scale up or down, so whitelisting IP addresses wouldn't work.

It doesn't make sense why I need to open the port (#2). The ec2 instance is not running redis-server. The elasticache servers are the ones listening on 6379.

Why does the ec2 security group need the 6379 port open to work?

Best Answer

[the ElastiCache server] has security group(s) assigned, in my case just cache-access

Security groups apply to ElastiCache servers just like they do to EC2 servers (they're EC2 under the hood, even).

Port 6379 doesn't need to be open for the EC2 servers, but it does need to be open for the Redis server. You could put the cache or EC2 servers in separate security groups if you'd prefer to keep their firewall rules separate.
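The rule the answer describes, as an added, runnable model that is not part of the original question or answer: a small offline simulation of how EC2 security groups are evaluated. Inbound rules are checked only on the groups attached to the destination ENI (here, the ElastiCache node), they are allow-only and stateful, and a rule whose source is another security group matches any ENI carrying that group regardless of its IP address. The group names, IDs (sg-0app, sg-0cache, and so on) and addresses are constructed for the example; the evaluator is a simplification of the real service (no egress rules, no NACLs, no ICMP codes).

```python
"""Added example (not from the original Q&A): an offline model of EC2
security-group evaluation, used to show why the inbound tcp/6379 rule
has to sit on a group attached to the cache node, and why a rule on a
group attached only to the EC2 instance does nothing for this flow."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Rule:
    protocol: str   # "tcp", "udp", or "-1" for all protocols
    from_port: int
    to_port: int
    source: str     # a security-group id ("sg-...") or a CIDR ("10.0.0.0/8")


@dataclass
class SecurityGroup:
    sg_id: str
    name: str
    ingress: list = field(default_factory=list)


@dataclass
class Host:
    name: str
    private_ip: str
    groups: list    # SecurityGroup objects attached to this host's ENI


def rule_matches(rule: Rule, src: Host, protocol: str, port: int) -> bool:
    if rule.protocol not in (protocol, "-1"):
        return False
    if not (rule.from_port <= port <= rule.to_port):
        return False
    if rule.source.startswith("sg-"):
        # Group reference: matches any ENI that carries that group, whatever
        # its IP. This is what makes the rule survive scaling up or down.
        return any(g.sg_id == rule.source for g in src.groups)
    return ipaddress.ip_address(src.private_ip) in ipaddress.ip_network(rule.source)


def connection_allowed(src: Host, dst: Host, protocol: str, port: int) -> bool:
    """Allow-only and stateful: the connection is permitted if any inbound
    rule on any group attached to the *destination* matches. Groups on the
    source are never consulted for the inbound direction."""
    return any(rule_matches(r, src, protocol, port)
               for g in dst.groups for r in g.ingress)


def question_layout() -> dict:
    """The question's setup: one group, cache-access, on both the EC2
    instance and the cache node (ids are made up for the example)."""
    cache_access = SecurityGroup("sg-0cacheaccess", "cache-access")
    ec2 = Host("app-1", "10.0.1.10", [cache_access])
    node = Host("redis-node", "10.0.2.20", [cache_access])
    results = {"no_rule": connection_allowed(ec2, node, "tcp", 6379)}
    # Condition #2 from the question: open 6379 inbound from the group itself.
    cache_access.ingress.append(Rule("tcp", 6379, 6379, cache_access.sg_id))
    results["rule_on_shared_group"] = connection_allowed(ec2, node, "tcp", 6379)
    # The same rule on a group attached only to the EC2 instance has no
    # effect, because inbound rules live on the destination's groups.
    ec2_only = SecurityGroup("sg-0ec2only", "ec2-only",
                             [Rule("tcp", 6379, 6379, cache_access.sg_id)])
    bare_node = Host("redis-node-2", "10.0.2.21", [SecurityGroup("sg-0bare", "bare")])
    results["rule_only_on_ec2"] = connection_allowed(
        Host("app-2", "10.0.1.11", [ec2_only]), bare_node, "tcp", 6379)
    return results


def separate_groups_layout() -> dict:
    """The layout the answer suggests: app-sg on the instances, cache-sg on
    the cache node, and cache-sg admitting tcp/6379 from app-sg by reference."""
    app_sg = SecurityGroup("sg-0app", "app-sg")
    cache_sg = SecurityGroup("sg-0cache", "cache-sg",
                             [Rule("tcp", 6379, 6379, app_sg.sg_id)])
    node = Host("redis-node", "10.0.2.20", [cache_sg])
    app_1 = Host("app-1", "10.0.1.10", [app_sg])
    app_9 = Host("app-9", "10.0.3.77", [app_sg])       # scaled-out, new IP
    bastion = Host("bastion", "10.0.1.99", [SecurityGroup("sg-0bastion", "bastion-sg")])
    return {
        "app_1": connection_allowed(app_1, node, "tcp", 6379),
        "scaled_out": connection_allowed(app_9, node, "tcp", 6379),
        "bastion": connection_allowed(bastion, node, "tcp", 6379),
        "wrong_port": connection_allowed(app_1, node, "tcp", 6380),
    }


def groups_exposing_port_publicly(groups, port: int, protocol: str = "tcp") -> list:
    """Audit helper: names of groups that admit `port` from 0.0.0.0/0 or ::/0."""
    exposed = []
    for g in groups:
        for r in g.ingress:
            if (r.protocol in (protocol, "-1") and r.from_port <= port <= r.to_port
                    and not r.source.startswith("sg-")
                    and ipaddress.ip_network(r.source).prefixlen == 0):
                exposed.append(g.name)
                break
    return exposed


if __name__ == "__main__":
    print(question_layout())
    print(separate_groups_layout())
```

Running the block prints the two scenarios: in the question's layout the connection only succeeds once the shared group has the 6379 rule, and a rule placed on a group the cache node does not carry changes nothing. In the split layout, a freshly scaled-out instance with a new address is admitted because it carries app-sg, while a bastion in the same subnet is not. The audit helper is the check worth running before deploying either layout: Redis has no authentication by default on a plain ElastiCache node, so a cache group that admits 6379 from 0.0.0.0/0 instead of from a group reference should never pass review.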
