Setting up a connection
Available connection methods depend on whether cluster sharding is enabled.
Encryption support
Encrypted SSL connections are supported for Managed Service for Redis clusters. To use SSL, enable TLS support when creating a cluster.
When using SSL to connect to a cluster with encryption support, disable FQDN matching and certificate host name verification in your application. Otherwise, you will not be able to connect to the cluster: Redis returns the host IP address instead of the host FQDN, which produces an error when the host name is verified against the certificate.
Accessing cluster hosts
You can connect to Managed Service for Redis cluster hosts:
- Via the internet, if the following conditions are met:
  - Public access to hosts is configured.
  - An SSL connection is used.
  - Your cluster was created with TLS support.
- From Yandex Cloud virtual machines located in the same cloud network:
  - Create a virtual machine with a public IP in the same virtual network as the cluster.
  - Connect to the created VM via SSH.
  - From this VM, connect to Redis using one of the sample connection strings.
Configuring security groups
To connect to a cluster, security groups must include rules allowing traffic from certain ports, IP addresses, or from other security groups.
To connect to a cluster from a VM in Yandex Cloud, create rules in the VM's security groups that enable:
- VM connections from the internet.
- Traffic between the VM and cluster hosts.
Example of rules for a VM:
- For incoming traffic:
  - Port range: 22.
  - Protocol: TCP.
  - Source: CIDR.
  - CIDR blocks: 0.0.0.0/0.
  This rule lets you connect to the VM over SSH.
- For outgoing traffic:
  - Port range: 0-65535.
  - Protocol: Any.
  - Destination name: CIDR.
  - CIDR blocks: 0.0.0.0/0.
  This rule allows all outgoing traffic, which enables you to both connect to the cluster and install the certificates and utilities the VM needs to connect to the cluster.
Security group settings for sharded and non-sharded clusters differ.
Non-sharded cluster:
Configure all security groups in the cluster to allow incoming traffic from the security group where the VM is located on port 6379 for direct connections to the master host or on port 26379 for connections via Sentinel. If you created your cluster with SSL encryption support, specify port 6380 for direct encrypted connections to the master or port 26379 for unencrypted connections via Sentinel.
Warning
Connecting to port 26379 enables you to request cluster information without authenticating. To restrict unauthorized access to a cluster with host public access enabled, do not specify this port in your security group settings.
To do this, create the following rule for incoming traffic:
- Port range: create a separate rule for each port:
  - 6379: for direct unencrypted host connections.
  - 6380: for direct host connections using SSL encryption.
  - 26379: for cluster communication via Sentinel. To connect to a cluster using Sentinel, you must also create a rule enabling connections via port 6379 or 6380.
- Protocol: TCP.
- Source: Security group.
- Security group: the security group assigned to the VM. If it is the same as the group being configured, specify Current.
Sharded cluster:
Configure all security groups in the cluster to enable incoming traffic from the security group where your VM is located on port 6379. If the cluster was created with SSL encryption support, specify only port 6380.
To do this, create the following rule for incoming traffic:
- Port range: 6379, or only 6380 for clusters with SSL encryption support.
- Protocol: TCP.
- Source: Security group.
- Security group: if your cluster and VM are in the same security group, select Current as the value. Otherwise, specify the VM security group.
Note
You can set more detailed rules for security groups, such as allowing traffic in only specific subnets.
Security groups must be configured correctly for all subnets that will include cluster hosts. If security group settings are incomplete or incorrect, you may lose access to the cluster if the master is switched manually or automatically.
For more information about security groups, see Security groups.
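The port guidance above (6379 for direct connections, 6380 for TLS, 26379 for Sentinel, and the warning about 26379 with public access) can be turned into a rule audit. The following is an added example, not code from the Yandex documentation; the Cluster flags, the rule dict layout and the sample rules are constructed for illustration.

```python
"""Added example (not from the Yandex documentation): audit a Redis cluster's
security-group rules against this page's port guidance (6379 direct, 6380 TLS,
26379 Sentinel). Cluster flags and rule dicts are constructed for illustration."""
from dataclasses import dataclass

PLAIN, TLS, SENTINEL = 6379, 6380, 26379


@dataclass(frozen=True)
class Cluster:
    sharded: bool        # sharded clusters do not use Sentinel
    tls: bool            # created with TLS support
    public_access: bool  # hosts reachable from the internet


def direct_port(cluster: Cluster) -> int:
    """Port for direct connections to the master: 6380 on a TLS cluster, else 6379."""
    return TLS if cluster.tls else PLAIN


def audit_rules(cluster: Cluster, rules: list[dict]) -> list[str]:
    """Return findings for incoming rules that widen access beyond the guidance,
    plus one finding when the required direct port is not opened at all."""
    findings = []
    redis_rules = [r for r in rules if r["port"] in (PLAIN, TLS, SENTINEL)]
    for r in redis_rules:
        port = r["port"]
        if r["source"] != "security_group":
            findings.append(f"port {port} open to CIDR {r['cidr']}; allow only the VM security group")
        if port == PLAIN and cluster.tls:
            findings.append("port 6379 permits unencrypted connections on a TLS cluster; open only 6380")
        if port == SENTINEL and cluster.sharded:
            findings.append("port 26379 is not used by a sharded cluster; remove the rule")
        if port == SENTINEL and cluster.public_access:
            findings.append("port 26379 answers cluster queries without authentication; "
                            "do not open it while public access is enabled")
    if not any(r["port"] == direct_port(cluster) for r in redis_rules):
        findings.append(f"no rule allows port {direct_port(cluster)}; the VM cannot reach the master")
    return findings


# Constructed sample: a non-sharded TLS cluster with public access enabled,
# and three rules as they might be exported from its security group.
SAMPLE_CLUSTER = Cluster(sharded=False, tls=True, public_access=True)
SAMPLE_RULES = [
    {"port": TLS, "protocol": "TCP", "source": "security_group", "group": "vm-sg"},
    {"port": PLAIN, "protocol": "TCP", "source": "security_group", "group": "vm-sg"},
    {"port": SENTINEL, "protocol": "TCP", "source": "cidr", "cidr": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_CLUSTER, SAMPLE_RULES):
        print("FINDING:", finding)
```

Run against the sample, the audit reports the plaintext port left open on a TLS cluster and the Sentinel port exposed to the internet; a sharded TLS cluster with only the 6380 rule produces no findings.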
Getting an SSL certificate
To use an encrypted SSL connection, get an SSL certificate:
Bash:
mkdir -p ~/.redis && \
wget "https://storage.yandexcloud.net/cloud-certs/CA.pem" \
--output-document ~/.redis/YandexInternalRootCA.crt && \
chmod 0655 ~/.redis/YandexInternalRootCA.crt
The certificate is saved to the ~/.redis/YandexInternalRootCA.crt file.
PowerShell:
mkdir $HOME\.redis; curl.exe -o $HOME\.redis\YandexInternalRootCA.crt https://storage.yandexcloud.net/cloud-certs/CA.pem
The certificate is saved to the $HOME\.redis\YandexInternalRootCA.crt file.
To use graphical IDEs, save a certificate
Redis host FQDN
To connect to a host, you need its fully qualified domain name (FQDN). You can obtain it in one of the following ways:
- In the management console, copy the command for connecting to the cluster. This command contains the host FQDN. To get the command, go to the cluster page and click Connect.
- Look up the FQDN in the management console:
  - Go to the cluster page.
  - Go to Hosts.
  - Copy the Host FQDN column value.