Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Setting up a connection

Written by
Updated at September 6, 2024

Available connection methods depend on whether the cluster sharding is enabled:

Accessing cluster hosts

You can connect to Managed Service for Redis cluster hosts:

  • Via the internet if the following conditions are met:

  • From Yandex Cloud virtual machines located in the same cloud network.

    1. Create a virtual machine with a public IP in the same virtual network as the cluster.
    2. Connect to the created VM via SSH.
    3. From this VM, connect to Redis using one of the sample connection strings.

Encryption support

Encrypted SSL connections are supported for Managed Service for Redis clusters. To use SSL, enable TLS support when creating a cluster.

By default, Redis uses host IP addresses, not their FQDNs. This may prevent connection to Redis hosts in clusters with TLS support. To be able to connect to hosts, do one of the following:

  • Enable the use of FQDNs instead of IP addresses to replace a host's IP address with its FQDN. You can enable this setting when creating or updating a cluster.

    This will allow the Redis client to connect to Redis hosts both from Yandex Cloud VMs and over the internet, as well as request verification of the host's FQDN against the certificate, if required.

    Note

    Some clients do not support this setting and will fail to connect to the cluster hosts. Such clients expect an IP address and will produce errors if you provide an FQDN instead.

  • Disable verification of the host's FQDN against the certificate on the Redis client side.

    This will enable you to connect to Redis hosts from Yandex Cloud VMs.

Configuring security groups

To connect to a cluster, security groups must include rules allowing traffic from certain ports, IP addresses, or from other security groups.

To connect to a cluster from a VM in Yandex Cloud, in its security groups, create rules, enabling:

  • VM connections from the internet.
  • Traffic between the VM and cluster hosts.

Example of rules for a VM:

  • For incoming traffic:

    • Port range: 22.
    • Protocol: TCP.
    • Source: CIDR.
    • CIDR blocks: 0.0.0.0/0.

    This rule lets you connect to the VM over SSH.

  • For outgoing traffic:

    • Port range: 0-65535.
    • Protocol: Any (Any).
    • Destination name: CIDR.
    • CIDR blocks: 0.0.0.0/0.

    This rule allows all outgoing traffic, which enables you to both connect to the cluster and install the certificates and utilities the VMs need to connect to the cluster.

Security group settings for sharded and non-sharded clusters differ.

Configure all the cluster security groups to allow incoming traffic from the security group where the VM is located on port 6379 for direct connections to the master host or 26379 for connections via Sentinel. If you created your cluster with SSL encryption support, specify port 6380 for direct encrypted connections to the master or 26379 for unencrypted connections using Sentinel.

Warning

Connecting to port 26379 enables you to request cluster information without authenticating. To restrict unauthorized cluster access with host public access enabled, do not specify this port in your security group settings.

To do this, create the following rule for incoming traffic:

  • Port range: create a separate rule for each port:

    • 6379: For direct unencrypted host connections.

    • 6380: For direct host connections using SSL encryption.

    • 26379: For cluster communication via Sentinel.

      To connect to a cluster using Sentinel, you must also create a rule enabling connections via port 6379 or 6380.

  • Protocol: TCP.

  • Source: Security group.

  • Security group: Security group assigned to the VM. If it is the same as the configured group, specify Current.

Configure all the cluster security groups to allow incoming traffic on port 6379 from the security group where the VM is located. If a cluster is created with SSL encryption support, you should only specify port 6380.

To do this, create the following rule for incoming traffic:

  • Port range: 6379 or only 6380 for clusters with SSL encryption support.
  • Protocol: TCP.
  • Source: Security group.
  • Security group: If your cluster and VM are in the same security group, select Current. Otherwise, specify the VM security group.

Note

You can specify more detailed rules for your security groups, e.g., to allow traffic only in specific subnets.

You must configure security groups correctly for all subnets in which the cluster hosts will reside. If security group settings are incomplete or incorrect, you may lose access to the cluster if the master is switched manually or automatically.

For more information about security groups, see Security groups.

Getting an SSL certificate

To use an encrypted SSL connection, get an SSL certificate:

mkdir -p ~/.redis && \
wget "https://storage.yandexcloud.net/cloud-certs/CA.pem" \
     --output-document ~/.redis/YandexInternalRootCA.crt && \
chmod 0655 ~/.redis/YandexInternalRootCA.crt

The certificate is saved to the ~/.redis/YandexInternalRootCA.crt file.

mkdir $HOME\.redis; curl.exe -o $HOME\.redis\YandexInternalRootCA.crt https://storage.yandexcloud.net/cloud-certs/CA.pem

The certificate is saved to the $HOME\.redis\YandexInternalRootCA.crt file.

To use graphical IDEs, save a certificate to a local folder and specify the path to it in the connection settings.

Redis host FQDN

To connect to a host, you need its fully qualified domain name (FQDN). You can obtain it in one of the following ways:

  • Request a list of cluster hosts.

  • In the management console, copy the command for connecting to the cluster. This command contains the host FQDN. To get the command, go to the cluster page and click Connect.

  • Look up the FQDN in the management console:

    1. Go to the cluster page.
    2. Go to Hosts.
    3. Copy the Host FQDN column value.
Previous
Deleting a cluster
Next
Connecting to a non-sharded cluster