Network security
Redis Cloud supports two network security controls: IP restrictions and VPCs. Which of them is available depends on the cloud provider and the subscription tier, as indicated in the table below:

| Cloud | VPC support | IP restrictions |
|-------|-------------|-----------------|
| AWS | Pro and Ultimate | Essentials, Pro, and Ultimate |
| GCP | Pro and Ultimate | Essentials, Pro, and Ultimate |
| Azure | Ultimate | Ultimate |
IP and subnet restrictions
You can restrict database access to a configurable set of source IP addresses and subnets. This is roughly equivalent to using iptables to limit access to a host: the decision is made on the connection's source address alone, so it complements the database's own authentication rather than replacing it.
Adding restrictions
To restrict a database to a specific set of source IP addresses or subnets:
- From the admin console, navigate to the View Database screen for a particular database.
- Click on the edit icon to enter the Edit Database screen.
- Under the Access Control & Security subsection, click on the Source IP / Subnet slider.
- From here, use the UI to add individual IP addresses and subnets (in CIDR notation), one at a time.
Virtual private clouds
A Virtual Private Cloud (VPC) is an isolated set of resources within a public cloud, usually having its own subnets and VLAN.
Databases in Redis Cloud Pro and Ultimate are almost always deployed in a Redis Labs VPC. In most cases, you'll need to create a VPC peering connection to access these databases. A VPC peering connection routes traffic privately between two VPCs; once it is established, the only limits on that traffic are the routes you add and any CIDR whitelist or security groups you configure.
How you create these connections, and the features supported, varies somewhat by public cloud. You can read about VPC usage for AWS, GCP, and Azure below.
VPCs with AWS
Subscriptions that run on AWS support two VPC options. To ensure that you can securely connect to your database, you must either create a VPC peering connection or deploy your subscription in your own VPC.
Creating a VPC peering connection
Below are instructions for creating a VPC peering connection for AWS. Once you've created this connection, you may also want to consider configuring a CIDR whitelist (described further down) to allow connections only from specific IP address blocks or security groups.
To create a VPC peering connection:
- In Subscriptions, click on the subscription requiring a VPC peering connection.
- In Security > VPC Peering, click the button to add a peering connection. A form opens.
- Enter your VPC peering details:
  - AWS Account ID
  - AWS Region
  - AWS VPC ID
  - VPC CIDR (must not overlap with the Redis Labs CIDR block; AWS will not establish peering between VPCs with overlapping CIDRs)

  Then click Initiate Peering.
- Next, approve the VPC peering request. Log in to your AWS management console and:
  - Go to Services > VPC > Peering Connections.
  - Select the peering connection whose Peering ID matches your peering request.
  - Go to Description and note the Requester VPC CIDRs shown in the Peering Connection details; you will need them for the route in the next step.
  - Click Actions and select Accept Request.
  - To confirm, click Yes, Accept.
- Finally, update your route tables for the peering connection:
  - After you accept the peering request, click Modify my route tables now.
  - In the list of route tables, select the one associated with your VPC (match on your VPC ID).
  - Go to Routes and click Edit Routes.
  - To add a route, click Add Route.
  - In the Destination field, enter the Requester VPC CIDRs shown when you accepted the peering request. This is the Redis Cloud VPC CIDR to which your application's VPC should connect.
  - In the Target field, select Peering Connection and select the relevant Peering ID.
  - Click Save Routes and Close.
Once your VPC peering request is accepted, the status in your subscription’s VPC Peering tab will indicate ‘Peer Established’.
If you correctly follow these steps, you will be able to connect to your database. If you have any problems or questions, please don’t hesitate to contact Redis Labs support.
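Two things in the AWS walk-through above are easy to get wrong and are not checked for you by the form: the VPC CIDR you enter must not overlap the Redis Labs (requester) CIDR, and the route you add only carries traffic if no equal-or-more-specific route in the same table already claims part of that range, because AWS selects routes by longest prefix match. The following pre-flight script is an added example (not Redis Cloud or AWS code) that performs both checks offline with the Python standard library. The `Route` class, the `plan_peering_route` and `shadowing_routes` helpers, and every CIDR, route entry and peering ID in it are constructed for this example.

```python
"""Pre-flight checks for AWS VPC peering with a Redis Cloud subscription.

Added example, not Redis Cloud or AWS code; standard library only.
1. check_peering_cidrs: your VPC CIDR must not overlap the requester CIDR.
2. plan_peering_route: the route "requester CIDR -> pcx-..." is only useful
   if no same-or-longer prefix in the table already points elsewhere.
All CIDRs, routes and IDs below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    """One entry of an AWS route table (hypothetical model for this example)."""
    destination: str   # CIDR, e.g. "10.0.0.0/16"
    target: str        # "local", "pcx-...", "igw-...", "nat-..."


def cidrs_overlap(a: str, b: str) -> bool:
    """True if the two CIDR blocks share at least one address."""
    na, nb = ipaddress.ip_network(a), ipaddress.ip_network(b)
    return na.version == nb.version and na.overlaps(nb)


def check_peering_cidrs(my_vpc_cidr: str, requester_cidr: str) -> None:
    """Raise before Initiate Peering if the two VPC ranges collide."""
    if cidrs_overlap(my_vpc_cidr, requester_cidr):
        raise ValueError(
            f"your VPC {my_vpc_cidr} overlaps the Redis Labs VPC "
            f"{requester_cidr}; re-address one side before peering")


def shadowing_routes(table: List[Route], destination: str, pcx_id: str) -> List[Route]:
    """Routes that would win longest-prefix match over a new route to
    `destination` via pcx_id: same-or-longer prefixes that overlap it and
    point somewhere else. A default route (0.0.0.0/0) is not one of them."""
    dest = ipaddress.ip_network(destination)
    found: List[Route] = []
    for route in table:
        net = ipaddress.ip_network(route.destination)
        if net.version != dest.version or route.target == pcx_id:
            continue
        if net.prefixlen >= dest.prefixlen and net.overlaps(dest):
            found.append(route)
    return found


def plan_peering_route(table: List[Route], requester_cidr: str, pcx_id: str) -> Optional[Route]:
    """Return the route to add for the peering, or None if it already exists.

    Raises ValueError if an existing route would shadow it; that route has to
    be replaced or removed in the console rather than just adding a new one.
    """
    if not pcx_id.startswith("pcx-"):
        raise ValueError(f"{pcx_id!r} is not a VPC peering connection ID")
    wanted = Route(requester_cidr, pcx_id)
    if wanted in table:
        return None
    conflicts = shadowing_routes(table, requester_cidr, pcx_id)
    if conflicts:
        raise ValueError("existing route(s) would shadow the peering route: "
                         + ", ".join(f"{r.destination} -> {r.target}" for r in conflicts))
    return wanted


if __name__ == "__main__":
    my_vpc = "10.0.0.0/16"            # constructed: your application VPC
    requester = "10.10.0.0/16"        # constructed: Requester VPC CIDR shown by AWS
    pcx = "pcx-0123456789abcdef0"     # constructed peering connection ID
    check_peering_cidrs(my_vpc, requester)
    table = [Route(my_vpc, "local"), Route("0.0.0.0/0", "igw-0fedcba9876543210")]
    print("add route:", plan_peering_route(table, requester, pcx))
    try:
        check_peering_cidrs("10.10.128.0/17", requester)   # deliberately overlapping
    except ValueError as exc:
        print("refused:", exc)
```

Run it with your real VPC CIDR, the Requester VPC CIDRs noted in the peering details, and a dump of the route table you intend to modify; an exception means the console steps will either fail or silently send traffic past the peering connection.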
Configuring a CIDR whitelist
The CIDR whitelist defines a range of IP addresses and/or AWS security groups permitted to access databases in the Redis Cloud VPC.
To define the CIDR whitelist:
- In Subscriptions, click on the subscription you peered with your VPC.
- Go to Security > CIDR Whitelist.
- If there are no CIDR whitelist entries, click the button to add an entry. A form opens.
- Specify the Type of whitelist entry as either:
  - IP Address: for the value, enter the IP block, in CIDR format, for the traffic that you want to allow.
  - Security Group: for the value, enter the ID of the AWS security group to grant access to.
- Click the button to save the entry.
- Next, either:
  - add more whitelist entries by clicking the add button again, or
  - apply the changes to the whitelist by selecting Apply all changes.

Entries take effect only once applied, so review the list before doing so: a broad IP block, or a security group shared by many instances, widens access to the databases in the Redis Cloud VPC accordingly.
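The Source IP / Subnet restriction described earlier and the IP Address entries of the CIDR whitelist make the same decision: a connection is admitted only if its source address falls inside one of the configured blocks. The script below is an added example (not Redis Cloud code) that models that check offline and lints a proposed entry list for mistakes the UI does not catch: a prefix like 0.0.0.0/0 that disables the restriction, an entry with host bits set that the author probably meant as a single host, and an entry already covered by a wider one. The breadth thresholds in `MIN_PREFIXLEN`, the helper names and the sample entries are assumptions of this example; AWS security-group entries are not modelled.

```python
"""Offline model of a Redis Cloud source IP / subnet allowlist.

Added example, not Redis Cloud code. Standard library only.
Thresholds, helper names and sample data are assumptions of this example.
"""
import ipaddress
from typing import Dict, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Prefixes shorter than these are treated as "too broad" (assumed limits):
# /0 disables the restriction entirely, and a stray /8 admits 16M hosts.
MIN_PREFIXLEN = {4: 8, 6: 32}


def parse_entry(text: str) -> Network:
    """Parse one UI entry; a bare address becomes a /32 (or /128).

    strict=True rejects "198.51.100.9/24" (host bits set) instead of silently
    widening it to 198.51.100.0/24.
    """
    return ipaddress.ip_network(text.strip(), strict=True)


def too_broad(net: Network) -> bool:
    return net.prefixlen < MIN_PREFIXLEN[net.version]


def parse_allowlist(entries: Iterable[str]) -> List[Network]:
    """Strict parse: raises ValueError on malformed or over-broad entries."""
    nets: List[Network] = []
    for raw in entries:
        net = parse_entry(raw)
        if too_broad(net):
            raise ValueError(f"{raw!r}: /{net.prefixlen} is too broad")
        nets.append(net)
    return nets


def lint_entries(entries: Iterable[str]) -> List[str]:
    """Return human-readable problems; an empty list means the list looks sane."""
    problems: List[str] = []
    parsed: List[Network] = []
    for raw in entries:
        try:
            net = parse_entry(raw)
        except ValueError as exc:
            problems.append(f"{raw!r}: {exc}")
            continue
        if too_broad(net):
            problems.append(f"{raw!r}: /{net.prefixlen} is broader than "
                            f"/{MIN_PREFIXLEN[net.version]}; this admits far more than one site")
        parsed.append(net)
    # An entry inside a wider entry is harmless today but hides intent:
    # removing the wide one later will not remove the access you expect.
    for net in parsed:
        for other in parsed:
            if (other is not net and net != other
                    and net.version == other.version and net.subnet_of(other)):
                problems.append(f"{net} is already covered by {other}")
    return problems


def is_allowed(source_ip: str, allowlist: List[Network]) -> bool:
    """The admission decision: source inside at least one allowlisted block."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in allowlist)


def evaluate(entries: Iterable[str], sources: Iterable[str]) -> Dict[str, bool]:
    """Map each candidate source address to allow (True) / deny (False)."""
    allowlist = parse_allowlist(entries)
    return {src: is_allowed(src, allowlist) for src in sources}


if __name__ == "__main__":
    # Constructed sample: an office egress block, one CI runner, a redundant
    # entry, and an entry with host bits set.
    proposed = ["10.20.0.0/16", "203.0.113.7", "10.20.5.0/24", "198.51.100.9/24"]
    for problem in lint_entries(proposed):
        print("lint:", problem)
    clean = ["10.20.0.0/16", "203.0.113.7"]
    for src, ok in evaluate(clean, ["10.20.33.4", "203.0.113.7", "203.0.113.8", "10.21.0.1"]).items():
        print(f"{src:>14}  {'allow' if ok else 'deny'}")
```

Feed `lint_entries` the exact strings you intend to type into the console and `evaluate` the egress addresses of the clients that must reach the database; anything reported as denied will be refused once the restriction is enabled, and anything flagged by the linter should be narrowed before it is applied.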
Deploying in your own VPC
As an alternative to VPC peering, you can create a subscription directly in your own AWS VPC. You need to do this at the time you create your subscription.
- Navigate to the New Subscription page.
- Scroll to the bottom of the page and, under Customize Your Subscription, select Build a Plan.
- On the next screen, look for the Networking subsection.
- For where to deploy the subscription, select In an existing VPC. Then enter the subnet (Deployment CIDR) inside that VPC where you want your subscription deployed, and enter your VPC ID.
Once your subscription and databases have been provisioned, you'll be able to access those databases directly from within your own VPC.
VPCs with GCP
Subscriptions that run on GCP require a VPC peering connection.
To create a VPC peering connection:
- In Subscriptions, click on the subscription requiring a VPC peering connection.
- In Security > VPC Peering, click the button to add a peering connection. A form opens.
- Enter your VPC peering details:
  - GCP Project ID
  - GCP Network name

  Before you click Initiate Connection, be sure to copy the gcloud command generated at the bottom of the form; you need it to approve the connection from your side.
- Run the gcloud command you just copied to approve the VPC peering connection.
Once your VPC peering request is accepted, the status in your subscription’s VPC Peering tab will indicate ‘Peer Established’.
If you correctly follow these steps, you will be able to connect to your database. If you have any problems or questions, please don’t hesitate to contact Redis Labs support.
VPCs with Azure
When you request a Redis Cloud Ultimate subscription, all databases will be deployed in your own Azure virtual network (VNet, Azure's equivalent of a VPC).