redis-cli connection to Amazon ElastiCache Redis cluster hangs up
I have installed and compiled Redis from source and am attempting to connect to an Amazon ElastiCache (Redis) cluster.

I can connect to the default localhost with no problem, but attempting to connect to an AWS endpoint causes what seems to be an infinite hangup.

With defaults:

$ redis-server /etc/redis.conf  # daemonized, uses localhost
$ redis-cli ping
PONG
$ sudo service redis_6379 status
Redis is running (12919)
$ redis-cli shutdown  # or sudo service redis_6379 stop

Now, here is an attempt to connect to the endpoint, copied from the AWS documentation on the topic:

redis-cli -c -h my_example_endpoint_name.eaogs8.ng.0001.use1.cache.amazonaws.com -p 6379 ping

This hangs up infinitely without anything being issued to stderr/stdout.

(Please note this is an example endpoint name; I have verified I am using the primary endpoint listed at the AWS console.)

I suspect this may be related to the security group settings for the cluster on the AWS side but am not sure specifically what could/should be modified. I appreciate suggestions of what could be blocking the connection and can provide info on the cluster itself as needed.

Kirwan answered 27/8, 2018 at 16:11 Comment(1)
Is there any way to connect to all the clusters using a single command? - Subcelestial
K
17

The connection was being prohibited by the security groups of the EC2 instance and the ElastiCache cluster to which it was trying to connect not being properly aligned.

From the AWS docs:

All ElastiCache clusters are designed to be accessed from an Amazon EC2 instance. The most common scenario is to access an ElastiCache cluster from an Amazon EC2 instance in the same Amazon Virtual Private Cloud (Amazon VPC).

The steps that I took to correct this were:

  1. Navigate to the ElastiCache Dashboard > Redis and click on the Cluster Name in question. This will show a Security Group field where the value is a Group ID such as sg-x8xxxxxx.
  2. Navigate to your Security Groups table under https://console.aws.amazon.com/ec2 > Network & Security > Security Groups. Find the Group ID from step 1 and note its corresponding Group Name.
  3. Navigate to your EC2 Management Console at https://console.aws.amazon.com/ec2 > Instances > Instances. For the server you are using to try to connect to the Redis cluster, take note of the Security Groups field. This must include whatever the Group Name was from step 2. If it doesn't, you need to add this security group. Check the box next to the server name, Actions > Networking > Change Security Groups. Add the security Group Name so that the two components share the same VPC.

You should now be able to connect with something like (example):

redis-cli -c -h mycachecluster.eaogs8.0001.usw2.cache.amazonaws.com -p 6379 ping
Kirwan answered 27/8, 2018 at 16:32 Comment(1)
Was so stuck and confused, until I realized my EC2 instance was in VPC "dan-test" and my redis was in VPC "dan-other-test" - this was the trigger to get it figured out, thanks! - Pend
P
25

I was also seeing the call to redis-cli hang up infinitely, but in my case it did not stem from incorrectly-configured security groups.

Instead, it occurred because I had created my Redis cluster with the 'Encryption in-transit' option set to 'Yes'. This meant my database endpoint needed to be accessed through an SSL tunnel, which redis-cli does not do.

For my application, encryption in-transit wasn't actually necessary so I created a new Redis cluster with that option not selected. More details on what you need to do differently when using in-transit encryption can be found here: https://aws.amazon.com/premiumsupport/knowledge-center/elasticache-connect-redis-node/

Picrotoxin answered 8/5, 2019 at 20:48 Comment(4)
I have encryption in transit = true, and it just means I need to supply the password (-a) and then I can connect via redis-cli from an ec2 instance in that VPC. Not sure what's different about my setup, but it works fine. - Pend
Had the same issue, did not realize the impact of TransitEncryptionEnabled field. Thanks for the info! - Carnahan
For anyone hitting the same thing, doc on how to connect with redis-cli at docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/… - Septempartite
I was facing the same issue. I set the encryption in transit to No and I was able to connect to the redis via redis-cli. - Unmoving
D
20

After confirming the security groups and seeing that we had 'Encryption in-transit' enabled, our redis-cli command, which included -a/--askpass to supply a password, was still hanging indefinitely and the --verbose flag wasn't showing anything. The AWS docs first call for a custom build of redis-cli, which is unnecessary; what is required, though, is to include the --tls flag as part of the command, and then it works.

This form of command should work:

redis-cli -h <primary endpoint> --tls -p <port> -a <password> <optional command>

e.g. redis-cli -h master.redis.abc7bh.usw2.cache.amazonaws.com --tls -p 6379 -a password ping

The redis-cli Docker image versions 4.0.10 and 6.2.6, as well as redis-cli 6.2.6 installed through brew on a Mac, worked.

To run using a docker image you can use a command like docker run -it redis:6.2.6 /bin/bash and then run the redis-cli command above.

Dyanne answered 16/11, 2021 at 22:37 Comment(4)
--tls is what did it for me! - Goofball
--tls is the magic here! Thanks! - Shafer
Where can I find TLS certificates for elasticache redis cluster - Orbiculate
Unrecognized option or bad number of args for: '--tls' - Tatouay
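
Added example (not code from any of the posts above): a Python probe that tells apart the two causes identified in the answers, a TCP connection that never completes (security group or VPC mismatch) and a port that accepts TCP but does not answer a plaintext PING (in-transit encryption, so `--tls` is needed). The function names and verdict strings are hypothetical; only the standard library is used.

```python
import socket
import ssl

PING = b"*1\r\n$4\r\nPING\r\n"  # RESP encoding of the PING command


def _ask(sock, timeout):
    """Send PING; return the first reply bytes, or b"" if nothing comes back."""
    sock.settimeout(timeout)
    try:
        sock.sendall(PING)
        return sock.recv(64)
    except OSError:  # covers timeouts, resets and TLS errors
        return b""


def interpret(reply):
    """Turn a raw RESP reply into a short verdict."""
    if reply.startswith(b"+PONG"):
        return "ok"
    if reply.startswith((b"-NOAUTH", b"-WRONGPASS")):
        return "auth-required"
    return "unexpected" if reply else "silent"


def diagnose(host, port=6379, timeout=3.0):
    """Classify why a redis-cli call to host:port hangs or fails."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "tcp-timeout: packets dropped, check security groups and VPC"
    except OSError as exc:
        return f"tcp-error: {exc.strerror or exc}"
    with raw:
        verdict = interpret(_ask(raw, timeout))
    if verdict in ("ok", "auth-required"):
        return f"plaintext-{verdict}: connect without --tls"
    # No Redis answer in plaintext: repeat the PING inside TLS. The default
    # context verifies the server certificate against the system CA store.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                verdict = interpret(_ask(tls, timeout))
        return f"tls-{verdict}: use redis-cli --tls"
    except OSError:
        return "unknown: port open, but no Redis reply over plaintext or TLS"
```

Run `diagnose("<primary endpoint>")` from the EC2 instance that runs redis-cli. redis-cli also accepts the password through the `REDISCLI_AUTH` environment variable instead of `-a`, which keeps it off the command line.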