ElastiCache

From Dikapedia


How to install Redis-cli


How to install Redis-cli on Amazon Linux 2:

$ sudo yum -y install openssl-devel gcc
$ wget https://download.redis.io/redis-stable.tar.gz
$ tar xvzf redis-stable.tar.gz
$ cd redis-stable
$ make distclean
$ make redis-cli BUILD_TLS=yes
$ sudo install -m 755 src/redis-cli /usr/local/bin/


Is there downtime when changing node type? (scaling up)


Reference:
[1] Cluster mode disabled
https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Scaling.RedisReplGrps.ScaleUp.html
[2] Cluster mode enabled
https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/redis-cluster-vertical-scaling-scaling-up.html
[3] Making manual backups
https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/backups-manual.html

When the scale-up process is initiated, ElastiCache does the following:

1. Launches a replication group using the new node type.

2. Copies all the data from the current primary node to the new primary node.

3. Syncs the new read replicas with the new primary node.

4. Updates the DNS entries so they point to the new nodes. Because of this, you don't have to update the endpoints in your application. For Redis 5.0.5 and above, you can scale auto failover enabled clusters while the cluster continues to stay online and serve incoming requests. On version 5.0.4 and below, you may notice a brief interruption of reads and writes from the primary node while the DNS entry is updated.

5. Deletes the old nodes (CLI/API: replication group). You will notice a brief interruption (a few seconds) of reads and writes from the old nodes because the connections to the old nodes will be disconnected.

In conclusion, there will be minimal downtime (associated with DNS updates) during the scaling up process. Because the DNS record is updated to point to the new nodes, you will notice a brief interruption.

For Cluster mode disabled: [1]
During this process, there may be a brief interruption of reads and writes from the primary node while the DNS entry is updated. You might see less than 1 second of downtime for nodes running version 5.0.5 and above, and a few seconds for older versions.

For Cluster mode enabled: [2]
During this process, your Redis cluster will continue to serve requests with minimal downtime.

Recommendation
Because the scale up/down processes rely on creating nodes with the newly selected node type and synchronizing the new nodes with the previous ones, we recommend that you initiate scale up/down during hours when you expect data traffic to be at its minimum.

Additionally, you can create a manual backup of the cluster [3] before making modifications to your cluster in case you need to restore the data.



How to connect to an Amazon ElastiCache In-Transit encryption-enabled Redis node using redis-cli



video: https://www.youtube.com/watch?v=p9hl4GLaxqE&t=4s

Short description

The redis-cli client doesn't support SSL/TLS connections. To use the redis-cli to access an ElastiCache for Redis node (cluster mode disabled) with in-transit encryption, use the stunnel package in your Linux-based clients. The stunnel command creates an SSL tunnel to the Redis nodes specified in the stunnel configuration. After establishing the tunnel, you can use the redis-cli to connect to an in-transit encryption enabled cluster node.

Note: To connect to Redis nodes (cluster-mode enabled) with in-transit encryption, use Redis clients that natively support SSL and Cluster Mode Enabled Clusters. For more information, see Redis.io/clients on the Redis website.

Resolution

1. Connect to your Linux client instance using SSH and install the stunnel package:

On CentOS-based systems:

$ sudo yum install stunnel

On Debian-based systems (Ubuntu 16):

$ sudo apt-get install stunnel

2. In the redis-cli.conf file, add a Redis cluster endpoint to one or more connection parameters:

# cat /etc/stunnel/redis-cli.conf
fips = no
setuid = root
setgid = root
pid = /var/run/stunnel.pid
debug = 7
options = NO_SSLv2
options = NO_SSLv3
[redis-cli]
  client = yes
  accept = 127.0.0.1:6379
  connect = master.ssltest.wif0lh.use1.cache.amazonaws.com:6379
[redis-cli-replica]
  client = yes
  accept = 127.0.0.1:6380
  connect = ssltest-002.ssltest.wif0lh.use1.cache.amazonaws.com:6379 

In this example, the config file has two connections, the redis-cli and the redis-cli-replica. The parameters are set as follows:

  • client is set to yes, to specify that this stunnel instance is a client.
  • accept is set to the client IP. In this example, the primary is set to the Redis default of 127.0.0.1 on port 6379. The replica must call a different port and it is set to 6380. You can use the ephemeral ports 1024 to 65535.
  • connect is set to the Redis server endpoint. For more information, see Finding connection endpoints.

3. Start stunnel.

$ sudo stunnel /etc/stunnel/redis-cli.conf

Use the netstat command to confirm that the tunnels have started:

# netstat -tulnp | grep -i stunnel
tcp    0      0 127.0.0.1:6379      0.0.0.0:*        LISTEN      3189/stunnel
tcp    0      0 127.0.0.1:6380      0.0.0.0:*        LISTEN      3189/stunnel

4. You can now use the redis-cli to connect to the encrypted Redis node using the local endpoint of the tunnel:

# src/redis-cli -h localhost -p 6379 -a MySecretPassword
localhost:6379>set foo "bar"
OK
localhost:6379>get foo
"bar"

Note: If your instance is password-protected, then the -a MySecretPassword option in redis-cli performs the authentication without needing the AUTH command. For more information, see redis-cli, the Redis command line interface on the Redis website.

This example uses telnet to connect to the Redis server:

# telnet localhost 6379
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
auth MySecretPassword
+OK
get foo
$3
bar

Run the pkill command to stop and close the SSL tunnels:

$ sudo pkill stunnel
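
The redis-cli.conf from step 2 sets no CAfile and no verification option, so the tunnel encrypts traffic but does not check which server it is talking to. The variant below is an added example, not part of the original article: it turns on certificate chain and host name checks for the primary connection, lowers the log level, and drops the setuid/setgid root lines. It assumes stunnel 5.15 or later linked against OpenSSL 1.0.2 or later (for verifyChain and checkHost), a system CA bundle at the path shown, and a pid directory (placeholder) owned by the account that starts stunnel.

```ini
; /etc/stunnel/redis-cli.conf with peer verification (added example)

fips = no

; Ports 6379 and 6380 are unprivileged, so stunnel can be started by a
; non-root account and the setuid/setgid = root lines are not needed.
; Placeholder path: point it at a directory that account can write to.
pid = /path/to/writable/dir/stunnel.pid

; 5 (notice) is stunnel's default; 7 (debug) is for troubleshooting only.
debug = 5

options = NO_SSLv2
options = NO_SSLv3

[redis-cli]
  client = yes
  accept = 127.0.0.1:6379
  connect = master.ssltest.wif0lh.use1.cache.amazonaws.com:6379
  ; Assumed CA bundle location (CentOS / Amazon Linux). On Debian-based
  ; systems the bundle is /etc/ssl/certs/ca-certificates.crt.
  CAfile = /etc/pki/tls/certs/ca-bundle.crt
  ; Reject the connection unless the server certificate chains to a CA
  ; in CAfile and its name matches the endpoint being connected to.
  verifyChain = yes
  checkHost = master.ssltest.wif0lh.use1.cache.amazonaws.com
```

The [redis-cli-replica] section takes the same three lines, with checkHost set to the replica endpoint.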



Example LUA Script


eval "redis.call('set','value1','1') local sum = 0 for i=1,10000000000000000 do sum = sum + i end return 'ok'" 0


Test SSL connection to Redis cluster if in-transit encryption is enabled


openssl s_client -connect elasticache_endpoint:6379

It will provide a long output where the last line should be “OK”, then you can run “AUTH <passphrase>” if authentication is enabled, or otherwise just run redis commands like INFO. It will confirm that the engine is reachable.