AWS Elasticache Redis
Cloud.gov offers aws-elasticache-redis Redis as a service.
Plans
| Service Name | Plan Name | Description | Number of nodes |
|---|---|---|---|
| aws-elasticache-redis | redis-dev | Single EC node for non-prod use only | 1 |
| aws-elasticache-redis | redis-3node | 3 node EC, persistent storage, 512Mb memory limit | 3 |
| aws-elasticache-redis | redis-5node | 5 node EC, persistent storage, 512Mb memory limit | 5 |
| aws-elasticache-redis | redis-3node-large | 3 node EC, persistent storage, 1.3GB memory limit | 3 |
| aws-elasticache-redis | redis-5node-large | 5 node EC, persistent storage, 1.3GB memory limit | 5 |
Pricing
AWS Elasticache instances will consume Cloud.gov resource credits; more information is available on the pricing page.
How to create an instance
To create a service instance, run the following command (replace my-ec-service
with a name for the service):
cf create-service aws-elasticache-redis redis-3node my-ec-service
Setting optional parameters
There are several optional parameters that you can specify when creating a new instance:
| Name | Description | Default Value |
|---|---|---|
| engineVersion | Specifies a supported major version in Redis (must be in "") | 7.1 |
A couple of notes regarding the optional version parameter:
- It only supports major version numbers; if you specify a minor/patch level version, e.g., "6.2.1", the command will fail. The exception is 5.0.6, which is a major version with a minor version release.
- The version number must be provided in double quotes ("); this is because the value is treated as a string to account for different versions.
These are the currently supported major versions for Redis, along with their EOL dates on AWS:
| Version | End of Standard Support | End of Extended Support |
|---|---|---|
| 5.0.6 | 1/31/2026 | 1/31/2029 |
| 6.0 | 1/31/2027 | 1/31/2030 |
| 6.2 | 1/31/2027 | 1/31/2030 |
| 7.0 | (not yet published) | (not yet published) |
| 7.1 | (not yet published) | (not yet published) |
Cloud.gov support will periodically notify customers to migrate to versions under Standard Support to manage platform costs and to support long-term viability of your applications.
Examples of optional parameters
If you want to specify the engine version:
cf create-service aws-elasticache-redis \
${SERVICE_PLAN_NAME} \
${SERVICE_NAME} \
-c '{"engineVersion": "6.2"}'
Managing backups
As part of the aws-elasticache-redis service, AWS takes daily snapshots of all EC instances between 06:00-07:00 UTC. The service is configured to keep 3 snapshots. If you need one of these automated snapshots restored, please email support@cloud.gov.
For manual backups, the Elasticache service does not expose access to files generated by the Elasticache Redis SAVE command. To back up data from your Elasticache Redis instance, you can iterate over keys, fetch their values and expiration times using DUMP and TTL, and save them to a file. To restore, use the RESTORE command for each saved key.
For some ideas on moving data, see also our AWS Elasticache Redis example repo: https://github.com/cloud-gov/aws-redis-example.
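The DUMP/TTL/RESTORE procedure described above, as an added example that is not code from Cloud.gov or its example repo. It assumes a redis-py style client with `decode_responses` off, uses PTTL (the millisecond form of TTL) because RESTORE takes its TTL in milliseconds, and the function names, file format and `REDIS_URL` variable are constructed for illustration.

```python
import base64
import json
import os


def backup(client, path, match="*"):
    """DUMP every key matching `match` into a JSON-lines file; return the key count."""
    # The file holds every cached value, so create it readable by the owner only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    saved = 0
    with os.fdopen(fd, "w") as out:
        for key in client.scan_iter(match=match, count=500):  # SCAN, not KEYS
            payload = client.dump(key)
            pttl = client.pttl(key)  # ms left; -1 = no expiry, -2 = key gone
            if payload is None or pttl in (-2, 0):
                continue  # expired or deleted between SCAN and DUMP
            record = {
                "key": base64.b64encode(key).decode("ascii"),
                "value": base64.b64encode(payload).decode("ascii"),
                "pttl": max(pttl, 0),  # RESTORE reads a TTL of 0 as "no expiry"
            }
            out.write(json.dumps(record) + "\n")
            saved += 1
    return saved


def restore(client, path, replace=False):
    """RESTORE each saved key with its remaining TTL; return the key count."""
    restored = 0
    with open(path) as src:
        for line in src:
            record = json.loads(line)
            client.restore(
                base64.b64decode(record["key"]),
                record["pttl"],
                base64.b64decode(record["value"]),
                replace=replace,  # False: fail rather than overwrite a live key
            )
            restored += 1
    return restored


if __name__ == "__main__":
    import redis  # redis-py; keep decode_responses off, DUMP payloads are binary

    # REDIS_URL is a hypothetical variable holding the instance's rediss:// URI.
    conn = redis.Redis.from_url(os.environ["REDIS_URL"])
    print(backup(conn, "redis-backup.jsonl"), "keys saved")
```

RESTORE rejects a payload whose serialization version is newer than the target supports, so restore into the same or a newer engine version than the one that was backed up.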
Connecting to your Elasticache service locally
To facilitate backing up your Elasticache service, Cloud.gov offers port forwarding if SSH is enabled for your organization and application. Follow the instructions below to create a service key and use it to set up an SSH tunnel.
Create a service key to access Elasticache credentials:
cf create-service-key my-elasticache my-key
Connect to your Elasticache service using port forwarding (see
Using SSH). You'll need to leave the cf ssh
command running and follow the next steps in a different terminal so that you
can access the remote Elasticache instance from your local environment. These
steps assume you have jq installed locally.
elasticache_credentials=$(cf service-key my-elasticache my-key | tail -n +3)
# CF CLI v7: credentials are at the top level of the JSON (run only the group that matches your CLI version)
elasticache_hostname=$(echo "${elasticache_credentials}" | jq -r '.hostname')
elasticache_port=$(echo "${elasticache_credentials}" | jq -r '.port')
elasticache_password=$(echo "${elasticache_credentials}" | jq -r '.password')
# CF CLI v8: credentials are nested under .credentials (run only the group that matches your CLI version)
elasticache_hostname=$(echo "${elasticache_credentials}" | jq -r '.credentials.hostname')
elasticache_port=$(echo "${elasticache_credentials}" | jq -r '.credentials.port')
elasticache_password=$(echo "${elasticache_credentials}" | jq -r '.credentials.password')
cf ssh my-app -L "8000:${elasticache_hostname}:${elasticache_port}"
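You can now connect to your Elasticache service from your local machine using
port 8000 and the password stored in $elasticache_password. The -a option puts
the password on the command line, where it is visible in the local process
list; redis-cli also accepts the password through the REDISCLI_AUTH
environment variable. For example, using the latest version of Redis CLI: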
redis-cli -a "${elasticache_password}" -p 8000 --tls
Connecting to your Elasticache service from your application
As with other services on Cloud.gov, you can bind your Elasticache service to your application, which will generate credentials for accessing your service and set them as environment variables on your application.
Your application code can then retrieve these credentials from the environment variables and use them to connect to your Elasticache service.
Connecting over TLS
By default, all Elasticache instances provisioned by the broker are encrypted in transit, meaning TLS must be used when connecting to them.
Previous versions of the broker generated a uri credential value that was
incorrect for connecting to Elasticache instances over TLS. Specifically, the
uri credential value used a URI scheme of redis:// (with one s), but
connecting over TLS requires a URI scheme of rediss:// (with two s's).
While that issue has been fixed, existing bindings keep the old value. To
update the credentials for an application and get the correct uri value,
unbind and rebind your service to the application.
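A startup check an application could run on its bound credentials to catch the stale redis:// scheme described above, as an added example that is not Cloud.gov's or the broker's code. It assumes the Cloud Foundry `VCAP_SERVICES` layout (a JSON object keyed by service name, each binding carrying `name` and `credentials`); the function name and the sample values are constructed.

```python
import json
import os
from urllib.parse import urlsplit, urlunsplit

SERVICE_LABEL = "aws-elasticache-redis"

# Constructed sample of a binding from before the broker fix (not real credentials).
SAMPLE_VCAP_SERVICES = json.dumps({SERVICE_LABEL: [{
    "name": "my-ec-service",
    "credentials": {
        "hostname": "redis.example.internal",
        "port": 6379,
        "password": "example-password",
        "uri": "redis://:example-password@redis.example.internal:6379",
    },
}]})


def tls_uri(vcap_services_json, instance_name=None):
    """Return (uri, stale): a rediss:// URI and whether the binding carried redis://."""
    services = json.loads(vcap_services_json).get(SERVICE_LABEL, [])
    bound = [s for s in services if instance_name in (None, s.get("name"))]
    if len(bound) != 1:
        raise LookupError(f"expected one {SERVICE_LABEL} binding, found {len(bound)}")
    parts = urlsplit(bound[0]["credentials"]["uri"])
    if parts.scheme == "rediss":
        return urlunsplit(parts), False
    if parts.scheme != "redis":
        # Report the scheme only; the URI itself may embed the password.
        raise ValueError(f"unexpected URI scheme {parts.scheme!r}")
    return urlunsplit(parts._replace(scheme="rediss")), True


if __name__ == "__main__":
    uri, stale = tls_uri(os.environ.get("VCAP_SERVICES", SAMPLE_VCAP_SERVICES))
    if stale:
        print("binding has a redis:// uri: unbind and rebind the service")
    print("connecting to", urlsplit(uri).hostname, "over TLS")
```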
Encryption
Every AWS Elasticache instance configured through Cloud.gov is encrypted at rest and encrypted in transit. We use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your AWS Elasticache instance.
Rotating credentials
You can rotate credentials by creating a new instance and deleting the existing instance. If this is not an option, email support@cloud.gov to request rotating the credentials manually.
The broker in GitHub
You can find the broker here: https://github.com/cloud-gov/aws-broker.