Opsworks : Rails Layer connect to Elasticache : Redis

Question

I am attempting to connect my Rails Application running in Opsworks to an Elasticache Redis Layer. I just can't get it to work.

My current configuration:

1 Stack (2 instances)
Layers
- Rails App Server - MySQL

The rails app is in the AWS-OpsWorks-Rails-App-Server Security Group.

1 ElasticCache Cluster The ES cluster is in the default security sg-ff58559a (VPC)(active) Security Group.

I am using the 'Primary Endpoint' to attempt to connect.

This value is visible from the
ElastiCache>Replication Groups
dashboard.

It looks similar to this:
<name>.oveuui.ng.0001.use1.cache.amazonaws.com:6379

In my rails console (after SSH into the rails layer) I try:

>r = Redis.new(:url => 'redis://<name>.oveuui.ng.0001.use1.cache.amazonaws.com:6379')
>r.connected

The results is:

Redis::CannotConnectError: Timed out connecting to Redis on...

Answer 1

If you launched your cluster into an Amazon Virtual Private Cloud (Amazon VPC), you can connect to your ElastiCache cluster only from an Amazon EC2 instance that is running in the same Amazon VPC. In this case, you will need to grant network ingress to the cluster. To grant network ingress from an Amazon VPC security group to a cluster:

1.Sign in to the AWS Management Console and open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2.In the left navigation pane, under Network & Security, click Security Groups.

3.In the list of security groups, click the security group for your Amazon VPC. If you are a new ElastiCache user, this security group will be named default.

4.Click Inbound tab, and then do the following:

a. Click Edit.

b. Click Add rule.

c. In the Type column, select Custom TCP rule.

d. In the Port range box, type the port number for your cache cluster node. This number must be the same one that you specified when you launched the cluster. The default ports are as follows:

 Memcached: port 11211

 Redis: port 6379

e. In the Source box, select Anywhere which has the port range (0.0.0.0/0) so that any Amazon EC2 instance that you launch within your Amazon VPC can connect to your ElastiCache nodes..

f. Click Save.

http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/GettingStarted.AuthorizeAccess.html

Answer 2

Amazon only lets servers in the same security group as your Elasticache server talk to it.

This blog post walks you through the process of adding your Rails Server Layer to the right security group: http://aws.amazon.com/blogs/aws/using-aws-elasticache-for-redis-with-aws-opsworks/. It assumes that when you created your Elasticache cluster you chose the "default" security group, which seems to be the case. If so, go to OpsWorks -> (select the right Stack) -> Layers, and click on Security for your Rails App Server layer. You should see this:

You want to ensure that you've added the "default" security group and then restart your instances. Note that when I did this, it still didn't work. I decided to go look at the details of my instance in the EC2 console (instead of in the OpsWorks console) and found that the new "default" security group that I had added to the layer actually had not propagated to my instance. I don't know why this was the case, so I deleted the instance and created a whole new one, and this new instance had the "AWS-OpsWorks-Rails-App-Server" and "default" security groups applied to it successfully. So, keep that in mind in case things don't work right away and click on the instance to see its settings and confirm that both security groups are displayed.

Let me know if this works for you.