8

I have been reading through the Elastic Beanstalk and ElastiCache documentation on creating a connection between my EB instance and my Redis endpoint. I have added my endpoint to my session configuration in my Node.js app, but it doesn't appear that it is connecting to my Redis instance as indicated by an error that is getting thrown when accessing any pages that use the session. I know that the security groups between the Elastic Beanstalk and ElastiCache need to be the same, but do I need to make adjustments to my environment to attach the two?

Here is my Redis connection in my Node.js app:

```javascript
// Session cookie
app.use(cookieParser());
app.use(session({
    store: new RedisStore({
        host: 'redis-production.dfdfa.0001.use1.cache.amazonaws.com',
        port: 6379
    }),
    secret: process.env.SECRET,
    resave: true,
    saveUninitialized: true,
    cookie: {
        httpOnly: true,
        secure: false // turn to true on production once https is in place
    }
}));
```
cphill
  • What is the error? – Piyush Patil Aug 15 '16 at 00:20
  • `Error: req.flash() requires sessions` `at /var/app/current/app/controllers/site-routes.js:34:15` which is linked to this code: `siteRoutes.route('/login') .get(function(req, res){ res.render('pages/site/login.hbs',{ error: req.flash('error') }); })` which has been an issue in the past when I didn't have a redis correctly configured. – cphill Aug 15 '16 at 00:36

1 Answer

11

I'm not sure what you mean by this:

> I know that the security groups between the Elastic Beanstalk and ElastiCache need to be the same

They don't need to be the same security group, if that is what you are saying. And they don't need to have the exact same settings, if that is what you are saying. Here's what you need to do:

  1. Elastic Beanstalk Servers are in a specific security group. We will call this SG1.
  2. ElastiCache instances are in a specific security group. We will call this SG2.
  3. Add a rule in SG2 that allows traffic on the port you specified when you configured the ElastiCache instances. The default port is 6379. In this Security Group rule use the ID of SG1 in the source field. For example, if SG1 has an ID of `sg-123456` then enter that in the source field.

Once you have completed those steps then all Elastic Beanstalk instances will have access to your ElastiCache Redis instance(s).

Mark B
  • Thanks for clearing up the confusion I had with the security group dependencies. What is the field type that I should be using to input the `sg-123456` value? – cphill Aug 15 '16 at 01:03
  • I'm not sure what you mean by "field type". You need to find the "Group ID" of the EB security group, it will be formatted like "sg-xxxxx". Find that, and copy/paste that into the "Source" field of the inbound rule in your ElastiCache security group. If you start typing "sg" in the "Source" field it will bring up a list of your security groups to choose from. – Mark B Aug 15 '16 at 01:43
  • @MarkB If they are both on the same security group should I add any rules? What could those rules be? If no, why am I still getting a timeout error when I try to connect from Elastic Beanstalk to ElastiCache? – Mouneer May 05 '19 at 12:30
  • @Mouneer having two resources share a security group in AWS is meaningless. This does not by itself open any means of communication between the two resources. You have to define a specific inbound rule for any network traffic. – Mark B May 05 '19 at 15:01
  • @MarkB but docs are saying that default inbound rules of any security group is to "Allow inbound traffic from instances assigned to the same security group." https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html I have this `sg-xxxxxxx` rule defined. What could be the problem? – Mouneer May 06 '19 at 12:54
  • @Mouneer no that is specifically talking about the one default inbound rule in the one default security group that comes with your default VPC. That is not the way "all security groups" work by default. Does the `sg-xxxxx` rule you have defined match the ID of the security group you defined it in? – Mark B May 06 '19 at 13:13
  • @MarkB yes if the SG ID is `sg-123456789`, the rule is defined as the same ID `sg-123456789`. – Mouneer May 06 '19 at 13:54
  • @MarkB the problem was that my client connector needs the link of the Redis without the protocol part. – Mouneer May 27 '19 at 10:10
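
The inbound rule from the answer's steps, and the shared-group case raised in the comments, can be checked against the output of `aws ec2 describe-security-groups`. This is an added example, not code from the question or the answer; `checkRedisIngress`, the ID `sg-654321` and the three sample rule sets are constructed for illustration.

```javascript
// Added example. Group IDs and rule sets are constructed sample data shaped like
// one SecurityGroups[] entry from `aws ec2 describe-security-groups`.
const SG1 = 'sg-123456'; // Elastic Beanstalk group (ID used in the answer)
const SG2 = 'sg-654321'; // ElastiCache group (constructed ID)

// True when an inbound permission covers the given TCP port.
function coversPort(perm, port) {
  if (perm.IpProtocol === '-1') return true; // "all traffic" rule, no port range
  if (perm.IpProtocol !== 'tcp') return false;
  return perm.FromPort <= port && port <= perm.ToPort;
}

// Can members of appSgId reach cacheSg on `port`? Only source-group rules and
// 0.0.0.0/0 are evaluated; narrower CIDR rules need the instance IPs to judge.
function checkRedisIngress(cacheSg, appSgId, port = 6379) {
  const result = { allowed: false, viaSourceGroup: false, openToWorld: false };
  for (const perm of cacheSg.IpPermissions || []) {
    if (!coversPort(perm, port)) continue;
    if ((perm.UserIdGroupPairs || []).some(p => p.GroupId === appSgId)) {
      result.allowed = result.viaSourceGroup = true;
    }
    if ((perm.IpRanges || []).some(r => r.CidrIp === '0.0.0.0/0')) {
      result.allowed = result.openToWorld = true; // works, but far too broad
    }
  }
  return result;
}

// Case 1: the answer's setup, SG2 admits 6379 from SG1.
const separateGroups = { GroupId: SG2, IpPermissions: [
  { IpProtocol: 'tcp', FromPort: 6379, ToPort: 6379,
    UserIdGroupPairs: [{ GroupId: SG1 }], IpRanges: [] } ] };

// Case 2: both resources share SG1, which only admits HTTPS. Sharing a group
// opens nothing by itself, so Redis connections time out.
const sharedNoRule = { GroupId: SG1, IpPermissions: [
  { IpProtocol: 'tcp', FromPort: 443, ToPort: 443,
    UserIdGroupPairs: [], IpRanges: [{ CidrIp: '0.0.0.0/0' }] } ] };

// Case 3: shared group with a self-referencing rule (as in a default VPC's
// default security group).
const sharedSelfRef = { GroupId: SG1, IpPermissions: [
  { IpProtocol: '-1', UserIdGroupPairs: [{ GroupId: SG1 }], IpRanges: [] } ] };

for (const sg of [separateGroups, sharedNoRule, sharedSelfRef]) {
  console.log(sg.GroupId, checkRedisIngress(sg, SG1));
}
```

A result with `openToWorld: true` means the port is reachable from any address the network path permits; replace such a rule with a source-group rule as in case 1.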