
Exposing AWS ElastiCache Redis Instance Publicly with Pulumi Fails


Question: I'm trying to expose an AWS ElastiCache Redis instance publicly using Pulumi. The Redis setup uses the @pulumi/aws package, and I'm working within a VPC configured with public subnets, an internet gateway, and a route table for outbound access.

I've attached a security group to the Redis instance allowing access on port 6379 from any IP. Despite this, the Redis instance remains unreachable from the internet. Here's the relevant Pulumi code:

import * as aws from '@pulumi/aws';
import * as pulumi from '@pulumi/pulumi';

const stackName = pulumi.getStack();

const vpc = new aws.ec2.Vpc(`vpc-${stackName}`, {
  cidrBlock: '10.0.0.0/16',
  enableDnsHostnames: true,
  enableDnsSupport: true,
});

const subnet1 = new aws.ec2.Subnet(`subnet1-${stackName}`, {
  vpcId: vpc.id,
  availabilityZone: 'us-east-1a',
  cidrBlock: '10.0.26.0/24',
  mapPublicIpOnLaunch: true,
});

const igw = new aws.ec2.InternetGateway(`igw-${stackName}`, { vpcId: vpc.id });

const routeTable = new aws.ec2.RouteTable(`routeTable-${stackName}`, {
  vpcId: vpc.id,
  routes: [{ cidrBlock: '0.0.0.0/0', gatewayId: igw.id }],
});

new aws.ec2.RouteTableAssociation(`rta-${stackName}`, {
  subnetId: subnet1.id,
  routeTableId: routeTable.id,
});

export const redisSecurityGroup = new aws.ec2.SecurityGroup(`redis-sg-${stackName}`, {
  vpcId: vpc.id,
  ingress: [{ fromPort: 6379, toPort: 6379, protocol: 'tcp', cidrBlocks: ['0.0.0.0/0'] }],
  egress: [{ fromPort: 0, toPort: 0, protocol: '-1', cidrBlocks: ['0.0.0.0/0'] }],
});

export const redisCache = new aws.elasticache.ServerlessCache(`redisCache-${stackName}`, {
  engine: 'redis',
  name: `redis-${stackName}`,
  securityGroupIds: [redisSecurityGroup.id],
  subnetIds: [subnet1.id],
  userGroupId: '<YOUR_USER_GROUP_ID>',
});

I've tried the following without success:

  • Verified that mapPublicIpOnLaunch is set to true on the subnets.
  • Configured the security group to allow all ingress/egress on port 6379.
  • Ensured a public route exists with the internet gateway for outgoing connections.

Is there a specific configuration step I'm missing to make Redis accessible over the internet?

Environment:

Pulumi versions:

"@pulumi/aws": "^6.56.1",
"@pulumi/awsx": "^2.16.1",
"@pulumi/esc-sdk": "^0.10.2",
"@pulumi/pulumi": "^3.137.0",

AWS ElastiCache version: Redis 7.1
Node.js: 22


Solution

  • AWS ElastiCache instances are never assigned a public IP. Amazon made the design decision that ElastiCache instances could never be directly accessible via the Internet.

    Per the ElastiCache documentation, Amazon recommends creating a NAT instance to route the traffic to ElastiCache.
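Added example, not part of the question or the answer: a stand-alone TypeScript check over plain objects shaped like the resources in the Pulumi program above (no Pulumi import, so it runs offline). It flags the two settings that were combined to try to expose the cache, a cache subnet whose route table sends 0.0.0.0/0 to an internet gateway and a 6379 ingress rule open to any address, and shows a hardened layout (private subnet, ingress scoped to an application security group) producing no findings. All ids such as sg-app, sg-redis and igw-example are constructed.

```typescript
// Constructed shapes mirroring the Pulumi resources in the question (not Pulumi types).
interface Route { cidrBlock: string; gatewayId?: string }
interface IngressRule {
  fromPort: number; toPort: number; protocol: string;
  cidrBlocks?: string[]; securityGroups?: string[];
}
interface Stack {
  routeTables: Record<string, Route[]>;          // route table id -> routes
  subnetRouteTable: Record<string, string>;      // subnet id -> route table id
  securityGroups: Record<string, IngressRule[]>; // security group id -> ingress rules
  cache: { subnetIds: string[]; securityGroupIds: string[] };
}

const REDIS_PORT = 6379;

// A subnet is "public" when its route table has a default route to an internet gateway.
function isPublicSubnet(stack: Stack, subnetId: string): boolean {
  const rtId = stack.subnetRouteTable[subnetId];
  const routes = rtId ? (stack.routeTables[rtId] ?? []) : [];
  return routes.some(r => r.cidrBlock === '0.0.0.0/0' && (r.gatewayId ?? '').startsWith('igw-'));
}

// Returns one finding per exposure-related setting on the cache's subnets and security groups.
function auditCacheExposure(stack: Stack): string[] {
  const findings: string[] = [];
  for (const s of stack.cache.subnetIds) {
    if (isPublicSubnet(stack, s)) findings.push(`subnet ${s} routes 0.0.0.0/0 to an internet gateway`);
  }
  for (const sg of stack.cache.securityGroupIds) {
    for (const r of stack.securityGroups[sg] ?? []) {
      const allTraffic = r.protocol === '-1' && r.fromPort === 0 && r.toPort === 0;
      const coversRedis = allTraffic || (r.fromPort <= REDIS_PORT && r.toPort >= REDIS_PORT);
      const worldOpen = (r.cidrBlocks ?? []).some(c => c === '0.0.0.0/0' || c === '::/0');
      if (coversRedis && worldOpen) findings.push(`security group ${sg} allows ${REDIS_PORT} from any address`);
    }
  }
  return findings;
}

// Constructed sample 1: the layout from the question (public subnet, SG open to the world).
const asPosted: Stack = {
  routeTables: { 'rtb-public': [{ cidrBlock: '0.0.0.0/0', gatewayId: 'igw-example' }] },
  subnetRouteTable: { 'subnet-1': 'rtb-public' },
  securityGroups: { 'sg-redis': [{ fromPort: 6379, toPort: 6379, protocol: 'tcp', cidrBlocks: ['0.0.0.0/0'] }] },
  cache: { subnetIds: ['subnet-1'], securityGroupIds: ['sg-redis'] },
};
// Constructed sample 2: same cache in a private subnet, 6379 reachable only from an app SG.
const hardened: Stack = {
  routeTables: { 'rtb-private': [] },
  subnetRouteTable: { 'subnet-2': 'rtb-private' },
  securityGroups: { 'sg-redis': [{ fromPort: 6379, toPort: 6379, protocol: 'tcp', securityGroups: ['sg-app'] }] },
  cache: { subnetIds: ['subnet-2'], securityGroupIds: ['sg-redis'] },
};
```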