This page explains how to manage in-transit encryption for your cluster.
For an overview of in-transit encryption for Memorystore for Redis Cluster, see About in-transit encryption.
You can only enable in-transit encryption when you initially create your Memorystore cluster. In-transit encryption cannot be disabled afterwards on a cluster that was created with it.
Create an instance with in-transit encryption
Console
Follow the steps at Create a Memorystore for Redis Cluster instance.
gcloud
To create a Redis cluster that has in-transit encryption, run the create command:
gcloud redis clusters create INSTANCE_ID \
  --region=REGION_ID \
  --network=NETWORK \
  --replica-count=REPLICA_COUNT \
  --node-type=NODE_TYPE \
  --shard-count=SHARD_COUNT \
  --transit-encryption-mode=server-authentication
Replace the following:
- INSTANCE_ID is the ID of the Memorystore for Redis Cluster instance you're creating. Your instance ID must be 1 to 63 characters and use only lowercase letters, numbers, or hyphens. It must start with a lowercase letter and end with a lowercase letter or number.
- REGION_ID is the region where you want the instance placed.
- NETWORK is the network used to create your instance. It must use the format projects/NETWORK_PROJECT_ID/global/networks/NETWORK_ID. The network ID used here must match the network ID used by the service connection policy. Otherwise, the create operation fails.
- REPLICA_COUNT is your desired number of replicas (per shard). Accepted values are 0, 1, and 2.
- NODE_TYPE is your chosen node type. Accepted values are:
  redis-shared-core-nano
  redis-standard-small
  redis-highmem-medium
  redis-highmem-xlarge
  For more details on node types and cluster configurations, see Cluster and node specification.
- SHARD_COUNT determines the number of shards in your instance. Shard count determines the total memory capacity for storing cluster data. To see more details about cluster specification, see Cluster and node specification.
For example:
gcloud redis clusters create my-instance \
  --region=us-central1 \
  --network=projects/my-project-335118/global/networks/default \
  --replica-count=1 \
  --node-type=redis-highmem-medium \
  --shard-count=3 \
  --transit-encryption-mode=server-authentication
Download the certificate authorities
If in-transit encryption is enabled on your cluster, you see the certificates of the Certificate Authorities when you run the get-cluster-certificate-authority command:
gcloud redis clusters get-cluster-certificate-authority INSTANCE_ID
Replace the following:
- INSTANCE_ID is the ID of your Memorystore for Redis Cluster instance.
The response body includes certificates for all applicable Certificate Authorities. During a Certificate Authority rotation this includes both the old and the new CA, so install every certificate that is returned, not only the first one.
Install Certificate Authorities on your client
You must install your cluster's Certificate Authorities on the connecting client. CA installation can vary depending on the client type. The steps below explain how to install a CA on a Compute Engine Linux VM.
Connect with SSH to your Compute Engine Linux client.
Create a file called server_ca.pem on your client:
sudo vim /tmp/server_ca.pem
Download the Certificate Authorities and paste them into the server_ca.pem file you just created. The text of the CAs must be formatted correctly. Your server_ca.pem file should look something like this:
-----BEGIN CERTIFICATE-----
MIIDnTCCAoWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBhTEtMCsGA1UELhMkNzYx
NTc4OGMtMTI2Yi00Nzk0LWI2MWMtY2YxOWE2Y2Y1ZjNiMTEwLwYDVQQDEyhHb29n
bGUgQ2xvdWQgTWVtb3J5c3RvcmUgUmVkaXMgU2VydmVyIENBMRQwEgYDVQQKEwtH
b29nbGUsIEluYzELMAkGA1UEBhMCVVMwHhcNMjAwOTE3MjEzNDE1WhcNMzAwOTE1
MjEzNTE1WjCBhTEtMCsGA1UELhMkNzYxNTc4OGMtMTI2Yi00Nzk0LWI2MWMtY2Yx
OWE2Y2Y1ZjNiMTEwLwYDVQQDEyhHb29nbGUgQ2xvdWQgTWVtb3J5c3RvcmUgUmVk
aXMgU2VydmVyIENBMRQwEgYDVQQKEwtHb29nbGUsIEluYzELMAkGA1UEBhMCVVMw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyDKmDHZm6tzMhNtKOnp8H
8+zTv1qA6OkBToVqCjKTTMGO18ovNtAAMjbGvclLuJNLbA2WTTWVttHen6Cn82h0
3gG9HMk9AwK1cVT7gW072h++TRsYddIRlwnSweRWL8jUX+PNt7CjFqH+sma/Hb1m
CktHdBOa897JiYHrMVNTcpS8SFwwz05yHUTEVGlHdkvlaJXfHLe6keCMABLyjaMh
1Jl4gZI2WqLMV680pJusK6FI6q/NmqENFc9ywMEg395lHTK9w9e014WIXg0q7sU3
84ChVVS2yYOMEUWeov4Qx6XeVfA4ss5t7OCqsMQkvslkE90mJZcVvhBj3QvTH9Rz
AgMBAAGjFjAUMBIGA1UdEwEB/wQIMAYBAf8CAQAwDQYJKoZIhvcNAQELBQADggEB
AJkn+MDE4V10DZn4uEc0s0Mg4FEMC1fDewmDYwSNnxRlzfEi+wAX2AaqrJ4m4Qa7
xIyuSYxArEOY6QeyJyw7/06dom8aAv4aO2p8hE04Ih6QwaTMFIlT2Jf6TidVd3eT
wfjwFJVoJ+dgxsaCv2uMFZWee5aRHmKzj9LhqPwpWnTs9Q/qmOheUNoe2/1i8yvn
662M7RZMR7fZH6ETsdz5w1nPXXiRqJ7K0EGKoPNjMlYK3/U1X3sazI4tpMNgTdxG
rnNh9Sd9REMBmDCPj9dUI9k4hQX4yQZp96fnLT6cet22OPajEKnpzyqJs1s4iX/g
lEtWs4V/YBhKA56CW6ASZS8=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDnTCCAoWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBhTEtMCsGA1UELhMkYjg4
ZTUzYTMtODdmNC00N2VhLWJjN2MtYTdhMzM4NmIwZmU4MTEwLwYDVQQDEyhHb29n
bGUgQ2xvdWQgTWVtb3J5c3RvcmUgUmVkaXMgU2VydmVyIENBMRQwEgYDVQQKEwtH
b29nbGUsIEluYzELMAkGA1UEBhMCVVMwHhcNMjAwOTE4MjEzMTI3WhcNMzAwOTE2
MjEzMjI3WjCBhTEtMCsGA1UELhMkYjg4ZTUzYTMtODdmNC00N2VhLWJjN2MtYTdh
MzM4NmIwZmU4MTEwLwYDVQQDEyhHb29nbGUgQ2xvdWQgTWVtb3J5c3RvcmUgUmVk
aXMgU2VydmVyIENBMRQwEgYDVQQKEwtHb29nbGUsIEluYzELMAkGA1UEBhMCVVMw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEO4Zs/So5DA6wtftkAElD
8BVREob4gby2mGBYAtd3JJQKFC+zIqCf2DhrWihrCeXhsdsZqJUF16E3MsCCWS2T
UWt6T37zObU2fzKmb7X+TSw1tunIUcIXwWzoMhqdGrIvfI9guMbF+KssQIjDMs9M
G/hY6cY1NB5THOxXqcxzYrwSKB1EE160EDz4RgKAYQhw7AyVOBBAbWqA5pTEDuUy
qpsz+NFpKYTwaeTpzil0xIl0JJS3DOd4G7ZnMG2wFT2j3wt+P0SkAPuOWgmX82iO
gGmKoaCh3KcICie/rZRTfsRPjMm+yswRQRDeLB5eoMmH+gbUInVZU0qOJ/7gOYEb
AgMBAAGjFjAUMBIGA1UdEwEB/wQIMAYBAf8CAQAwDQYJKoZIhvcNAQELBQADggEB
AF4xlEbwLUK5VjoKlJBtKXLYrYcW+AbQLhZQFP8exE8bOW7p39h+5J0nl3ItPxu6
97BCt1P5TFisba8pBxaExiDsYmjKQrhtizMkzl5h9hGksOgoLlAqaaxfA97+Q9Tq
5gaYChESur/159Z3jiM47obKoZmHfgSgr//7tjII7yZxUGhOjIVffv/fEa4aixqM
0yH1V1s8hWHZeui2VFrHmTxY20IH9ktyedjSUgnFXzsEH6sbR18p0wBZqyrrtURs
DaUIeoOHfHgEJM8k/wphSJI0V6pMC6nax2JhexLTRiUsiGTLRDe3VtsdWqS2DLa9
9DmrfdF0eFrfWw3VRNLwwXg=
-----END CERTIFICATE-----
Your file, as seen in the previous example, should follow these guidelines:
- Copy the entire Certificate Authority, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
- Make sure that the text of the CAs is completely left justified. There should be no spaces in front of any line of the CAs.
- Each Certificate Authority should start on a new line. No blank lines should exist between CAs.
Configure your client for in-transit encryption
The client that you use to connect to the cluster must support TLS or use a third-party sidecar to enable TLS.
If your client supports TLS, configure it to point to your Redis instance's IP address, port 6379, and the file containing the Certificate Authorities. Configure the client to require verification of the server certificate against that file: a TLS client that connects without verifying the server certificate encrypts the traffic but does not authenticate the server. If you choose to use a sidecar, we recommend using Stunnel.
Securely connect to a Memorystore cluster using Stunnel and telnet
For instructions on using Stunnel to enable in-transit encryption on a Compute Engine client, see Securely connect to a Memorystore instance using Stunnel and telnet.
Manage Certificate Authority rotation
Install all downloadable Certificate Authorities on every client that accesses your cluster.
The simplest way to be ready for a Certificate Authority rotation is to add the new CAs to the client file, alongside the previous CAs, as soon as they become available.
To confirm that a client has the required CAs, check that the CAs saved in its file match those returned by the get-cluster-certificate-authority command. Both the new and the old CAs are active during rotation to minimize downtime; a client that lacks the new CA cannot verify the server once the old CA is retired.
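The following script is an added example, not code from the Memorystore documentation or from the client library sample it links to. It turns the paste-and-check procedure in "Install Certificate Authorities on your client" and the match check in this section into something repeatable: it extracts every CA from the raw output of the get-cluster-certificate-authority command (or from a hand-pasted file), rewrites it in the required left-justified, no-blank-lines layout, rejects truncated certificates, reports CAs that the cluster advertises but the client file lacks, and builds a TLS client context that trusts only those CAs. The function names, the ca_check.py file name and the check_hostname=False setting (chosen because the client connects by IP address) are assumptions made here, not anything the documentation specifies; the embedded certificate is the first CA from the example server_ca.pem file above and serves only as sample input.

```python
"""Added example, not from the Memorystore documentation: tidy and validate a
server_ca.pem bundle, find CAs missing during a CA rotation, and build a TLS
client context that trusts only the cluster's CAs."""
import base64
import hashlib
import re
import socket
import ssl
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Sample input: the first CA from the example server_ca.pem file above.
# Your cluster returns its own CAs; this one only drives the example.
PAGE_CA = """-----BEGIN CERTIFICATE-----
MIIDnTCCAoWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBhTEtMCsGA1UELhMkNzYx
NTc4OGMtMTI2Yi00Nzk0LWI2MWMtY2YxOWE2Y2Y1ZjNiMTEwLwYDVQQDEyhHb29n
bGUgQ2xvdWQgTWVtb3J5c3RvcmUgUmVkaXMgU2VydmVyIENBMRQwEgYDVQQKEwtH
b29nbGUsIEluYzELMAkGA1UEBhMCVVMwHhcNMjAwOTE3MjEzNDE1WhcNMzAwOTE1
MjEzNTE1WjCBhTEtMCsGA1UELhMkNzYxNTc4OGMtMTI2Yi00Nzk0LWI2MWMtY2Yx
OWE2Y2Y1ZjNiMTEwLwYDVQQDEyhHb29nbGUgQ2xvdWQgTWVtb3J5c3RvcmUgUmVk
aXMgU2VydmVyIENBMRQwEgYDVQQKEwtHb29nbGUsIEluYzELMAkGA1UEBhMCVVMw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyDKmDHZm6tzMhNtKOnp8H
8+zTv1qA6OkBToVqCjKTTMGO18ovNtAAMjbGvclLuJNLbA2WTTWVttHen6Cn82h0
3gG9HMk9AwK1cVT7gW072h++TRsYddIRlwnSweRWL8jUX+PNt7CjFqH+sma/Hb1m
CktHdBOa897JiYHrMVNTcpS8SFwwz05yHUTEVGlHdkvlaJXfHLe6keCMABLyjaMh
1Jl4gZI2WqLMV680pJusK6FI6q/NmqENFc9ywMEg395lHTK9w9e014WIXg0q7sU3
84ChVVS2yYOMEUWeov4Qx6XeVfA4ss5t7OCqsMQkvslkE90mJZcVvhBj3QvTH9Rz
AgMBAAGjFjAUMBIGA1UdEwEB/wQIMAYBAf8CAQAwDQYJKoZIhvcNAQELBQADggEB
AJkn+MDE4V10DZn4uEc0s0Mg4FEMC1fDewmDYwSNnxRlzfEi+wAX2AaqrJ4m4Qa7
xIyuSYxArEOY6QeyJyw7/06dom8aAv4aO2p8hE04Ih6QwaTMFIlT2Jf6TidVd3eT
wfjwFJVoJ+dgxsaCv2uMFZWee5aRHmKzj9LhqPwpWnTs9Q/qmOheUNoe2/1i8yvn
662M7RZMR7fZH6ETsdz5w1nPXXiRqJ7K0EGKoPNjMlYK3/U1X3sazI4tpMNgTdxG
rnNh9Sd9REMBmDCPj9dUI9k4hQX4yQZp96fnLT6cet22OPajEKnpzyqJs1s4iX/g
lEtWs4V/YBhKA56CW6ASZS8=
-----END CERTIFICATE-----
"""


def normalize_ca_bundle(text: str) -> str:
    """Extract every CA from raw gcloud output or a hand-pasted file and return
    a bundle in the required layout: BEGIN/END lines kept, nothing indented,
    no blank lines.  Raises ValueError for anything that is not a complete
    DER certificate (for example a paste that lost a line)."""
    certs = []
    for body in PEM_RE.findall(text):
        b64 = "".join(body.split())
        der = base64.b64decode(b64, validate=True)  # bad base64 raises here
        # A DER certificate is a SEQUENCE (0x30) with a two-byte length
        # (0x82 hi lo) that must equal the decoded size; truncation breaks it.
        if der[:2] != b"\x30\x82" or \
                int.from_bytes(der[2:4], "big") + 4 != len(der):
            raise ValueError("not a complete DER X.509 certificate")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        certs.append("\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                                "-----END CERTIFICATE-----"]))
    if not certs:
        raise ValueError("no CA certificates found in input")
    return "\n".join(certs) + "\n"


def fingerprints(bundle: str) -> set[str]:
    """SHA-256 over the DER encoding of each certificate in the bundle."""
    return {hashlib.sha256(base64.b64decode("".join(b.split()))).hexdigest()
            for b in PEM_RE.findall(bundle)}


def missing_cas(client_file: str, gcloud_output: str) -> set[str]:
    """CAs the cluster advertises that the client file lacks.  Non-empty
    during a rotation means the client stops verifying the server once the
    old CA is retired, so append the new CA to the client file."""
    return fingerprints(gcloud_output) - fingerprints(client_file)


def make_tls_context(bundle: str) -> ssl.SSLContext:
    """Client context that trusts only the cluster CAs and requires a valid
    chain.  check_hostname is off because the client connects by IP address
    (assumption made for this example, not a documented setting)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cadata=normalize_ca_bundle(bundle))
    return ctx


def redis_ping(host: str, ctx: ssl.SSLContext, port: int = 6379) -> bytes:
    """Connect to the cluster endpoint over TLS and send a RESP PING; expect
    b"+PONG\\r\\n" (or a -NOAUTH error if the cluster requires AUTH first)."""
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw) as tls:
            tls.sendall(b"*1\r\n$4\r\nPING\r\n")
            return tls.recv(64)


if __name__ == "__main__":
    # Usage: python3 ca_check.py /tmp/server_ca.pem < gcloud_output.txt
    with open(sys.argv[1]) as f:
        missing = missing_cas(f.read(), sys.stdin.read())
    print("CAs missing from client file:", len(missing))
    sys.exit(1 if missing else 0)
```

Save the output of the get-cluster-certificate-authority command to gcloud_output.txt and run python3 ca_check.py /tmp/server_ca.pem < gcloud_output.txt; a non-zero exit means the client file is missing a CA and should be updated before the rotation completes. redis_ping exists to confirm that the context really verifies the server chain: pointing it at the cluster IP succeeds only when the bundle contains the CA that issued the server certificate, and a missing CA surfaces as an ssl.SSLCertVerificationError rather than a silent unauthenticated connection.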
Code sample for connecting to an instance that uses in-transit encryption
To view a code sample on how to set up a client library to connect to an instance that uses in-transit encryption, see In-transit encryption client library code sample.