Security overview

This page describes the security provided for your Memorystore for Redis instance.

A Memorystore for Redis instance isn't publicly accessible. Access to the instance is limited to clients that can establish a private services access connection. For instructions on setting up connectivity, see Networking.

Management of Memorystore for Redis instances is secured using Identity and Access Management (IAM) role-based access control. For more information, see Access control with IAM.

Encryption

All network data to and from Memorystore for Redis is encrypted in transit at the network level according to Google Cloud's default protection for any VM-to-VM traffic.

Memorystore for Redis doesn't encrypt data in memory and it doesn't use disks during replication.

Security best practices

We recommend that you access your Memorystore for Redis instance by using trusted clients inside trusted environments. Don't expose the instance directly to the internet or, in general, to any environment where untrusted clients can access the instance's TCP port or UNIX socket directly.

For example, if a web application uses an instance as a database, cache, or messaging system, then the clients inside the frontend (the web side) of the application query the instance to generate pages or to perform operations that the user requests. In this case, the web application mediates access between the instance and the untrusted clients, which are the user browsers that access the web application.

We recommend that you mediate untrusted access to the instance by using a layer that does the following:

  • Implements access control lists (ACLs)
  • Validates user inputs
  • Decides which operations to perform against the instance
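
The following sketch shows one shape such a mediating layer can take. It is an added example, not code from the Memorystore documentation: the role names, action names, key layout (`user:<id>`) and validation patterns are assumptions chosen for illustration. The layer checks an application-level ACL, validates each user-supplied value against an allow-list pattern, and maps the request to a fixed Redis command, so untrusted callers never supply command names or raw keys.

```python
import re

# Constructed policy: role and action names are assumptions for illustration.
ACL = {
    "viewer": {"get_profile"},
    "editor": {"get_profile", "set_display_name"},
}

USER_ID = re.compile(r"[0-9]{1,12}")
DISPLAY_NAME = re.compile(r"[\w .'-]{1,64}")


class Denied(Exception):
    """The caller's role may not perform the requested action."""


class Invalid(Exception):
    """A user-supplied parameter failed validation."""


def checked(pattern, value, field):
    # Allow-list validation: the whole value must match, or the request fails.
    if not isinstance(value, str) or not pattern.fullmatch(value):
        raise Invalid(field)
    return value


def get_profile(params):
    return ("HGETALL", "user:" + checked(USER_ID, params.get("user_id"), "user_id"))


def set_display_name(params):
    key = "user:" + checked(USER_ID, params.get("user_id"), "user_id")
    name = checked(DISPLAY_NAME, params.get("display_name"), "display_name")
    return ("HSET", key, "display_name", name)


# The layer, not the caller, decides which Redis command each action maps to.
ACTIONS = {"get_profile": get_profile, "set_display_name": set_display_name}


def mediate(role, action, params):
    """Return the Redis command tuple for an authorized, validated request."""
    if action not in ACL.get(role, set()) or action not in ACTIONS:
        raise Denied(f"{role!r} may not perform {action!r}")
    return ACTIONS[action](params)
```

A trusted client running inside the authorized network would send the returned tuple to the instance, for example with redis-py's `execute_command(*cmd)`.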

For more information about security from Redis' point of view, see Redis security.