TLS encryption overview

This page gives an overview of Transport Layer Security (TLS) for Memorystore for Redis.

For instructions on creating a Redis instance with TLS, see Creating a Redis instance with TLS.

Introduction

Memorystore for Redis supports encrypting client-to-server traffic using Transport Layer Security (TLS). Enabling TLS protects your Redis instance data in transit between the client and the Memorystore instance. When this optional encryption is enabled, Redis clients communicate exclusively over a dedicated secure port whose connections are encrypted with TLS; connection attempts from Redis clients that are not configured for TLS are blocked. If you choose to enable TLS, you are responsible for ensuring that your Redis client is capable of using the TLS protocol.

TLS prerequisites

In order to use TLS with Memorystore for Redis, you need:

  1. A Redis client that supports TLS, or a third-party TLS sidecar in front of a client that does not
  2. The instance's Certificate Authority (CA) certificate installed on the client machine accessing your Redis instance

Native TLS was not supported prior to open source Redis version 6.0. As a result, not every Redis client library supports TLS. If you are using a client that does not support TLS, we recommend using the Stunnel third-party tool, which terminates TLS on behalf of your client. See Securely connecting to a Redis instance using Stunnel and telnet for an example of how to connect to a Redis instance with Stunnel.

Certificate Authority

Redis instances that use TLS have one or more unique Certificate Authorities (CAs) that clients use to verify the identity of the server. The CA is provided as a certificate string that you must download and install on every client accessing your Redis instance; a client that does not trust the instance's CA cannot verify the server and cannot connect. A CA is valid for ten years from the date it is created. To ensure service continuity, the new CA must be installed on clients of the Redis instance before the previous CA expires.

Certificate Authority rotation

The CA issued at instance creation is valid for 10 years. In addition, a new CA becomes available five years after instance creation.

The old CA is valid until its expiration date. This gives you a five year window in which to download and install the new CA to clients connecting to the Redis instance. After the old CA expires you can uninstall it from clients.

For instructions on rotating the CA, see Managing Certificate Authority rotation.

Server certificate rotation

Server-side certificate rotation occurs every 90 days and causes a transient connection drop of a few seconds; existing TLS connections are closed and clients must reconnect. You should have retry logic with exponential backoff in place in order to reestablish the connection. Certificate rotation does not cause a failover for Standard Tier instances.
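The following is an added example, not Google's or any Redis client library's code, that puts the prerequisites above (a TLS-capable client trusting only the instance's CA) and the reconnect advice in this section into working code using only the Python standard library. The host, TLS port, CA file path and AUTH string are placeholder assumptions; the port to use is whatever your instance reports. It opens a TLS socket to the instance, speaks enough RESP to send AUTH and PING, and wraps the connection attempt in capped exponential backoff with jitter so that the brief drop during a 90-day server certificate rotation is retried while application-level errors such as a rejected AUTH are not.

```python
"""Connect to a TLS-enabled Memorystore for Redis instance with stdlib only.

Added example (not Google's code). REDIS_HOST, REDIS_PORT, SERVER_CA_FILE and
the AUTH string are placeholder assumptions for illustration.
"""
import random
import socket
import ssl
import time

REDIS_HOST = "10.0.0.3"            # assumption: your instance's host address
REDIS_PORT = 6378                  # assumption: your instance's TLS port
SERVER_CA_FILE = "server-ca.pem"   # assumption: CA downloaded from the instance


def build_tls_context(ca_file):
    """Return a client TLS context that trusts only the instance CA.

    The default system trust store is deliberately not loaded, so no public
    CA can vouch for the server. With ca_file=None the context has no trust
    anchors at all and every handshake fails verification (fail closed).
    Hostname checking is off because the server is identified by the
    instance-specific CA rather than a DNS name; verify_mode stays
    CERT_REQUIRED so the certificate chain is still validated.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse legacy protocol versions
    if ca_file is not None:
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def encode_command(*parts):
    """Encode a Redis command as a RESP array of bulk strings."""
    out = [b"*%d\r\n" % len(parts)]
    for part in parts:
        data = part.encode() if isinstance(part, str) else part
        out.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(out)


def parse_simple_reply(data):
    """Parse a single-line RESP reply (+status, :integer, -error)."""
    line, _, _ = data.partition(b"\r\n")
    kind, body = line[:1], line[1:].decode()
    if kind == b"+":
        return body
    if kind == b":":
        return int(body)
    if kind == b"-":
        # Server-side error (for example a rejected AUTH): not a transport
        # failure, so it must not be retried by the backoff loop below.
        raise RuntimeError("redis error: " + body)
    raise ValueError("unexpected reply: %r" % line)


def tls_ping(host, port, ctx, auth=None, timeout=5.0):
    """Open a TLS connection, optionally AUTH, and return the PING reply."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw) as tls:   # handshake verifies server against CA
            if auth is not None:
                tls.sendall(encode_command("AUTH", auth))
                parse_simple_reply(tls.recv(1024))
            tls.sendall(encode_command("PING"))
            return parse_simple_reply(tls.recv(1024))


def retry_with_backoff(action, attempts=6, base_delay=0.25, max_delay=8.0,
                       sleep=time.sleep, rand=random.random):
    """Call action() until it succeeds, retrying only transport failures.

    Delay doubles each attempt, is capped at max_delay, and is jittered by a
    factor in [0.5, 1.5) so a fleet of clients does not reconnect in lockstep
    after a certificate rotation. OSError covers socket and ssl.SSLError.
    """
    delay = base_delay
    for attempt in range(1, attempts + 1):
        try:
            return action()
        except OSError:
            if attempt == attempts:
                raise
            sleep(min(max_delay, delay * (0.5 + rand())))
            delay *= 2


if __name__ == "__main__":
    context = build_tls_context(SERVER_CA_FILE)
    reply = retry_with_backoff(
        lambda: tls_ping(REDIS_HOST, REDIS_PORT, context, auth="example-auth-string"))
    print("server replied:", reply)
```

In a real client, keep one long-lived connection (or a small pool) per process and run the same backoff loop on every reconnect, not just at startup; this is what keeps a brief rotation-induced drop from turning into a flood of new handshakes against the connection limits described further down.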

Connection limits for TLS

Enabling TLS on your Redis instance introduces limits on the maximum number of client connections your instance can have. The limit is dependent on your instance size. You should consider increasing the size of your Redis instance if you need more connections than what is supported by your current capacity tier.

Capacity tier        Maximum number of connections
M1 (1-4 GB)          1,000
M2 (5-10 GB)         2,500
M3 (11-35 GB)        15,000
M4 (36-100 GB)       30,000
M5 (101+ GB)         65,000

Monitoring connections

Since Redis instances with TLS enabled have specific connection limits, you should monitor the redis.googleapis.com/clients/connected metric to make sure you don't exceed the connection limit for your capacity tier. If the limit is surpassed, the Redis instance rejects newly attempted connections. In this circumstance we recommend scaling up your instance to the size that accommodates the required number of connections.

Performance impact of enabling TLS

The TLS feature encrypts and decrypts data, which comes with processing overhead. As a result, enabling TLS can reduce performance. Also, when using TLS, each additional connection comes with an associated resource cost. To determine the latency associated with using TLS, benchmark your application against both a Redis instance that has TLS enabled and a Redis instance that has it disabled, and compare the results.

Guidelines for improving performance

  • Decrease the number of client connections when possible. Establish and reuse long-running connections rather than creating on-demand short-lived connections.
  • Increase the size of your Memorystore instance (M4 or larger is recommended).
  • Increase the CPU resources of the Memorystore client host machine. Client machines with a higher CPU count yield better performance. If using a Compute Engine VM, we recommend compute-optimized instances.
  • Decrease the payload size associated with application traffic because larger payloads require more round trips.

TLS impact on memory usage

Enabling TLS reserves some of your Redis instance memory for the feature. All other things being equal, with TLS enabled, the value for the System Memory Usage Ratio metric is higher because of the additional overhead memory used by TLS.

What's next