@nbigot
Last active May 14, 2021 10:27
ssh tunnel port forward ec2

How to - ssh tunnel port forward ec2

This is a reminder of how to set up an SSH tunnel and connect to a Redis server when the Redis TCP port (6379) is not publicly open/accessible.

Let's assume the host is a public EC2 instance (or bastion) with private IP 10.0.0.236 and public IP 15.236.222.111 (a random public IP address chosen by AWS and assigned to the EC2 instance).

C:> ssh ec2-user@15.236.222.111 -i C:\xxxx\aws-ec2-demo.pem

ignore this part

/!\ don't do this: it's very bad for security (it copies the private key onto the bastion); it's just a reminder for me about how to copy a file with the scp command

scp -i C:\xxxx\aws-ec2-demo.pem C:\xxxx\aws-ec2-demo.pem ec2-user@15.236.222.111:aws-ec2-demo.pem

from the bastion (I am connected via ssh) (note: the two IPs differ by a single "1")

[ec2-user@ip-10-0-0-236 ~]$ chmod 400 aws-ec2-demo.pem
[ec2-user@ip-10-0-0-236 ~]$ ssh ec2-user@10.0.1.236 -i aws-ec2-demo.pem

troubleshooting

  • verify security group
  • verify nacl (check for deny rules for subnet)

example: add an inbound NACL rule to allow the public and private subnets to communicate with each other: rule 104, All traffic, All protocols, All ports, 10.0.0.0/8, Allow

redis

install redis

on the ec2 host:

[ec2-user@ip-10-0-0-236 ~]$ sudo amazon-linux-extras install redis4.0

configure redis

listen on all interfaces (0.0.0.0)

note: for the SSH tunnel described later, the forwarded connection arrives on the EC2 host's own loopback (127.0.0.1:6379), so the default bind 127.0.0.1 is enough. bind 0.0.0.0 is only needed if other hosts in the VPC must reach Redis directly; in that case keep 6379 closed in the security group and set requirepass (an explicit bind line also switches Redis' protected-mode off, so nothing else stops unauthenticated clients).

[ec2-user@ip-10-0-0-236 ~]$ sudo vi /etc/redis.conf
#bind 127.0.0.1
bind 0.0.0.0
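Added example (not part of the original gist): a small POSIX shell audit that reads a redis.conf the way the note above reasons about it, reporting when Redis would accept unauthenticated connections from outside loopback. The two sample config files are constructed here for the demonstration; the weak one mirrors the gist's bind 0.0.0.0 edit, the hardened one keeps bind 127.0.0.1 (sufficient behind the SSH tunnel) and adds a requirepass placeholder.

```shell
#!/bin/sh
# Audit helper for /etc/redis.conf. Added example, not from the gist.
# Assumes GNU/BSD grep, sed and tail; all paths are arguments.

# Print the address list of the last uncommented "bind" line (the last
# bind directive is the one Redis keeps). Prints nothing if there is none.
effective_bind() {
    grep -E '^[[:space:]]*bind[[:space:]]' "$1" \
        | tail -n 1 \
        | sed -E 's/^[[:space:]]*bind[[:space:]]+//; s/[[:space:]]+$//'
}

# Exit 0 ("exposed") when the config listens on a non-loopback address
# and no requirepass is set; exit 1 otherwise.
redis_unauth_exposed() {
    conf=$1
    # A password makes remote reachability an access-control question, not an exposure.
    grep -Eq '^[[:space:]]*requirepass[[:space:]]+[^[:space:]]' "$conf" && return 1
    bind=$(effective_bind "$conf")
    # No bind line at all: Redis listens on every interface.
    [ -n "$bind" ] || return 0
    # Wildcards ("bind * -::*" on newer Redis) are checked before word splitting
    # so the shell never glob-expands "*".
    case "$bind" in *'*'*) return 0 ;; esac
    for addr in $bind; do
        case "$addr" in
            0.0.0.0|::) return 0 ;;            # explicit wildcard addresses
            127.0.0.1|::1|-::1|-127.0.0.1) ;;  # loopback ("-" prefix = optional address, Redis 6.2+)
            *) return 0 ;;                     # any private/public IP is reachable from the VPC
        esac
    done
    return 1
}

# Constructed sample configs: the gist's weak edit beside a hardened one.
write_sample_confs() {
    dir=$1
    cat > "$dir/weak.conf" <<'EOF'
# constructed sample: what the gist configures
#bind 127.0.0.1
bind 0.0.0.0
protected-mode yes
port 6379
EOF
    cat > "$dir/hardened.conf" <<'EOF'
# constructed sample: reachable only through the SSH tunnel (loopback) and password-protected
bind 127.0.0.1
protected-mode yes
port 6379
requirepass replace-with-a-long-random-secret
EOF
}

# Usage on the host:  redis_unauth_exposed /etc/redis.conf && echo "EXPOSED: fix bind/requirepass"
```

The check deliberately treats a private VPC address such as 10.0.0.236 as exposed: the security group and NACL are what keep it unreachable, and the gist's troubleshooting section shows those get opened up when things don't work.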

start redis service

[ec2-user@ip-10-0-0-236 ~]$ sudo systemctl start redis.service
[ec2-user@ip-10-0-0-236 ~]$ sudo systemctl status redis.service
● redis.service - Redis persistent key-value database
   Loaded: loaded (/usr/lib/systemd/system/redis.service; disabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/redis.service.d
           └─limit.conf
   Active: active (running) since Fri 2021-05-14 09:28:31 UTC; 11s ago
 Main PID: 3693 (redis-server)
   CGroup: /system.slice/redis.service
           └─3693 /usr/bin/redis-server 0.0.0.0:6379

May 14 09:28:31 ip-10-0-0-236.eu-west-3.compute.internal systemd[1]: Starting Redis persistent key-value database...
May 14 09:28:31 ip-10-0-0-236.eu-west-3.compute.internal systemd[1]: Started Redis persistent key-value database.

add a key into redis

[ec2-user@ip-10-0-0-236 ~]$ redis-cli
127.0.0.1:6379> set mykey 123
OK
127.0.0.1:6379> get mykey
"123"
127.0.0.1:6379> exit
[ec2-user@ip-10-0-0-236 ~]$ redis-cli get mykey
"123"

create an ssh tunnel port forwarding

the most important part:

redis port forwarding: local port 6379 on the workstation is forwarded over SSH to 127.0.0.1:6379 on the EC2 host (-N means no remote command, just the tunnel; the local end binds to loopback by default, so only this machine can use it)

C:> ssh -i C:\xxxx\aws-ec2-demo.pem -N -L 6379:127.0.0.1:6379 ec2-user@15.236.222.111

(press ctrl+c when you have finished using it in order to close the tunnel)
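Added example (not part of the original gist): a POSIX shell wrapper around the tunnel command above that checks the two things that usually break it, the key file's permissions (OpenSSH refuses a private key readable by others) and a well-formed forward spec pinned to 127.0.0.1, then opens the tunnel in the background on an OpenSSH control socket so it can be closed cleanly instead of with ctrl+c. The key path, bastion and socket path are placeholders to be replaced.

```shell
#!/bin/sh
# SSH tunnel helper. Added example, not from the gist. Assumes OpenSSH
# (ssh -M/-S control sockets) and a Linux/macOS client.

# Return 0 when the private key is readable only by its owner (0400/0600),
# which is what OpenSSH requires before it will use the key at all.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the -L argument "127.0.0.1:LOCAL:REMOTE_HOST:REMOTE_PORT".
# The explicit 127.0.0.1 keeps the forwarded Redis port off the client's
# other interfaces even if GatewayPorts were enabled in ssh_config.
forward_spec() {
    local_port=$1 remote_host=$2 remote_port=$3
    case "$local_port" in ''|*[!0-9]*) return 1 ;; esac
    case "$remote_port" in ''|*[!0-9]*) return 1 ;; esac
    printf '127.0.0.1:%s:%s:%s\n' "$local_port" "$remote_host" "$remote_port"
}

# open_tunnel KEY USER@HOST SPEC SOCKET
#   -f  go to background once the forward is established
#   -N  no remote command, only the forward
#   -M -S  create a control master on SOCKET so close_tunnel can find it
#   ExitOnForwardFailure makes a failed -L a hard error instead of a silent no-op
open_tunnel() {
    key=$1 bastion=$2 spec=$3 sock=$4
    key_perms_ok "$key" || { echo "refusing: $key must be mode 400" >&2; return 1; }
    ssh -i "$key" -f -N -M -S "$sock" -o ExitOnForwardFailure=yes -L "$spec" "$bastion"
}

# close_tunnel USER@HOST SOCKET : ask the control master to exit.
close_tunnel() {
    ssh -S "$2" -O exit "$1"
}

# Example session (placeholder paths; not executed when this file is sourced):
#   spec=$(forward_spec 6379 127.0.0.1 6379)
#   open_tunnel ~/aws-ec2-demo.pem ec2-user@15.236.222.111 "$spec" /tmp/redis-tunnel.sock
#   redis-cli -h 127.0.0.1 -p 6379 get mykey
#   close_tunnel ec2-user@15.236.222.111 /tmp/redis-tunnel.sock
```

Because the remote side of the spec is 127.0.0.1 on the bastion, this works with Redis left on its default bind 127.0.0.1; nothing in the VPC needs 6379 opened.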

display listening sockets (on the ec2 host)

[ec2-user@ip-10-0-0-236 ~]$ ss -ntlp

[ec2-user@ip-10-0-0-236 ~]$ netstat -ntlp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -
tcp6       0      0 :::111                  :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -