If you want to access an ApsaraDB for Redis instance from an Elastic Compute Service (ECS) instance over a virtual private cloud (VPC), the ECS instance must be in the same region and belong to the same VPC as the ApsaraDB for Redis instance. A whitelist and a valid account and password must also be configured for the ApsaraDB for Redis instance. This topic describes solutions to common issues that prevent an ECS instance from being connected to an ApsaraDB for Redis instance.
Troubleshooting process for ECS connection issues
Step 1: Check whether the error message is "invalid password", "WRONGPASS", or "NOAUTH Authentication required"
If the error message is "connection timed out" or no explicit error message is displayed, skip Step 1 and proceed to Step 2.
Error description
If the error message is "invalid password", "WRONGPASS invalid username-password pair", or "NOAUTH Authentication required", the account and password are incorrect.
Solution
Use a password in the <user>:<password> format to re-establish the connection. For example, if the username of the custom account is testaccount and the password is Rp829dlwa, enter testaccount:Rp829dlwa as the password.
If a password error is still reported when you use a password in the <user>:<password> format to reconnect the ECS instance to the ApsaraDB for Redis instance, you may have entered the wrong password. In this case, reset the password and use the new password to establish the connection. For more information about how to reset the password, see Change or reset the password.
Step 2: Run the ping command to check whether the ECS instance is connected to the ApsaraDB for Redis instance
Procedure
Log on to the ECS instance and run the ping command.
ping <host>
Example: ping r-bp1zx****.redis.rds.aliyuncs.com
Result description
If the ping operation is successful, the network is connected, as shown in the following result illustrations. You can proceed to Step 3 for further troubleshooting.
If the ping operation fails, the network is not connected.
Common causes and solutions
The ECS instance and the ApsaraDB for Redis instance may belong to different VPCs.
Check whether the ECS instance and the ApsaraDB for Redis instance belong to the same VPC. For more information, see How do I check whether an ECS instance and an ApsaraDB for Redis instance are of the same network type?
If the ECS instance and the ApsaraDB for Redis instance belong to different VPCs, you can perform the following operations:
Change the VPC of the ECS instance. For more information, see Change the VPC of an ECS instance.
Connect the ECS instance to the ApsaraDB for Redis instance over the Internet. For information about how to apply for a public endpoint, see Apply for a public endpoint for an ApsaraDB for Redis instance.
Important: Compared with the Internet, VPCs provide better security and performance. Therefore, we recommend that you use a VPC to connect to the ApsaraDB for Redis instance.
The outbound access rule of the security group of the ECS instance may block traffic to the vSwitch or VPC IP address of the ApsaraDB for Redis instance.
Check whether the ECS security group has an outbound rule whose protocol type is ICMP (IPv4) and whether the rule blocks traffic to the vSwitch or VPC IP address of the ApsaraDB for Redis instance.
If yes, allow access to the vSwitch or VPC IP address of the ApsaraDB for Redis instance. For more information, see Add a security group rule.
Note: To view the vSwitch or VPC IP address, click the ID of the vSwitch or VPC on the Instance Information page in the ApsaraDB for Redis console. On the page that appears, view the IPv4 CIDR block.
If the connection still fails, see Run the PING command to check the connection between an ECS instance and an ApsaraDB for Redis instance.
Step 3: Run the telnet command to check whether the service port is available
Procedure
Log on to the ECS instance and run the telnet command.
telnet <host> <port>
Example: telnet r-bp1zx****.redis.rds.aliyuncs.com 6379
Result description
If "Connected to ..." is returned or the telnet interface is displayed, as shown in the following result illustrations, the port is available.
If the "Connection timed out" or "Connect failed" message is displayed, the connection fails.
Common causes and solutions
The whitelist is incorrectly configured or no whitelist is configured. For more information, see Step 4: Check the whitelist.
The outbound access rule of the security group of the ECS instance may block traffic on the service port of ApsaraDB for Redis.
Check whether the ECS security group has an outbound rule whose protocol type is TCP and whether the rule blocks traffic to the service port of ApsaraDB for Redis. The default port is 6379. If yes, allow access to the ApsaraDB for Redis instance over the port. For more information, see Add a security group rule.
If the connection still fails, see Use the telnet command to check the connection to the service port of ApsaraDB for Redis.
Step 4: Check the whitelist
The common cause of connection failure is that the whitelist is incorrectly configured or no whitelist is configured. In the following two scenarios, we recommend that you check the whitelist.
The domain name can be pinged, but the telnet operation fails.
If you use redis-cli to connect to the VPC endpoint of the ApsaraDB for Redis instance from the ECS instance, the "(error) ERR illegal address" or "(error) ERR client ip is not in whitelist" error is reported.
Common causes
An incorrect IP address is configured.
For example, you connect the ECS instance to the VPC endpoint of the ApsaraDB for Redis instance, but mistakenly add the public IP address of the ECS instance to the whitelist of the ApsaraDB for Redis instance. Alternatively, you connect the ECS instance to the public endpoint of the ApsaraDB for Redis instance, but mistakenly add the primary private IP address of the ECS instance to the whitelist of the ApsaraDB for Redis instance.
No whitelist is configured.
Solution 1
You can check whether the IP address of the ECS instance has been added to the whitelist of the ApsaraDB for Redis instance by performing connection diagnostics. You can also add the IP address of the ECS instance to the whitelist. For more information, see Perform diagnostics on connections.
When you select the IP address of the ECS instance, it is important to distinguish between private and public endpoints.
Solution 2
Check whether the endpoint that you use is a VPC endpoint or a public endpoint. For more information, see View endpoints.
If the endpoint is a VPC endpoint, add the primary private IP address of the ECS instance to the whitelist of the ApsaraDB for Redis instance. If the endpoint is a public endpoint, add the public IP address of the ECS instance to the whitelist of the ApsaraDB for Redis instance. For more information, see Configure whitelists.
Note: For information about how to query the IP address of an ECS instance, see Network FAQ.
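The Step 4 rule (VPC endpoint requires the primary private IP address, public endpoint requires the public IP address) can be checked offline against a copy of the whitelist entries. The following is an added example, not part of the original documentation or any Alibaba Cloud tool; the function names, result labels and sample addresses are hypothetical and constructed for illustration.

```python
import ipaddress

def required_source_ip(endpoint_type, private_ip, public_ip):
    """Step 4 rule: VPC endpoint -> primary private IP, public endpoint -> public IP."""
    if endpoint_type == "vpc":
        return private_ip
    if endpoint_type == "public":
        return public_ip
    raise ValueError("endpoint_type must be 'vpc' or 'public'")

def covered(ip, entries):
    """True if ip falls inside any whitelist entry (single address or CIDR block)."""
    if ip is None:  # for example, an ECS instance without a public IP address
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e.strip(), strict=False) for e in entries)

def diagnose_whitelist(endpoint_type, private_ip, public_ip, entries):
    """Return 'ok', 'no_whitelist', 'wrong_ip_type' or 'not_listed' (hypothetical labels)."""
    needed = required_source_ip(endpoint_type, private_ip, public_ip)
    other = public_ip if endpoint_type == "vpc" else private_ip
    if not entries:
        return "no_whitelist"      # cause: no whitelist is configured
    if covered(needed, entries):
        return "ok"                # the address that matches the endpoint type is listed
    if covered(other, entries):
        return "wrong_ip_type"     # cause: the other kind of IP address was added by mistake
    return "not_listed"            # neither address of the ECS instance is listed

if __name__ == "__main__":
    # Constructed sample values, not taken from a real instance.
    ecs_private, ecs_public = "192.168.1.20", "203.0.113.10"
    cases = [
        ("vpc", ["203.0.113.10"]),       # public IP added while using the VPC endpoint
        ("public", ["192.168.1.0/24"]),  # private CIDR block added while using the public endpoint
        ("vpc", ["192.168.1.0/24"]),     # correct entry for the VPC endpoint
        ("vpc", []),                     # no whitelist configured
    ]
    for endpoint, whitelist in cases:
        print(endpoint, whitelist, "->",
              diagnose_whitelist(endpoint, ecs_private, ecs_public, whitelist))
```
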
References
For information about the reasons why an on-premises device fails to connect to an ECS instance and the troubleshooting method, see How do I troubleshoot connection issues in ApsaraDB for Redis?
For information about how to connect an ECS instance to an ApsaraDB for Redis instance across Alibaba Cloud accounts, see How do I connect an ECS instance to an ApsaraDB for Redis instance across accounts?