If you want to access a Redis instance from an Elastic Compute Service (ECS) instance over a virtual private cloud (VPC), the ECS instance must be in the same region and belong to the same VPC as the Redis instance. A whitelist and a valid account and password must also be configured for the Redis instance. This topic describes solutions to common issues that prevent an ECS instance from being connected to a Redis instance.
Troubleshooting process for ECS connection issues
Step 1: Check whether the error message is invalid password
, WRONGPASS
, or NOAUTH Authentication required
If the error message is connection timed out
or no explicit error message is displayed, skip Step 1 and proceed to Step 2.
Error description
If the error message is invalid password
, WRONGPASS invalid username-password pair
, or NOAUTH Authentication required
, the account and password are incorrect.
Solution
Use a password in the <user>:<password>
format to re-establish the connection. For example, if the username of a custom account is testaccount
and the password is Rp829dlwa
, enter testaccount:Rp829dlwa
as the password.
If a password error is still reported when you use a password in the <user>:<password>
format to reconnect the ECS instance to the Redis instance, you may have entered an incorrect password. In this case, reset the password and use the new password to establish the connection. For more information about how to reset the password, see Change or reset the password.
Note
If you copy the password, it may cause formatting errors. Manually enter the password and try again.
Step 2: Run the ping command to check whether the ECS instance is connected to the Redis instance
Procedure
Log on to the ECS instance and run the ping command.
Example: ping r-bp1zx****.redis.rds.aliyuncs.com
Result description
If the ping operation is successful, the network is connected, as shown in the following figure. You can proceed to Step 3 for further troubleshooting.
Linux
In Linux, the system continuously sends ping requests after the ping command is run. You can press Ctrl+C on the keyboard to stop the execution and collect statistics, as shown in the following figure.
![image](https://help-static-aliyun-doc.aliyuncs.com/assets/img/en-US/8960989071/p759247.png)
Windows
In Windows, the system returns the test result after the ping command is run four times, as shown in the following figure.
![image](https://help-static-aliyun-doc.aliyuncs.com/assets/img/en-US/1672120171/p759246.png)
If the ping operation fails, the network is not connected.
Common causes and solutions
The ECS instance and the Redis instance may belong to different VPCs.
Check whether the ECS instance and the Redis instance belong to the same VPC. For more information, see How do I check whether an ECS instance and a Redis instance are of the same network type?
If the ECS instance and the Redis instance belong to different VPCs, you can perform the following operations:
Change the VPC of the ECS instance. For more information, see Change the VPC of an ECS instance.
Connect the ECS instance to the Redis instance over the Internet. For information about how to apply for a public endpoint, see Apply for a public endpoint for an instance.
Important
Compared with the Internet, VPCs provide better security and performance. Therefore, we recommend that you use a VPC to connect to the Redis instance.
The outbound access rule of the security group of the ECS instance may block traffic to the vSwitch or VPC IP address of the Redis instance.
Check whether the ECS security group has an outbound rule whose protocol type is ICMP (IPv4) and whether the rule blocks traffic to the vSwitch or VPC IP address of the Redis instance.
If yes, allow access to the vSwitch or VPC IP address of the Redis instance. For more information, see Add a security group rule.
Note
To view the vSwitch or VPC IP address, click the ID of the VSwitch or VPC on the Instance Information page in the Redis console. On the page that appears, view the IPv4 CIDR block.
If the connection still fails, see Run the PING command to check the connection between an ECS instance and a Tair instance.
Step 3: Run the telnet command to check whether the service port is available
Procedure
Log on to the ECS instance and run the telnet command.
Example: telnet r-bp1zx****.redis.rds.aliyuncs.com 6379
Result description
If Connected to ...
is returned or the telnet interface is displayed as shown in the following figure, the port is available.
Linux
The following output indicates that the connection is established by using telnet on a Linux system.
![image](https://help-static-aliyun-doc.aliyuncs.com/assets/img/en-US/9082120171/p759267.png)
Windows
The following output indicates that the connection is established by using telnet on a Windows system.
![image](https://help-static-aliyun-doc.aliyuncs.com/assets/img/en-US/8960989071/p759268.png)
If the "Connection timed out" or "Connect failed" message is displayed, the connection fails.
Common causes and solutions
The whitelist is incorrectly configured or no whitelist is configured. For more information, see Step 4: Check the whitelist.
The outbound access rule of the security group of the ECS instance may block traffic on the service port of Redis.
Check whether the ECS security group has an outbound rule whose protocol type is TCP and whether the rule blocks traffic to the service port of Redis. The default port number is 6379. If yes, allow access to the Redis instance over the port. For more information, see Add a security group rule.
If the connection still fails, see How do I use the telnet command to test connectivity to the port used by Tair?
Step 4: Check the whitelist
The common cause of connection failure is that the whitelist is incorrectly configured or no whitelist is configured. In the following two scenarios, we recommend that you check the whitelist.
The domain name can be pinged, but the telnet operation fails.
If you use redis-cli to connect to the VPC endpoint of the Redis instance from the ECS instance, the (error) ERR illegal address
or (error) ERR client ip is not in whitelist
error is reported.
Common causes
An incorrect IP address is configured.
For example, you connect the ECS instance to the VPC endpoint of the Redis instance, but mistakenly add the public IP address of the ECS instance to the whitelist of the Redis instance. Alternatively, you connect the ECS instance to the public endpoint of the Redis instance, but mistakenly add the primary private IP address of the ECS instance to the whitelist of the Redis instance.
No whitelist is configured.
Solution 1
You can check whether the IP address of the ECS instance is added to the whitelist of the Redis instance by performing connection diagnostics. You can also add the IP address of the ECS instance to the whitelist. For more information, see Perform diagnostics on connections.
Important
When you select the IP address of the ECS instance, it is important to distinguish between VPC and public endpoints.
![image](https://help-static-aliyun-doc.aliyuncs.com/assets/img/en-US/1672120171/p759581.png)
Solution 2
Check whether the endpoint that you use is a VPC endpoint or a public endpoint. For more information, see View endpoints.
If the endpoint is a VPC endpoint, add the primary private IP address of the ECS instance to the whitelist of the Redis instance. If the endpoint is a public endpoint, add the public IP address of the ECS instance to the whitelist of the Redis instance. For more information, see Configure whitelists.
Note
For information about how to query the IP address of an ECS instance, see Network FAQ.