Security overview

This page describes the security provided for your cluster in Memorystore for Redis Cluster.

A cluster isn't publicly accessible. Access to the cluster is limited to clients that can reach the Private Service Connect endpoint configured for the cluster. For instructions on setting up connectivity, see Networking setup guidance.

Management of clusters is secured using Identity and Access Management (IAM) role-based access control. For more information, see Access Control with IAM.

Encryption

All network data to and from Memorystore for Redis Cluster is encrypted in transit at the network level, according to Google Cloud's default protection for any VM-to-VM traffic.

Memorystore for Redis Cluster doesn't encrypt data in memory. Memorystore for Redis Cluster also supports diskless replication: unless you enable persistence, it doesn't use disks during replication.

Security best practices

We recommend that you access your cluster in Memorystore for Redis Cluster by using trusted clients inside trusted environments. Don't expose the cluster to the internet directly or, in general, to any environment where untrusted clients can reach the cluster's TCP port or UNIX socket directly.

For example, if a web application uses a cluster as a database, cache, or messaging system, then the clients inside the frontend (the web side) of the application query the cluster to generate pages or to perform the operations that the user requests. In this case, the web application mediates access between the cluster and the untrusted clients, which are the user browsers that access the web application.

We recommend that you mediate untrusted access to the cluster by using a layer that does the following:

  • Implements access control lists (ACLs)
  • Validates user inputs
  • Decides which operations to perform against the cluster
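
The following is an added example of such a mediation layer, written for this page and not part of the Memorystore documentation or product. It assumes a web tier that receives untrusted requests (a role, an operation, and a key) and translates each one into a single, fixed Redis command on a namespaced key, so the browser never chooses commands or key names itself. The ACL table, the `session:` key pattern, and the value-size limit are constructed policy choices; `InMemoryClient` is a stand-in with the same `get`/`set`/`delete` method shapes as a redis-py client so the example runs offline.

```python
import re
from typing import Any, Dict, Optional, Set

# Constructed policy: the web tier only owns keys in its own namespace, and the
# pattern rejects anything that is not a short, plain identifier.
KEY_RE = re.compile(r"^session:[A-Za-z0-9_-]{1,64}$")
MAX_VALUE_BYTES = 1024

# Constructed ACL: which mediated operations each application role may request.
# This is enforced in the web tier, in front of the cluster.
ACL: Dict[str, Set[str]] = {
    "anonymous": {"read"},
    "user": {"read", "write"},
    "admin": {"read", "write", "delete"},
}


class MediationError(Exception):
    """Request denied or malformed; nothing is sent to the cluster."""


class InMemoryClient:
    """Constructed stand-in for a redis-py client (get/set/delete) for offline runs."""

    def __init__(self) -> None:
        self.store: Dict[str, str] = {}

    def get(self, key: str) -> Optional[str]:
        return self.store.get(key)

    def set(self, key: str, value: str) -> bool:
        self.store[key] = value
        return True

    def delete(self, key: str) -> int:
        return 1 if self.store.pop(key, None) is not None else 0


class Mediator:
    """Web-tier layer that owns every decision about what reaches the cluster."""

    def __init__(self, client: Any) -> None:
        self.client = client
        # Each permitted operation maps to exactly one Redis command; the
        # untrusted side never supplies a command name or raw arguments.
        self._ops = {
            "read": lambda key, _value: self.client.get(key),
            "write": lambda key, value: self.client.set(key, value),
            "delete": lambda key, _value: self.client.delete(key),
        }

    def handle(self, role: str, op: str, key: str, value: Optional[str] = None) -> Any:
        # 1. Access control: is this role allowed to request this operation?
        if op not in ACL.get(role, set()):
            raise MediationError(f"role {role!r} may not perform {op!r}")
        # 2. Input validation: key must be a string matching the owned namespace.
        if not isinstance(key, str) or KEY_RE.fullmatch(key) is None:
            raise MediationError("invalid key")
        # 3. Input validation for writes: bounded, plain string values only.
        if op == "write":
            if not isinstance(value, str) or len(value.encode()) > MAX_VALUE_BYTES:
                raise MediationError("invalid value")
        # 4. Decide and perform the single command this operation corresponds to.
        return self._ops[op](key, value)


def is_denied(mediator: Mediator, role: str, op: str, key: Any, value: Any = None) -> bool:
    """True if the mediator refuses the request without touching the client."""
    try:
        mediator.handle(role, op, key, value)
        return False
    except MediationError:
        return True


if __name__ == "__main__":
    m = Mediator(InMemoryClient())
    m.handle("user", "write", "session:abc123", "logged-in")
    print(m.handle("anonymous", "read", "session:abc123"))   # logged-in
    print(is_denied(m, "anonymous", "write", "session:abc123", "x"))  # True
    print(is_denied(m, "user", "read", "session:abc\r\nFLUSHALL"))    # True
```

In a real deployment the `InMemoryClient` would be replaced by the application's Redis client connected through the Private Service Connect endpoint; the point of the layer is that role checks, key and value validation, and the choice of command all happen in the trusted web tier before anything reaches the cluster.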

For more information about security from Redis' point of view, see Redis security.