Security overview

This page describes the security provided for your Memorystore for Valkey instance.

A Memorystore for Valkey instance isn't publicly accessible. Access to the instance is limited to clients that can reach the Private Service Connect endpoint configured for the instance. For instructions on setting up connectivity, see Networking setup guidance.

Management of Memorystore for Valkey instances is secured using Identity and Access Management (IAM) role-based access control. For more information, see Access control.

Encryption

All network data to and from Memorystore for Valkey is encrypted in transit at the network level according to Google Cloud's default protection for any VM-to-VM traffic.

Memorystore for Valkey doesn't encrypt data in memory. Also, Memorystore for Valkey supports diskless replication. Unless you enable persistence, Memorystore for Valkey doesn't use disks during replication.

Security best practices

We recommend that you access your Memorystore for Valkey instance only from trusted clients inside trusted environments. Don't expose the instance directly to the internet or, in general, to any environment where untrusted clients can access the instance's TCP port or UNIX socket directly.

For example, if a web application uses an instance as a database, cache, or messaging system, then the clients inside the frontend (the web side) of the application query the instance to generate pages or to perform operations that the user requests. In this case, the web application mediates access between the instance and the untrusted clients, which are the user browsers that access the web application.

We recommend that you mediate untrusted access to the instance by using a layer that does the following:

  • Implements access control lists (ACLs)
  • Validates user inputs
  • Decides which operations to perform against the instance
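
The mediation layer described in the list above, sketched as an added example (not code from Google or the Valkey project). The roles, operation names, key prefix, and the dict-backed FakeValkey stand-in are all hypothetical and constructed so that the example runs offline.

```python
import re

class FakeValkey:
    """Constructed dict-backed stand-in for a Valkey client (runs offline)."""
    def __init__(self):
        self.data = {}
    def get(self, key):
        return self.data.get(key)
    def set(self, key, value):
        self.data[key] = value
        return True
    def delete(self, key):
        return 1 if self.data.pop(key, None) is not None else 0

class Denied(Exception):
    """The caller's role is not allowed to run the requested operation."""
class InvalidInput(Exception):
    """User-supplied data failed validation."""
# ACL: application-level operations each role may request (hypothetical roles).
ACL = {
    "viewer": {"read_profile"},
    "editor": {"read_profile", "update_profile"},
    "admin": {"read_profile", "update_profile", "delete_profile"},
}
USER_ID = re.compile(r"[a-z0-9_]{1,32}")  # strict allowlist for key material
MAX_VALUE_LEN = 256

class Mediator:
    def __init__(self, store):
        # The layer, not the user, decides which command each operation maps to.
        self.ops = {
            "read_profile": lambda key, value: store.get(key),
            "update_profile": lambda key, value: store.set(key, value),
            "delete_profile": lambda key, value: store.delete(key),
        }

    def handle(self, role, operation, user_id, value=None):
        # 1. ACL check; unknown roles and unknown operations are both denied.
        if operation not in ACL.get(role, set()):
            raise Denied(f"{role!r} may not perform {operation!r}")
        # 2. Input validation before anything reaches the instance.
        if not isinstance(user_id, str) or not USER_ID.fullmatch(user_id):
            raise InvalidInput("bad user id")
        if operation == "update_profile" and not (
            isinstance(value, str) and value.isprintable() and len(value) <= MAX_VALUE_LEN
        ):
            raise InvalidInput("bad value")
        # 3. Fixed key namespace: user input never forms a raw key or command.
        return self.ops[operation](f"profile:{user_id}", value)
```

Because the browser only ever names an application-level operation, a request can never select an arbitrary command or key pattern on the instance.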

For more information about security from Valkey's point of view, see Valkey security.