

# Amazon VPCs and ElastiCache security


Because data security is important, ElastiCache provides means for you to control who has access to your data. How you control access to your data is dependent upon whether or not you launched your clusters in an Amazon Virtual Private Cloud (Amazon VPC) or Amazon EC2-Classic.

**Important**  
We have deprecated the use of Amazon EC2-Classic for launching ElastiCache clusters. All current generation nodes are launched in Amazon Virtual Private Cloud only.

The Amazon Virtual Private Cloud (Amazon VPC) service defines a virtual network that closely resembles a traditional data center. When you configure your Amazon VPC you can select its IP address range, create subnets, and configure route tables, network gateways, and security settings. You can also add a cluster to the virtual network, and control access to the cluster by using Amazon VPC security groups. 

This section explains how to manually configure an ElastiCache cluster in an Amazon VPC. This information is intended for users who want a deeper understanding of how ElastiCache and Amazon VPC work together.

**Topics**
+ [Understanding ElastiCache and Amazon VPCs](VPCs.EC.md)
+ [Access Patterns for Accessing an ElastiCache Cache in an Amazon VPC](elasticache-vpc-accessing.md)
+ [Creating a Virtual Private Cloud (VPC)](VPCs.CreatingVPC.md)
+ [Connecting to a cache running in an Amazon VPC](VPCs.Connecting.md)

# Understanding ElastiCache and Amazon VPCs


ElastiCache is fully integrated with the Amazon Virtual Private Cloud (Amazon VPC). For ElastiCache users, this means the following:
+ If your AWS account supports only the EC2-VPC platform, ElastiCache always launches your cluster in an Amazon VPC.
+ If you're new to AWS, your clusters will be deployed into an Amazon VPC. A default VPC will be created for you automatically.
+ If you have a default VPC and don't specify a subnet when you launch a cluster, the cluster launches into your default Amazon VPC.

For more information, see [Detecting Your Supported Platforms and Whether You Have a Default VPC](https://docs.aws.amazon.com/vpc/latest/userguide/default-vpc.html#detecting-platform).

With Amazon Virtual Private Cloud, you can create a virtual network in the AWS cloud that closely resembles a traditional data center. You can configure your Amazon VPC, including selecting its IP address range, creating subnets, and configuring route tables, network gateways, and security settings.

The basic functionality of ElastiCache is the same in a virtual private cloud; ElastiCache manages software upgrades, patching, failure detection and recovery whether your clusters are deployed inside or outside an Amazon VPC.

ElastiCache cache nodes deployed outside an Amazon VPC are assigned an IP address to which the endpoint/DNS name resolves. This provides connectivity from Amazon Elastic Compute Cloud (Amazon EC2) instances. When you launch an ElastiCache cluster into an Amazon VPC private subnet, every cache node is assigned a private IP address within that subnet.

## Overview of ElastiCache in an Amazon VPC


The following diagram and table describe the Amazon VPC environment, along with ElastiCache clusters and Amazon EC2 instances that are launched in the Amazon VPC.

![\[Diagram showing the Amazon VPC environment with ElastiCache clusters and Amazon EC2 instances.\]](http://docs.aws.amazon.com/AmazonElastiCache/latest/dg/images/vpc-overview-diagram.png)



| Callout | Description |
| --- | --- |
| 1 | The Amazon VPC is an isolated portion of the AWS Cloud that is assigned its own block of IP addresses. |
| 2 | An Internet gateway connects your Amazon VPC directly to the Internet and provides access to other AWS resources such as Amazon Simple Storage Service (Amazon S3) that are running outside your Amazon VPC. |
| 3 | An Amazon VPC subnet is a segment of the IP address range of an Amazon VPC where you can isolate AWS resources according to your security and operational needs. |
| 4 | A routing table in the Amazon VPC directs network traffic between the subnet and the Internet. The Amazon VPC has an implied router, which is symbolized in this diagram by the circle with the R. |
| 5 | An Amazon VPC security group controls inbound and outbound traffic for your ElastiCache clusters and Amazon EC2 instances. |
| 6 | You can launch an ElastiCache cluster in the subnet. The cache nodes have private IP addresses from the subnet's range of addresses. |
| 7 | You can also launch Amazon EC2 instances in the subnet. Each Amazon EC2 instance has a private IP address from the subnet's range of addresses. The Amazon EC2 instance can connect to any cache node in the same subnet. |
| 8 | For an Amazon EC2 instance in your Amazon VPC to be reachable from the Internet, you need to assign a static, public address called an Elastic IP address to the instance. |

## Prerequisites


To create an ElastiCache cluster within an Amazon VPC, your Amazon VPC must meet the following requirements:
+ The Amazon VPC must allow nondedicated Amazon EC2 instances. You cannot use ElastiCache in an Amazon VPC that is configured for dedicated instance tenancy.
+ A cache subnet group must be defined for your Amazon VPC. ElastiCache uses that cache subnet group to select a subnet and IP addresses within that subnet to associate with your VPC endpoints or cache nodes.
+ CIDR blocks for each subnet must be large enough to provide spare IP addresses for ElastiCache to use during maintenance activities.

## Routing and security


You can configure routing in your Amazon VPC to control where traffic flows (for example, to the Internet gateway or virtual private gateway). With an Internet gateway, your Amazon VPC has direct access to other AWS resources that are not running in your Amazon VPC. If you choose to have only a virtual private gateway with a connection to your organization's local network, you can route your Internet-bound traffic over the VPN and use local security policies and firewall to control egress. In that case, you incur additional bandwidth charges when you access AWS resources over the Internet.

You can use Amazon VPC security groups to help secure the ElastiCache clusters and Amazon EC2 instances in your Amazon VPC. Security groups act like a firewall at the instance level, not the subnet level.

**Note**  
We strongly recommend that you use DNS names to connect to your cache nodes, as the underlying IP address can change.

## Amazon VPC documentation


Amazon VPC has its own set of documentation to describe how to create and use your Amazon VPC. The following table gives links to the Amazon VPC guides.


| Description | Documentation | 
| --- | --- | 
| How to get started using Amazon VPC | [Getting started with Amazon VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-getting-started.html) | 
| How to use Amazon VPC through the AWS Management Console | [Amazon VPC User Guide](https://docs.aws.amazon.com/vpc/latest/userguide/) | 
| Complete descriptions of all the Amazon VPC commands | [Amazon EC2 Command Line Reference](https://docs.aws.amazon.com/cli/latest/reference/ec2/) (the Amazon VPC commands are found in the Amazon EC2 reference) | 
| Complete descriptions of the Amazon VPC API operations, data types, and errors | [Amazon EC2 Command Line Reference](https://docs.aws.amazon.com/cli/latest/reference/ec2/) (the Amazon VPC API operations are found in the Amazon EC2 reference) | 
| Information for the network administrator who needs to configure the gateway at your end of an optional IPsec VPN connection | [What is AWS Site-to-Site VPN?](https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html) | 

For more detailed information about Amazon Virtual Private Cloud, see [Amazon Virtual Private Cloud](https://aws.amazon.com/vpc/).

# Access Patterns for Accessing an ElastiCache Cache in an Amazon VPC

Amazon ElastiCache supports the following scenarios for accessing a cache in an Amazon VPC:

**Contents**
+ [Accessing an ElastiCache Cache when it and the Amazon EC2 Instance are in the Same Amazon VPC](#elasticache-vpc-accessing-same-vpc)
+ [Accessing an ElastiCache Cache when it and the Amazon EC2 Instance are in Different Amazon VPCs](#elasticache-vpc-accessing-different-vpc)
  + [In Different Amazon VPCs in the Same Region](#elasticache-vpc-accessing-different-vpc-same-region)
    + [Using Transit Gateway](#elasticache-vpc-accessing-using-transit-gateway)
  + [In Different Amazon VPCs in Different Regions](#elasticache-vpc-accessing-different-vpc-different-region)
    + [Using Transit VPC](#elasticache-vpc-accessing-different-vpc-different-region-using-transit-vpc)
+ [Accessing an ElastiCache Cache from an Application Running in a Customer's Data Center](#elasticache-vpc-accessing-data-center)
  + [Using VPN Connectivity](#elasticache-vpc-accessing-data-center-vpn)
  + [Using Direct Connect](#elasticache-vpc-accessing-data-center-direct-connect)

## Accessing an ElastiCache Cache when it and the Amazon EC2 Instance are in the Same Amazon VPC


The most common use case is when an application deployed on an EC2 instance needs to connect to a cache in the same VPC.

The following diagram illustrates this scenario.

![\[\]](http://docs.aws.amazon.com/AmazonElastiCache/latest/dg/images/ElastiCache-inVPC-AccessedByEC2-SameVPC.png)


The simplest way to manage access between EC2 instances and caches in the same VPC is to do the following:

1. Create a VPC security group for your cache. This security group can be used to restrict access to the cache. For example, you can create a custom rule for this security group that allows TCP access using the port you assigned to the cache when you created it and an IP address you will use to access the cache. 

   The default port for Memcached caches is `11211`.

   The default port for Valkey and Redis OSS caches is `6379`.

1. Create a VPC security group for your EC2 instances (web and application servers). This security group can, if needed, allow access to the EC2 instance from the Internet via the VPC's routing table. For example, you can set rules on this security group to allow TCP access to the EC2 instance over port 22.

1. Create custom rules in the security group for your cache that allow connections from the security group you created for your EC2 instances. This would allow any member of the security group to access the caches.

**Note**  
If you are planning to use [Local Zones](Local_zones.md), ensure that you have enabled them. When you create a subnet group in that local zone, your VPC is extended to that Local Zone and your VPC will treat the subnet as any subnet in any other Availability Zone. All relevant gateways and route tables will be automatically adjusted.

**To create a rule in a VPC security group that allows connections from another security group**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc](https://console.aws.amazon.com/vpc).

1. In the navigation pane, choose **Security Groups**.

1. Select or create a security group that you will use for your cache. Under **Inbound Rules**, select **Edit Inbound Rules** and then select **Add Rule**. This security group will allow access to members of another security group.

1. From **Type** choose **Custom TCP Rule**.

   1. For **Port Range**, specify the port you used when you created your cache.

      The default port for Memcached caches is `11211`.

      The default port for Valkey and Redis OSS caches and replication groups is `6379`.

   1. In the **Source** box, start typing the ID of the security group. From the list select the security group you will use for your Amazon EC2 instances.

1. Choose **Save** when you finish.  
![\[\]](http://docs.aws.amazon.com/AmazonElastiCache/latest/dg/images/VPC-Rules.png)
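
To check that a cache security group ends up in the state this procedure describes, the following added example (not part of the ElastiCache documentation) audits the inbound rules of one group as returned by `aws ec2 describe-security-groups`. The group IDs, the CIDR ranges and the `trusted_group_ids` parameter are constructed for illustration; the ports are the defaults stated above.

```python
import ipaddress

# Default cache ports stated on this page.
CACHE_PORTS = {"memcached": 11211, "valkey-redis": 6379}


def audit_cache_ingress(group, cache_port, trusted_group_ids):
    """Classify every inbound rule of `group` that reaches `cache_port`.

    `group` has the shape of one entry of "SecurityGroups" in the output of
    `aws ec2 describe-security-groups`. Returns (severity, message) tuples.
    """
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":                      # "all traffic" rule
            lo, hi = 0, 65535
        elif proto == "tcp":
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        else:
            continue                           # the cache engines listen on TCP
        if not lo <= cache_port <= hi:
            continue                           # rule does not reach the cache port
        if (lo, hi) != (cache_port, cache_port):
            findings.append(("WARN", f"rule covers ports {lo}-{hi}, "
                                     f"wider than cache port {cache_port}"))
        # Source given as a security group reference (same or peered VPC).
        for pair in perm.get("UserIdGroupPairs", []):
            gid = pair["GroupId"]
            if gid in trusted_group_ids:
                findings.append(("OK", f"{gid} allowed by security group reference"))
            else:
                findings.append(("WARN", f"{gid} is not an expected client group"))
        # Source given as an address range (cross-Region, VPN, Direct Connect).
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                findings.append(("FAIL", f"{cidr} exposes the cache port to any address"))
            elif net.is_private:
                findings.append(("INFO", f"{cidr} is a private range; confirm it is "
                                         "the application range and nothing wider"))
            else:
                findings.append(("WARN", f"{cidr} is a public range"))
    return findings


# Constructed sample: one cache security group with four inbound rules.
SAMPLE_GROUP = {
    "GroupId": "sg-0cache00000000001",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
         "UserIdGroupPairs": [{"GroupId": "sg-0app000000000001"}],
         "IpRanges": [], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
         "UserIdGroupPairs": [],
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "UserIdGroupPairs": [],
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "UserIdGroupPairs": [],
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    trusted = {"sg-0app000000000001"}
    for engine, port in CACHE_PORTS.items():
        print(f"{engine} (port {port})")
        for severity, message in audit_cache_ingress(SAMPLE_GROUP, port, trusted):
            print(f"  {severity:<4} {message}")
```

The SSH rule on port 22 is ignored because it does not reach the cache port; the all-ports rule is reported for both engines.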

## Accessing an ElastiCache Cache when it and the Amazon EC2 Instance are in Different Amazon VPCs


When your cache is in a different VPC from the EC2 instance you are using to access it, there are several ways to access the cache. If the cache and EC2 instance are in different VPCs but in the same region, you can use VPC peering. If the cache and the EC2 instance are in different regions, you can create VPN connectivity between regions.

**Topics**
+ [In Different Amazon VPCs in the Same Region](#elasticache-vpc-accessing-different-vpc-same-region)
+ [In Different Amazon VPCs in Different Regions](#elasticache-vpc-accessing-different-vpc-different-region)

 

### Accessing an ElastiCache Cache when it and the Amazon EC2 Instance are in Different Amazon VPCs in the Same Region

The following diagram illustrates accessing a cache by an Amazon EC2 instance in a different Amazon VPC in the same region using an Amazon VPC peering connection.

![\[\]](http://docs.aws.amazon.com/AmazonElastiCache/latest/dg/images/ElastiCache-inVPC-AccessedByEC2-DifferentVPC.png)


*Cache accessed by an Amazon EC2 instance in a different Amazon VPC within the same Region - VPC Peering Connection*

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own Amazon VPCs, or with an Amazon VPC in another AWS account within a single region. To learn more about Amazon VPC peering, see the [VPC documentation](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-peering.html).

**Note**  
DNS name resolution may fail for peered VPCs, depending on the configurations applied to the ElastiCache VPC. To resolve this, both VPCs must be enabled for DNS hostnames and DNS resolution. For more information, see [Enable DNS resolution for a VPC peering connection](https://docs.aws.amazon.com/vpc/latest/peering/modify-peering-connections.html).

**To access a cache in a different Amazon VPC over peering**

1. Make sure that the two VPCs do not have an overlapping IP range or you will not be able to peer them.

1. Peer the two VPCs. For more information, see [Creating and Accepting an Amazon VPC Peering Connection](https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/create-vpc-peering-connection.html).

1. Update your routing table. For more information, see [Updating Your Route Tables for a VPC Peering Connection](https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/vpc-peering-routing.html).

   Following is what the route tables look like for the example in the preceding diagram. Note that **pcx-a894f1c1** is the peering connection.  
![\[\]](http://docs.aws.amazon.com/AmazonElastiCache/latest/dg/images/VPC-RoutingTable.png)

   *VPC Routing Table*

1. Modify the Security Group of your ElastiCache cache to allow inbound connection from the Application security group in the peered VPC. For more information, see [Reference Peer VPC Security Groups](https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/vpc-peering-security-groups.html).

Accessing a cache over a peering connection will incur additional data transfer costs.
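
Steps 1 and 3 of this procedure can be checked before any client tries to connect. The following added example (not part of the ElastiCache documentation) takes data shaped like the output of `aws ec2 describe-vpcs` and `aws ec2 describe-route-tables`, reports overlapping CIDR blocks, and reports peer CIDR blocks that have no active route through the peering connection. The CIDR ranges are constructed; `pcx-a894f1c1` is the peering connection named above.

```python
import ipaddress


def vpc_cidrs(vpc):
    """All IPv4 CIDR blocks associated with a VPC (primary and secondary)."""
    return [ipaddress.ip_network(assoc["CidrBlock"])
            for assoc in vpc.get("CidrBlockAssociationSet", [])]


def overlapping_blocks(vpc_a, vpc_b):
    """Pairs of CIDR blocks that overlap; any pair prevents peering (step 1)."""
    return [(str(a), str(b))
            for a in vpc_cidrs(vpc_a)
            for b in vpc_cidrs(vpc_b)
            if a.overlaps(b)]


def missing_peer_routes(route_table, peer_vpc, pcx_id):
    """Peer CIDR blocks not covered by an active route via `pcx_id` (step 3)."""
    via_pcx = [ipaddress.ip_network(route["DestinationCidrBlock"])
               for route in route_table.get("Routes", [])
               if route.get("VpcPeeringConnectionId") == pcx_id
               and route.get("State") == "active"
               and "DestinationCidrBlock" in route]
    return [str(cidr) for cidr in vpc_cidrs(peer_vpc)
            if not any(cidr.subnet_of(dest) for dest in via_pcx)]


def peering_preflight(app_vpc, cache_vpc, app_rt, cache_rt, pcx_id):
    """Return a list of problems; an empty list means both checks passed."""
    problems = []
    for a, b in overlapping_blocks(app_vpc, cache_vpc):
        problems.append(f"overlap: {a} and {b}")
    # Routes are needed in both directions, or replies from the cache are dropped.
    for cidr in missing_peer_routes(app_rt, cache_vpc, pcx_id):
        problems.append(f"app route table has no active route to {cidr} via {pcx_id}")
    for cidr in missing_peer_routes(cache_rt, app_vpc, pcx_id):
        problems.append(f"cache route table has no active route to {cidr} via {pcx_id}")
    return problems


# Constructed sample data. The application VPC has a secondary CIDR block
# that the cache VPC's route table does not cover.
PCX_ID = "pcx-a894f1c1"
APP_VPC = {"CidrBlockAssociationSet": [{"CidrBlock": "10.0.0.0/16"},
                                       {"CidrBlock": "10.2.0.0/16"}]}
CACHE_VPC = {"CidrBlockAssociationSet": [{"CidrBlock": "172.31.0.0/16"}]}
APP_RT = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "172.31.0.0/16",
     "VpcPeeringConnectionId": PCX_ID, "State": "active"},
]}
CACHE_RT = {"Routes": [
    {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "10.0.0.0/16",
     "VpcPeeringConnectionId": PCX_ID, "State": "active"},
]}

if __name__ == "__main__":
    for problem in peering_preflight(APP_VPC, CACHE_VPC, APP_RT, CACHE_RT, PCX_ID):
        print(problem)
```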

#### Using Transit Gateway

A transit gateway enables you to attach VPCs and VPN connections in the same AWS Region and route traffic between them. A transit gateway works across AWS accounts, and you can use AWS Resource Access Manager to share your transit gateway with other accounts. After you share a transit gateway with another AWS account, the account owner can attach their VPCs to your transit gateway. A user from either account can delete the attachment at any time.

You can enable multicast on a transit gateway, and then create a transit gateway multicast domain that allows multicast traffic to be sent from your multicast source to multicast group members over VPC attachments that you associate with the domain.

You can also create a peering connection attachment between transit gateways in different AWS Regions. This enables you to route traffic between the transit gateways' attachments across different Regions.

For more information, see [Transit gateways](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html).

### Accessing an ElastiCache Cache when it and the Amazon EC2 Instance are in Different Amazon VPCs in Different Regions

#### Using Transit VPC

As an alternative to VPC peering, another common strategy for connecting multiple, geographically dispersed VPCs and remote networks is to create a transit VPC that serves as a global network transit center. A transit VPC simplifies network management and minimizes the number of connections required to connect multiple VPCs and remote networks. This design can save time and effort and also reduce costs, as it is implemented virtually without the traditional expense of establishing a physical presence in a colocation transit hub or deploying physical network gear.

![\[\]](http://docs.aws.amazon.com/AmazonElastiCache/latest/dg/images/ElastiCache-inVPC-AccessedByEC2-DifferentVPC-DifferentRegion-VPN.png)


*Connecting across different VPCs in different regions*

Once the Transit Amazon VPC is established, an application deployed in a “spoke” VPC in one region can connect to an ElastiCache cache in a “spoke” VPC within another region. 

**To access a cache in a different VPC within a different AWS Region**

1. Deploy a Transit VPC Solution. For more information, see [AWS Transit Gateway](https://aws.amazon.com/transit-gateway/).

1. Update the VPC routing tables in the App and Cache VPCs to route traffic through the VGW (Virtual Private Gateway) and the VPN Appliance. In case of Dynamic Routing with Border Gateway Protocol (BGP) your routes may be automatically propagated.

1. Modify the Security Group of your ElastiCache cache to allow inbound connection from the Application instances IP range. Note that you will not be able to reference the application server Security Group in this scenario.

Accessing a cache across regions will introduce networking latencies and additional cross-region data transfer costs.

## Accessing an ElastiCache Cache from an Application Running in a Customer's Data Center


Another possible scenario is a hybrid architecture where clients or applications in the customer's data center may need to access an ElastiCache cache in the VPC. This scenario is also supported, provided there is connectivity between the customer's VPC and the data center through either VPN or Direct Connect.

**Topics**
+ [Using VPN Connectivity](#elasticache-vpc-accessing-data-center-vpn)
+ [Using Direct Connect](#elasticache-vpc-accessing-data-center-direct-connect)

 

### Accessing an ElastiCache Cache from an Application Running in a Customer's Data Center Using VPN Connectivity

The following diagram illustrates accessing an ElastiCache cache from an application running in your corporate network using VPN connections.

![\[\]](http://docs.aws.amazon.com/AmazonElastiCache/latest/dg/images/ElastiCache-inVPC-AccessedByAppInCustDataCenter-VPN.png)


*Connecting to ElastiCache from your data center via a VPN*

**To access a cache in a VPC from an on-premises application over a VPN connection**

1. Establish VPN Connectivity by adding a hardware Virtual Private Gateway to your VPC. For more information, see [Adding a Hardware Virtual Private Gateway to Your VPC](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html).

1. Update the VPC routing table for the subnet where your ElastiCache cache is deployed to allow traffic from your on-premises application server. In case of Dynamic Routing with BGP your routes may be automatically propagated.

1. Modify the Security Group of your ElastiCache cache to allow inbound connection from the on-premises application servers.

Accessing a cache over a VPN connection will introduce networking latencies and additional data transfer costs.

 

### Accessing an ElastiCache Cache from an Application Running in a Customer's Data Center Using Direct Connect

The following diagram illustrates accessing an ElastiCache cache from an application running on your corporate network using Direct Connect.

![\[\]](http://docs.aws.amazon.com/AmazonElastiCache/latest/dg/images/ElastiCache-inVPC-AccessedByAppInCustDataCenter-DirectConnect.png)


*Connecting to ElastiCache from your data center via Direct Connect*

**To access an ElastiCache cache from an application running in your network using Direct Connect**

1. Establish Direct Connect connectivity. For more information, see [Getting Started with AWS Direct Connect](http://docs.aws.amazon.com/directconnect/latest/UserGuide/getting_started.html).

1. Modify the Security Group of your ElastiCache cache to allow inbound connection from the on-premises application servers.

Accessing a cache over a DX connection may introduce networking latencies and additional data transfer charges.

# Creating a Virtual Private Cloud (VPC)


In this example, you create an Amazon VPC with a private subnet for each Availability Zone.

## Creating an Amazon VPC (Console)


1. Sign in to the AWS Management Console, and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the VPC dashboard, choose **Create VPC**.

1. Under **Resources** to create, choose **VPC and more**.

1. Under **Number of Availability Zones (AZs)**, choose the number of Availability Zones you want to launch your subnets in.

1. Under **Number of public subnets**, choose the number of public subnets you want to add to your VPC.

1. Under **Number of private subnets**, choose the number of private subnets you want to add to your VPC.
**Tip**  
Make a note of your subnet identifiers, and which are public and private. You will need this information later when you launch your clusters and add an Amazon EC2 instance to your Amazon VPC.

1. Create an Amazon VPC security group. You will use this group for your cluster and your Amazon EC2 instance.

   1. In the navigation pane of the Amazon VPC Management console, choose **Security Groups**.

   1. Choose **Create Security Group**.

   1. Type a name and a description for your security group in the corresponding boxes. In the **VPC** box, choose the identifier for your Amazon VPC.  
![\[Image: Create Security Group screen\]](http://docs.aws.amazon.com/AmazonElastiCache/latest/dg/images/vpc-02.png)

   1. When the settings are as you want them, choose **Yes, Create**.

1. Define a network ingress rule for your security group. This rule will allow you to connect to your Amazon EC2 instance using Secure Shell (SSH).

   1. In the navigation list, choose **Security Groups**.

   1. Find your security group in the list, and then choose it. 

   1. Under **Security Group**, choose the **Inbound** tab. In the **Create a new rule** box, choose **SSH**, and then choose **Add Rule**.

   1. Set the following values for your new inbound rule to allow HTTP access: 
      + Type: HTTP
      + Source: 0.0.0.0/0

      Choose **Apply Rule Changes**.

Now you are ready to create a cache subnet group and launch a cluster in your Amazon VPC. 
+ [Creating a subnet group](SubnetGroups.Creating.md)
+ [Creating a Memcached cluster (console)](Clusters.Create-mc.md#Clusters.Create.CON.Memcached)
+ [Creating a Valkey (cluster mode disabled) cluster (Console)](SubnetGroups.designing-cluster-pre.valkey.md#Clusters.Create.CON.valkey-gs)

# Connecting to a cache running in an Amazon VPC


This example shows how to launch an Amazon EC2 instance in your Amazon VPC. You can then log in to this instance and access the ElastiCache cache that is running in the Amazon VPC.

## Connecting to a cache running in an Amazon VPC (Console)


In this example, you create an Amazon EC2 instance in your Amazon VPC. You can use this Amazon EC2 instance to connect to cache nodes running in the Amazon VPC.

**Note**  
For information about using Amazon EC2, see the [Amazon EC2 Getting Started Guide](https://docs.aws.amazon.com/AWSEC2/latest/GettingStartedGuide/) in the [Amazon EC2 documentation](https://aws.amazon.com/documentation/ec2/).

**To create an Amazon EC2 instance in your Amazon VPC using the Amazon EC2 console**

1. Sign in to the AWS Management Console and open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the console, choose **Launch Instance** and follow these steps:

1. On the **Choose an Amazon Machine Image (AMI)** page, choose the 64-bit Amazon Linux AMI, and then choose **Select**.

1. On the **Choose an Instance Type** page, choose **3. Configure Instance**.

1. On the **Configure Instance Details** page, make the following selections:

   1. In the **Network** list, choose your Amazon VPC.

   1. In the **Subnet** list, choose your public subnet.  
![\[Interface screenshot for choosing your public subnet.\]](http://docs.aws.amazon.com/AmazonElastiCache/latest/dg/images/vpc-05.png)

   When the settings are as you want them, choose **4. Add Storage**.

1. On the **Add Storage** page, choose **5. Tag Instance**.

1. On the **Tag Instance** page, type a name for your Amazon EC2 instance, and then choose **6. Configure Security Group**.

1. On the **Configure Security Group** page, choose **Select an existing security group**. For more information on security groups, see [Amazon EC2 security groups for Linux instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html).   
![\[Interface screenshot of selecting an existing security group.\]](http://docs.aws.amazon.com/AmazonElastiCache/latest/dg/images/vpc-06.png)

   Choose the name of your Amazon VPC security group, and then choose **Review and Launch**.

1. On the **Review Instance and Launch** page, choose **Launch**.

1. In the **Select an existing key pair or create a new key pair** window, specify a key pair that you want to use with this instance.
**Note**  
For information about managing key pairs, see the [Amazon EC2 Getting Started Guide](https://docs.aws.amazon.com/AWSEC2/latest/GettingStartedGuide/).

1. When you are ready to launch your Amazon EC2 instance, choose **Launch**.

You can now assign an Elastic IP address to the Amazon EC2 instance that you just created. You need to use this IP address to connect to the Amazon EC2 instance.

**To assign an elastic IP address (Console)**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation list, choose **Elastic IPs**.

1. Choose **Allocate Elastic IP address**.

1. In the **Allocate Elastic IP address** dialog box, accept the default **Network Border Group** and choose **Allocate**.

1. Choose the Elastic IP address that you just allocated from the list and choose **Associate Address**.

1. In the **Associate Address** dialog box, in the **Instance** box, choose the ID of the Amazon EC2 instance that you launched.

   In the **Private IP address** box, select the box to obtain the private IP address and then choose **Associate**.

   You can now use SSH to connect to the Amazon EC2 instance using the Elastic IP address that you created.

### To connect to your Amazon EC2 instance


+ Open a command window. At the command prompt, issue the following command, replacing *mykeypair.pem* with the name of your key pair file and *54.207.55.251* with your Elastic IP address.

  ```
  ssh -i mykeypair.pem ec2-user@54.207.55.251 
  ```
**Important**  
Do not log out of your Amazon EC2 instance yet.

You are now ready to interact with your ElastiCache cluster. Before you can do that, if you haven't already done so, you need to install the *telnet* utility.

**To install *telnet* and interact with your cluster (AWS CLI)**
+ Open a command window. At the command prompt, issue the following command. At the confirmation prompt, type *y*.

  ```
  sudo yum install telnet
  Loaded plugins: priorities, security, update-motd, upgrade-helper
  Setting up Install Process
  Resolving Dependencies
  --> Running transaction check
  
  ...(output omitted)...
  
  Total download size: 63 k
  Installed size: 109 k
  Is this ok [y/N]: y
  Downloading Packages:
  telnet-0.17-47.7.amzn1.x86_64.rpm                        |  63 kB     00:00  
  
  ...(output omitted)...
  
  Complete!
  ```

You can now connect to a VPC with either Memcached or Redis.

### Connecting to a VPC with Memcached


1. Go to the ElastiCache console at [https://console.aws.amazon.com/elasticache/](https://console.aws.amazon.com/elasticache/) and obtain the endpoint for one of the nodes in your cluster. For more information, see [Finding connection endpoints](Endpoints.md).

1. Use *telnet* to connect to your cache node endpoint over port 11211. Replace the hostname shown below with the hostname of your cache node.

   ```
   telnet my-cache-cluster.7wufxa.0001.use1.cache.amazonaws.com 11211
   ```

   You are now connected to the cache engine and can issue commands. In this example, you add a data item to the cache and then get it immediately afterward. Finally, you'll disconnect from the cache node.

   To store a key and a value, type the following two lines: 

   ```
   add mykey 0 3600 28
   This is the value for my key
   ```

   The cache engine responds with the following:

   ```
   STORED
   ```

   To retrieve the value for `mykey`, type the following:

   ```
   get mykey
   ```

   The cache engine responds with the following:

   ```
   VALUE mykey 0 28
   This is the value for my key
   END
   ```

   To disconnect from the cache engine, type the following:

   ```
   quit
   ```

### Connecting to a VPC with Redis


1. Go to the ElastiCache console at [https://console.aws.amazon.com/elasticache/](https://console.aws.amazon.com/elasticache/) and obtain the endpoint for one of the nodes in your cluster. For more information, see [Finding connection endpoints](Endpoints.md) for Redis OSS.

1. Use *telnet* to connect to your cache node endpoint over port 6379. Replace the hostname shown below with the hostname of your cache node.

   ```
   telnet my-cache-cluster.7wufxa.0001.use1.cache.amazonaws.com 6379
   ```

   You are now connected to the cache engine and can issue commands. In this example, you add a data item to the cache and then get it immediately afterward. Finally, you'll disconnect from the cache node.

   To store a key and a value, type the following: 

   ```
   set mykey myvalue
   ```

   The cache engine responds with the following:

   ```
   OK
   ```

   To retrieve the value for `mykey`, type the following:

   ```
   get mykey
   ```

   The cache engine responds with the following:

   ```
   get mykey
   myvalue
   ```

   To disconnect from the cache engine, type the following:

   ```
   quit
   ```

**Important**  
To avoid incurring additional charges on your AWS account, be sure to delete any AWS resources you no longer want after trying these examples.