Skip to main content
Support Requests Chat with us

Secure Your Redis Cloud Database: TLS, ACLs, and IP Access Setup

Natalie Patterson

0 comments

Redis Cloud provides multiple layers of security for database access: TLS encryption in transit, role-based access control (RBAC) backed by Redis ACLs, and IP allow lists. Proper configuration ensures encrypted client connections, least-privilege user access, and network-level restrictions that reduce exposure. This guide walks through enabling TLS, configuring RBAC and ACLs, and restricting network access using CIDR rules, with notes specific to Redis 8.x behavior changes.

Breaking Change (Redis 8.x ACL Categories Expanded)

In Redis 8.x on Redis Cloud, built-in ACL categories such as @read and @write now include Redis Search (FT.*), JSON, TimeSeries, and probabilistic data structure commands.

Redis 8.x also introduces module-specific ACL categories including:

@search, @json, @timeseries, @bloom, @cuckoo, @cms, @topk, and @tdigest.

This can change the effective permissions of existing roles after an upgrade.

For example:

  • A role using +@read in 7.x may gain Redis Search read access in 8.x.
  • A policy like +@all -@write in 8.x will also block JSON writes and similar module writes.

Re-test all custom roles before or immediately after upgrading.
See the official ACL reference: Redis ACL documentation.

Quick Fix

Goal Recommended Action
Encrypt client traffic Enable TLS and connect using rediss:// (see Step 1).
Prevent writes / enforce least privilege Create custom Data ACLs, roles, and named users (see Step 2).
Restrict which networks can connect Enable a database-level CIDR allow list (see Step 3).
Remove public exposure (Pro / BYOC) Use private connectivity (VPC Peering, Private Link, or Transit Gateway), then disable public endpoints.

Version Compatibility

Primary path: The instructions below assume Redis 8.x on Redis Cloud.

Redis 7.x: See Legacy Differences (Redis 7.x) below for ACL behavior requiring explicit module command allowances.

Plan Availability

  • Paid plans (Flex, Essentials, Pro)
    Include RBAC, TLS encryption in transit, and advanced security controls.
  • Free (Essentials Free)
    Security capabilities are limited.
  • Subscription-level CIDR allow lists
    Available for BYOC subscriptions only. Use database-level allow lists otherwise.

Step 1: Enable TLS Encryption

  1. Open your database in the Redis Cloud Console.
  2. Navigate to Security (or Configuration → Security).
  3. Click Edit, enable TLS, then click Save.
  4. Wait for the configuration update to complete and refresh the page.

Connect Using TLS

  • Use the rediss:// scheme.
  • Use the hostname (FQDN) shown in the console.
  • Do not connect via raw IP address (TLS certificates validate hostnames, not IPs).
  • Ensure your client or SDK supports TLS.
  • If required, download and trust the Redis Cloud root CA certificate: Redis Cloud TLS documentation

If using redis-cli, it must be built with TLS support (for example, BUILD_TLS=yes).
See: redis-cli TLS build instructions

Troubleshooting TLS

Symptom What to Check / Do
TLS toggle shows On but reverts to Off Ensure you clicked Edit before toggling and then clicked Save. Refresh after the update completes.
TLS handshake fails Confirm you are using rediss://, the correct FQDN, and a TLS-capable client.
Cannot find TLS option Confirm your plan supports TLS.

Step 2: Configure Access Control with RBAC and ACLs

Manage users, roles, and ACLs from Data Access Control in the Redis Cloud Console: Redis Cloud RBAC documentation

Built-in ACLs (Read-Only, Read-Write, Full-Access) cannot be edited. Create custom ACLs for least-privilege access.

Redis 8.x Behavior Notes

In Redis 8.x:

  • @read and @write include module data type commands.
  • Existing roles may behave differently after upgrade.

Safer Example: Read-Only Search Access (Redis 8.x)

Because @read includes Redis Search reads in 8.x, you typically do not need to allow FT.SEARCH individually.

Scope access using key patterns:

+@read ~index:*

Test before rollout.

Validate Before Rollout: ACL DRYRUN

Use ACL DRYRUN to simulate how permissions evaluate without affecting the database.
See full command reference: ACL DRYRUN documentation

Syntax

ACL DRYRUN <username> <command> [arg [arg ...]]

Example

ACL DRYRUN analytics FT.SEARCH products *

Include ACL DRYRUN in every ACL or role change checklist.

Important Workflow Note

Manage ACLs through the Redis Cloud UI or API.
Running ACL SETUSER or ACL DELUSER directly against a Redis Cloud database is not the supported workflow.

Step 3: Configure IP Allow Lists (CIDR)

Database-Level Allow List

  1. Open the database.
  2. Navigate to Security.
  3. Enable CIDR allow list.
  4. Add trusted IP addresses or CIDR ranges.
  5. Click Save.

The database-level allow list is evaluated for both public and private endpoints, in addition to any cloud-provider network restrictions.

See: Redis Cloud CIDR allow list documentation

Subscription-Level Allow List (BYOC Only)

For BYOC subscriptions:

  • Configure a subscription-wide allow list.
  • Applies to all databases under the subscription.

If this option is not visible, your subscription is not BYOC.

Private Connectivity (Recommended for Pro and BYOC)

Use private connectivity to isolate traffic, reduce latency, and control exposure:

After establishing private connectivity:

  • Disable public endpoints.
  • Maintain CIDR allow lists for defense in-depth.

Common Mistakes and Quick Fixes

Issue Resolution
Role unexpectedly gained Search read access after upgrade On Redis 8.x, @read includes Query Engine reads. Restrict with key patterns or split roles.
7.x role cannot run FT.SEARCH Explicitly allow +FT.SEARCH and related commands; apply restrictive key patterns.
TLS client fails to connect Use FQDN, confirm TLS support, and trust Redis Cloud CA if required.
Cannot find subscription-level allow list This feature is BYOC-only; use database-level allow lists otherwise.
TLS toggle appears stuck Ensure you entered Edit mode and clicked Save before refreshing.

Legacy Differences (Redis 7.x)

In Redis 7.x:

  • @read and @write do not include Redis Search, JSON, or TimeSeries commands.
  • You must explicitly allow module commands.

Example for read-only search access in 7.x:

+@read +FT.SEARCH +FT.INFO ~index:*

Upgrade Caution

When migrating from 7.x to 8.x:

  • Re-test all roles.
  • Roles that previously omitted FT.* may gain access via @read.

RBAC management remains through Data Access Control (UI/API) across both versions.
 

Onboarding Progress

Previous: Managing Team Members and Roles
Next: Monitoring Setup in Redis Cloud

You can return to the Redis Cloud Onboarding Overview at any time to track your progress or revisit earlier steps.

Related to

Was this article helpful?

0 out of 0 found this helpful

Related articles

0 comments

Please sign in to leave a comment.