ErrorNotes

Fixing AWS ElastiCache Redis Error 111: Connection Refused on Port 6379

intermediate☁️ AWS2026-06-18| Amazon Linux 2 / Ubuntu 22.04, Redis 6.x/7.x, AWS ElastiCache

Error Message

Error 111 connecting to cluster.xxxxx.cache.amazonaws.com:6379. Connection refused.
#elasticache#redis#security-group#vpc#aws-networking

When Your Application Can't Reach Redis

You’ve just rolled out a critical update, but instead of a smooth launch, your logs are drowning in connection errors. Your application can't talk to Redis. You verify the endpoint, check the AWS Console to see an 'Available' status, and yet your client keeps throwing this error:

Error 111 connecting to cluster.xxxxx.cache.amazonaws.com:6379. Connection refused.

On AWS, a 'Connection Refused' message usually signals that the networking layer is actively rejecting your packets. Unlike a 'Timeout' which often suggests a silent drop, a 'Refused' error typically means the request reached the destination but was turned away. This points toward a mismatched Security Group, a local firewall, or a TLS mismatch.

The Quick Fix

  • Open the Amazon ElastiCache Console and select your cluster.

  • Under the Network & Security tab, identify the VPC Security Groups attached to the cluster.

  • Navigate to the EC2 Console -> Security Groups.

  • Locate the Security Group used by your Redis cluster (e.g., sg-redis-01234567).

  • Add an Inbound Rule:

    Type: Custom TCP

    • Port Range: 6379
    • Source: The Security Group ID of your application server (e.g., sg-web-8899aabb) or your specific VPC CIDR (e.g., 10.0.0.0/16).

  • Save the rule and test the connection immediately.

Why Connections Fail

Redis nodes in ElastiCache live strictly inside your VPC. They do not have public IP addresses. AWS implements a 'deny-all' firewall strategy by default. Your Redis cluster will ignore all traffic on port 6379 unless you explicitly permit your application's Security Group to enter.

Common triggers for this error include:

  • Default Group Oversight: Using the 'default' Security Group which lacks a rule for port 6379.
  • Isolation: Deploying the application in a new subnet that hasn't been authorized yet.
  • Public Access Attempts: Trying to connect from a local laptop. ElastiCache is not reachable over the public internet without a VPN or an SSH tunnel.

Detailed Fix Approaches

1. Security Group Chaining

Hardcoding IP addresses like 10.0.1.55/32 is a recipe for future outages. Instead, use Security Group referencing. This allows any instance carrying the 'Web' security group to connect, even as your Auto Scaling Group adds or removes servers.

# Best Practice Configuration:
# App Security Group: sg-webapp-01234
# Redis Security Group: sg-redis-56789

# Action:
# In the Redis SG, add an inbound rule:
# Protocol: TCP | Port: 6379 | Source: sg-webapp-01234

2. Navigating Cross-VPC Issues

If your app sits in VPC-A and Redis resides in VPC-B, a simple SG rule won't cut it. You need a bridge. First, ensure a VPC Peering connection is 'Active'. Second, update your Route Tables so both VPCs know how to find each other via the pcx-xxxx gateway. Finally, ensure the Redis SG allows traffic from the remote CIDR block.

3. Handling Transit Encryption (TLS)

If you enabled 'Encryption in Transit' during setup, a standard redis-cli command will fail. The server expects a secure handshake and will refuse a plain text connection. You must include the --tls flag.

# This will fail if TLS is active:
redis-cli -h cluster.xxxxx.cache.amazonaws.com -p 6379

# This is required for encrypted clusters:
redis-cli -h cluster.xxxxx.cache.amazonaws.com -p 6379 --tls

Note that older versions of redis-cli (pre-version 6) may not support this flag. You might need to install stunnel or upgrade your utilities.

How to Verify the Path is Open

Stop restarting your application service. Use these commands from your EC2 instance to isolate the problem.

Method A: Netcat

nc -zv cluster.xxxxx.cache.amazonaws.com 6379

A 'succeeded!' message means the door is open. If it hangs, you have a networking block.

Method B: Telnet

telnet cluster.xxxxx.cache.amazonaws.com 6379
# Trying 10.0.x.x...
# Connected to cluster.xxxxx.cache.amazonaws.com.

Method C: Redis Ping

redis-cli -h cluster.xxxxx.cache.amazonaws.com -p 6379 ping
# Expected: PONG

Final Troubleshooting Checklist

  • VPC Match: Are the client and cluster in the same VPC? If not, check your Peering or Transit Gateway settings.
  • Port Accuracy: Did you accidentally whitelist port 6380 instead of 6379?
  • Source ID: Is the Inbound Rule set to the Client's Security Group ID specifically?
  • Endpoints: If Cluster Mode is on, are you hitting the Configuration Endpoint?
  • NACLs: Check your Network Access Control Lists. These are stateless and can block outbound return traffic even if the inbound port is open.

Related Error Notes

Fix AccessDeniedException: User s3.amazonaws.com is Not Authorized to Perform lambda:InvokeFunction

An error occurred (AccessDeniedException) when calling the Invoke operation: User: s3.amazonaws.com is not authorized to perform: lambda:InvokeFunction on resource

Fix API Gateway: Execution failed due to configuration error: Invalid permissions on Lambda function

Execution failed due to configuration error: Invalid permissions on Lambda function

Fixing AWS KMS AccessDeniedException: Why Your IAM Permissions Aren't Enough

AccessDeniedException: User: arn:aws:iam::123456789012:role/MyRole is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:ap-northeast-1:123456789012:key/abc-123