Azure Cache for Redis network isolation options

In this article, you learn how to determine the best network isolation solution for your needs. We discuss the basics of Azure Private Link (recommended), Azure Virtual Network (VNet) injection, and Firewall Rules. We discuss their advantages and limitations.

Azure Private Link provides private connectivity from a virtual network to Azure PaaS services. Private Link simplifies the network architecture and secures the connection between endpoints in Azure. Private Link also secures the connection by eliminating data exposure to the public internet.

  • Private link supported on all tiers - Basic, Standard, Premium tiers - of Azure Cache for Redis instances.

  • By using Azure Private Link, you can connect to an Azure Cache instance from your virtual network through a private endpoint. The endpoint is assigned a private IP address in a subnet within the virtual network. With this private link, cache instances are available from both within the VNet and publicly.

  • Once a private endpoint is created on Basic/Standard/Premium tier caches, access to the public network can be restricted through the publicNetworkAccess flag. This flag is set to Disabled by default, which only allows private link access. You can set the value to Enabled or Disabled with a PATCH request. For more information, see Azure Cache for Redis with Azure Private Link.

  • Any external cache dependencies don't affect the VNet's NSG rules.

  • Persisting to any storage accounts protected with firewall rules is supported on the Premium tier when using managed identity to connect to Storage account, see more Import and Export data in Azure Cache for Redis

  • Private link offers less privilege by reducing the amount of access your cache has to other network resources. Private link prevents a bad actor from initiating traffic to the rest of your network.

  • Currently, portal console isn't supported for caches with private link.

Note

When adding a private endpoint to a cache instance, all Redis traffic is moved to the private endpoint because of the DNS. Ensure previous firewall rules are adjusted before.

Azure Virtual Network injection

Caution

Virtual Network injection is not recommended. For more information, see Limitations of VNet injection.

Virtual Network (VNet) enables many Azure resources to securely communicate with each other, the internet, and on-premises networks. VNet is like a traditional network you would operate in your own data center.

Limitations of VNet injection

  • Creating and maintaining virtual network configurations is error prone. Troubleshooting network configuration issues is challenging. Incorrect virtual network configurations can lead to various issues:
    • loss of metrics for your cache instances
    • unplanned loss of availability, which can cause data loss (loss of availability caused by customer network configuration might not be covered by SLA)
    • failure to replicate data, which can cause data loss
    • failure of management operations like scaling
  • When using a VNet injected cache, you must keep your VNet updated to allow access to cache dependencies, such as Certificate Revocation Lists, Public Key Infrastructure, Azure Key Vault, Azure Storage, Azure Monitor, and more.
  • VNet injected caches are only available for Premium-tier Azure Cache for Redis instances.
  • You can't inject an existing Azure Cache for Redis instance into a Virtual Network. You can only select this option when you create the cache.

Firewall rules

Azure Cache for Redis allows configuring Firewall rules for specifying IP address that you want to allow to connect to your Azure Cache for Redis instance.

Advantages of firewall rules

  • When firewall rules are configured, only client connections from the specified IP address ranges can connect to the cache. Connections from Azure Cache for Redis monitoring systems are always permitted, even if firewall rules are configured. NSG rules that you define are also permitted.

Limitations of firewall rules

  • Firewall rules can be applied to a private endpoint cache only if the public network access is enabled. If public network access is enabled on the private endpoint cache with no firewall rules are configured, the cache accepts all public network traffic.
  • Firewall rules configuration is available for all Basic, Standard, and Premium tiers.

Next steps