Connecting to Heroku Data for Redis in a Private or Shield Space via PrivateLink


Last updated November 22, 2022

Table of Contents

  • Heroku Prerequisites
  • Provisioning the Heroku Endpoint
  • Provisioning the Amazon VPC Endpoint
  • Connecting the Heroku and Amazon VPC Endpoints
  • Connecting to Heroku Data for Redis from EC2 via VPC Endpoints
  • Limitations

This article describes how to use AWS PrivateLink to create a secure connection between an AWS VPC and a Heroku Data for Redis add-on running in a Private Space or a Shield Private Space. This process involves three high-level steps:

  1. Creating an Endpoint Service on your private or shield Heroku Data for Redis add-on
  2. Creating an Endpoint Network Interface in your AWS VPC
  3. Establishing the secure connection between the two endpoints

As part of setting up the connection, you can specify a list of approved AWS accounts (optionally narrowed to individual IAM users or roles) to limit which principals can reach your private add-on from the VPC.

To use this feature, the Amazon VPC Endpoint you create must be provisioned in a subnet that is in the same region as your Heroku Data for Redis add-on.

Heroku Prerequisites

The following Heroku resources are required to set up a PrivateLink endpoint:

  • A Private Space or Shield Private Space. Create a Private Space or a Shield Private Space using either the Heroku Dashboard or the Heroku CLI.

  • A Heroku app running in the Private Space or Shield Private Space with an attached Heroku Data for Redis add-on. All Heroku Data for Redis instances running in a Private Space use one of the private plan types. All Heroku Shield for Redis instances running in a Shield Private Space use one of the shield plan types.

Provisioning the Heroku Endpoint

Step 1: Install the Heroku Data via PrivateLink CLI plugin

$ heroku plugins:install data-privatelink

Step 2: Obtain your AWS Account ID

You can obtain your AWS account ID with the AWS CLI:

$ aws sts get-caller-identity --output text --query 'Account'

123456789101

The example command above returns an account ID of 123456789101.

You can also obtain your account ID from the My Account page of your AWS account. The Account ID is shown in the Account Settings section:

A screen capture of the My Account window of a sample AWS account

Step 3: Create a PrivateLink Endpoint

Create a PrivateLink endpoint using the following Heroku CLI command (note the values to substitute below):

$ heroku data:privatelink:create REDIS_ADDON_NAME --aws-account-id ACCOUNT_ID --app APP_NAME

  • Replace REDIS_ADDON_NAME with the name of your Redis add-on (for example, redis-sushi-12345).
  • Replace APP_NAME with your app’s name.
  • Replace ACCOUNT_ID with the AWS account (optionally narrowed to a single IAM user or role) that should receive access to your Redis add-on. This ID can match any of the following patterns:
    • account-id
    • account-id:user/username
    • account-id:role/rolename

You can specify the --aws-account-id flag multiple times to include multiple accounts.

Here’s an example command with accompanying output:

$ heroku data:privatelink:create redis-sushi-12345 --aws-account-id 123456789101:user/abc.xyz --app privatelink-vpc-endpoint-demo
Creating privatelink... done

Service Name: Provisioning
Status:       Provisioning

The PrivateLink is now being provisioned for redis-sushi-12345.
Run heroku data:privatelink:wait REDIS_URL -a APP to check the creation process.

New PrivateLink endpoints typically take 5–10 minutes to become available. You can track your progress with heroku data:privatelink:wait REDIS_URL --app APP_NAME.

Step 4: Obtain Your Endpoint’s Service Name

When the PrivateLink endpoint finishes provisioning, use the following command to view its details:

$ heroku data:privatelink REDIS_ADDON_NAME --app APP_NAME

Replace REDIS_ADDON_NAME with the name of your private Redis add-on, and replace APP_NAME with your app’s name.

Here’s an example command with accompanying output:

$ heroku data:privatelink redis-sushi-12345 --app privatelink-vpc-endpoint-demo
=== privatelinks for redis-sushi-12345
Service Name:         com.amazonaws.vpce.us-east-1.vpce-svc-0410a2e25933fe8ec
Status:               Operational

=== Allowed Accounts
ARN                                    Status
arn:aws:iam::123456789101:user/abc.xyz Active

Your privatelink is now operational.
You must now copy the Service Name and follow the rest of the steps listed in https://devcenter.heroku.com/articles/heroku-redis-via-privatelink.

Copy the value of the Service Name field from the command’s output (in the example above, the value is com.amazonaws.vpce.us-east-1.vpce-svc-0410a2e25933fe8ec). You need this value to provision the Amazon VPC endpoint.
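The Heroku-side steps above (validating the principal patterns accepted by --aws-account-id, creating the endpoint, waiting for it, and copying the Service Name out of the heroku data:privatelink output) can be scripted. The following is an added example, not Heroku's own tooling: it assumes the heroku CLI with the data-privatelink plugin is installed, and it passes the add-on name to data:privatelink:wait (the article shows the config var name there; accepting the add-on name as well is an assumption).

```shell
#!/bin/sh
# Added example (not Heroku's code): provision the Heroku side of a PrivateLink
# endpoint and print its Service Name. Assumes the heroku CLI and the
# data-privatelink plugin are installed and you are logged in.

# Accept only the principal shapes the article lists:
#   123456789012, 123456789012:user/NAME, 123456789012:role/NAME
# Rejecting anything else avoids granting access to an unintended principal.
valid_aws_principal() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]{12}(:(user|role)/[A-Za-z0-9+=,.@_-]+)?$'
}

# Build one --aws-account-id flag per principal, failing fast on a bad one.
account_flags() {
  flags=""
  for p in "$@"; do
    valid_aws_principal "$p" || { echo "invalid AWS principal: $p" >&2; return 1; }
    flags="$flags --aws-account-id $p"
  done
  printf '%s' "$flags"
}

# Pull the Service Name line out of `heroku data:privatelink` output.
service_name_from_output() {
  sed -n 's/^Service Name:[[:space:]]*//p' | head -n 1
}

# Create the endpoint, wait for it, then print the Service Name on stdout
# (progress output goes to stderr so the name can be captured cleanly).
# Usage: provision_heroku_endpoint REDIS_ADDON_NAME APP_NAME PRINCIPAL...
provision_heroku_endpoint() {
  addon="$1"; app="$2"; shift 2
  flags=$(account_flags "$@") || return 1
  # $flags is intentionally unquoted so each flag/value pair is split.
  heroku data:privatelink:create "$addon" $flags --app "$app" >&2
  # Assumption: wait accepts the add-on name as well as the config var name.
  heroku data:privatelink:wait "$addon" --app "$app" >&2
  heroku data:privatelink "$addon" --app "$app" | service_name_from_output
}

# Example: sh provision_heroku_endpoint.sh redis-sushi-12345 my-app 123456789101:user/abc.xyz
if [ "$#" -ge 3 ]; then
  provision_heroku_endpoint "$@"
fi
```

The printed Service Name is the value you paste into the AWS console in the next section.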

Provisioning the Amazon VPC Endpoint

You perform the steps in this section from your Amazon VPC dashboard.

Step 1: Create and Configure a Security Group

Your endpoint requires a security group with appropriate ingress security rules. Click Create security group in the Security Groups tab of your VPC dashboard:

A screen capture showing the Create security group window on the AWS Console

Specify an appropriate security group name and description and select your desired VPC before clicking Create:

A screen capture showing the security group name and description being edited on the AWS Console

Select your newly created security group from the list and click Actions > Edit inbound rules:

A screen capture showing the security group being selected

Add an inbound rule that allows TCP access to port 6379 from any valid IP address, then click Save rules.

Step 2: Create the Endpoint

Navigate to the Endpoints tab of your VPC dashboard and click Create Endpoint:

A screen capture showing the Create Endpoint window on the AWS Console

In the Create Endpoint form that appears, select the Find service by name option and paste the Service Name value you obtained earlier.

Then click Verify to display the list of available subnets:

A screen capture showing the endpoint being created

Attach the security group you created earlier to the VPC Endpoint and click Create endpoint:

Security group being attached

The endpoint is created with an initial status of pending acceptance, which transitions to available after 5-10 minutes:

VPC Endpoint in the available state
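The console steps in this section have AWS CLI equivalents. The script below is an added example (not Heroku's or AWS's tooling) that assumes the aws CLI is configured for the target account and the add-on's region; the group name heroku-redis-privatelink is an assumed value. It differs from the console walkthrough in one deliberate way: the port 6379 ingress rule is limited to the VPC's own CIDR rather than any address, so only hosts inside the VPC can reach the endpoint unless you widen it on purpose.

```shell
#!/bin/sh
# Added example (not Heroku's or AWS's code): create the security group and the
# interface endpoint with the AWS CLI, then poll until the endpoint is usable.
# Assumes `aws` is configured for the right account and region.
set -u

# Security group allowing TCP/6379 only from inside the VPC (source = VPC CIDR).
# Prints the new group id.
create_redis_security_group() {
  vpc_id="$1"
  cidr=$(aws ec2 describe-vpcs --vpc-ids "$vpc_id" \
           --query 'Vpcs[0].CidrBlock' --output text)
  sg_id=$(aws ec2 create-security-group --vpc-id "$vpc_id" \
            --group-name heroku-redis-privatelink \
            --description "Heroku Data for Redis via PrivateLink" \
            --query 'GroupId' --output text)
  aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
      --protocol tcp --port 6379 --cidr "$cidr" >/dev/null
  printf '%s\n' "$sg_id"
}

# Interface endpoint for the Service Name obtained from the Heroku CLI.
# Prints the new endpoint id (vpce-...).
create_redis_endpoint() {
  vpc_id="$1"; service_name="$2"; subnet_id="$3"; sg_id="$4"
  aws ec2 create-vpc-endpoint --vpc-id "$vpc_id" --vpc-endpoint-type Interface \
      --service-name "$service_name" --subnet-ids "$subnet_id" \
      --security-group-ids "$sg_id" \
      --query 'VpcEndpoint.VpcEndpointId' --output text
}

# Current state of an endpoint, lower-cased (e.g. pendingacceptance, available).
endpoint_state() {
  aws ec2 describe-vpc-endpoints --vpc-endpoint-ids "$1" \
      --query 'VpcEndpoints[0].State' --output text | tr 'A-Z' 'a-z'
}

# Poll until the endpoint is available; return 1 on a terminal failure state
# or after MAX_POLLS attempts. Prints the last state seen.
# Usage: wait_for_endpoint VPCE_ID [MAX_POLLS] [INTERVAL_SECONDS]
wait_for_endpoint() {
  vpce_id="$1"; max_polls="${2:-60}"; interval="${3:-10}"
  n=0; state=unknown
  while [ "$n" -lt "$max_polls" ]; do
    state=$(endpoint_state "$vpce_id")
    case "$state" in
      available) printf '%s\n' "$state"; return 0 ;;
      rejected|failed|deleted|deleting|expired) printf '%s\n' "$state"; return 1 ;;
    esac
    n=$((n + 1)); sleep "$interval"
  done
  echo "timed out waiting for $vpce_id (last state: $state)" >&2
  return 1
}

# Usage: sh provision_vpc_endpoint.sh VPC_ID SERVICE_NAME SUBNET_ID
if [ "$#" -eq 3 ]; then
  sg=$(create_redis_security_group "$1")
  vpce=$(create_redis_endpoint "$1" "$2" "$3" "$sg")
  echo "endpoint $vpce: $(wait_for_endpoint "$vpce")"
fi
```

The endpoint id printed by create_redis_endpoint is the value whose 17-character suffix you need in the next section. If application hosts in a peered VPC or on-premises network must reach Redis, add their CIDRs as further ingress rules rather than opening the port to 0.0.0.0/0.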

Connecting the Heroku and Amazon VPC Endpoints

After the Amazon VPC endpoint becomes available, you can obtain the URL that allows your VPC to communicate with your Heroku Data for Redis add-on.

First, find the Endpoint ID of the Amazon VPC endpoint you created and take the 17-character string that follows the vpce- prefix. Convert that string to upper case and use it in the command below.

For example, if the Endpoint ID is vpce-01c87ae3c05563935, the string to use is 01C87AE3C05563935.

Run the following command, substituting the obtained string where indicated:

$ heroku config --app your_app_name | grep ENDPOINT_ID_HERE

This command displays the AWS VPC Endpoint connection URL and the corresponding connection string for your Redis add-on. The connection string has the following format:

redis://user:password@vpc-endpoint-dns-name:6379

You can now use this connection string to connect the applications in your AWS VPC to your private Heroku Data for Redis add-on. Here’s an example command with accompanying output:

$ heroku config --app privatelink-vpc-endpoint-demo | grep 01C87AE3C05563935

REDIS_ENDPOINT_01C87AE3C05563935_URL:           redis://user:password@vpc-endpoint-dns-name:6379

For any issues or concerns with using this feature, open a support ticket.

Connecting to Heroku Data for Redis from EC2 via VPC Endpoints

After you configure your VPC endpoints, you can create an EC2 instance in your AWS VPC to connect to Heroku Data for Redis.

Click Launch Instance in your EC2 dashboard and select your AMI and Instance Type. In this example, an Ubuntu t2.micro instance is created:

AMI window of the EC2 Dashboard

Instance Type window of the EC2 Dashboard

When configuring the instance’s details, select the VPC network with the security group you created earlier and pick an appropriate subnet. Click Review and Launch and launch the EC2 instance.

Launching an EC2 Instance

After the instance’s status transitions to running and all status checks have passed, connect to the instance using the SSH key pair you specified during instance creation.

After connecting to the instance, use the connection string to connect to Redis over TLS, but note that the port is 6379, not the 6380 used when connecting through stunnel.

The following output shows the connection string being used to connect to a Heroku Data for Redis add-on from within a sample EC2 instance with Ruby:

ᐅ ssh ubuntu@ec2-1-2-3-4.compute-1.amazonaws.com
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-1021-aws x86_64)
...<snip>...
ubuntu@ip:~$ sudo apt install ruby && sudo gem install redis
...<snip>...
ubuntu@ip:~$ irb
irb(main)> require "redis"
=> true
irb(main)> url = URI.parse("redis://password@vpce-id-secret.vpce-svc-id.us-east-1.vpce.amazonaws.com:6379")
irb(main)> url.scheme = "rediss"
irb(main)> $redis = Redis.new(url: url, driver: :ruby, ssl_params: { verify_mode: OpenSSL::SSL::VERIFY_NONE })
irb(main)> $redis.ping
=> "PONG"
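The two previous sections turn an endpoint id into a config var name, read the connection string out of heroku config, and then (in the Ruby session above) switch the scheme to rediss while keeping port 6379. The following script is an added example, not part of the article: its string handling runs offline, and the live path at the bottom assumes the heroku CLI is installed and logged in. The check that the port is 6379 guards against accidentally reusing an stunnel-style 6380 URL.

```shell
#!/bin/sh
# Added example (not Heroku's code): derive the PrivateLink config var for a
# VPC endpoint, extract its value from `heroku config` output, and rewrite it
# as a rediss:// URL for a TLS-capable client. Assumes the heroku CLI for the
# live path only.

# vpce-01c87ae3c05563935 -> 01C87AE3C05563935 (17 hex chars, upper-cased)
endpoint_suffix() {
  printf '%s\n' "$1" | grep -Eq '^vpce-[0-9a-f]{17}$' \
    || { echo "not a VPC endpoint id: $1" >&2; return 1; }
  printf '%s\n' "${1#vpce-}" | tr 'a-z' 'A-Z'
}

# Config var name that Heroku sets for the given endpoint.
config_var_name() {
  suffix=$(endpoint_suffix "$1") || return 1
  printf 'REDIS_ENDPOINT_%s_URL\n' "$suffix"
}

# Read `heroku config` lines ("NAME: value") on stdin, print the value of NAME.
config_value() {
  sed -n "s/^$1:[[:space:]]*//p" | head -n 1
}

# Rewrite redis:// to rediss:// (as the irb session above does) and require
# the PrivateLink port, 6379. Credentials are left untouched and never echoed
# to stderr.
tls_url() {
  url="$1"
  case "$url" in
    redis://*)  url="rediss://${url#redis://}" ;;
    rediss://*) ;;
    *) echo "unexpected scheme in connection string" >&2; return 1 ;;
  esac
  rest=${url#rediss://}
  hostport=${rest##*@}          # drop user:password@ if present
  hostport=${hostport%%/*}      # drop any path/database index
  case "$hostport" in
    *:6379) printf '%s\n' "$url" ;;
    *) echo "expected port 6379, got ${hostport##*:}" >&2; return 1 ;;
  esac
}

# Live path. Usage: sh redis_endpoint_url.sh APP_NAME VPCE_ID
# Prints the rediss:// URL (a secret: pipe it into your client, don't log it).
if [ "$#" -eq 2 ]; then
  var=$(config_var_name "$2") || exit 1
  heroku config --app "$1" | config_value "$var" | { read -r u; tls_url "$u"; }
fi
```

The resulting rediss:// URL can be handed to any client that speaks TLS to Redis; the Ruby session above achieves the same by assigning url.scheme = "rediss" before calling Redis.new, and its ssl_params setting of VERIFY_NONE disables certificate checking for that connection.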

Limitations

  • The Amazon VPC Endpoint you create must be provisioned in a subnet that is in the same region as your Heroku Data for Redis add-on.
  • You can only connect to your private Redis add-on in Availability Zones that are common between your own VPC and the Heroku Data VPC.
  • It is your responsibility to verify the security of your VPC to ensure fully secure access to your Heroku Data for Redis add-on.
