I have a VPC with private subnets in each AZ for my EC2s. In the VPC, there are also private subnets for my ElastiCache (Redis) instances. The setup is like this.
I also have security groups and NACLs to control access to the resources in the subnets.
When I want to access the ElastiCache cluster from a program running on one of the EC2 instances, I have to specify the cluster endpoints - e.g.:
Primary Endpoint: CLUSTER_NAME.uepak9.ng.0001.euw1.cache.amazonaws.com:6379
Reader Endpoint: CLUSTER_NAME-ro.uepak9.ng.0001.euw1.cache.amazonaws.com:6379
I understand that using the Reader endpoint allows for load balancing between the reader instances, but since all of the resources are in the same VPC (and ElastiCache instances are EC2-based), it's theoretically possible (but not best practice) to access the ElastiCache instances directly through their private IP.
From what I've seen of the documentation, there isn't a more detailed explanation of how the ElastiCache endpoints work.
I assume that AWS points a DNS record at a Network Load Balancer (since Redis uses TCP connections) for the primary endpoint, and a record at another network load balancer for the reader endpoint. I assume that these load balancers then point at the ElastiCache instances. But all of this is just a set of assumptions.
How does this connection through the reader endpoint work?
Are the DNS records for the Primary/Reader endpoints stored in a central AWS DNS server outside of the VPC?
If a VPC contains an ElastiCache cluster, does the DNS for the VPC (at *.*.*.2) then have a record pointing directly at the private IPs - so that the traffic between EC2 and ElastiCache can stay inside of the VPC?
Does traffic from EC2 to ElastiCache ever go over the public internet, or does it always stay within AWS's infrastructure?
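One way to settle the "does it stay inside the VPC" part empirically is to resolve the endpoint names from an instance in the VPC and check every returned address against the VPC CIDR. The script below is an added example, not part of the question above: it takes the two endpoint names from the question (with CLUSTER_NAME left as a placeholder), resolves them through whichever resolver you hand it, and reports any address that falls outside the VPC range. The SAMPLE_ANSWERS table is constructed data with made-up private IPs (assuming a VPC CIDR of 10.0.0.0/16) so the check can run without AWS access; the reader name returning several addresses is an assumption for illustration, not a statement about how the reader endpoint is implemented.

```python
"""Check whether ElastiCache endpoint names resolve to addresses inside the VPC.

Added example, not part of the original question. Run it on an EC2 instance
in the VPC (with system_resolver) to see what the VPC resolver answers;
offline, the constructed SAMPLE_ANSWERS below stand in for real DNS replies.
"""
import ipaddress
import socket
from typing import Callable, Dict, List

REDIS_PORT = 6379

# Constructed sample DNS answers (made-up private IPs); they assume a VPC CIDR
# of 10.0.0.0/16 and exist only so the check runs without AWS access.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "CLUSTER_NAME.uepak9.ng.0001.euw1.cache.amazonaws.com": ["10.0.11.25"],
    "CLUSTER_NAME-ro.uepak9.ng.0001.euw1.cache.amazonaws.com": [
        "10.0.11.25", "10.0.12.40", "10.0.13.7",
    ],
    # Hypothetical name resolving outside the VPC, for contrast.
    "outside.example.invalid": ["203.0.113.10"],
}


def offline_resolver(hostname: str) -> List[str]:
    """Return the constructed sample answers for a hostname (no network)."""
    return list(SAMPLE_ANSWERS.get(hostname, []))


def system_resolver(hostname: str) -> List[str]:
    """Resolve via the host's configured resolver (inside a VPC, the .2 address)."""
    try:
        infos = socket.getaddrinfo(hostname, REDIS_PORT, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_endpoint(hostname: str, vpc_cidr: str,
                   resolver: Callable[[str], List[str]] = system_resolver) -> dict:
    """Classify every address the endpoint resolves to against the VPC CIDR.

    stays_in_vpc is True only when at least one address was returned and every
    address lies inside vpc_cidr; an empty answer is reported as a failure so a
    broken or blocked resolver is not mistaken for a private-only endpoint.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    addresses = resolver(hostname)
    inside = [a for a in addresses if ipaddress.ip_address(a) in vpc]
    outside = [a for a in addresses if ipaddress.ip_address(a) not in vpc]
    return {
        "hostname": hostname,
        "addresses": addresses,
        "inside_vpc": inside,
        "outside_vpc": outside,
        "stays_in_vpc": bool(addresses) and not outside,
    }


def check_all(vpc_cidr: str, hostnames,
              resolver: Callable[[str], List[str]] = system_resolver) -> List[dict]:
    """Run check_endpoint over several names and return all results."""
    return [check_endpoint(h, vpc_cidr, resolver) for h in hostnames]


if __name__ == "__main__":
    # Offline demonstration on the constructed answers; on an EC2 instance
    # replace offline_resolver with system_resolver and use your real VPC CIDR.
    for result in check_all("10.0.0.0/16", SAMPLE_ANSWERS, offline_resolver):
        status = "OK" if result["stays_in_vpc"] else "CHECK"
        print(f"{status:5} {result['hostname']}: {result['addresses']}")
```

On a real instance, pair this with a route check: an address inside the VPC CIDR is reached over the VPC's local route, so the DNS result plus the subnet route table together answer whether the path can leave the VPC.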