Tair (Redis OSS-compatible) is a database service compatible with the open-source Redis protocol and provides hybrid memory and disk storage. It supports standard (master-replica), cluster, and read/write splitting architectures. Tair (Redis OSS-compatible) provides comprehensive security hardening features across networking, storage, backup, and disaster recovery to protect your data.
These features include:
-
Networking: whitelist, Virtual Private Cloud (VPC), and TLS encryption.
-
Storage: transparent data encryption (TDE) and automatic or manual backups.
-
Disaster recovery: automatic master-replica switchover, zone-disaster recovery (dual-zone instances), and Global Distributed Cache.
Attack protection
When you access a Tair instance over the internet, it may be exposed to Distributed Denial-of-Service (DDoS) attacks. Alibaba Cloud provides free basic DDoS protection for Tair instances, which monitors and mitigates high-volume attacks in real time.
We recommend that you access Tair instances over an internal network because this can protect the Tair instances from DDoS attacks.
Access control
Tair (Redis OSS-compatible) provides multiple access control features to ensure data security.
RAM permission control
Alibaba Cloud provides Resource Access Management (RAM) to help you manage the operation permissions of different RAM users on Tair resources.
Whitelist
By default, Tair (Redis OSS-compatible) does not allow access from any private or public IP addresses. You must add the IP address or IP address range of a client to the whitelist of the Tair instance to access the Tair instance and implement risk control based on the access source. A single instance supports the configuration of more than 1,000 IP whitelist addresses. For more information, see Configure a whitelist.
Database accounts and passwords
You use database accounts and passwords to access a Tair instance. You can use the Tair console or APIs to create and manage the read and write permissions of database accounts to ensure secure and reliable access.
Network isolation
Tair (Redis OSS-compatible) supports access through a Virtual Private Cloud (VPC) or the internet. We recommend using a VPC for higher security.
Virtual Private Cloud (VPC)
A Virtual Private Cloud (VPC) is a private network environment that is isolated at Layer 2 of the network. It is secure, reliable, flexible, and easy to use, and offers strong scalability.
Internet
You can also apply for a public endpoint for a Tair instance to access it over the Tair (not recommended). Before you connect, you must add the client's IP address to the Tair instance's whitelist to enhance access security.
Data encryption
TLS
Tair (Redis OSS-compatible) supports the Transport Layer Security (TLS) encryption protocol. The TLS protocol uses more advanced encryption technology and provides a higher level of security than the Secure Sockets Layer (SSL) protocol, further securing data in transit. For more information, see Enable TLS encryption.
TDE
Tair (Redis OSS-compatible) supports transparent data encryption (TDE), which uses your key to encrypt and decrypt RDB data files. TDE encrypts data before writing it to disk and decrypts it when reading it into memory. This ensures that RDB files are encrypted in all scenarios where they are generated, such as backups and full master-replica data synchronization, thereby improving data security. The TDE feature does not consume additional storage space and requires no changes to your client applications.
Backup and recovery
Tair (Redis OSS-compatible) provides multiple backup methods to ensure data durability and recoverability.
Data backup
Tair (Redis OSS-compatible) supports the following persistence policies (backup methods):
-
RDB (Redis Database) persistence: Tair periodically creates snapshots of the data in the engine, generates RDB files, and saves them to disk. RDB files are compact and easy to move, which makes them ideal for backing up or migrating Tair data from a specific point in time. The default RDB persistence policy for Tair (Redis OSS-compatible) is to automatically generate an RDB snapshot every day and retain it for seven days. For more information, see Perform an automatic or manual backup.
NoteIf you need to archive backups for a longer period, for example, for regulatory compliance or information security, you can download the backup files and store them on a local device.
-
AOF (Append-only file) persistence: Tair records all write operations, such as SET, as a log. After a service restart, Tair can replay the operations in the AOF file to restore data. Tair (Redis OSS-compatible) enables AOF by default with the
AOF_FSYNC_EVERYSECpolicy. With this policy, the system records write commands to the AOF on disk every second. This policy has minimal impact on the performance of the Tair service while significantly reducing the risk of data loss in unexpected situations. To adjust this parameter, see Disable AOF.
Data recovery
-
Restore from a backup set: You can create a new instance from a specified RDB backup file. The new instance will contain the same data as the backup file. This method can be used for data recovery, rapid service deployment, and data validation.
-
Point-in-time recovery: In addition to backups and recovery from RDB snapshots, Tair (Enterprise Edition) optimizes the AOF (Append-only file) persistence mechanism to support incremental AOF archiving. This approach avoids the performance impact of AOF rewriting and retains every write operation with its timestamp. You can restore an entire instance or specific keys to a specific point in time, accurate to the second. After you enable this feature, you can restore Tair data to a specific point in time (accurate to the second) within the backup retention period. This minimizes data loss from accidental operations and allows for quick data switching in scenarios that require frequent rollbacks.
Instance disaster recovery
Zone-disaster recovery (dual-zone)
Tair (Redis OSS-compatible) Standard and Cluster editions provide a zone-disaster recovery architecture across two zones. If your service is deployed in a single region and has high disaster recovery requirements, you can select the Dual-zone option when you create a Tair (Redis OSS-compatible) instance. For more information, see Create an instance.
During configuration, you must specify a primary zone (where the master node resides) and a secondary zone (where the replica node resides).
After the instance is created, a replica instance with the same specifications is created in the secondary zone. Data is synchronized between the instances in the primary and secondary zones through a dedicated replication channel.
If the primary data center experiences a power failure or network issue, the replica instance is promoted to master. The system then calls the Config Server API to update routing information for the proxies. Additionally, Tair (Redis OSS-compatible) optimizes the Redis synchronization mechanism. Inspired by the Global Transaction ID (GTID) of MySQL for synchronization offsets, it implements a global operation ID (Opid). Opid lookups are performed by a background thread without locks, and the AOF binlog is sent through an asynchronous replication process that supports rate limiting. This ensures the performance of the Tair service.
Global Distributed Cache
The Global Distributed Cache feature of Tair (Redis OSS-compatible) is an active-active database system developed based on Redis. It supports business scenarios where multiple sites in different locations serve traffic at the same time and helps enterprises replicate Alibaba’s geo-redundant active-active architecture. This feature provides the following benefits:
-
This eliminates the need to implement redundancy in your application (you can directly create or specify the child instances to synchronize), which simplifies design and lets you focus on development.
-
Its geo-replication capability enables quick implementation of cross-region disaster recovery and active-active deployments.
For more information, see Global Distributed Cache.
Security audit
Tair (Redis OSS-compatible) provides an audit log feature based on Log Service (SLS). Each audit log entry includes the log type, execution duration, database index, client IP address, account name, command details, and extended information. You can use this feature to query and analyze operation logs (including sensitive operations such as FLUSHALL, FLUSHDB, and DEL), slow logs, and runtime logs online. This helps you monitor the security and performance of your instance. For more information, see Audit logs.