Tair (Redis OSS-compatible) is a database service that is compatible with the open source Redis protocol and supports a hybrid of memory and disks for storage. Tair (Redis OSS-compatible) supports the standard (master-replica), cluster, and read/write splitting architectures. Tair (Redis OSS-compatible) provides comprehensive security hardening for network, storage, backup, and disaster recovery solutions to ensure data security.
For more information about security features, see the following topics:
Network: Step 2: Configure whitelists, Switch the network type from classic network to VPC, and Enable TLS encryption
Storage: Enable TDE and Automatic or manual backup
Disaster recovery: Master-replica switchovers, Disaster recovery, and Global Distributed Cache
Attack mitigation
When you access a Tair instance over the Internet, you may be susceptible to distributed denial-of-service (DDoS) attacks. Alibaba Cloud provides Tair instances with free attack mitigation services in the form of Anti-DDoS Origin Basic to monitor and guard against DDoS attacks in real time.
We recommend that you access Tair instances over an internal network to protect your Tair instances from DDoS attacks.
Access control
Tair (Redis OSS-compatible) implements multi-dimensional access control to ensure data security.
RAM
Alibaba Cloud provides Resource Access Management (RAM) to help you manage the permissions that RAM users have on Tair instances. For more information, see What is RAM?
Whitelists
By default, Tair (Redis OSS-compatible) does not allow access from any IP addresses. To allow a client to access your Tair instance, you must add the IP address or CIDR block of the client to a whitelist of your Tair instance. This ensures service security. You can add up to 1,000 IP addresses or CIDR blocks to each whitelist of a Tair instance. For more information, see Step 2: Configure whitelists.
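A whitelist review along these lines can be scripted before entries are submitted. The following is an added example, not Alibaba Cloud code: it checks a list of entries against the 1,000-entry limit, rejects malformed values, and flags entries that defeat the default-deny behavior. The sample entries, the RFC 1918 assumption for internal clients, and the /16 breadth threshold are assumptions made for illustration.

```python
import ipaddress

MAX_ENTRIES = 1000  # per-whitelist limit stated on this page
# Assumption: internal (VPC) clients use RFC 1918 IPv4 addresses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_whitelist(entries):
    """Parse whitelist entries; return (networks, findings)."""
    networks, findings = [], []
    if len(entries) > MAX_ENTRIES:
        findings.append(("*", f"{len(entries)} entries exceeds the limit of {MAX_ENTRIES}"))
    for raw in entries:
        try:
            # strict=False accepts host addresses written with a prefix length
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            findings.append((raw, "not a valid IP address or CIDR block"))
            continue
        networks.append(net)
        internal = net.version == 4 and any(net.subnet_of(p) for p in RFC1918)
        if net.prefixlen == 0:
            findings.append((raw, "matches every address"))
        elif not internal:
            findings.append((raw, "outside private (RFC 1918) address space"))
        elif net.prefixlen < 16:  # assumed breadth threshold
            findings.append((raw, "broad private range; narrow to the client subnet"))
    return networks, findings

def is_allowed(client_ip, networks):
    """Default deny: a client is admitted only if some entry contains it."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)

# Constructed sample whitelist (not taken from any real instance).
SAMPLE = ["192.168.10.0/24", "10.0.0.0/8", "203.0.113.10", "0.0.0.0/0", "10.1.2.300"]

if __name__ == "__main__":
    nets, issues = audit_whitelist(SAMPLE)
    for entry, issue in issues:
        print(f"{entry}: {issue}")
    print(is_allowed("192.168.10.7", nets[:1]), is_allowed("198.51.100.4", nets[:1]))
```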
Database accounts and passwords
Database accounts and passwords are credentials used to access Tair instances. You can use the Tair console or the Tair API to create database accounts and manage read and write permissions of these accounts to implement access control. For more information, see Create and manage database accounts.
Network isolation
Tair (Redis OSS-compatible) supports access over the Internet and virtual private clouds (VPCs). We recommend that you use VPCs for enhanced security.
VPC
A VPC is a private network that is isolated from other networks at the network layer on top of physical-layer protocols. VPCs provide high security, reliability, flexibility, scalability, and ease of use. For more information, see What is a VPC?
Internet
You can also apply for a public endpoint for your Tair instance to access the Tair instance over the Internet. However, we recommend that you do not access instances over the Internet. For more information, see Apply for a public endpoint for an instance. To improve security, you must add the IP address of a client to a whitelist of your Tair instance before the client can access the instance.
Data encryption
TLS
Tair (Redis OSS-compatible) supports the Transport Layer Security (TLS) protocol to provide higher data security. Compared with the SSL protocol, the TLS protocol comes with better encryption technologies and enhanced security. For more information, see Enable TLS encryption.
TDE
Tair (Redis OSS-compatible) provides transparent data encryption (TDE) to encrypt and decrypt Redis Database (RDB) files based on customer master keys (CMKs). TDE encrypts RDB files before they are written to disks and decrypts RDB files when they are read from disks to the memory. This ensures that RDB files are encrypted in all required scenarios such as backup and full synchronization of data between master and replica nodes, and thus improves data security. TDE does not increase the sizes of RDB files. When you use TDE, you do not need to modify your client. For more information, see Enable TDE.
Backup and restoration
Tair (Redis OSS-compatible) provides multiple backup methods to persist and restore data.
Data backup
Tair (Redis OSS-compatible) supports the following persistence policies (backup methods):
RDB persistence: Tair creates snapshots on a regular basis for the data stored in the engine, generates RDB files, and then saves the files to disks. RDB files are small in size and easy to migrate. You can use RDB files to back up or migrate Tair data of a specific point in time. By default, Tair (Redis OSS-compatible) generates RDB snapshots on a daily basis and retains the snapshots for seven days. For more information, see Automatic or manual backup.
Note: If you want to retain RDB files for more time for the sake of regulatory compliance or data security, download the files to your computer. For more information, see Download backup files.
Append-only file (AOF) persistence: Tair records all write commands such as SET in logs. When you restart a Tair instance, the system reruns the commands in the AOFs to restore data. By default, the AOF_FSYNC_EVERYSEC policy is specified for Tair (Redis OSS-compatible) instances. This policy enables AOF persistence for the instances. After this policy is specified, the system records received write commands in an AOF every second and saves the AOF to disks. The policy has a minimal impact on the performance of Tair and can minimize data loss caused by accidental operations. For information about how to disable AOF persistence, see Disable AOF.
Data restoration
Restore data from a backup set to a new instance: Tair (Redis OSS-compatible) allows you to create an instance from a specified backup set. The data in the new instance is the same as that in the backup set. This feature is suitable for scenarios such as data restoration, quick workload deployment, and data verification.
Use data flashback to restore data by point in time: Tair (Enterprise Edition) provides the data flashback feature in addition to the data backup and restoration features based on RDB snapshots. Tair (Enterprise Edition) optimizes the persistence mechanism based on AOFs and incrementally archives AOFs. This prevents AOF rewrite from degrading service performance and retains every write operation and its timestamp. This way, all or specific keys of an instance can be restored to a point in time accurate to the second. After the data flashback feature is enabled for a Tair instance, you can restore data of the instance to a specific point in time accurate to the second to prevent data loss caused by accidental operations to the greatest extent. This feature is suitable for scenarios in which data is frequently restored.
Disaster recovery
Zone-disaster recovery solution
Tair (Redis OSS-compatible) standard instances and cluster instances support zone-disaster recovery across two data centers. If your workloads are deployed in a single region and have high requirements for disaster recovery, you can select the zones that support zone-disaster recovery when you create a Tair (Redis OSS-compatible) instance. For more information, see Step 1: Create an instance.
Figure 1. Create a zone-disaster recovery instance
After you create a zone-disaster recovery instance, a replica node that has the same specifications as the master node is deployed in a different zone than the master node. The master node synchronizes data to the replica node over a dedicated channel.
If a power failure or a network error occurs on the master node, the replica node takes over the role of the master node. The system calls an API operation on the configuration server to update routing information for proxy nodes. In addition, Tair (Redis OSS-compatible) provides an optimized Redis synchronization mechanism. Similar to global transaction identifiers (GTIDs) of MySQL, Tair (Redis OSS-compatible) uses global operation identifiers (OpIDs) to indicate synchronization offsets and runs lock-free threads in the background to search for OpIDs. The system asynchronously synchronizes AOF binary logs (binlogs) from the master node to the replica node. You can throttle synchronization to ensure the performance of Tair.
Global Distributed Cache
Global Distributed Cache for Tair (Redis OSS-compatible) is an active geo-redundancy database system that is developed in-house by Alibaba Cloud based on Redis. Global Distributed Cache supports business scenarios in which multiple sites in different regions simultaneously provide services. It helps enterprises replicate the active geo-redundancy architecture of Alibaba. This feature provides the following benefits:
Allows you to directly create child instances or specify the child instances that need to be synchronized without having to build redundancy into your application. This greatly reduces the complexity of application design and allows you to focus on application development.
Provides the geo-replication capability to implement geo-disaster recovery or active geo-redundancy.
For more information, see Overview.
Security audit
Tair (Redis OSS-compatible) provides audit logs based on Simple Log Service. Audit logs include statistics such as log types, execution durations, database numbers, client IP addresses, account names, command details, and extension information. This feature allows you to query and analyze online operation logs (including logs of sensitive operations such as FLUSHALL, FLUSHDB, and DEL), slow query logs, and operational logs. This helps you gain insights into the security and performance of your instances. For more information, see Enable the audit log feature.
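Once audit logs are exported, the sensitive operations named above can be picked out with a short script. The following is an added example, not part of the product: it scans JSON-lines records, reports every FLUSHALL and FLUSHDB, and reports DEL only when one account and client IP issue several. The record layout, field names, sample records, and the burst threshold are assumptions and do not reflect the actual Simple Log Service schema.

```python
import json
from collections import Counter

SENSITIVE = {"FLUSHALL", "FLUSHDB", "DEL"}  # commands this page names as sensitive
DEL_BURST = 3  # assumed threshold of DELs per (account, client IP)

# Constructed audit records; field names are assumptions, not the SLS schema.
SAMPLE_LOG = """\
{"time":"2024-05-01T02:00:01Z","db":0,"client_ip":"192.168.10.7","account":"app_rw","command":"SET session:1 abc"}
{"time":"2024-05-01T02:00:02Z","db":0,"client_ip":"192.168.10.7","account":"app_rw","command":"DEL cache:1"}
{"time":"2024-05-01T02:00:03Z","db":2,"client_ip":"192.168.20.5","account":"ops_admin","command":"flushdb"}
{"time":"2024-05-01T02:00:04Z","db":0,"client_ip":"192.168.10.7","account":"app_rw","command":"DEL cache:2"}
{"time":"2024-05-01T02:00:05Z","db":0,"client_ip":"192.168.10.7","account":"app_rw","command":"DEL cache:3"}
{"time":"2024-05-01T02:00:06Z","db":0,"client_ip":"192.168.20.5","account":"ops_admin","command":"FLUSHALL"}
{"time":"2024-05-01T02:00:07Z","db":0,"client_ip":"192.168.10.7","account":"app_rw","command":"GET session:1"}
"""

def find_sensitive(log_text):
    """Return alerts as (kind, account, client_ip, time) tuples in log order."""
    alerts, dels = [], Counter()
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines instead of aborting the scan
        if not isinstance(rec, dict):
            continue
        parts = str(rec.get("command", "")).split()
        verb = parts[0].upper() if parts else ""  # Redis command names are case-insensitive
        if verb not in SENSITIVE:
            continue
        who = (rec.get("account"), rec.get("client_ip"))
        if verb == "DEL":
            dels[who] += 1
            if dels[who] == DEL_BURST:  # alert once, when the threshold is reached
                alerts.append(("DEL_BURST", *who, rec.get("time")))
        else:
            alerts.append((verb, *who, rec.get("time")))
    return alerts

if __name__ == "__main__":
    for alert in find_sensitive(SAMPLE_LOG):
        print(alert)
```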