AWS Redis Security group example


I want to create a security group for AWS Elasticache (Redis).

As far as I see, I have 2 options:

Either open a Custom TCP connection on port 6379, and define the IP addresses that can reach Redis as a source.

Or, what currently works: I open the 6379 port to anywhere (so that my EC2 instance can connect to it), and secure the components before the EC2.

What is the best approach here?


Solution

  • In your instance it sounds like you should have a single inbound rule for the security group assigned to your ElastiCache Redis cluster. This rule for port 6379 should specify the security group assigned to your EC2 instance(s) in the "source" field.

    By specifying the security group ID in the source field, instead of an IP address or IP range, you can easily scale-out your EC2 server cluster, or make modifications to your EC2 instance that might result in an IP address change, without needing to change the security group rules for your ElastiCache cluster.

    Note that if you do continue using IP addresses in your security group, you need to use the Private IP of the EC2 server, not the Public IP.
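As an added example (not from the original post or from AWS), the audit below checks a security group in the shape of boto3's ec2.describe_security_groups() output for the three points in the answer: a rule open to anywhere, an IP source that is not a VPC private address, and the recommended source-security-group rule. The sample group and its ids are constructed placeholders.

```python
import ipaddress

REDIS_PORT = 6379
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the shape of ec2.describe_security_groups() output.
# Rule 1 is the "open to anywhere" setup from the question; rule 2 mixes a
# public-IP source (wrong per the answer) with the recommended source SG.
SAMPLE_SG = {
    "GroupId": "sg-0cache0example",  # placeholder id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}],
         "UserIdGroupPairs": [{"GroupId": "sg-0ec2example"}]},
    ],
}


def covers_redis(perm):
    """True if the rule's port range includes 6379 (or it is all-traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort", 0) <= REDIS_PORT <= perm.get("ToPort", 0)


def audit_redis_sg(sg):
    """Return (kind, cidr) findings for CIDR sources that reach Redis.
    'open-to-world' = 0.0.0.0/0 or ::/0; 'public-ip-source' = IPv4 outside
    RFC 1918. Source-SG entries (UserIdGroupPairs) are never flagged."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        if not covers_redis(perm):
            continue
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                findings.append(("open-to-world", cidr))
            elif net.version == 4 and not any(net.subnet_of(p) for p in RFC1918):
                findings.append(("public-ip-source", cidr))
    return findings


def recommended_ingress(ec2_sg_id):
    """The single rule the answer recommends, in the IpPermissions shape
    that boto3's ec2.authorize_security_group_ingress() accepts."""
    return {"IpProtocol": "tcp", "FromPort": REDIS_PORT, "ToPort": REDIS_PORT,
            "UserIdGroupPairs": [{"GroupId": ec2_sg_id}]}
```

Pointed at the live cache cluster's group, an empty findings list means every CIDR source on 6379 is a private VPC address or the group uses source-SG rules only.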