Azure Cache for Redis PowerShell properties and parameters
| Product family | Azure |
|---|---|
| Document source | Azure Cache for Redis |
| Guide type | Hands-on Reference |
| Skill level | Intermediate to advanced |
| Time | 20 - 75 minutes depending on tenant scale |
The Azure Cache for Redis PowerShell module is the choice when you're scripting cache deployments inside an existing PowerShell-based DevOps workflow. The cmdlets accept dozens of parameters. Most of them you'll never touch. A handful you'll touch on every deployment.
I keep a one-page cheat sheet of the parameters I use 90% of the time. This page is that cheat sheet with the verifiable ones documented.
Reference content and what it actually means
The Microsoft Learn page for Azure Cache for Redis PowerShell properties and parameters reads like a config option inventory. Useful, but it doesn't tell you which knobs matter when you have a customer on the phone asking why their cache p99 jumped from 2ms to 14ms. Let me reframe it.
Three variables drive Azure Cache for Redis behaviour in practice: the tier (Basic, Standard, Premium, Enterprise, Enterprise Flash), the auth mode (access keys vs Entra ID), and the network config (public vs VNet vs Private Endpoint). Get those three right and most of the surprises disappear.
Tiers and what each one buys you
Basic is single-node, no SLA, dev/test only. Standard is two-node master-replica, 99.9% SLA. Premium adds VNet integration, persistence, geo-replication, and clustering. Enterprise is built on Redis Enterprise software with multi-AZ HA and Redis modules. Enterprise Flash uses NVMe for sub-millisecond reads on multi-TB datasets.
For a typical Indian SaaS customer, Standard C2 (2.5 GB) at around ₹4,200/month is enough for session cache. Premium P3 (26 GB) at around ₹62,000/month is the production sweet spot for heavy workloads. Enterprise tier starts around ₹1.1 lakh/month and goes up. Confirm against the pricing calculator on the day — Microsoft adjusts these quarterly.
Authentication that scales
Three options. Access keys (a primary and secondary, rotate periodically). Entra ID via managed identity (no secrets, role-based). Custom data access policies (Entra plus command-level scope). For production, use Entra. Access keys end up in logs, config files committed by accident, screenshots in Teams.
# Enable Entra auth on an existing Premium cache
az redis update --name my-cache --resource-group rg-cache \
--set redisConfiguration.aad-enabled=true
# Assign Entra access policy
az redis access-policy-assignment create \
--resource-group rg-cache \
--name my-cache \
--access-policy-name "Data Owner" \
--object-id $(az ad sp show --id my-app --query id -o tsv) \
--object-id-alias my-app
The migration from keys to Entra is non-disruptive — both can coexist while you cut clients over one by one. I run a four-week migration on every customer cache. Week 1: enable Entra alongside keys. Weeks 2-3: cut clients over. Week 4: disable keys, confirm nothing broke.
Network configuration choices
Public endpoint with firewall rules. VNet injection on Premium tier (legacy, deprecating). Private Endpoint on Standard/Premium/Enterprise (modern, preferred). For any new deployment, use Private Endpoint. The VNet injection model is in long maintenance: Microsoft has stated Private Endpoint is the forward path.
How to apply this in practice
Here's the deploy pattern I use for a new Redis customer.
- Pick the tier based on workload. Session cache → Standard. Pub/Sub at scale or geo-rep → Premium. Multi-AZ HA or Redis modules → Enterprise.
- Provision in the region matching data residency.
az redis create --name my-cache --resource-group rg-cache --location centralindia --sku Premium --vm-size P1 --enable-non-ssl-port false --minimum-tls-version 1.2. - Create a Private Endpoint into your app VNet.
az network private-endpoint create --name pe-redis --resource-group rg-cache --vnet-name vnet-app --subnet snet-pe --private-connection-resource-id $(az redis show --name my-cache --resource-group rg-cache --query id -o tsv) --group-ids redisCache --connection-name redis-conn. - Enable Entra auth and assign access policies to your app's managed identity. Two minutes to wire it up. Saves rotating access keys forever.
- Set up diagnostic settings, send Redis logs to a Log Analytics workspace. Build an alert on the connectedclients metric and one on the usedmemorypercentage metric.
I've seen this fail when teams skip the Private Endpoint step and rely on firewall rules. Firewall rules drift. Private Endpoint is the resource the network team can't accidentally remove.
Caveats and what to double-check
- The maxmemory-reserved setting defaults to 10% on small caches and gets it wrong on caches above 13 GB. Tune it to 30% for high-write workloads on Premium tier.
- Persistence (RDB or AOF) is only available on Premium and Enterprise. Standard tier has master-replica replication but no disk persistence. A region-wide failure on Standard loses recent writes.
- Clustering on Premium splits keys across shards but breaks multi-key operations that span shards. Test your client carefully. Lua scripts and MULTI/EXEC across shards fail.
- Geo-replication on Premium tier replicates async with seconds-of-lag. Don't treat the secondary as strongly consistent.
- The portal-shown "Used memory" metric includes the maxmemory-reserved overhead. Your visible cache space is smaller than the SKU number suggests.
Related work in your environment
- Document every cache in your team wiki with the tier, region, auth mode, and the apps that consume it. Future you will thank present you.
- Add an Azure Policy that audits any new Redis cache for TLS 1.2 enforcement and non-SSL port disabled. Catches drift on day one.
- Run a monthly cost review.
az resource list --resource-type Microsoft.Cache/redis -o tableshows them all. Kill any cache nobody uses, Premium tier leaks budget fast. - Mirror your cache config in Bicep or Terraform. Resource drift is the silent killer of multi-region Redis fleets.
- For India customers under MeitY guidance, Central India and South India both keep cache data in-country.
Troubleshooting the failures I keep seeing
Four failure modes account for 90% of Azure Cache for Redis support tickets I've worked.
Connection timeouts under load
Almost always client-side connection pool exhaustion. Check StackExchange.Redis or Jedis or Redisson pool size. Default is usually too small. For a high-throughput app, I set pool size to 100 minimum. Watch the connectedclients metric: if it's hitting the SKU ceiling, you need a bigger tier.
p99 latency creeps up over a day
Memory fragmentation on heavy-write workloads. Check the usedmemoryrss versus usedmemory ratio. If the ratio is over 1.5, fragmentation is the cause. Restart the cache during a maintenance window (Standard tier loses recent writes; Premium with persistence does not).
"NOAUTH Authentication required" errors
Either the access key rotated and the client didn't pick up the new one, or the client is connecting before Entra token refresh completes. Cache the Entra token with a 5-minute buffer before its expiry.
Master failover takes longer than expected
On Standard tier, master failover is 60-120 seconds. On Premium with clustering, it's 30-60 seconds per shard. Build your client to retry with exponential backoff and survive a 90-second outage. Most clients don't by default.
Cost notes for Azure Cache for Redis
Pricing has three levers. Tier (Basic to Enterprise Flash, 10x cost range). Size within tier (C0 to C6 on Standard, P1 to P5 on Premium). Add-ons (geo-replication, persistence, modules on Enterprise).
For an Indian SaaS customer running a typical Premium P3 cache (26 GB) in Central India with geo-replication to South India, monthly cost runs around ₹1.05 lakh ($1,260). The same cache as Standard C5 (26 GB) is around ₹50,000 ($600). The Premium adds VNet, persistence, geo-rep, clustering.
Reservations on Standard and Premium tiers give 35-55% off depending on commitment length. For a stable production workload, the 3-year reservation is almost free money. I buy reservations after the cache has been running production traffic for at least 90 days to avoid committing to the wrong tier.
Rollback plan if a Redis change breaks production
If a Redis config change is causing issues, you have three rollback levels.
- Revert the config change.
az redis update --set redisConfiguration.<key>=<old-value>. Most non-tier changes apply within 60 seconds. - Failover the master to the replica.
az redis force-reboot --reboot-type SecondaryNode. Useful when the master is in a bad state but the replica is clean. - Restore from RDB backup (Premium with persistence enabled). Worst case, you lose minutes of writes. Restoring takes 5-15 minutes depending on backup size.
I keep daily RDB exports running to a separate storage account for every production cache. Daily costs around ₹15-30 for the storage. Saved me twice this year. Cheap insurance.
FAQ
References
- Microsoft Learn: official documentation for Azure
- Microsoft tech community forums and Q&A
- Azure Service Health and Microsoft 365 service health dashboards
- Azure pricing calculator (azure.microsoft.com/pricing/calculator)
Related fixes
Related guides worth a look while you sort this one out: