There must be a new security group that allows connections at port 6379 from the correct EBS security group.
Since each EBS has a new autogenerated security group, the SG of redis needs to be newly created, its rule has the source traffic of the new EBS’s SG.
I got bitten by this again. The key point is that each cloned EBS has its own security group. A pair of SGs, 1 for the load balancer and one for the EC2. Since Redis connections are from the EC2, we need a new security group that accepts traffic from the newly cloned EBS SG, and this new group applied to the Redis instance.