Re: Oracle on AWS/ec2 - multiple listener

From: Niall Litchfield <niall.litchfield_at_gmail.com>
Date: Thu, 22 Mar 2018 17:47:58 +0000
Message-ID: <CABe10sbPMv_DfEeGowsdLGRfUxqx80FVfTQLuQLfmLc=E2a5rw_at_mail.gmail.com>

You certainly can restrict network traffic to the database listener based on AWS Security groups and Network ACLs. https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html & https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html . I still really, really don't like it :)

On Thu, Mar 22, 2018 at 11:33 AM, Stefan Knecht <knecht.stefan_at_gmail.com> wrote:

> I'm with Niall on this one. This sounds like a terrible idea. You should
> channel your application through something that's equipped to be facing the
> public internet. A reverse proxy, a web server, an application server. You
> almost certainly don't want your database listener to be directly
> accessible to the public internet. Not if there's any data in that database
> that you value.
>
> Alternatively, and at the very least, if you can restrict incoming IP
> addresses to known sources, that could work out. But if your application
> directly connects to the database, and it can be installed / run by anyone
> anywhere on the internet, I'd see that as a huge security issue.
>
> That's my THB 0.02 :)
>
> Stefan
>
>
>
>
>
> On Thu, Mar 22, 2018 at 6:26 PM, Sam K <dbinsight_at_gmail.com> wrote:
>
>> Maris, Niall -
>>
>> It is a vendor app, the vendor directly connects to the DB over ODBC to
>> send information, no API calls available.
>> I am leaning towards setting up a remote listener config for this
>> external connection (having something in the middle)
>> instead of adding a second NIC and with external address on the same ec2
>> instance.
>> Kindly weigh in
>>
>> Thank you
>>
>> On 22 March 2018 at 07:17, Niall Litchfield <niall.litchfield_at_gmail.com>
>> wrote:
>>
>>> Maris is technically right, but allowing connections from the public
>>> internet is almost certainly a terrible idea. What is the business case
>>> here (if you can share of course)? You might wish to have 2 listeners on
>>> different ports so that you can do maintenance via the corporate listener,
>>> but it's hard to see this as a good enough justification for me.
>>>
>>> On Thu, Mar 22, 2018 at 10:15 AM, Maris Elsins <elmaris_at_gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I don't really understand why you need to have 2 listeners.
>>>> I would set up one listener for that, similar to this:
>>>>
>>>> LISTENER=
>>>>   (DESCRIPTION=
>>>>     (ADDRESS_LIST=
>>>>       (ADDRESS=(PROTOCOL=tcp)(HOST=internal_ip_address)(PORT=1521))
>>>>       (ADDRESS=(PROTOCOL=tcp)(HOST=external_ip_address)(PORT=1521))))
>>>>
>>>>
>>>> ---
>>>> Maris Elsins
>>>> _at_MarisElsins <https://twitter.com/MarisElsins>
>>>> www.facebook.com/maris.elsins
>>>>
>>>>
>>>>
>>>> On Thu, Mar 22, 2018 at 12:09 PM, Sam K <dbinsight_at_gmail.com> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> We have an Oracle database in AWS EC2 (no RAC) running with a single
>>>>> listener configured.
>>>>> We want to attach a second NIC card to the instance and configure a
>>>>> second listener to accept requests from the public internet only,
>>>>> so we will essentially have two listeners for the same DB (11g): one
>>>>> for internal private use (corporate network) configured,
>>>>> the other listener we want to configure to allow public access,
>>>>> allow it to accept incoming connections from the internet only.
>>>>> This listener configured on the new NIC will be configured through a
>>>>> firewall and accept traffic from the public internet.
>>>>> Is it possible to have such a configuration?
>>>>> Or is it better to have a remote listener configuration for the
>>>>> external access only and a local listener for the internal traffic?
>>>>> Looking for tips / guidance from the group.
>>>>>
>>>>> --
>>>>> Regards
>>>>> Sam K
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Niall Litchfield
>>> Oracle DBA
>>> http://www.orawin.info
>>>
>>
>>
>>
>> --
>> Regards
>> Sam K
>>
>
>
>
> --
> //
> zztat - The Next-Gen Oracle Performance Monitoring and Reaction Framework!
> Visit us at zztat.net | _at_zztat_oracle | fb.me/zztat | zztat.net/blog/
>

-- 
Niall Litchfield
Oracle DBA
http://www.orawin.info
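The thread's advice is to keep the listener port reachable only from known source ranges, via Security Groups and Network ACLs. The script below is an added example, not code from any of the list participants: it audits Security Group rules in the JSON shape returned by `aws ec2 describe-security-groups` and reports any rule that opens the listener port (1521 here) to a source CIDR outside an allowlist of known ranges. The group IDs and CIDRs in the embedded sample are constructed placeholders, and the allowlist is an assumed input that a real deployment would populate from its own corporate and VPC ranges.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs and address ranges are placeholders, not real infrastructure.
SAMPLE_SG_JSON = """
{
  "SecurityGroups": [
    {
      "GroupId": "sg-0example1",
      "GroupName": "db-internal",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1521, "ToPort": 1521,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}
      ]
    },
    {
      "GroupId": "sg-0example2",
      "GroupName": "db-external",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1521, "ToPort": 1521,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}
      ]
    }
  ]
}
"""

DB_LISTENER_PORT = 1521


def permission_covers_port(perm, port):
    """True if an IpPermission entry admits TCP traffic to `port`.

    IpProtocol "-1" means all protocols and all ports, and such entries
    carry no FromPort/ToPort keys, so it is checked before the port range.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def source_cidrs(perm):
    """All IPv4 and IPv6 source ranges named by one IpPermission entry."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return v4 + v6


def find_listener_exposure(sg_doc, port=DB_LISTENER_PORT, allowed_sources=()):
    """Return (group_id, cidr, protocol, from_port, to_port) for every rule
    that reaches `port` from a source not contained in `allowed_sources`.

    A 0.0.0.0/0 or ::/0 source is never inside a narrower allowlist entry,
    so a listener open to the whole internet always appears here.
    """
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowed_sources]
    findings = []
    for sg in sg_doc.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if not permission_covers_port(perm, port):
                continue
            for cidr in source_cidrs(perm):
                net = ipaddress.ip_network(cidr, strict=False)
                # subnet_of() raises on mixed address families, so match version first.
                permitted = any(a.version == net.version and net.subnet_of(a)
                                for a in allowed)
                if not permitted:
                    findings.append((sg["GroupId"], cidr, perm.get("IpProtocol"),
                                     perm.get("FromPort"), perm.get("ToPort")))
    return findings


def audit_sample(allowed_sources=("10.0.0.0/8", "198.51.100.0/24")):
    """Run the check over the embedded sample with an assumed allowlist."""
    return find_listener_exposure(json.loads(SAMPLE_SG_JSON),
                                  allowed_sources=allowed_sources)


if __name__ == "__main__":
    for group_id, cidr, proto, lo, hi in audit_sample():
        print(f"{group_id}: port {DB_LISTENER_PORT} reachable from {cidr} "
              f"(proto={proto}, ports={lo}-{hi})")
```

On the sample, only the `0.0.0.0/0` rule in `sg-0example2` is reported: the internal 10/8 rule and the all-protocols rule from the assumed vendor range are covered by the allowlist, and the SSH rule does not touch the listener port. Feeding it real output (`aws ec2 describe-security-groups --output json`) and the ranges the business actually trusts turns it into a quick pre-change check for the kind of exposure the thread warns against.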

--
http://www.freelists.org/webpage/oracle-l
Received on Thu Mar 22 2018 - 18:47:58 CET
