Re: Oracle on AWS/ec2 - multiple listener

From: Mark J. Bobak <mark_at_bobak.net>
Date: Thu, 22 Mar 2018 14:15:08 -0400
Message-ID: <CAFQ5ACJKQcTWA=u25q9QqBvzN_oEafE6Zp10p=YWLqLLmad03A_at_mail.gmail.com>



Something that no one else has mentioned, that I saw.

Since you're running on AWS/EC2, you should be aware that when it comes to public IPs, they don't actually exist on the host. The listener will *not* be able to bind to the public IP, because it's not visible from the O/S. Public IPs are handled by AWS in their network layer.

For example, on one of my hosts with a public IP:

[oracle_at_secure-web-server ~]$ ifconfig -a
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9001

        inet 172.16.1.171  netmask 255.255.255.0  broadcast 172.16.1.255
        inet6 fe80::490:19ff:fe4c:6f72  prefixlen 64  scopeid 0x20<link>
        ether 06:90:19:4c:6f:72  txqueuelen 1000  (Ethernet)
        RX packets 14484986  bytes 25665879760 (23.9 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 14260260  bytes 14540658529 (13.5 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 5837788  bytes 5601669908 (5.2 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5837788  bytes 5601669908 (5.2 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

There is only the private IP and the local loopback. That's it. There is a public IP, but it's not visible in the O/S. AWS does networking magic to route the public IP traffic to the host.

So, your premise of running a second listener and binding to public IP is false. It can't be done.

This caused no small amount of confusion on my part the first time I ran into it.

Hope that helps,

-Mark

On Thu, Mar 22, 2018 at 2:02 PM, Sam K <dbinsight_at_gmail.com> wrote:

> Thanks once again for all the valuable insights shared.
> Reviewing this further... we are going to stand up a separate server have
> oracle connection manager run on this routing the connection back to the DB
> server
> the server with OCM will have a public ip and allow connection from few
> IP's from the vendor..
>
> On 22 March 2018 at 13:47, Niall Litchfield <niall.litchfield_at_gmail.com>
> wrote:
>
>> You certainly can restrict network traffic to the database listener based
>> on AWS Security groups and Network ACLs.
>> https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html &
>> https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html .
>> I still really, really don't like it :)
>>
>> On Thu, Mar 22, 2018 at 11:33 AM, Stefan Knecht <knecht.stefan_at_gmail.com>
>> wrote:
>>
>>> I'm with Niall on this one. This sounds like a terrible idea. You should
>>> channel your application through something that's equipped to be facing the
>>> public internet. A reverse proxy, a web server, an application server. You
>>> almost certainly don't want your database listener to be directly
>>> accessible to the public internet. Not if there's any data in that database
>>> that you value.
>>>
>>> Alternatively, and at the very least, if you can restrict incoming IP
>>> addresses to known sources, that could work out. But if your application
>>> directly connects to the database, and it can be installed / ran by anyone
>>> anywhere on the internet, I'd see that as a huge security issue.
>>>
>>> That's my THB 0.02 :)
>>>
>>> Stefan
>>>
>>>
>>>
>>>
>>>
>>> On Thu, Mar 22, 2018 at 6:26 PM, Sam K <dbinsight_at_gmail.com> wrote:
>>>
>>>> Maris, Niall -
>>>>
>>>> It is a vendor app, the vendor directly connects to the DB over ODBC
>>>> to send information , no API calls available.
>>>> I am leaning towards setting up a remote listener config for this
>>>> external connection (having something in the middle)
>>>> instead of adding a second NIC and with external address on the same
>>>> ec2 instance.
>>>> Kindly weigh in
>>>>
>>>> Thank you
>>>>
>>>> On 22 March 2018 at 07:17, Niall Litchfield <niall.litchfield_at_gmail.com>
>>>> wrote:
>>>>
>>>>> Maris is technically right, but allowing connections from the public
>>>>> internet is almost certainly a terrible idea. What is the business case
>>>>> here (if you can share of course)? You might wish to have 2 listeners on
>>>>> different ports so that you can do maintenance via the corporate listener,
>>>>> but its hard to see this as a good enough justification for me.
>>>>>
>>>>> On Thu, Mar 22, 2018 at 10:15 AM, Maris Elsins <elmaris_at_gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I don't really understand why you need to have 2 listeners.
>>>>>> I would set up one listener for that, similar to this:
>>>>>>
>>>>>> LISTENER=
>>>>>> (DESCRIPTION=
>>>>>> (ADDRESS_LIST=
>>>>>> (ADDRESS=(PROTOCOL=tcp)(HOST=internal_ip_address)(PORT=1521))
>>>>>> (ADDRESS=(PROTOCOL=tcp)(HOST=external_ip_address)(PORT=1521))))
>>>>>>
>>>>>>
>>>>>> ---
>>>>>> Maris Elsins
>>>>>> _at_MarisElsins <https://twitter.com/MarisElsins>
>>>>>> www.facebook.com/maris.elsins
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Thu, Mar 22, 2018 at 12:09 PM, Sam K <dbinsight_at_gmail.com> wrote:
>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> We have an oracle database in AWS EC2( no rac) running with a
>>>>>>> single listener configured
>>>>>>> we want to attach a second NIC card to the instance and configure a
>>>>>>> second listener to accept requests from the public internet only
>>>>>>> so we will essentially have two listeners for the same DB (11g) -
>>>>>>> one for internal private use (corporate network) configured
>>>>>>> the other listener we want to configure it to allow public access ,
>>>>>>> allow it to accept incoming connection from the internet only
>>>>>>> This listener configured on the new NIC will be configured thru
>>>>>>> firewall and accept traffic from public internet.
>>>>>>> Is it possible to have such a configuration
>>>>>>> Or is it better to have a remote listener configuration for the
>>>>>>> external access only and local listener for the internal traffic
>>>>>>> Looking for tips/ guidance from the group
>>>>>>>
>>>>>>> --
>>>>>>> Regards
>>>>>>> Sam K
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Niall Litchfield
>>>>> Oracle DBA
>>>>> http://www.orawin.info
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Regards
>>>> Sam K
>>>>
>>>
>>>
>>>
>>> --
>>> //
>>> zztat - The Next-Gen Oracle Performance Monitoring and Reaction
>>> Framework!
>>> Visit us at zztat.net | _at_zztat_oracle | fb.me/zztat | zztat.net/blog/
>>>
>>
>>
>>
>> --
>> Niall Litchfield
>> Oracle DBA
>> http://www.orawin.info
>>
>
>
>
> --
> Regards
> Sam K
>
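The following is an added example, not code from anyone in this thread. It turns Mark's observation into a check a DBA can run before touching listener.ora on an EC2 host: parse the HOST= entries out of an ADDRESS_LIST like the one Maris posted, then ask the operating system whether a TCP socket can actually bind to each address. On EC2 the private address binds and the public (Elastic) address does not, because the public address is translated at the AWS network layer and never appears on an interface; a listener configured with it will fail to start. The listener.ora fragment below is constructed for the example, and its addresses (127.0.0.1 and the RFC 5737 documentation address 203.0.113.10 standing in for a public IP) are placeholders.

```python
import errno
import re
import socket
from typing import Dict, List

# Constructed listener.ora fragment modelled on the one quoted in the thread.
# 127.0.0.1 stands in for the instance's private address; 203.0.113.10 is a
# documentation-range placeholder standing in for a public/Elastic IP that is
# NOT present on any local interface.
LISTENER_ORA = """
LISTENER=
  (DESCRIPTION=
    (ADDRESS_LIST=
      (ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PORT=1521))
      (ADDRESS=(PROTOCOL=tcp)(HOST=203.0.113.10)(PORT=1521))))
"""

HOST_RE = re.compile(r"\(HOST=([^)\s]+)\)", re.IGNORECASE)


def listener_hosts(listener_ora: str) -> List[str]:
    """Return every HOST= value in the ADDRESS_LIST, in file order."""
    return HOST_RE.findall(listener_ora)


def bindable(host: str) -> bool:
    """True if the OS will let a TCP socket bind to this address.

    Port 0 asks the kernel for an ephemeral port, so the probe never
    collides with a listener that is already running on 1521. An address
    that is not configured on any local interface (the EC2 public IP case)
    fails with EADDRNOTAVAIL; an unresolvable hostname also counts as
    not bindable.
    """
    try:
        ip = socket.gethostbyname(host)
    except socket.gaierror:
        return False
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((ip, 0))
            return True
        except OSError as e:
            # errno.EADDRNOTAVAIL is the expected failure for a public IP
            # that AWS translates outside the guest; any other bind error
            # also means the listener could not use this address.
            assert e.errno != 0
            return False


def check_listener(listener_ora: str) -> Dict[str, bool]:
    """Map each HOST= entry to whether the listener could bind it here."""
    return {h: bindable(h) for h in listener_hosts(listener_ora)}


if __name__ == "__main__":
    for host, ok in check_listener(LISTENER_ORA).items():
        state = "bindable" if ok else "NOT on this host (listener would fail)"
        print(f"{host:>16}: {state}")
```

Run on an EC2 instance with the real addresses substituted, the private address reports bindable and the public address does not, which is exactly why the "second listener on the public IP" design cannot work there; the listener binds the private address (or the wildcard) and AWS routes public traffic to it, with Security Groups and Network ACLs deciding who may reach port 1521.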

--
http://www.freelists.org/webpage/oracle-l
Received on Thu Mar 22 2018 - 19:15:08 CET
