Re: Oracle on AWS/ec2 - multiple listener
Date: Thu, 22 Mar 2018 18:33:39 +0700
Message-ID: <CAP50yQ_XLmXjMr=yU++mm-+vJ3BAUbeUnh=LHZK5rswU=1=Ksg_at_mail.gmail.com>
I'm with Niall on this one. This sounds like a terrible idea. You should
channel your application through something that's equipped to be facing the
public internet. A reverse proxy, a web server, an application server. You
almost certainly don't want your database listener to be directly
accessible to the public internet. Not if there's any data in that database
that you value.
Alternatively, and at the very least, if you can restrict incoming IP
addresses to known sources, that could work out. But if your application
directly connects to the database, and it can be installed / ran by anyone
anywhere on the internet, I'd see that as a huge security issue.
That's my THB 0.02 :)
Stefan
On Thu, Mar 22, 2018 at 6:26 PM, Sam K <dbinsight_at_gmail.com> wrote:
> Maris, Niall -
>
> It is a vendor app, the vendor directly connects to the DB over ODBC to
> send information , no API calls available.
> I am leaning towards setting up a remote listener config for this external
> connection (having something in the middle)
> instead of adding a second NIC and with external address on the same ec2
> instance.
> Kindly weigh in
>
> Thank you
>
> On 22 March 2018 at 07:17, Niall Litchfield <niall.litchfield_at_gmail.com>
> wrote:
>
>> Maris is technically right, but allowing connections from the public
>> internet is almost certainly a terrible idea. What is the business case
>> here (if you can share of course)? You might wish to have 2 listeners on
>> different ports so that you can do maintenance via the corporate listener,
>> but its hard to see this as a good enough justification for me.
>>
>> On Thu, Mar 22, 2018 at 10:15 AM, Maris Elsins <elmaris_at_gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I don't really understand why you need to have 2 listeners.
>>> I would set up one listener for that, similar to this:
>>>
>>> LISTENER=
>>> (DESCRIPTION=
>>> (ADDRESS_LIST=
>>> (ADDRESS=(PROTOCOL=tcp)(HOST=internal_ip_address)(PORT=1521))
>>> (ADDRESS=(PROTOCOL=tcp)(HOST=external_ip_address)(PORT=1521))))
>>>
>>>
>>> ---
>>> Maris Elsins
>>> _at_MarisElsins <https://twitter.com/MarisElsins>
>>> www.facebook.com/maris.elsins
>>>
>>>
>>>
>>> On Thu, Mar 22, 2018 at 12:09 PM, Sam K <dbinsight_at_gmail.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> We have an oracle database in AWS EC2( no rac) running with a single
>>>> listener configured
>>>> we want to attach a second NIC card to the instance and configure a
>>>> second listener to accept requests from the pubic internet only
>>>> so we will essentially have two listeners for the same DB (11g) - one
>>>> for internal private use (corporate network) configured
>>>> the other listener we want to configure it to allow public access ,
>>>> allow it to accept incoming connection from the internet only
>>>> This listener configured on the new NIC will be configured thru
>>>> firewall and accept traffic from public internet.
>>>> Is it possible to have such a configuration
>>>> Or is it better to have a remote listener configuration for the
>>>> external access only and local listener for the internal traffic
>>>> Looking for tips/ guidance from the group
>>>>
>>>> --
>>>> Regards
>>>> Sam K
>>>>
>>>
>>>
>>
>>
>> --
>> Niall Litchfield
>> Oracle DBA
>> http://www.orawin.info
>>
>
>
>
> --
> Regards
> Sam K
>
--
//
zztat - The Next-Gen Oracle Performance Monitoring and Reaction Framework!
Visit us at zztat.net | _at_zztat_oracle | fb.me/zztat | zztat.net/blog/
--
http://www.freelists.org/webpage/oracle-l
Received on Thu Mar 22 2018 - 12:33:39 CET