Re: Oracle on AWS/ec2 - multiple listener

From: Stefan Knecht <knecht.stefan_at_gmail.com>
Date: Thu, 22 Mar 2018 18:33:39 +0700
Message-ID: <CAP50yQ_XLmXjMr=yU++mm-+vJ3BAUbeUnh=LHZK5rswU=1=Ksg_at_mail.gmail.com>

I'm with Niall on this one. This sounds like a terrible idea. You should channel your application through something that's equipped to be facing the public internet. A reverse proxy, a web server, an application server. You almost certainly don't want your database listener to be directly accessible to the public internet. Not if there's any data in that database that you value.

Alternatively, and at the very least, if you can restrict incoming IP addresses to known sources, that could work out. But if your application directly connects to the database, and it can be installed / run by anyone anywhere on the internet, I'd see that as a huge security issue.

That's my THB 0.02 :)

Stefan

On Thu, Mar 22, 2018 at 6:26 PM, Sam K <dbinsight_at_gmail.com> wrote:

> Maris, Niall -
>
> It is a vendor app, the vendor directly connects to the DB over ODBC to
> send information, no API calls available.
> I am leaning towards setting up a remote listener config for this external
> connection (having something in the middle)
> instead of adding a second NIC and with external address on the same ec2
> instance.
> Kindly weigh in
>
> Thank you
>
> On 22 March 2018 at 07:17, Niall Litchfield <niall.litchfield_at_gmail.com>
> wrote:
>
>> Maris is technically right, but allowing connections from the public
>> internet is almost certainly a terrible idea. What is the business case
>> here (if you can share of course)? You might wish to have 2 listeners on
>> different ports so that you can do maintenance via the corporate listener,
>> but it's hard to see this as a good enough justification for me.
>>
>> On Thu, Mar 22, 2018 at 10:15 AM, Maris Elsins <elmaris_at_gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I don't really understand why you need to have 2 listeners.
>>> I would set up one listener for that, similar to this:
>>>
>>> LISTENER=
>>> (DESCRIPTION=
>>> (ADDRESS_LIST=
>>> (ADDRESS=(PROTOCOL=tcp)(HOST=internal_ip_address)(PORT=1521))
>>> (ADDRESS=(PROTOCOL=tcp)(HOST=external_ip_address)(PORT=1521))))
>>>
>>>
>>> ---
>>> Maris Elsins
>>> _at_MarisElsins <https://twitter.com/MarisElsins>
>>> www.facebook.com/maris.elsins
>>>
>>>
>>>
>>> On Thu, Mar 22, 2018 at 12:09 PM, Sam K <dbinsight_at_gmail.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> We have an Oracle database in AWS EC2 (no RAC) running with a single
>>>> listener configured
>>>> we want to attach a second NIC card to the instance and configure a
>>>> second listener to accept requests from the public internet only
>>>> so we will essentially have two listeners for the same DB (11g) - one
>>>> for internal private use (corporate network) configured
>>>> the other listener we want to configure it to allow public access,
>>>> allow it to accept incoming connection from the internet only
>>>> This listener configured on the new NIC will be configured through
>>>> firewall and accept traffic from public internet.
>>>> Is it possible to have such a configuration
>>>> Or is it better to have a remote listener configuration for the
>>>> external access only and local listener for the internal traffic
>>>> Looking for tips/guidance from the group
>>>>
>>>> --
>>>> Regards
>>>> Sam K
>>>>
>>>
>>>
>>
>>
>> --
>> Niall Litchfield
>> Oracle DBA
>> http://www.orawin.info
>>
>
>
>
> --
> Regards
> Sam K
>

-- 
//
zztat - The Next-Gen Oracle Performance Monitoring and Reaction Framework!
Visit us at zztat.net | _at_zztat_oracle | fb.me/zztat | zztat.net/blog/
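For readers who end up having to do what Niall and Stefan describe (two listeners on separate ports, with the externally reachable one restricted to known source addresses), the following is an added configuration example; it is not from any of the posters or from Oracle's documentation, and every address, port and host name in it is a placeholder. It combines a listener.ora with one listener per interface, the LOCAL_LISTENER setting the instance needs to register with both, and the valid node checking that implements Stefan's "restrict incoming IP addresses to known sources" at the Oracle Net layer rather than relying on the firewall alone.

```text
# ---------------------------------------------------------------
# listener.ora  (added example; all addresses are placeholders)
# ---------------------------------------------------------------
# Internal listener: bound only to the private address of the
# corporate-facing ENI, on the default port.
LISTENER_INT =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 10.0.1.10)(PORT = 1521)))

# External listener: bound only to the private address of the second
# ENI, on a different port so that maintenance can stay on LISTENER_INT.
# On EC2 the public / Elastic IP is NAT'd to the ENI's private address by
# AWS and is never configured on the OS, so HOST= must be the private
# address here, not the public one.
LISTENER_EXT =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 10.0.2.10)(PORT = 1522)))

# ---------------------------------------------------------------
# sqlnet.ora  (same TNS_ADMIN directory as listener.ora)
# ---------------------------------------------------------------
# Valid node checking is evaluated by every listener on this host, so the
# internal clients and the host's own addresses must be listed as well,
# or local and corporate connections will be refused too.
TCP.VALIDNODE_CHECKING = yes
TCP.INVITED_NODES = (127.0.0.1, 10.0.1.10, 10.0.2.10,
                     corp-app-01.example.internal,
                     203.0.113.25)          # placeholder: vendor's egress IP

# ---------------------------------------------------------------
# init.ora / spfile  (or ALTER SYSTEM SET local_listener = '...' SCOPE=BOTH)
# ---------------------------------------------------------------
# Without this the instance registers only with the default listener on
# port 1521 and LISTENER_EXT would know nothing about the service.
LOCAL_LISTENER = '(DESCRIPTION=(ADDRESS_LIST=
                    (ADDRESS=(PROTOCOL=TCP)(HOST=10.0.1.10)(PORT=1521))
                    (ADDRESS=(PROTOCOL=TCP)(HOST=10.0.2.10)(PORT=1522))))'

# ---------------------------------------------------------------
# Checks after restarting the listeners (run as the oracle user)
# ---------------------------------------------------------------
#   lsnrctl start LISTENER_INT ; lsnrctl start LISTENER_EXT
#   lsnrctl status LISTENER_EXT      -> exactly one endpoint, 10.0.2.10:1522,
#                                       and the service registered under it
#   ss -ltnp | grep tnslsnr          -> sockets bound to the two specific
#                                       addresses, none on 0.0.0.0
#   sqlplus user/pw@10.0.2.10:1522/SERVICE from a host that is NOT in
#   TCP.INVITED_NODES must fail with ORA-12537 (connection closed)
```

The AWS security group attached to the second ENI should allow TCP 1522 only from the vendor's known source range and nothing on 1521, so that the listener-level check is a second layer rather than the only one. Keep in mind that valid node checking only filters by source address; it does nothing about the strength of the database credentials the vendor's ODBC client presents, and an account that can only be used from one source address is still the thing to aim for.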

--
http://www.freelists.org/webpage/oracle-l
Received on Thu Mar 22 2018 - 12:33:39 CET
