Re: Oracle on AWS/ec2 - multiple listener
Date: Thu, 22 Mar 2018 17:44:48 +0000
Message-ID: <CABe10sbQ0UsQdJ2StiBAFKPVS80nN-mEgJ5n_G=SdivQ4aT3kw_at_mail.gmail.com>
ouch!
I guess my next question is what sort of authentication methods does the vendor support? You might minimize the threat of unauthorized external access by requiring - for example - SSL authenticated connections (which I *think* is supported for ODBC). The trouble I'm having is that I can't imagine that a vendor that thinks sticking databases on the public internet is a good idea would have thought through what was required to secure it - because if they had they wouldn't be doing it.
I'm not sure I have much more to offer here, other than to suggest that your organisation considers alternatives. :(
On Thu, Mar 22, 2018 at 11:26 AM, Sam K <dbinsight_at_gmail.com> wrote:
> Maris, Niall -
>
> It is a vendor app, the vendor directly connects to the DB over ODBC to
> send information , no API calls available.
> I am leaning towards setting up a remote listener config for this external
> connection (having something in the middle)
> instead of adding a second NIC and with external address on the same ec2
> instance.
> Kindly weigh in
>
> Thank you
>
> On 22 March 2018 at 07:17, Niall Litchfield <niall.litchfield_at_gmail.com>
> wrote:
>
>> Maris is technically right, but allowing connections from the public
>> internet is almost certainly a terrible idea. What is the business case
>> here (if you can share of course)? You might wish to have 2 listeners on
>> different ports so that you can do maintenance via the corporate listener,
>> but its hard to see this as a good enough justification for me.
>>
>> On Thu, Mar 22, 2018 at 10:15 AM, Maris Elsins <elmaris_at_gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I don't really understand why you need to have 2 listeners.
>>> I would set up one listener for that, similar to this:
>>>
>>> LISTENER=
>>> (DESCRIPTION=
>>> (ADDRESS_LIST=
>>> (ADDRESS=(PROTOCOL=tcp)(HOST=internal_ip_address)(PORT=1521))
>>> (ADDRESS=(PROTOCOL=tcp)(HOST=external_ip_address)(PORT=1521))))
>>>
>>>
>>> ---
>>> Maris Elsins
>>> _at_MarisElsins <https://twitter.com/MarisElsins>
>>> www.facebook.com/maris.elsins
>>>
>>>
>>>
>>> On Thu, Mar 22, 2018 at 12:09 PM, Sam K <dbinsight_at_gmail.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> We have an oracle database in AWS EC2( no rac) running with a single
>>>> listener configured
>>>> we want to attach a second NIC card to the instance and configure a
>>>> second listener to accept requests from the pubic internet only
>>>> so we will essentially have two listeners for the same DB (11g) - one
>>>> for internal private use (corporate network) configured
>>>> the other listener we want to configure it to allow public access ,
>>>> allow it to accept incoming connection from the internet only
>>>> This listener configured on the new NIC will be configured thru
>>>> firewall and accept traffic from public internet.
>>>> Is it possible to have such a configuration
>>>> Or is it better to have a remote listener configuration for the
>>>> external access only and local listener for the internal traffic
>>>> Looking for tips/ guidance from the group
>>>>
>>>> --
>>>> Regards
>>>> Sam K
>>>>
>>>
>>>
>>
>>
>> --
>> Niall Litchfield
>> Oracle DBA
>> http://www.orawin.info
>>
>
>
>
> --
> Regards
> Sam K
>
--
Niall Litchfield
Oracle DBA
http://www.orawin.info

--
http://www.freelists.org/webpage/oracle-l
Received on Thu Mar 22 2018 - 18:44:48 CET
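Maris's snippet shows the single-listener layout with two ADDRESS entries, and Niall's concern is which of those endpoints is reachable from the internet and whether the traffic is authenticated and encrypted. The following is an added example, not code from the thread or from Oracle: a small parser for the parenthesised Oracle Net syntax used in listener.ora, followed by a check that reports every ADDRESS and flags plain PROTOCOL=tcp endpoints bound to a non-private address (a 0.0.0.0 wildcard bind counts as external). The sample listener.ora text, the 10.0.1.5 internal address and the 203.0.113.10 documentation-range address standing in for a public one are all constructed; the grammar handled is the common unquoted form only, and hostnames or placeholders such as `internal_ip_address` are reported as unresolved rather than classified.

```python
"""Audit a listener.ora-style address list for plain-TCP endpoints on
non-private addresses. Added example; not Oracle's tooling and not from
the mailing-list thread."""
import ipaddress
import re

# Constructed sample mirroring the two-address listener posted in the
# thread. 10.0.1.5 stands in for the internal address; 203.0.113.10 is a
# documentation-range (TEST-NET-3) address standing in for a public one.
SAMPLE_LISTENER_ORA = """
LISTENER=
  (DESCRIPTION=
    (ADDRESS_LIST=
      (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.1.5)(PORT=1521))
      (ADDRESS=(PROTOCOL=tcps)(HOST=203.0.113.10)(PORT=2484))
      (ADDRESS=(PROTOCOL=tcp)(HOST=203.0.113.10)(PORT=1521))))
"""

# Ranges treated as "internal": RFC 1918, loopback and link-local. Anything
# else (including a 0.0.0.0 wildcard bind) is treated as reachable externally.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

_TOKEN = re.compile(r"\s*([()=]|[^()=\s]+)")


def tokenize(text):
    """Split Oracle Net syntax into '(', ')', '=' and bare-word tokens."""
    return [m.group(1) for m in _TOKEN.finditer(text)]


def _parse_value(tokens, i):
    """Parse the value after 'KEY=': a bare scalar, or one or more
    '(KEY=value)' groups. Returns (value, index_after_value)."""
    if tokens[i] != "(":
        return tokens[i], i + 1
    groups = []
    while i < len(tokens) and tokens[i] == "(":
        key = tokens[i + 1]
        if tokens[i + 2] != "=":
            raise ValueError("expected '=' after %s" % key)
        value, i = _parse_value(tokens, i + 3)
        if i >= len(tokens) or tokens[i] != ")":
            raise ValueError("unclosed group %s" % key)
        groups.append((key, value))
        i += 1
    return groups, i


def parse_net(text):
    """Parse listener.ora/tnsnames.ora-style text into {NAME: value}, where
    value is a scalar string or a list of (key, value) pairs."""
    tokens = tokenize(text)
    entries, i = {}, 0
    while i < len(tokens):
        name = tokens[i]
        if i + 1 >= len(tokens) or tokens[i + 1] != "=":
            raise ValueError("expected '=' after %s" % name)
        value, i = _parse_value(tokens, i + 2)
        entries[name] = value
    return entries


def find_addresses(value):
    """Recursively collect every ADDRESS group as an upper-cased dict."""
    found = []
    if isinstance(value, list):
        for key, val in value:
            if key.upper() == "ADDRESS" and isinstance(val, list):
                found.append({k.upper(): v for k, v in val})
            else:
                found.extend(find_addresses(val))
    return found


def classify(host, protocol):
    """'internal', 'external-encrypted', 'external-plaintext' or 'unresolved'."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unresolved"  # hostname or placeholder: resolve it and re-check
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "external-encrypted" if protocol.lower() == "tcps" else "external-plaintext"


def audit_listener(text):
    """Return (listener, host, port, protocol, verdict) for every ADDRESS."""
    findings = []
    for name, value in parse_net(text).items():
        for addr in find_addresses(value):
            host, port = addr.get("HOST", ""), addr.get("PORT", "")
            proto = addr.get("PROTOCOL", "")
            findings.append((name, host, port, proto, classify(host, proto)))
    return findings


if __name__ == "__main__":
    for row in audit_listener(SAMPLE_LISTENER_ORA):
        print("%-10s %-15s %-5s %-5s %s" % row)
```

Run against the constructed sample it reports the internal endpoint, the TCPS endpoint on the external address, and one "external-plaintext" finding for the plain TCP listener on 203.0.113.10:1521. The check is deliberately about the listener's own bind addresses; a security group or host firewall in front of the instance still decides what actually reaches the port, so treat a finding as a prompt to verify that layer, not as proof of exposure.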