Re: Oracle on AWS/ec2 - multiple listener
Date: Thu, 22 Mar 2018 14:02:59 -0400
Message-ID: <CAGg9F4x+2iTB_iG_3WKKMZfmjLeVccoDSGc=RbK9hNAUqgbKSA_at_mail.gmail.com>
Thanks once again for all the valuable insights shared.
Reviewing this further... we are going to stand up a separate server have
oracle connection manager run on this routing the connection back to the DB
server
On 22 March 2018 at 13:47, Niall Litchfield <niall.litchfield_at_gmail.com>
wrote:
> You certainly can restrict network traffic to the database listener based
the server with OCM will have a public ip and allow connection from few
IP's from the vendor..
> on AWS Security groups and Network ACLs. https://docs.aws.amazon.
> com/AmazonVPC/latest/UserGuide/VPC_ACLs.html &
> https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/
> VPC_SecurityGroups.html . I still really, really don't like it :)
>
> On Thu, Mar 22, 2018 at 11:33 AM, Stefan Knecht <knecht.stefan_at_gmail.com>
> wrote:
>
>> I'm with Niall on this one. This sounds like a terrible idea. You should
>> channel your application through something that's equipped to be facing the
>> public internet. A reverse proxy, a web server, an application server. You
>> almost certainly don't want your database listener to be directly
>> accessible to the public internet. Not if there's any data in that database
>> that you value.
>>
>> Alternatively, and at the very least, if you can restrict incoming IP
>> addresses to known sources, that could work out. But if your application
>> directly connects to the database, and it can be installed / ran by anyone
>> anywhere on the internet, I'd see that as a huge security issue.
>>
>> That's my THB 0.02 :)
>>
>> Stefan
>>
>>
>>
>>
>>
>> On Thu, Mar 22, 2018 at 6:26 PM, Sam K <dbinsight_at_gmail.com> wrote:
>>
>>> Maris, Niall -
>>>
>>> It is a vendor app, the vendor directly connects to the DB over ODBC
>>> to send information , no API calls available.
>>> I am leaning towards setting up a remote listener config for this
>>> external connection (having something in the middle)
>>> instead of adding a second NIC and with external address on the same ec2
>>> instance.
>>> Kindly weigh in
>>>
>>> Thank you
>>>
>>> On 22 March 2018 at 07:17, Niall Litchfield <niall.litchfield_at_gmail.com>
>>> wrote:
>>>
>>>> Maris is technically right, but allowing connections from the public
>>>> internet is almost certainly a terrible idea. What is the business case
>>>> here (if you can share of course)? You might wish to have 2 listeners on
>>>> different ports so that you can do maintenance via the corporate listener,
>>>> but its hard to see this as a good enough justification for me.
>>>>
>>>> On Thu, Mar 22, 2018 at 10:15 AM, Maris Elsins <elmaris_at_gmail.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I don't really understand why you need to have 2 listeners.
>>>>> I would set up one listener for that, similar to this:
>>>>>
>>>>> LISTENER=
>>>>> (DESCRIPTION=
>>>>> (ADDRESS_LIST=
>>>>> (ADDRESS=(PROTOCOL=tcp)(HOST=internal_ip_address)(PORT=1521))
>>>>> (ADDRESS=(PROTOCOL=tcp)(HOST=external_ip_address)(PORT=1521))))
>>>>>
>>>>>
>>>>> ---
>>>>> Maris Elsins
>>>>> _at_MarisElsins <https://twitter.com/MarisElsins>
>>>>> www.facebook.com/maris.elsins
>>>>>
>>>>>
>>>>>
>>>>> On Thu, Mar 22, 2018 at 12:09 PM, Sam K <dbinsight_at_gmail.com> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> We have an oracle database in AWS EC2( no rac) running with a single
>>>>>> listener configured
>>>>>> we want to attach a second NIC card to the instance and configure a
>>>>>> second listener to accept requests from the pubic internet only
>>>>>> so we will essentially have two listeners for the same DB (11g) -
>>>>>> one for internal private use (corporate network) configured
>>>>>> the other listener we want to configure it to allow public access ,
>>>>>> allow it to accept incoming connection from the internet only
>>>>>> This listener configured on the new NIC will be configured thru
>>>>>> firewall and accept traffic from public internet.
>>>>>> Is it possible to have such a configuration
>>>>>> Or is it better to have a remote listener configuration for the
>>>>>> external access only and local listener for the internal traffic
>>>>>> Looking for tips/ guidance from the group
>>>>>>
>>>>>> --
>>>>>> Regards
>>>>>> Sam K
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Niall Litchfield
>>>> Oracle DBA
>>>> http://www.orawin.info
>>>>
>>>
>>>
>>>
>>> --
>>> Regards
>>> Sam K
>>>
>>
>>
>>
>> --
>> //
>> zztat - The Next-Gen Oracle Performance Monitoring and Reaction Framework!
>> Visit us at zztat.net | _at_zztat_oracle | fb.me/zztat | zztat.net/blog/
>>
>
>
>
> --
> Niall Litchfield
> Oracle DBA
> http://www.orawin.info
>
-- Regards Sam K -- http://www.freelists.org/webpage/oracle-lReceived on Thu Mar 22 2018 - 19:02:59 CET