Something that no one else has mentioned, that I saw.
Since you're running on AWS/EC2, you should be aware that when it comes to
public IPs, they don't actually exist on the host. The listerner will
*not* be able to bind to the public IP, because it's not visible from the
O/S. Public IPs are handled by AWS in their network layer.
For example, on one of my hosts with a public IP:
[oracle@secure-web-server ~]$ ifconfig -a
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9001
inet 172.16.1.171 netmask 255.255.255.0 broadcast 172.16.1.255
inet6 fe80::490:19ff:fe4c:6f72 prefixlen 64 scopeid 0x20<link>
ether 06:90:19:4c:6f:72 txqueuelen 1000 (Ethernet)
RX packets 14484986 bytes 25665879760 (23.9 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 14260260 bytes 14540658529 (13.5 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 5837788 bytes 5601669908 (5.2 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5837788 bytes 5601669908 (5.2 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
There is only the private IP and the local loopback. That's it. There is
a public IP, but it's not visible in the O/S. AWS does networking magic to
route the public IP traffic to the host.
So, your premise of running a second listener and binding to public IP is
false. It can't be done.
This caused no small amount of confusion on my part the first time I ran
into it.
Hope that helps,
-Mark
On Thu, Mar 22, 2018 at 2:02 PM, Sam K <dbinsight@xxxxxxxxx> wrote:
Thanks once again for all the valuable insights shared.
Reviewing this further... we are going to stand up a separate server have
oracle connection manager run on this routing the connection back to the DB
server
the server with OCM will have a public ip and allow connection from few
IP's from the vendor..
On 22 March 2018 at 13:47, Niall Litchfield <niall.litchfield@xxxxxxxxx>
wrote:
You certainly can restrict network traffic to the database listener based
on AWS Security groups and Network ACLs. https://docs.aws.amazon.
com/AmazonVPC/latest/UserGuide/VPC_ACLs.html &
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC
_SecurityGroups.html . I still really, really don't like it :)
On Thu, Mar 22, 2018 at 11:33 AM, Stefan Knecht <knecht.stefan@xxxxxxxxx>
wrote:
I'm with Niall on this one. This sounds like a terrible idea. You should
channel your application through something that's equipped to be facing the
public internet. A reverse proxy, a web server, an application server. You
almost certainly don't want your database listener to be directly
accessible to the public internet. Not if there's any data in that database
that you value.
Alternatively, and at the very least, if you can restrict incoming IP
addresses to known sources, that could work out. But if your application
directly connects to the database, and it can be installed / ran by anyone
anywhere on the internet, I'd see that as a huge security issue.
That's my THB 0.02 :)
Stefan
On Thu, Mar 22, 2018 at 6:26 PM, Sam K <dbinsight@xxxxxxxxx> wrote:
Maris, Niall -
It is a vendor app, the vendor directly connects to the DB over ODBC
to send information , no API calls available.
I am leaning towards setting up a remote listener config for this
external connection (having something in the middle)
instead of adding a second NIC and with external address on the same
ec2 instance.
Kindly weigh in
Thank you
On 22 March 2018 at 07:17, Niall Litchfield <niall.litchfield@xxxxxxxxx
wrote:
Maris is technically right, but allowing connections from the public
internet is almost certainly a terrible idea. What is the business case
here (if you can share of course)? You might wish to have 2 listeners on
different ports so that you can do maintenance via the corporate listener,
but its hard to see this as a good enough justification for me.
On Thu, Mar 22, 2018 at 10:15 AM, Maris Elsins <elmaris@xxxxxxxxx>
wrote:
Hi,
I don't really understand why you need to have 2 listeners.
I would set up one listener for that, similar to this:
LISTENER=
(DESCRIPTION=
(ADDRESS_LIST=
(ADDRESS=(PROTOCOL=tcp)(HOST=internal_ip_address)(PORT=1521))
(ADDRESS=(PROTOCOL=tcp)(HOST=external_ip_address)(PORT=1521))))
---
Maris Elsins
@MarisElsins <https://twitter.com/MarisElsins>
www.facebook.com/maris.elsins
On Thu, Mar 22, 2018 at 12:09 PM, Sam K <dbinsight@xxxxxxxxx> wrote:
Hi All,
We have an oracle database in AWS EC2( no rac) running with a
single listener configured
we want to attach a second NIC card to the instance and configure a
second listener to accept requests from the pubic internet only
so we will essentially have two listeners for the same DB (11g) -
one for internal private use (corporate network) configured
the other listener we want to configure it to allow public access ,
allow it to accept incoming connection from the internet only
This listener configured on the new NIC will be configured thru
firewall and accept traffic from public internet.
Is it possible to have such a configuration
Or is it better to have a remote listener configuration for the
external access only and local listener for the internal traffic
Looking for tips/ guidance from the group
--
Regards
Sam K
--
Niall Litchfield
Oracle DBA
http://www.orawin.info
--
Regards
Sam K
--
//
zztat - The Next-Gen Oracle Performance Monitoring and Reaction
Framework!
Visit us at zztat.net | @zztat_oracle | fb.me/zztat | zztat.net/blog/
--
Niall Litchfield
Oracle DBA
http://www.orawin.info
--
Regards
Sam K
