I have a few instances running on the Amazon cloud. Some are DB-servers, some are blogs and one has my webapp. The DB-servers don't have apache or any other web-servers installed. So will it be safe to allot an IP to the DB-Servers?
...why wouldn't it be? – Bart Silverstrim Jan 22 '11 at 12:39
What does "allot" mean? – pauska Jan 22 '11 at 14:04
@pauska, by default, Amazon EC2 instances only have a private IP address, and you can attach an "elastic" public IP to it as an add-on. I assume that is what is meant. – mattdm Jan 22 '11 at 14:25
Also there are some limits to how many public IPs you can have IIRC. Generally database servers should not need public IPs. – mfarver Jan 22 '11 at 15:04
Thanks for the responses. @mfarver, as it is, each server has a public DNS, so it's easier to remember the IP than the public DNS. The DB server runs MongoDB. – theTuxRacer Jan 24 '11 at 06:11
3 Answers
Sure. TCP/IP can be used for anything, including connecting to databases. For instance, you might be interested in the MySQL wire protocol.
Of course, your database server must be properly secured. You should be especially careful if it is accessible from the outside Internet.
See this article for how to secure MySQL. Similar (but distinct) advice applies to other database systems.
Best practice as I've known it is to stick a firewall between any server & the Internet, NAT the public IPs to private, and open the necessary ports ONLY. Absolutely lock that server down as described, but at the least, this will save your DB server from having to process all the random port scanning & scripted attacks.
@halp: No. DMZ is the common name for translating ALL ports on a particular public IP to a private IP, while Kara is suggesting only forwarding the few ports that are vital, and thus blocking public access to other services which might be vulnerable. – Ben Voigt Jan 22 '11 at 20:17
Figured I'd leave DMZ out of it, there's a sick amount of information if you pull up that tag. (there I go with the subtle hints) – Kara Marfia Jan 24 '11 at 19:39
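An added example, not written by anyone in this thread, that turns Kara's and Ben's advice (forward only the vital ports) into an audit check over EC2 security-group rules: it flags database ports opened to a CIDR range, worst of all 0.0.0.0/0, and shows the hardened alternative in which the DB port admits only the web tier's security group. The IpPermissions field names follow the shape of EC2's describe-security-groups output (an assumption); every rule value and the security-group id are constructed.

```python
import ipaddress

# Constructed sample in the IpPermissions shape returned by EC2's
# describe-security-groups (assumption: those field names); all values are made up.
DB_PORTS = {3306: "mysql", 5432: "postgres", 27017: "mongodb"}
WEBAPP_SG = "sg-0webapp0example"   # placeholder id for the web tier's security group

WEAK_RULES = [   # "allow 27017 from anywhere": the DB is reachable from the whole Internet
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
]
HARDENED_RULES = [   # DB port admits only members of the web tier's security group
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "198.51.100.7/32"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": WEBAPP_SG}]},
]

def ports_of(rule):
    """Ports a rule covers; EC2 encodes 'all ports' as protocol -1 or FromPort/ToPort -1."""
    lo, hi = rule.get("FromPort", -1), rule.get("ToPort", -1)
    if rule["IpProtocol"] == "-1" or lo == -1 or hi == -1:
        return range(0, 65536)
    return range(lo, hi + 1)

def db_port_findings(rules):
    """Return (port, source_cidr, severity) for each DB port opened to a CIDR source
    rather than to a security group; a /0 source (the whole Internet) is 'high'."""
    findings = []
    for rule in rules:
        if rule["IpProtocol"] not in ("tcp", "-1"):
            continue
        covered = ports_of(rule)
        for port in sorted(p for p in DB_PORTS if p in covered):
            for rng in rule.get("IpRanges", []):
                net = ipaddress.ip_network(rng["CidrIp"], strict=False)
                severity = "high" if net.prefixlen == 0 else "medium"
                findings.append((port, rng["CidrIp"], severity))
    return findings

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        for port, cidr, sev in db_port_findings(rules):
            print(f"{name}: {DB_PORTS[port]} port {port} open to {cidr} ({sev})")
```

Rules that reference a security group (UserIdGroupPairs) produce no finding, which is the shape the DB tier should end up in.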
If I understand mattdm's clarification to your question, then you are currently running DB servers in Amazon EC2 on instances that do not have public IP addresses. Not having any experience with any of Amazon's "cloud" offerings, am I correct to assume, then, that you access your DB servers from your other servers via some kind of Amazon-provisioned private network?
Anyway, keeping my (possibly way off-base) assumptions in mind, if your current setup works for you without assigning public IPs to your DB servers, then why change it? Giving your DB servers public IP addresses will make them (potentially) accessible from the internet at large, which will introduce security concerns that you will need to address. Since it is very easy to get security wrong, my answer to your question is No, unless you've already got a well-thought-out security infrastructure built up around your servers.
Yeah, your answer makes sense. I am a greenhorn in security matters. There is a public DNS for each server, granted by Amazon itself. We can control whether the server gets a public-facing IP address, i.e. an elastic IP. And then we can also create security groups with firewall rules, and make servers part of those groups. ATM I only have the SSH and HTTP ports open. – theTuxRacer Jan 24 '11 at 06:22