Skip to Main Content
  • Questions
  • Exposing APEX app on the Internet running on internal on-premise ORDS for supplier data from EBS

Breadcrumb

Question and Answer

Connor McDonald

Thanks for the question, David.

Asked: August 23, 2024 - 4:44 pm UTC

Last updated: August 29, 2024 - 2:15 am UTC

Version: 20.2

Viewed 1000+ times

You Asked

**Use Case:**

We have built a supplier portal app in APEX and now would like to give access to it to our suppliers.

**Best Practices for Exposing APEX Apps on the Internet:**

When exposing APEX apps on the WWW/Internet that use an on-premises EBS instance/Oracle database as a source database, it is essential to follow best practices to ensure security and performance. Below are some key considerations are accounted for:

1. **New Domain Name and DNS Record:**
- We have registered a new domain name and created a DNS record to access the app, e.g., supplier.XXXXXX.com.

2. **SSL and Domain Protection:**
- We have added SSL and full domain protection with the domain hosting service to ensure secure communication.

3. **Firewall and NAT Configuration:**
- We have configured firewall rules and NAT records to route traffic through internal reverse proxy servers.

4. **APEX Authentication Schema:**
- We have implemented APEX authentication using Microsoft Active Directory (AD) and Azure for secure user authentication.

5. **User Authorization:**
- We have set up customer user authorization to control access to the APEX app.

**Additional Considerations:**

We are also considering implementing a valid external IP addresses list on our firewall to restrict access to the domain supplier.XXXXX.com based on known external IPs from our suppliers. Here are the pros and cons of this approach:

**Pros:**
- **Enhanced Security:** Restricting access to known IP addresses reduces the risk of unauthorized access.
- **Control:** Provides better control over who can access the application.

**Cons:**
- **Maintenance:** Managing and updating the list of valid IP addresses can be time-consuming.
- **Accessibility:** Legitimate users with dynamic IP addresses may face access issues.

Thank you in advance for any additional thoughts, guidelines, or best practices.

with LiveSQL Test Case:

and Connor said...

In terms of pure APEX, a couple of other things

1) Run your apps through APEX-SERT to probe for security issues

https://lschilde.blogspot.com/2023/03/apex-sert-for-apex-191-apex-192-apex.html

2) Only deploy a runtime APEX environment. Dont allow a developer instance to be accessible via the internet

The rest of it is not really APEX related but the general issue of protection web resources - which means appropriate fire wall measures, denial of service defences etc etc. This is one reason a lot of people like to host their tier on a cloud service to mitigate that responsibility. But if you are already satisfied with your current protections in that regard, than APEX wont add to the threat as long as your apps are secure (see 1)


Rating

  (1 rating)

Comments

Public facing APEX app

David, August 29, 2024 - 3:01 pm UTC

Thank you for your comments and response, Connor.

We will definitely take into consideration using APEX-SERT.

In discussing the how to architect our solution we have taken into possible consideration Oracle's Cloud Service to host our public facing APEX app(s).