Azure Service Fabric security checklist

This article provides an easy-to-use checklist that will help you secure your Azure Service Fabric environment.

Introduction

Azure Service Fabric is a distributed systems platform that makes it easy to package, deploy, and manage scalable and reliable microservices. Service Fabric also addresses the significant challenges in developing and managing cloud applications. Developers and administrators can avoid complex infrastructure problems and focus on implementing mission-critical, demanding workloads that are scalable, reliable, and manageable.

Checklist

Use the following checklist to help you make sure that you haven’t overlooked any important issues in management and configuration of a secure Azure Service Fabric solution.

Checklist Category Description
Role-based access control (RBAC)
  • Access control allows the cluster administrator to limit access to certain cluster operations for different groups of users, making the cluster more secure.
  • Administrators have full access to management capabilities (including read/write capabilities).
  • Users, by default, have only read access to management capabilities (for example, query capabilities), and the ability to resolve applications and services.
X.509 certificates and Service Fabric
Cluster Security
Cluster authentication
Server authentication
Application security
  • Encryption and decryption of application configuration values.
  • Encryption of data across nodes during replication.
Cluster Certificate
  • This certificate is required to secure the communication between the nodes on a cluster.
  • Set the thumbprint of the primary certificate in the Thumbprint section and that of the secondary certificate in the ThumbprintSecondary variable.
ServerCertificate
  • This certificate is presented to the client when it tries to connect to this cluster. You can use two different server certificates: a primary and a secondary, for upgrade.
ClientCertificateThumbprints
  • This is a set of certificates that you want to install on the authenticated clients.
ClientCertificateCommonNames
  • Set the common name of the first client certificate for the CertificateCommonName. The CertificateIssuerThumbprint is the thumbprint for the issuer of this certificate.
ReverseProxyCertificate
  • This is an optional certificate that can be specified if you want to secure your Reverse Proxy.
Key Vault
  • Used to manage certificates for Service Fabric clusters in Azure.
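
The certificate items in the checklist can be checked mechanically. The following Python audit is an added example, not part of the original article or of Service Fabric's own tooling. The helper names `check_pair` and `audit` are hypothetical. The `CertificateInformation` wrapper and the `CertificateThumbprint` and `IsAdmin` keys are assumed to follow the standalone-cluster JSON configuration layout, and the sample configuration and its thumbprints are constructed placeholders.

```python
import re

THUMBPRINT = re.compile(r"^[0-9A-Fa-f]{40}$")  # SHA-1 thumbprint, 40 hex digits

def check_pair(name, cert, required, findings):
    """Validate a primary/secondary thumbprint pair such as ClusterCertificate."""
    if not cert:
        if required:
            findings.append(f"{name}: missing")
        return
    primary = cert.get("Thumbprint", "")
    secondary = cert.get("ThumbprintSecondary", "")
    if not THUMBPRINT.match(primary):
        findings.append(f"{name}: Thumbprint is not 40 hex digits")
    if secondary and not THUMBPRINT.match(secondary):
        findings.append(f"{name}: ThumbprintSecondary is not 40 hex digits")
    if secondary and secondary.upper() == primary.upper():
        findings.append(f"{name}: secondary equals primary")

def audit(security):
    """Return checklist findings for a security section (assumed key layout)."""
    info = security.get("CertificateInformation", {})
    findings = []
    check_pair("ClusterCertificate", info.get("ClusterCertificate"), True, findings)
    check_pair("ServerCertificate", info.get("ServerCertificate"), True, findings)
    check_pair("ReverseProxyCertificate", info.get("ReverseProxyCertificate"), False, findings)
    by_thumbprint = info.get("ClientCertificateThumbprints", [])
    by_name = info.get("ClientCertificateCommonNames", [])
    for c in by_thumbprint:
        if not THUMBPRINT.match(c.get("CertificateThumbprint", "")):
            findings.append("ClientCertificateThumbprints: bad thumbprint")
    for c in by_name:
        if not c.get("CertificateCommonName"):
            findings.append("ClientCertificateCommonNames: empty common name")
        issuers = c.get("CertificateIssuerThumbprint", "").split(",")
        if not all(THUMBPRINT.match(t.strip()) for t in issuers):
            findings.append("ClientCertificateCommonNames: bad issuer thumbprint")
    clients = by_thumbprint + by_name
    # RBAC: admins have full access, users read-only; flag configs with admins only.
    if clients and all(c.get("IsAdmin") for c in clients):
        findings.append("RBAC: every client certificate is admin; no read-only user")
    return findings

# Constructed sample; thumbprints are placeholders, not real certificates.
SAMPLE = {"CertificateInformation": {
    "ClusterCertificate": {"Thumbprint": "A" * 40, "ThumbprintSecondary": "a" * 40},
    "ServerCertificate": {"Thumbprint": "B" * 40},
    "ClientCertificateThumbprints": [{"CertificateThumbprint": "C" * 40, "IsAdmin": True}],
    "ClientCertificateCommonNames": [{"CertificateCommonName": "ops.example.test",
        "CertificateIssuerThumbprint": "not-a-thumbprint", "IsAdmin": True}],
}}
```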
