
Create a Service Fabric cluster by using Azure Resource Manager

This step-by-step guide walks you through setting up a secure Azure Service Fabric cluster in Azure by using Azure Resource Manager. The article is long; nevertheless, unless you are already thoroughly familiar with the content, be sure to follow each step carefully.

The guide covers the following procedures:

  • Key concepts that you need to be aware of before deploying a Service Fabric cluster.
  • Creating a cluster in Azure by using the Service Fabric Resource Manager modules.
  • Setting up Azure Active Directory (Azure AD) to authenticate users who perform management operations on the cluster.
  • Authoring a custom Azure Resource Manager template for your cluster and deploying it.

Key concepts to be aware of

In Azure, Service Fabric mandates that you use an X.509 certificate to secure your cluster and its endpoints. Certificates are used in Service Fabric to provide authentication and encryption for various aspects of a cluster and its applications. For client access and management operations on the cluster, including deploying, upgrading, and deleting applications, services, and the data they contain, you can use certificates or Azure Active Directory credentials. The use of Azure Active Directory is highly encouraged, since that is the only way to prevent sharing of certificates on your clients. For more information on how certificates are used in Service Fabric, see Service Fabric cluster security scenarios.

Service Fabric uses X.509 certificates to secure a cluster and provide application security features. You use Key Vault to manage certificates for Service Fabric clusters in Azure.

Cluster and server certificate (required)

These certificates (one primary and optionally a secondary) are required to secure a cluster and prevent unauthorized access to it. The certificate provides cluster security in two ways:

  • Cluster authentication: Authenticates node-to-node communication for cluster federation. Only nodes that can prove their identity with this certificate can join the cluster.
  • Server authentication: Authenticates the cluster management endpoints to a management client, so that the management client knows it is talking to the real cluster and not a 'man in the middle'. This certificate also serves as the SSL/TLS certificate for the HTTPS management API and for Service Fabric Explorer over HTTPS.

To serve these purposes, the certificate must meet the following requirements:

  • The certificate must contain a private key. These certificates typically have the extension .pfx or .pem.
  • The certificate must be created for key exchange and be exportable to a Personal Information Exchange (.pfx) file.
  • The certificate's subject name must match the domain that you use to access the Service Fabric cluster. This match is required to provide SSL/TLS for the cluster's HTTPS management endpoint and Service Fabric Explorer. You cannot obtain an SSL certificate from a certificate authority (CA) for the *.cloudapp.azure.com domain; you must obtain a custom domain name for your cluster. When you request a certificate from a CA, the certificate's subject name must match the custom domain name that you use for your cluster.
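As an added example (not part of this article or of the Service Fabric tooling), the following Python checks the subject-name requirement above before you hand a certificate to the cluster: it tests whether the certificate's common name or any DNS subject alternative name matches the cluster's management domain using RFC 6125-style single-label wildcard matching, and it flags a CA-signed certificate requested for the shared *.cloudapp.azure.com domain, which no CA will issue. The function names and the sample names and domains are constructed for the example.

```python
from typing import Iterable, List

# Shared Azure DNS suffix: a public CA will not issue a certificate for it, so a
# CA-signed server certificate needs a custom domain name for the cluster instead.
SHARED_AZURE_SUFFIX = ".cloudapp.azure.com"


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact (case-insensitive), or a '*' that is the whole
    leftmost label and covers exactly one label, never the registrable domain."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (len(p_labels) == len(h_labels) and len(h_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def cert_matches_cluster_domain(subject_cn: str, san_dns_names: Iterable[str],
                                cluster_domain: str) -> bool:
    """True if the CN or any DNS SAN of the certificate matches the cluster domain."""
    return any(name_matches(n, cluster_domain) for n in [subject_cn, *san_dns_names])


def certificate_findings(subject_cn: str, san_dns_names: Iterable[str],
                         cluster_domain: str, ca_signed: bool) -> List[str]:
    """Return the problems (empty list = acceptable) with using this certificate
    as the server certificate for the given cluster management domain."""
    findings: List[str] = []
    san_dns_names = list(san_dns_names)
    if not cert_matches_cluster_domain(subject_cn, san_dns_names, cluster_domain):
        findings.append(f"no subject or SAN name matches {cluster_domain}")
    if ca_signed and cluster_domain.lower().endswith(SHARED_AZURE_SUFFIX):
        findings.append("a CA will not issue for *.cloudapp.azure.com; "
                        "use a custom domain name for the cluster")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from the article
    print(certificate_findings("*.contoso.com", [], "mycluster.contoso.com", ca_signed=True))
    print(certificate_findings("mycluster.westus.cloudapp.azure.com", [],
                               "mycluster.westus.cloudapp.azure.com", ca_signed=False))
```

A self-signed certificate for the cloudapp.azure.com name (which the RM module generates for you later in this article) passes with no findings; the same name with a CA-signed certificate is reported, because the CA would never issue it.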


Application certificates (optional)

Any number of additional certificates can be installed on a cluster for application security purposes. Before creating your cluster, consider the application security scenarios that require a certificate to be installed on the nodes, such as:

  • Encryption and decryption of application configuration values.
  • Encryption of data across nodes during replication.

The concept of creating secure clusters is the same, whether they are Linux or Windows clusters.

Client authentication certificates (optional)

Any number of additional certificates can be specified for admin or user client operations. By default, the cluster certificate has admin client privileges. These additional client certificates should not be installed into the cluster; they only need to be listed as allowed in the cluster configuration. They do, however, need to be installed on the client machines that connect to the cluster and perform management operations.

Prerequisites

This guide covers the use of Azure PowerShell or Azure CLI to create new clusters. The prerequisites are either:

Use the Service Fabric RM module to deploy a cluster

In this document, we use the Service Fabric RM PowerShell and CLI modules to deploy a cluster. The PowerShell and CLI module commands support several scenarios; we go through each of them below. Pick the scenario that best meets your needs.

  • Create a new cluster
    • using a system-generated self-signed certificate
    • using a certificate you already own

You can use a default cluster template or a template that you already have.

Create a new cluster - using a system-generated self-signed certificate

Use the following command to create a cluster if you want the system to generate a self-signed certificate and use it to secure your cluster. This command sets up a primary cluster certificate that is used for cluster security, and sets up admin access for performing management operations with that certificate.

Log in to Azure

```powershell
Connect-AzureRmAccount
Set-AzureRmContext -SubscriptionId <guid>
```

```azurecli
az login
az account set --subscription $subscriptionId
```

Use the default 5-node, 1-node-type template that ships in the module to set up the cluster

Use the following command to create a cluster quickly by specifying minimal parameters.

The template that is used is available in the Azure Service Fabric template samples: Windows template and Ubuntu template.

The commands below work for creating both Windows and Linux clusters; you just need to specify the OS accordingly. The PowerShell/CLI commands also write the generated certificate to the specified CertificateOutputFolder, so make sure that folder already exists. The commands take other parameters, such as the VM SKU, as well.

Note

The following PowerShell commands work only with Azure Resource Manager PowerShell version 6.1 or later. To check the current version of Azure Resource Manager PowerShell, run the PowerShell command Get-Module AzureRM. To upgrade Azure Resource Manager PowerShell, see https://docs.microsoft.com/en-us/powershell/azure/install-azurerm-ps?view=azurermps-6.3.0

```powershell
$resourceGroupLocation="westus"
$resourceGroupName="mycluster"
$vaultName="myvault"
$vaultResourceGroupName="myvaultrg"
$CertSubjectName="mycluster.westus.cloudapp.azure.com"
$certPassword="Password123!@#" | ConvertTo-SecureString -AsPlainText -Force
$vmpassword="Password4321!@#" | ConvertTo-SecureString -AsPlainText -Force
$vmuser="myadmin"
$os="WindowsServer2016DatacenterwithContainers"
$certOutputFolder="c:\certificates"   # must already exist; the generated .pfx is written here

New-AzureRmServiceFabricCluster -ResourceGroupName $resourceGroupName -Location $resourceGroupLocation -CertificateOutputFolder $certOutputFolder -CertificatePassword $certPassword -CertificateSubjectName $CertSubjectName -OS $os -VmPassword $vmpassword -VmUserName $vmuser
```


```azurecli
declare resourceGroupLocation="westus"
declare resourceGroupName="mylinux"
declare vaultResourceGroupName="myvaultrg"
declare vaultName="myvault"
declare certSubjectName="mylinux.westus.cloudapp.azure.com"
declare vmPassword="Password!1"
declare certPassword="Password!4321"
declare vmUser="myadmin"
declare vmOs="UbuntuServer1604"
declare certOutputFolder="c:\certificates"   # must already exist

# Default template: no --template-file / --parameter-file; the vault resource group is the vault's own
az sf cluster create --resource-group $resourceGroupName --location $resourceGroupLocation  \
    --certificate-output-folder $certOutputFolder --certificate-password $certPassword  \
    --certificate-subject-name $certSubjectName  \
    --vault-name $vaultName --vault-resource-group $vaultResourceGroupName  \
    --vm-os $vmOs --vm-password $vmPassword --vm-user-name $vmUser
```

Use the custom template that you already have

If you need to author a custom template to suit your needs, we strongly recommend that you start with one of the templates available in the Azure Service Fabric template samples. Follow the guidance and explanations in the section on customizing your cluster template, below.

If you already have a custom template, double-check that all three certificate-related parameters in the template and the parameter file are named as follows and have empty values:

```json
    "certificateThumbprint": {
      "value": ""
    },
    "sourceVaultValue": {
      "value": ""
    },
    "certificateUrlValue": {
      "value": ""
    },
```

```powershell
$resourceGroupLocation="westus"
$resourceGroupName="mycluster"
$CertSubjectName="mycluster.westus.cloudapp.azure.com"
$certPassword="Password!1" | ConvertTo-SecureString -AsPlainText -Force
$certOutputFolder="c:\certificates"

$parameterFilePath="c:\mytemplates\mytemplateparm.json"
$templateFilePath="c:\mytemplates\mytemplate.json"

New-AzureRmServiceFabricCluster -ResourceGroupName $resourceGroupName -CertificateOutputFolder $certOutputFolder -CertificatePassword $certPassword -CertificateSubjectName $CertSubjectName -TemplateFile $templateFilePath -ParameterFile $parameterFilePath
```

Here is the equivalent CLI command. Change the values in the declare statements to appropriate values. The CLI supports all the other parameters that the PowerShell command above supports.

```azurecli
declare certPassword="Password!1"
declare resourceGroupLocation="westus"
declare resourceGroupName="mylinux"
declare certSubjectName="mylinuxsecure.westus.cloudapp.azure.com"
declare parameterFilePath="c:\mytemplates\linuxtemplateparm.json"
declare templateFilePath="c:\mytemplates\linuxtemplate.json"
declare certOutputFolder="c:\certificates"

az sf cluster create --resource-group $resourceGroupName --location $resourceGroupLocation  \
    --certificate-output-folder $certOutputFolder --certificate-password $certPassword  \
    --certificate-subject-name $certSubjectName  \
    --template-file $templateFilePath --parameter-file $parameterFilePath
```

Create a new cluster - using a certificate you bought from a CA or already have

Use the following command to create a cluster if you have a certificate that you want to use to secure your cluster.

If this is a CA-signed certificate that you will also use for other purposes, we recommend that you provide a distinct resource group specifically for your key vault. Putting the key vault into its own resource group lets you remove the compute and storage resource groups, including the resource group that contains your Service Fabric cluster, without losing your keys and secrets. The resource group that contains your key vault must be in the same region as the cluster that is using it.

Use the default 5-node, 1-node-type template that ships in the module

The template that is used is available in the Azure samples: Windows template and Ubuntu template.

```powershell
$resourceGroupLocation="westus"
$resourceGroupName="mylinux"
$vaultName="myvault"
$vaultResourceGroupName="myvaultrg"
$certPassword="Password!1" | ConvertTo-SecureString -AsPlainText -Force
$vmpassword=("Password!4321" | ConvertTo-SecureString -AsPlainText -Force)
$vmuser="myadmin"
$os="WindowsServer2016DatacenterwithContainers"

# Note: the key vault resource group parameter is spelled KeyVaultResouceGroupName in the AzureRM.ServiceFabric module
New-AzureRmServiceFabricCluster -ResourceGroupName $resourceGroupName -Location $resourceGroupLocation -KeyVaultResouceGroupName $vaultResourceGroupName -KeyVaultName $vaultName -CertificateFile C:\MyCertificates\chackocertificate3.pfx -CertificatePassword $certPassword -OS $os -VmPassword $vmpassword -VmUserName $vmuser
```

```azurecli
declare vmPassword="Password!1"
declare certPassword="Password!1"
declare vmUser="myadmin"
declare resourceGroupLocation="westus"
declare resourceGroupName="mylinux"
declare vaultResourceGroupName="myvaultrg"
declare vaultName="myvault"
declare certificateFile="c:\certificates\mycert.pem"
declare vmOs="UbuntuServer1604"

az sf cluster create --resource-group $resourceGroupName --location $resourceGroupLocation  \
    --certificate-file $certificateFile --certificate-password $certPassword  \
    --vault-name $vaultName --vault-resource-group $vaultResourceGroupName  \
    --vm-os $vmOs  \
    --vm-password $vmPassword --vm-user-name $vmUser
```

Use the custom template that you have

If you need to author a custom template to suit your needs, we strongly recommend that you start with one of the templates available in the Azure Service Fabric template samples. Follow the guidance and explanations in the section on customizing your cluster template, below.

If you already have a custom template, double-check that all three certificate-related parameters in the template and the parameter file are named as follows and have empty values:

```json
    "certificateThumbprint": {
      "value": ""
    },
    "sourceVaultValue": {
      "value": ""
    },
    "certificateUrlValue": {
      "value": ""
    },
```

```powershell
$resourceGroupLocation="westus"
$resourceGroupName="mylinux"
$vaultName="myvault"
$vaultResourceGroupName="myvaultrg"
$certPassword="Password!1" | ConvertTo-SecureString -AsPlainText -Force
$os="WindowsServer2016DatacenterwithContainers"
$parameterFilePath="c:\mytemplates\mytemplateparm.json"
$templateFilePath="c:\mytemplates\mytemplate.json"
$certificateFile="C:\MyCertificates\chackonewcertificate3.pem"

New-AzureRmServiceFabricCluster -ResourceGroupName $resourceGroupName -Location $resourceGroupLocation -TemplateFile $templateFilePath -ParameterFile $parameterFilePath -KeyVaultResouceGroupName $vaultResourceGroupName -KeyVaultName $vaultName -CertificateFile $certificateFile -CertificatePassword $certPassword
```

Here is the equivalent CLI command. Change the values in the declare statements to appropriate values.

```azurecli
declare certPassword="Password!1"
declare resourceGroupLocation="westus"
declare resourceGroupName="mylinux"
declare vaultResourceGroupName="myvaultrg"
declare vaultName="myvault"
declare certificateFile="c:\certificates\mycert.pem"
declare parameterFilePath="c:\mytemplates\linuxtemplateparm.json"
declare templateFilePath="c:\mytemplates\linuxtemplate.json"

az sf cluster create --resource-group $resourceGroupName --location $resourceGroupLocation  \
    --certificate-file $certificateFile --certificate-password $certPassword  \
    --vault-name $vaultName --vault-resource-group $vaultResourceGroupName  \
    --template-file $templateFilePath --parameter-file $parameterFilePath
```

Use a pointer to a secret that you already uploaded to the key vault

To use an existing key vault, you must enable it for deployment so that the compute resource provider can get certificates from it and install them on the cluster nodes:

```powershell
Set-AzureRmKeyVaultAccessPolicy -VaultName 'ContosoKeyVault' -EnabledForDeployment
```

```powershell
$resourceGroupName="testRG"
$parameterFilePath="c:\mytemplates\mytemplateparm.json"
$templateFilePath="c:\mytemplates\mytemplate.json"
$secretId="https://test1.vault.azure.net:443/secrets/testcertificate4/55ec7c4dc61a462bbc645ffc9b4b225f"

New-AzureRmServiceFabricCluster -ResourceGroupName $resourceGroupName -SecretIdentifier $secretId -TemplateFile $templateFilePath -ParameterFile $parameterFilePath
```

Here is the equivalent CLI command. Change the values in the declare statements to appropriate values.

```azurecli
declare resourceGroupName="testRG"
declare resourceGroupLocation="westus"
declare parameterFilePath="c:\mytemplates\mytemplateparm.json"
declare templateFilePath="c:\mytemplates\mytemplate.json"
declare secretId="https://test1.vault.azure.net:443/secrets/testcertificate4/55ec7c4dc61a462bbc645ffc9b4b225f"

az sf cluster create --resource-group $resourceGroupName --location $resourceGroupLocation  \
    --secret-identifier $secretId  \
    --template-file $templateFilePath --parameter-file $parameterFilePath
```

Set up Azure Active Directory for client authentication

Azure AD enables organizations (known as tenants) to manage user access to applications. Applications are divided into those with a web-based sign-in UI and those with a native client experience. In this article, we assume that you have already created a tenant. If you have not, start by reading How to get an Azure Active Directory tenant.

A Service Fabric cluster offers several entry points to its management functionality, including the web-based Service Fabric Explorer and Visual Studio. As a result, you create two Azure AD applications to control access to the cluster: one web application and one native application.

To simplify some of the steps involved in configuring Azure AD with a Service Fabric cluster, we have created a set of Windows PowerShell scripts.

Note

Complete the following steps before you create the cluster. Because the scripts need the cluster name and endpoint, these should be the values you plan to use, not ones that already exist.

  1. Download the scripts to your computer.
  2. Right-click the zip file, select Properties, select the Unblock check box, and then click Apply.
  3. Extract the zip file.
  4. Run SetupApplications.ps1, and provide the TenantId, ClusterName, and WebApplicationReplyUrl as parameters. For example:

```powershell
.\SetupApplications.ps1 -TenantId '690ec069-8200-4068-9d01-5aaf188e557a' -ClusterName 'mycluster' -WebApplicationReplyUrl 'https://mycluster.westus.cloudapp.azure.com:19080/Explorer/index.html'
```

You can find your TenantId by running the PowerShell command Get-AzureSubscription. Running this command displays the TenantId for every subscription.

ClusterName is used to prefix the Azure AD applications that are created by the script. It does not need to match the actual cluster name exactly; it is intended only to make it easier to map Azure AD artifacts to the Service Fabric cluster that they are used with.

WebApplicationReplyUrl is the default endpoint that Azure AD returns your users to after they finish signing in. Set this endpoint to the Service Fabric Explorer endpoint for your cluster, which by default is:

https://<cluster_domain>:19080/Explorer

You are prompted to sign in to an account that has administrative privileges for the Azure AD tenant. After you sign in, the script creates the web and native applications to represent your Service Fabric cluster. If you look at the tenant's applications in the Azure portal, you should see two new entries:

  • ClusterName_Cluster
  • ClusterName_Client

The script prints the JSON required by the Azure Resource Manager template when you create the cluster in the next section, so it is a good idea to keep the PowerShell window open.

```json
"azureActiveDirectory": {
  "tenantId":"<guid>",
  "clusterApplication":"<guid>",
  "clientApplication":"<guid>"
},
```
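The fragment the script prints is one JSON object member with a trailing comma, so it cannot be loaded as-is, and the Resource Manager modules do not populate the Azure AD configuration for you. As an added example (not part of this article or of the SetupApplications.ps1 script), the following Python parses that printed fragment, verifies that each value is a GUID rather than a leftover placeholder, and writes the three values into the aadTenantId, aadClusterApplicationId and aadClientApplicationId parameters of a parameter file of the shape used later in this article. The sample fragment and its GUIDs are constructed placeholders.

```python
import json
import uuid
from typing import Any, Dict

# Constructed sample of what SetupApplications.ps1 prints (same shape as above);
# the GUIDs are placeholders, not real tenant or application IDs.
SCRIPT_OUTPUT = '''
"azureActiveDirectory": {
  "tenantId":"11111111-1111-1111-1111-111111111111",
  "clusterApplication":"22222222-2222-2222-2222-222222222222",
  "clientApplication":"33333333-3333-3333-3333-333333333333"
},
'''

# Script keys -> parameter names used by the sample template's parameter file
AAD_PARAMETER_MAP = {
    "tenantId": "aadTenantId",
    "clusterApplication": "aadClusterApplicationId",
    "clientApplication": "aadClientApplicationId",
}


def parse_aad_fragment(fragment: str) -> Dict[str, str]:
    """Parse the printed fragment: wrap the lone object member in braces (dropping
    the trailing comma) so it becomes a JSON document, then require every value
    to be a GUID so a placeholder such as "<guid>" is rejected early."""
    doc = json.loads("{" + fragment.strip().rstrip(",") + "}")
    aad = doc["azureActiveDirectory"]
    missing = sorted(set(AAD_PARAMETER_MAP) - set(aad))
    if missing:
        raise ValueError(f"fragment lacks {missing}")
    for key in AAD_PARAMETER_MAP:
        uuid.UUID(aad[key])  # raises ValueError for non-GUID values
    return {key: aad[key] for key in AAD_PARAMETER_MAP}


def populate_aad_parameters(parameter_file: Dict[str, Any],
                            aad: Dict[str, str]) -> Dict[str, Any]:
    """Return a copy of the parameter file with the three aad* parameters set."""
    updated = json.loads(json.dumps(parameter_file))  # deep copy; input left untouched
    params = updated.setdefault("parameters", {})
    for script_key, param_name in AAD_PARAMETER_MAP.items():
        params[param_name] = {"value": aad[script_key]}
    return updated


if __name__ == "__main__":
    # Constructed minimal parameter file; a real one carries the certificate parameters too
    sample_file = {
        "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {},
    }
    print(json.dumps(populate_aad_parameters(sample_file, parse_aad_fragment(SCRIPT_OUTPUT)), indent=2))
```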

Create a Service Fabric cluster Resource Manager template

This section is for users who want to author a custom Service Fabric cluster Resource Manager template. Once you have a template, you can still go back and use the PowerShell or CLI modules to deploy it.

Sample Resource Manager templates are available in the Azure samples on GitHub. These templates can be used as a starting point for your cluster template.

Create the Resource Manager template

This guide uses the 5-node secure cluster example template and template parameters. Download azuredeploy.json and azuredeploy.parameters.json to your computer and open both files in your favorite text editor.

Add certificates

You add certificates to a cluster Resource Manager template by referencing the key vault that contains the certificate keys. Add those key vault parameters and values in the Resource Manager template parameters file (azuredeploy.parameters.json).

Add all certificates to the virtual machine scale set osProfile

Every certificate that is installed in the cluster must be configured in the osProfile section of the scale set resource (Microsoft.Compute/virtualMachineScaleSets). This instructs the resource provider to install the certificate on the VMs. This installation includes both the cluster certificate and any application security certificates that you plan to use for your applications:

```json
{
  "apiVersion": "[variables('vmssApiVersion')]",
  "type": "Microsoft.Compute/virtualMachineScaleSets",
  ...
  "properties": {
    ...
    "osProfile": {
      ...
      "secrets": [
        {
          "sourceVault": {
            "id": "[parameters('sourceVaultValue')]"
          },
          "vaultCertificates": [
            {
              "certificateStore": "[parameters('clusterCertificateStorevalue')]",
              "certificateUrl": "[parameters('clusterCertificateUrlValue')]"
            },
            {
              "certificateStore": "[parameters('applicationCertificateStorevalue')]",
              "certificateUrl": "[parameters('applicationCertificateUrlValue')]"
            },
            ...
          ]
        }
      ]
    }
  }
}
```

Configure the Service Fabric cluster certificate

The cluster authentication certificate must be configured in both the Service Fabric cluster resource (Microsoft.ServiceFabric/clusters) and the Service Fabric extension for virtual machine scale sets in the virtual machine scale set resource. This arrangement allows the Service Fabric resource provider to configure it for cluster authentication and for server authentication of the management endpoints.

Add the certificate information to the virtual machine scale set resource:

```json
{
  "apiVersion": "[variables('vmssApiVersion')]",
  "type": "Microsoft.Compute/virtualMachineScaleSets",
  ...
  "properties": {
    ...
    "virtualMachineProfile": {
      "extensionProfile": {
        "extensions": [
          {
            "name": "[concat('ServiceFabricNodeVmExt','_vmNodeType0Name')]",
            "properties": {
              ...
              "settings": {
                ...
                "certificate": {
                  "commonNames": ["[parameters('certificateCommonName')]"],
                  "x509StoreName": "[parameters('clusterCertificateStoreValue')]"
                },
                ...
              }
            }
          }
        ]
      }
    }
  }
}
```
Add the certificate information to the Service Fabric cluster resource:

```json
{
  "apiVersion": "2018-02-01",
  "type": "Microsoft.ServiceFabric/clusters",
  "name": "[parameters('clusterName')]",
  "location": "[parameters('clusterLocation')]",
  "dependsOn": [
    "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]"
  ],
  "properties": {
    "certificateCommonNames": {
        "commonNames": [
        {
            "certificateCommonName": "[parameters('certificateCommonName')]",
            "certificateIssuerThumbprint": ""
        }
        ],
        "x509StoreName": "[parameters('certificateStoreValue')]"
    },
    ...
  }
}
```
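The cluster certificate is referenced in three places (osProfile secrets, the Service Fabric VM extension, and the cluster resource), and a deployment fails or yields a cluster the nodes cannot authenticate to when they disagree. As an added example (not part of this article or of the Azure tooling), the following Python resolves the [parameters('...')] references in a template against a parameter file, treating names case-insensitively as Resource Manager does, and checks that the extension names a store that osProfile actually installs into and that the cluster resource agrees with the extension on store name and common name. The sample template below is constructed to mirror the fragments above and is not a deployable template; run against the names as they appear on this page, it reports that the cluster resource refers to certificateStoreValue while the parameter file defines only clusterCertificateStoreValue.

```python
import re
from typing import Any, Dict, List

# An ARM parameter reference such as "[parameters('clusterCertificateStoreValue')]"
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def resolve(expr: Any, parameters: Dict[str, Any]) -> Any:
    """Resolve a [parameters('x')] expression against the parameter file.
    ARM parameter names are case-insensitive, so clusterCertificateStorevalue and
    clusterCertificateStoreValue are one parameter. Literals pass through unchanged;
    an unknown parameter raises KeyError(name)."""
    match = PARAM_REF.match(expr.strip()) if isinstance(expr, str) else None
    if match is None:
        return expr
    for name, entry in parameters.items():
        if name.lower() == match.group(1).lower():
            return entry["value"]
    raise KeyError(match.group(1))


def check_cluster_certificate_wiring(template: Dict[str, Any],
                                     parameters: Dict[str, Any]) -> List[str]:
    """Return findings (empty list = consistent) for the cluster certificate wiring."""
    findings: List[str] = []
    by_type: Dict[str, list] = {}
    for res in template.get("resources", []):
        by_type.setdefault(res["type"], []).append(res)
    vmss_list = by_type.get("Microsoft.Compute/virtualMachineScaleSets", [])
    clusters = by_type.get("Microsoft.ServiceFabric/clusters", [])
    if not vmss_list or not clusters:
        return ["template needs both a virtualMachineScaleSets and a ServiceFabric/clusters resource"]
    for vmss in vmss_list:
        props = vmss["properties"]
        # 1. Stores the compute provider will actually install certificates into
        installed_stores = set()
        for secret in props.get("osProfile", {}).get("secrets", []):
            for cert in secret.get("vaultCertificates", []):
                try:
                    installed_stores.add(resolve(cert["certificateStore"], parameters))
                except KeyError as err:
                    findings.append(f"osProfile references unknown parameter {err.args[0]}")
        # 2. The Service Fabric extension must name a store that step 1 populates
        ext_profile = props.get("virtualMachineProfile", {}).get("extensionProfile", {})
        for ext in ext_profile.get("extensions", []):
            cert = ext.get("properties", {}).get("settings", {}).get("certificate")
            if cert is None:
                continue
            try:
                ext_store = resolve(cert["x509StoreName"], parameters)
                ext_names = {resolve(n, parameters) for n in cert.get("commonNames", [])}
            except KeyError as err:
                findings.append(f"extension references unknown parameter {err.args[0]}")
                continue
            if ext_store not in installed_stores:
                findings.append(f"extension expects store {ext_store!r} but osProfile installs into {sorted(installed_stores)}")
            # 3. The cluster resource must agree with the extension on store and common name
            for cluster in clusters:
                ccn = cluster["properties"].get("certificateCommonNames")
                if ccn is None:
                    findings.append("cluster resource has no certificateCommonNames")
                    continue
                try:
                    cl_store = resolve(ccn["x509StoreName"], parameters)
                    cl_names = {resolve(n["certificateCommonName"], parameters) for n in ccn["commonNames"]}
                except KeyError as err:
                    findings.append(f"cluster resource references unknown parameter {err.args[0]}")
                    continue
                if cl_store != ext_store:
                    findings.append(f"cluster resource store {cl_store!r} differs from extension store {ext_store!r}")
                if not cl_names & ext_names:
                    findings.append("cluster resource and extension share no certificate common name")
    return findings


# Constructed sample mirroring the fragments above (not a complete, deployable template)
SAMPLE_TEMPLATE = {"resources": [
    {"type": "Microsoft.Compute/virtualMachineScaleSets", "properties": {
        "osProfile": {"secrets": [{"sourceVault": {"id": "[parameters('sourceVaultValue')]"},
            "vaultCertificates": [{"certificateStore": "[parameters('clusterCertificateStorevalue')]",
                                   "certificateUrl": "[parameters('clusterCertificateUrlValue')]"}]}]},
        "virtualMachineProfile": {"extensionProfile": {"extensions": [{
            "name": "[concat('ServiceFabricNodeVmExt','_vmNodeType0Name')]",
            "properties": {"settings": {"certificate": {
                "commonNames": ["[parameters('certificateCommonName')]"],
                "x509StoreName": "[parameters('clusterCertificateStoreValue')]"}}}}]}}}},
    {"type": "Microsoft.ServiceFabric/clusters", "properties": {"certificateCommonNames": {
        "commonNames": [{"certificateCommonName": "[parameters('certificateCommonName')]",
                         "certificateIssuerThumbprint": ""}],
        "x509StoreName": "[parameters('certificateStoreValue')]"}}}]}

SAMPLE_PARAMETERS = {  # constructed; names as in the parameter file later in this article
    "clusterCertificateStoreValue": {"value": "My"},
    "clusterCertificateUrlValue": {"value": ""},
    "sourceVaultValue": {"value": ""},
    "certificateCommonName": {"value": "mycluster.westus.cloudapp.azure.com"},
}

if __name__ == "__main__":
    for finding in check_cluster_certificate_wiring(SAMPLE_TEMPLATE, SAMPLE_PARAMETERS):
        print("finding:", finding)
```

Adding a certificateStoreValue parameter with the same store (or pointing the cluster resource at clusterCertificateStoreValue) clears the finding; a cluster resource that names a different store than the extension is reported as a mismatch.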

Add Azure AD configuration to use Azure AD for client access

You add the Azure AD configuration to the cluster resource in the Resource Manager template, and add the Azure AD parameters and values in the Resource Manager template parameters file (azuredeploy.parameters.json).

```json
{
  "apiVersion": "2018-02-01",
  "type": "Microsoft.ServiceFabric/clusters",
  "name": "[parameters('clusterName')]",
  ...
  "properties": {
    "certificateCommonNames": {
        "commonNames": [
        {
            "certificateCommonName": "[parameters('certificateCommonName')]",
            "certificateIssuerThumbprint": ""
        }
        ],
        "x509StoreName": "[parameters('certificateStoreValue')]"
    },
    ...
    "azureActiveDirectory": {
      "tenantId": "[parameters('aadTenantId')]",
      "clusterApplication": "[parameters('aadClusterApplicationId')]",
      "clientApplication": "[parameters('aadClientApplicationId')]"
    },
    ...
  }
}
```

Populate the parameter file with the values

Finally, use the output values from the key vault and Azure AD PowerShell commands to populate the parameter file.

If you plan to use the Azure Service Fabric RM PowerShell modules, you do not need to populate the cluster certificate information. If you want the system to generate the self-signed certificate for cluster security, just leave those values empty.

Note

For the RM modules to pick up and populate these empty parameter values, the parameter names must match the following:

```json
"clusterCertificateThumbprint": {
    "value": ""
},
"certificateCommonName": {
    "value": ""
},
"clusterCertificateUrlValue": {
    "value": ""
},
"sourceVaultvalue": {
    "value": ""
},
```

If you are using application certificates, or an existing cluster certificate that you have uploaded to the key vault, you need to get this information and populate it.

The RM modules cannot generate the Azure AD configuration for you, so if you plan to use Azure AD for client access, you need to populate it.

```json
{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        ...
        "clusterCertificateStoreValue": {
            "value": "My"
        },
        "clusterCertificateThumbprint": {
            "value": "<thumbprint>"
        },
        "clusterCertificateUrlValue": {
            "value": "https://myvault.vault.azure.net:443/secrets/myclustercert/4d087088df974e869f1c0978cb100e47"
        },
        "applicationCertificateStorevalue": {
            "value": "My"
        },
        "applicationCertificateUrlValue": {
            "value": "https://myvault.vault.azure.net:443/secrets/myapplicationcert/2e035058ae274f869c4d0348ca100f08"
        },
        "sourceVaultvalue": {
            "value": "/subscriptions/<guid>/resourceGroups/mycluster-keyvault/providers/Microsoft.KeyVault/vaults/myvault"
        },
        "aadTenantId": {
            "value": "<guid>"
        },
        "aadClusterApplicationId": {
            "value": "<guid>"
        },
        "aadClientApplicationId": {
            "value": "<guid>"
        },
        ...
    }
}
```
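The parameter file has two valid shapes: for a system-generated certificate the four certificate parameters named in the note above must exist and be empty, and for certificates already in Key Vault the thumbprint, the vault resource ID and the secret URLs must be well-formed and refer to the same vault (the compute provider can only fetch secrets from the vault listed in sourceVaultValue). As an added example (not part of this article or of the RM modules), the following Python checks both shapes; it serves the earlier "named as follows and values are null" checks as well, since those templates use the names certificateThumbprint, sourceVaultValue and certificateUrlValue, which can be passed in as the required tuple. The sample parameter file reuses the URLs and vault ID shown above, with a constructed placeholder thumbprint.

```python
import re
from typing import Any, Dict, List, Optional, Sequence
from urllib.parse import urlparse

# Parameters the Service Fabric RM modules fill in when they generate the self-signed
# certificate (names used by the sample parameter file above). Templates from the earlier
# sections name them certificateThumbprint, sourceVaultValue, certificateUrlValue instead.
SELF_SIGNED_PARAMS = ("clusterCertificateThumbprint", "certificateCommonName",
                      "clusterCertificateUrlValue", "sourceVaultValue")
THUMBPRINT = re.compile(r"^[0-9A-Fa-f]{40}$")  # SHA-1 certificate thumbprint
VAULT_ID = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
                      r"Microsoft\.KeyVault/vaults/([^/]+)$", re.IGNORECASE)


def lookup(parameters: Dict[str, Any], name: str) -> Optional[Any]:
    """Case-insensitive lookup: ARM treats sourceVaultvalue and sourceVaultValue alike."""
    for key, entry in parameters.items():
        if key.lower() == name.lower():
            return entry.get("value")
    return None


def check_self_signed_mode(parameter_file: Dict[str, Any],
                           required: Sequence[str] = SELF_SIGNED_PARAMS) -> List[str]:
    """The RM module can only populate parameters that exist and are empty strings."""
    params = parameter_file.get("parameters", {})
    findings: List[str] = []
    for name in required:
        if not any(key.lower() == name.lower() for key in params):
            findings.append(f"{name} is missing, so the RM module cannot populate it")
        elif lookup(params, name) != "":
            findings.append(f"{name} must be an empty string for a system-generated certificate")
    return findings


def parse_secret_identifier(url: str) -> Dict[str, str]:
    """Split https://<vault>.vault.azure.net[:443]/secrets/<name>/<version> into parts."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    segments = [s for s in parsed.path.split("/") if s]
    if (parsed.scheme != "https" or not host.endswith(".vault.azure.net")
            or len(segments) != 3 or segments[0] != "secrets"):
        raise ValueError(f"not a Key Vault secret identifier: {url}")
    return {"vault": host[:-len(".vault.azure.net")], "name": segments[1], "version": segments[2]}


def check_key_vault_mode(parameter_file: Dict[str, Any]) -> List[str]:
    """Certificates already in Key Vault: thumbprint, vault ID and secret URLs must agree."""
    params = parameter_file.get("parameters", {})
    findings: List[str] = []
    match = VAULT_ID.match(lookup(params, "sourceVaultValue") or "")
    vault_name = match.group(1).lower() if match else None
    if vault_name is None:
        findings.append("sourceVaultValue is not a Key Vault resource ID")
    if not THUMBPRINT.match(lookup(params, "clusterCertificateThumbprint") or ""):
        findings.append("clusterCertificateThumbprint is not a 40-hex-digit SHA-1 thumbprint")
    for name in ("clusterCertificateUrlValue", "applicationCertificateUrlValue"):
        url = lookup(params, name)
        if url is None:
            continue  # application certificates are optional
        try:
            secret = parse_secret_identifier(url)
        except ValueError as err:
            findings.append(str(err))
            continue
        if vault_name and secret["vault"] != vault_name:
            findings.append(f"{name} is in vault {secret['vault']!r} but sourceVaultValue names "
                            f"{vault_name!r}; the compute provider only fetches from the listed vault")
    return findings


# Constructed sample: the URLs and vault ID from the parameter file above, a placeholder thumbprint
SAMPLE_KEY_VAULT_PARAMETERS = {"parameters": {
    "clusterCertificateStoreValue": {"value": "My"},
    "clusterCertificateThumbprint": {"value": "0123456789ABCDEF0123456789ABCDEF01234567"},
    "clusterCertificateUrlValue": {"value": "https://myvault.vault.azure.net:443/secrets/myclustercert/4d087088df974e869f1c0978cb100e47"},
    "applicationCertificateStorevalue": {"value": "My"},
    "applicationCertificateUrlValue": {"value": "https://myvault.vault.azure.net:443/secrets/myapplicationcert/2e035058ae274f869c4d0348ca100f08"},
    "sourceVaultvalue": {"value": "/subscriptions/<guid>/resourceGroups/mycluster-keyvault/providers/Microsoft.KeyVault/vaults/myvault"},
}}

if __name__ == "__main__":
    print("key vault mode:", check_key_vault_mode(SAMPLE_KEY_VAULT_PARAMETERS) or "ok")
    print("self-signed mode:", check_self_signed_mode(SAMPLE_KEY_VAULT_PARAMETERS))
```

Run check_self_signed_mode before New-AzureRmServiceFabricCluster when you expect the module to generate the certificate, and check_key_vault_mode before Test-AzureRmResourceGroupDeployment when you supply your own; the literal "<thumbprint>" placeholder in the file above is reported by the second check until it is replaced.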

Test your template

Use the following PowerShell command to test your Resource Manager template with a parameter file:

```powershell
Test-AzureRmResourceGroupDeployment -ResourceGroupName "myresourcegroup" -TemplateFile .\azuredeploy.json -TemplateParameterFile .\azuredeploy.parameters.json
```

If you run into issues and get cryptic messages, add the -Debug option:

Test-AzureRmResourceGroupDeployment -ResourceGroupName "myresourcegroup" -TemplateFile .\azuredeploy.json -TemplateParameterFile .\azuredeploy.parameters.json -Debug

The following diagram illustrates where your key vault and Azure AD configuration fit into your Resource Manager template.

Resource Manager dependency diagram

Encrypting the disks attached to your Windows cluster node/virtual machine instances

To encrypt the disks (OS drive and other managed disks) attached to your nodes, use Azure Disk Encryption. Azure Disk Encryption is a new capability that helps you encrypt your Windows virtual machine disks. It uses the industry-standard BitLocker feature of Windows to provide volume encryption for the OS volume. The solution is integrated with Azure Key Vault to help you control and manage the disk-encryption keys and secrets in your key vault subscription, and it ensures that all data on the virtual machine disks is encrypted at rest in your Azure storage.

Encrypting the disks attached to your Linux cluster node/virtual machine instances

To encrypt the disks (data drive and other managed disks) attached to your nodes, use Azure Disk Encryption. Azure Disk Encryption is a new capability that helps you encrypt your Linux virtual machine disks. It uses the industry-standard DM-Crypt feature of Linux to provide volume encryption for the data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk-encryption keys and secrets in your key vault subscription, and it ensures that all data on the virtual machine disks is encrypted at rest in your Azure storage.

Create the cluster using an Azure resource template

You can now deploy your cluster using the steps outlined earlier in the document. Alternatively, if you have populated the values in the parameter file, you are ready to create the cluster directly by using Azure resource template deployment:

New-AzureRmResourceGroupDeployment -ResourceGroupName "myresourcegroup" -TemplateFile .\azuredeploy.json -TemplateParameterFile .\azuredeploy.parameters.json

If you run into issues and get cryptic messages, add the -Debug option.

Assign users to roles

After you have created the applications that represent your cluster, assign your users to the roles supported by Service Fabric: read-only and admin. You can assign the roles by using the Azure portal.

  1. In the Azure portal, select your tenant in the top-right corner.

    Select tenant button

  2. Select Azure Active Directory on the left tab, and then select "Enterprise applications".
  3. Select "All applications", and then find and select the web application, which has a name like myTestCluster_Cluster.
  4. Click the Users and groups tab.

    Users and groups tab

  5. Click the Add user button on the new page, select a user and the role to assign, and then click the Select button at the bottom of the page.

    Assign users to roles page

  6. Click the Assign button at the bottom of the page.

    Add assignment confirmation

Note

For more information about roles in Service Fabric, see Role-based access control for Service Fabric clients.

Troubleshooting help in setting up Azure Active Directory

Setting up and using Azure AD can be challenging, so here are some pointers on how to debug issues.

Service Fabric Explorer prompts you to select a certificate

Problem

After you sign in successfully to Azure AD in Service Fabric Explorer, the browser returns to the home page, but a message prompts you to select a certificate.

SFX certificate dialog

Reason

The user isn't assigned a role in the Azure AD cluster application, so Azure AD authentication fails on the Service Fabric cluster and Service Fabric Explorer falls back to certificate authentication.

Solution

Follow the instructions for setting up Azure AD, and assign user roles. Also, we recommend that you turn on "User assignment required to access app", as SetupApplications.ps1 does.

Connection with PowerShell fails with an error: "The specified credentials are invalid"

Problem

When you use PowerShell to connect to the cluster with the "AzureActiveDirectory" security mode, the connection fails after a successful Azure AD sign-in with the error: "The specified credentials are invalid."

Solution

The solution is the same as the preceding one.

Service Fabric Explorer returns a failure when you sign in: "AADSTS50011"

Problem

When you try to sign in to Azure AD in Service Fabric Explorer, the page returns a failure: "AADSTS50011: The reply address <url> does not match the reply addresses configured for the application: <guid>."

SFX reply address mismatch

Reason

The cluster (web) application that represents Service Fabric Explorer attempts to authenticate against Azure AD, and as part of the request it provides the redirect return URL. But that URL is not listed in the Azure AD application's REPLY URL list.

Solution

Select "App registrations" in the Azure AD page, select your cluster application, and then select the Reply URLs button. On the "Reply URLs" page, add the URL of Service Fabric Explorer to the list or replace one of the items in the list. When you have finished, save your change.

Web application reply URLs
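The same fix can be checked and applied from PowerShell instead of the portal. The script below is an added example, not part of the original article or of SetupApplications.ps1; it assumes the cluster application ID you used as aadClusterApplicationId in the parameter file and a constructed Service Fabric Explorer URL.

```powershell
# Added example: make sure the Service Fabric Explorer URL is a registered reply URL
# of the cluster (web) application, which is what the AADSTS50011 error complains about.
# Assumed values (replace with your own):
$clusterAppId = "<guid>"   # aadClusterApplicationId from the parameter file
$sfxUrl       = "https://mycluster.westus.cloudapp.azure.com:19080/Explorer/index.html"

$app = Get-AzureRmADApplication -ApplicationId $clusterAppId
if (-not $app) { throw "No Azure AD application found for application ID $clusterAppId" }

$replyUrls = @($app.ReplyUrls)
Write-Output "Currently registered reply URLs:"
$replyUrls | ForEach-Object { Write-Output "  $_" }

# Azure AD compares reply URLs exactly (scheme, host, port and path), so a URL that
# differs only in port or trailing path still produces AADSTS50011.
if ($replyUrls -contains $sfxUrl) {
    Write-Output "Reply URL already registered: $sfxUrl"
} else {
    Set-AzureRmADApplication -ObjectId $app.ObjectId -ReplyUrls ($replyUrls + $sfxUrl)
    Write-Output "Added reply URL: $sfxUrl"
}
```

When the same Azure AD tenant serves several clusters, run this once per cluster so that each cluster's Explorer URL is present on its own cluster application.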

Connect to the cluster by using Azure AD authentication via PowerShell

To connect to the Service Fabric cluster, use the following PowerShell command example:

Connect-ServiceFabricCluster -ConnectionEndpoint <endpoint> -KeepAliveIntervalInSec 10 -AzureActiveDirectory -ServerCertThumbprint <thumbprint>

To learn more about the Connect-ServiceFabricCluster cmdlet, see Connect-ServiceFabricCluster.

Can I reuse the same Azure AD tenant in multiple clusters?

Yes. But remember to add the URL of Service Fabric Explorer to your cluster (web) application. Otherwise, Service Fabric Explorer doesn't work.

Why do I still need a server certificate while Azure AD is enabled?

FabricClient and FabricGateway perform mutual authentication. During Azure AD authentication, the Azure AD integration provides a client identity to the server, and the server certificate is used to verify the server identity. For more information about Service Fabric certificates, see X.509 certificates and Service Fabric.

Next steps

At this point, you have a secure cluster with Azure Active Directory providing management authentication. Next, connect to your cluster and learn how to manage application secrets.