
Create a Service Fabric cluster using Azure Resource Manager

An Azure Service Fabric cluster is a network-connected set of virtual machines into which your microservices are deployed and managed. A Service Fabric cluster running in Azure is an Azure resource and is deployed using Azure Resource Manager. This article describes how to deploy a secure Service Fabric cluster in Azure using Resource Manager. You can use a default cluster template or a custom template. If you don't already have a custom template, you can learn how to create one.

Cluster security is configured when the cluster is first set up and cannot be changed later. Before setting up a cluster, read Service Fabric cluster security scenarios. In Azure, Service Fabric uses X.509 certificates to secure your cluster and its endpoints, authenticate clients, and encrypt data. Azure Active Directory is also recommended to secure access to management endpoints. Azure AD tenants and users must be created before creating the cluster. For more information, read Set up Azure AD to authenticate clients.

If you are creating a production cluster to run production workloads, we recommend that you first read through the production readiness checklist.

Prerequisites

In this article, use the Service Fabric RM PowerShell or Azure CLI modules to deploy a cluster:

You can find the reference documentation for the Service Fabric modules here:

Sign in to Azure

Before running any of the commands in this article, first sign in to Azure.

PowerShell:

Connect-AzureRmAccount
Set-AzureRmContext -SubscriptionId <subscriptionId>

Azure CLI:

az login
az account set --subscription $subscriptionId

Create a new cluster using a system generated self-signed certificate

Use the following commands to create a cluster secured with a system generated self-signed certificate. This command sets up a primary cluster certificate that is used for cluster security and to set up admin access to perform management operations using that certificate. Self-signed certificates are useful for securing test clusters. Production clusters should be secured with a certificate from a certificate authority (CA).

Use the default cluster template that ships in the module

Use the following command to create a cluster quickly, by specifying minimal parameters, using the default template.

The template that is used is available in the Azure Service Fabric template samples: Windows template and Ubuntu template.

The following command can create either Windows or Linux clusters; you need to specify the OS accordingly. The PowerShell/CLI commands also write the generated certificate to the specified CertificateOutputFolder; make sure that folder already exists. The command takes other parameters, such as the VM SKU, as well.

Note

The following PowerShell command works only with Azure Resource Manager PowerShell version 6.1 or later. To check the current version of Azure Resource Manager PowerShell, run the PowerShell command "Get-Module AzureRM". Follow this link to upgrade your version of Azure Resource Manager PowerShell.

Deploy the cluster using PowerShell:

$resourceGroupLocation="westus"
$resourceGroupName="mycluster"
$vaultName="myvault"
$vaultResourceGroupName="myvaultrg"
$CertSubjectName="mycluster.westus.cloudapp.azure.com"
$certPassword="Password123!@#" | ConvertTo-SecureString -AsPlainText -Force
$vmPassword="Password4321!@#" | ConvertTo-SecureString -AsPlainText -Force
$vmUser="myadmin"
$os="WindowsServer2016DatacenterwithContainers"
# This folder must already exist; the generated certificate (.pfx) is written here
$certOutputFolder="c:\certificates"

New-AzureRmServiceFabricCluster -ResourceGroupName $resourceGroupName -Location $resourceGroupLocation -KeyVaultResourceGroupName $vaultResourceGroupName -KeyVaultName $vaultName -CertificateOutputFolder $certOutputFolder -CertificatePassword $certPassword -CertificateSubjectName $CertSubjectName -OS $os -VmPassword $vmPassword -VmUserName $vmUser

Deploy the cluster using Azure CLI:

declare resourceGroupLocation="westus"
declare resourceGroupName="mylinux"
declare vaultResourceGroupName="myvaultrg"
declare vaultName="myvault"
declare CertSubjectName="mylinux.westus.cloudapp.azure.com"
declare vmpassword="Password!1"
declare certpassword="Password!4321"
declare vmuser="myadmin"
declare vmOs="UbuntuServer1604"
# This folder must already exist; the generated certificate is written here
declare certOutputFolder="c:\certificates"

# The default template ships with the module, so no template or parameter file is passed
az sf cluster create --resource-group $resourceGroupName --location $resourceGroupLocation \
    --certificate-output-folder $certOutputFolder --certificate-password $certpassword \
    --certificate-subject-name $CertSubjectName \
    --vault-name $vaultName --vault-resource-group $vaultResourceGroupName \
    --vm-os $vmOs \
    --vm-password $vmpassword --vm-user-name $vmuser

Use your own custom template

If you need to author a custom template to suit your needs, it is highly recommended that you start with one of the templates that are available in the Azure Service Fabric template samples. Learn how to customize your cluster template.

If you already have a custom template, double-check that all three certificate-related parameters in the template and the parameter file are named as follows and that their values are empty, as follows:

    "certificateThumbprint": {
      "value": ""
    },
    "sourceVaultValue": {
      "value": ""
    },
    "certificateUrlValue": {
      "value": ""
    },

Deploy the cluster using PowerShell:

$resourceGroupLocation="westus"
$resourceGroupName="mycluster"
$CertSubjectName="mycluster.westus.cloudapp.azure.com"
$certPassword="Password!1" | ConvertTo-SecureString -AsPlainText -Force
# This folder must already exist; the generated certificate is written here
$certOutputFolder="c:\certificates"

$parameterFilePath="c:\mytemplates\mytemplateparm.json"
$templateFilePath="c:\mytemplates\mytemplate.json"

New-AzureRmServiceFabricCluster -ResourceGroupName $resourceGroupName -Location $resourceGroupLocation -CertificateOutputFolder $certOutputFolder -CertificatePassword $certPassword -CertificateSubjectName $CertSubjectName -TemplateFile $templateFilePath -ParameterFile $parameterFilePath

Deploy the cluster using Azure CLI:

declare certPassword="Password!1"
declare resourceGroupLocation="westus"
declare resourceGroupName="mylinux"
declare certSubjectName="mylinuxsecure.westus.cloudapp.azure.com"
declare parameterFilePath="c:\mytemplates\linuxtemplateparm.json"
declare templateFilePath="c:\mytemplates\linuxtemplate.json"
# This folder must already exist; the generated certificate is written here
declare certOutputFolder="c:\certificates"

az sf cluster create --resource-group $resourceGroupName --location $resourceGroupLocation \
    --certificate-output-folder $certOutputFolder --certificate-password $certPassword \
    --certificate-subject-name $certSubjectName \
    --template-file $templateFilePath --parameter-file $parameterFilePath

Create a new cluster using your own X.509 certificate

If you have a certificate that you want to use to secure your cluster, use the following command to create the cluster.

If this is a CA signed certificate that you will end up using for other purposes as well, it is recommended that you provide a distinct resource group specifically for your key vault. We recommend that you put the key vault into its own resource group. This lets you remove the compute and storage resource groups, including the resource group that contains your Service Fabric cluster, without losing your keys and secrets. The resource group that contains your key vault must be in the same region as the cluster that is using it.

Use the default five node, one node type template that ships in the module

The template that is used is available in the Azure samples: Windows template and Ubuntu template.

Deploy the cluster using PowerShell:

$resourceGroupLocation="westus"
$resourceGroupName="mylinux"
$vaultName="myvault"
$vaultResourceGroupName="myvaultrg"
$certPassword="Password!1" | ConvertTo-SecureString -AsPlainText -Force
$vmPassword="Password!4321" | ConvertTo-SecureString -AsPlainText -Force
$vmUser="myadmin"
$os="WindowsServer2016DatacenterwithContainers"
# Your existing certificate, with its private key, in PFX format
$certificateFile="C:\MyCertificates\chackocertificate3.pfx"

New-AzureRmServiceFabricCluster -ResourceGroupName $resourceGroupName -Location $resourceGroupLocation -KeyVaultResourceGroupName $vaultResourceGroupName -KeyVaultName $vaultName -CertificateFile $certificateFile -CertificatePassword $certPassword -OS $os -VmPassword $vmPassword -VmUserName $vmUser

Deploy the cluster using Azure CLI:

declare vmPassword="Password!1"
declare certPassword="Password!1"
declare vmUser="myadmin"
declare resourceGroupLocation="westus"
declare resourceGroupName="mylinux"
declare vaultResourceGroupName="myvaultrg"
declare vaultName="myvault"
# Shell variable names cannot contain a hyphen
declare certificateFile="c:\certificates\mycert.pem"
declare vmOs="UbuntuServer1604"

az sf cluster create --resource-group $resourceGroupName --location $resourceGroupLocation \
    --certificate-file $certificateFile --certificate-password $certPassword \
    --vault-name $vaultName --vault-resource-group $vaultResourceGroupName \
    --vm-os $vmOs \
    --vm-password $vmPassword --vm-user-name $vmUser

Use your own custom cluster template

If you need to author a custom template to suit your needs, it is highly recommended that you start with one of the templates that are available in the Azure Service Fabric template samples. Learn how to customize your cluster template.

If you already have a custom template, double-check that all three certificate-related parameters in the template and the parameter file are named as follows and that their values are empty, as follows:

    "certificateThumbprint": {
      "value": ""
    },
    "sourceVaultValue": {
      "value": ""
    },
    "certificateUrlValue": {
      "value": ""
    },
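Both custom-template sections above say to double-check the three certificate-related parameters before deploying. As an added example that is not part of the article or of any Azure tooling, this Python helper does that check against a parameter file and reports what it finds; it assumes the entries sit under the usual top-level "parameters" object of an ARM parameter file, falling back to the bare map the article shows.

```python
import json

# The three certificate-related parameters the article says must be present and
# empty when the deployment command is expected to supply the certificate itself.
CERT_PARAMETERS = ("certificateThumbprint", "sourceVaultValue", "certificateUrlValue")


def check_cert_parameters(parameter_file_text: str) -> list:
    """Return a list of problems found in an ARM parameter file (empty list means OK).

    Accepts either a full parameter file ({"parameters": {...}}) or just the
    bare parameter map, since the article shows only the inner entries.
    """
    doc = json.loads(parameter_file_text)
    params = doc.get("parameters", doc)
    problems = []
    for name in CERT_PARAMETERS:
        entry = params.get(name)
        if entry is None:
            problems.append(f"{name}: missing")
        elif not isinstance(entry, dict) or "value" not in entry:
            problems.append(f"{name}: must be an object with a 'value' key")
        elif entry["value"] != "":
            problems.append(f"{name}: value must be empty, found {entry['value']!r}")
    return problems


# Constructed sample (not a real deployment file): the thumbprint was left filled
# in from an earlier deployment and the certificate URL parameter is misnamed.
SAMPLE_PARAMETERS = """
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "clusterName": { "value": "mycluster" },
    "certificateThumbprint": { "value": "PLACEHOLDER_THUMBPRINT" },
    "sourceVaultValue": { "value": "" },
    "certificateUrl": { "value": "" }
  }
}
"""

if __name__ == "__main__":
    for problem in check_cert_parameters(SAMPLE_PARAMETERS):
        print("parameter file problem:", problem)
```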

Deploy the cluster using PowerShell:

$resourceGroupLocation="westus"
$resourceGroupName="mylinux"
$vaultName="myvault"
$vaultResourceGroupName="myvaultrg"
$certPassword="Password!1" | ConvertTo-SecureString -AsPlainText -Force
$parameterFilePath="c:\mytemplates\mytemplateparm.json"
$templateFilePath="c:\mytemplates\mytemplate.json"
# Your existing certificate, with its private key
$certificateFile="C:\MyCertificates\chackonewcertificate3.pem"

New-AzureRmServiceFabricCluster -ResourceGroupName $resourceGroupName -Location $resourceGroupLocation -TemplateFile $templateFilePath -ParameterFile $parameterFilePath -KeyVaultResourceGroupName $vaultResourceGroupName -KeyVaultName $vaultName -CertificateFile $certificateFile -CertificatePassword $certPassword

Deploy the cluster using Azure CLI:

declare certPassword="Password!1"
declare resourceGroupLocation="westus"
declare resourceGroupName="mylinux"
declare vaultResourceGroupName="myvaultrg"
declare vaultName="myvault"
declare parameterFilePath="c:\mytemplates\linuxtemplateparm.json"
declare templateFilePath="c:\mytemplates\linuxtemplate.json"
# Your existing certificate, with its private key
declare certificateFile="c:\certificates\mycert.pem"

az sf cluster create --resource-group $resourceGroupName --location $resourceGroupLocation \
    --certificate-file $certificateFile --certificate-password $certPassword \
    --vault-name $vaultName --vault-resource-group $vaultResourceGroupName \
    --template-file $templateFilePath --parameter-file $parameterFilePath

Use a pointer to a secret uploaded into a key vault

To use an existing key vault, the key vault must be enabled for deployment so that the compute resource provider can get certificates from it and install them on the cluster nodes.

Deploy the cluster using PowerShell:

# Allow the compute resource provider to retrieve certificates stored in this vault
Set-AzureRmKeyVaultAccessPolicy -VaultName 'ContosoKeyVault' -EnabledForDeployment

$resourceGroupName="testRG"
$templateFilePath="c:\mytemplates\mytemplate.json"
$parameterFilePath="c:\mytemplates\mytemplateparm.json"
# Versioned identifier of the certificate secret in the key vault
$secretId="https://test1.vault.azure.net:443/secrets/testcertificate4/55ec7c4dc61a462bbc645ffc9b4b225f"

New-AzureRmServiceFabricCluster -ResourceGroupName $resourceGroupName -SecretIdentifier $secretId -TemplateFile $templateFilePath -ParameterFile $parameterFilePath

Deploy the cluster using Azure CLI:

# Allow the compute resource provider to retrieve certificates stored in this vault
az keyvault update --name ContosoKeyVault --enabled-for-deployment true

declare resourceGroupName="testRG"
declare resourceGroupLocation="westus"
declare templateFilePath="c:\mytemplates\mytemplate.json"
declare parameterFilePath="c:\mytemplates\mytemplateparm.json"
# Versioned identifier of the certificate secret in the key vault
declare secretId="https://test1.vault.azure.net:443/secrets/testcertificate4/55ec7c4dc61a462bbc645ffc9b4b225f"

az sf cluster create --resource-group $resourceGroupName --location $resourceGroupLocation \
    --secret-identifier $secretId \
    --template-file $templateFilePath --parameter-file $parameterFilePath
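The secret identifier passed above must be a versioned Key Vault secret URL of the form https://&lt;vault&gt;.vault.azure.net/secrets/&lt;name&gt;/&lt;version&gt;; an unversioned pointer would not pin the certificate that gets installed on the nodes. As an added example that is not part of the article or of the Azure CLI, this Python function parses such an identifier and rejects malformed ones before they reach the deployment command; it assumes the public vault DNS suffix and a 32-character hexadecimal version string, which is what Key Vault assigns.

```python
import re
from urllib.parse import urlsplit

# Key Vault secret versions are 32 lowercase hex characters; secret names are
# 1-127 alphanumerics or hyphens. The :443 port in the article's example is allowed.
_VERSION_RE = re.compile(r"^[0-9a-f]{32}$")
_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,127}$")
_VAULT_SUFFIX = ".vault.azure.net"  # assumed: public Azure vault DNS suffix


def parse_secret_identifier(secret_id: str) -> dict:
    """Split a secret identifier into vault, secret name and version.

    Raises ValueError with a specific message for anything that is not a
    versioned secret URL, so a wrong pointer is caught locally instead of by
    the compute resource provider halfway through a deployment.
    """
    parts = urlsplit(secret_id)
    if parts.scheme != "https":
        raise ValueError("secret identifier must use https")
    if parts.port not in (None, 443):
        raise ValueError("unexpected port in secret identifier")
    host = parts.hostname or ""
    if not host.endswith(_VAULT_SUFFIX) or host == _VAULT_SUFFIX.lstrip("."):
        raise ValueError("host is not a Key Vault endpoint")
    vault = host[: -len(_VAULT_SUFFIX)]
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 3 or segments[0] != "secrets":
        raise ValueError("path must be /secrets/<name>/<version>")
    _, name, version = segments
    if not _NAME_RE.match(name):
        raise ValueError("invalid secret name")
    if not _VERSION_RE.match(version):
        raise ValueError("version must be a 32-character hex string; an unversioned "
                         "identifier would not pin the certificate")
    return {"vault": vault, "secret": name, "version": version}


if __name__ == "__main__":
    # The identifier used in the article's own example
    print(parse_secret_identifier(
        "https://test1.vault.azure.net:443/secrets/testcertificate4/55ec7c4dc61a462bbc645ffc9b4b225f"))
```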

Next steps

At this point, you have a secure cluster running in Azure. Next, connect to your cluster and learn how to manage application secrets.