
Create a Service Fabric cluster in Azure using the Azure portal

This is a step-by-step guide that walks you through setting up a Service Fabric cluster (Linux or Windows) in Azure using the Azure portal. It covers the following steps:

  • Create a cluster in Azure through the Azure portal.
  • Authenticate administrators using certificates.

Note

For more advanced security options, such as user authentication with Azure Active Directory and setting up certificates for application security, create your cluster using Azure Resource Manager.

Cluster security

Certificates are used in Service Fabric to provide authentication and encryption, securing various aspects of a cluster and its applications. For more information on how certificates are used in Service Fabric, see Service Fabric cluster security scenarios.

If this is the first time you are creating a Service Fabric cluster, or you are deploying a cluster for test workloads, you can skip to the next section (Create cluster in the Azure portal) and have the system generate the certificates needed for clusters that run test workloads. If you are setting up a cluster for production workloads, continue reading.

Cluster and server certificate (required)

This certificate is required to secure a cluster and prevent unauthorized access to it. It provides cluster security in two ways:

  • Cluster authentication: Authenticates node-to-node communication for cluster federation. Only nodes that can prove their identity with this certificate can join the cluster.
  • Server authentication: Authenticates the cluster management endpoints to a management client, so that the management client knows it is talking to the real cluster. This certificate also provides SSL for the HTTPS management API and for Service Fabric Explorer over HTTPS.

To serve these purposes, the certificate must meet the following requirements:

  • The certificate must contain a private key.
  • The certificate must be created for key exchange and be exportable to a Personal Information Exchange (.pfx) file.
  • The certificate's subject name must match the domain used to access the Service Fabric cluster. This is required to provide SSL for the cluster's HTTPS management endpoints and Service Fabric Explorer. You cannot obtain an SSL certificate from a certificate authority (CA) for the .cloudapp.azure.com domain, so acquire a custom domain name for your cluster. When you request a certificate from a CA, the certificate's subject name must match the custom domain name used for your cluster.
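
As an added example (not part of this documentation page), the following PowerShell script loads a .pfx file and checks it against the requirements above: a private key is present, the key usage allows key exchange, a subject or Subject Alternative Name entry matches the cluster domain, and the certificate has not expired. It also prints the SHA-1 thumbprint that the Security page asks for later. The file path, password prompt and cluster domain are placeholders you supply; the key usage extension is used as a proxy for "created for key exchange", since the CSP key specification is not exposed the same way on every platform.

```powershell
# Added example, not from the Azure documentation. Checks a .pfx against the
# cluster/server certificate requirements and prints the SHA-1 thumbprint.
# $PfxPath and $ClusterDomain are placeholders; replace them with your own.
param(
    [string]$PfxPath       = 'C:\certs\cluster.pfx',      # placeholder
    [string]$ClusterDomain = 'cluster.contoso.example'    # placeholder custom domain
)

if ($ClusterDomain -like '*.cloudapp.azure.com') {
    Write-Warning 'A CA will not issue a certificate for *.cloudapp.azure.com; use a custom domain for production.'
}

$password = Read-Host -Prompt "Password for $PfxPath" -AsSecureString
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $password, $flags)

# Names the certificate is valid for: the subject's DNS name plus any
# DNS entries in the Subject Alternative Name extension (OID 2.5.29.17).
$names = @($cert.GetNameInfo('DnsName', $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,]+)') |
        ForEach-Object { $_.Groups[1].Value.Trim() }
}

# "Created for key exchange": the key usage extension is used as a proxy here.
# An absent extension places no restriction, so it is treated as acceptable.
$ku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
}
$wanted = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'KeyEncipherment, KeyAgreement'
$keyExchange = (-not $ku) -or (($ku.KeyUsages -band $wanted) -ne 0)

# -like lets a wildcard name such as *.contoso.example match the cluster host.
$hostMatch  = [bool]($names | Where-Object { $_ -and ($ClusterDomain -like $_) })
$notExpired = $cert.NotAfter -gt (Get-Date)

[pscustomobject]@{
    Thumbprint         = $cert.Thumbprint      # SHA-1 hex, the value the portal expects
    Subject            = $cert.Subject
    DnsNames           = ($names -join ', ')
    HasPrivateKey      = $cert.HasPrivateKey
    KeyExchangeUsage   = $keyExchange
    SubjectMatchesHost = $hostMatch
    NotExpired         = $notExpired
    MeetsRequirements  = $cert.HasPrivateKey -and $keyExchange -and $hostMatch -and $notExpired
}
```

Run it against the .pfx you intend to upload to Key Vault; a `MeetsRequirements` value of `False` tells you which requirement failed before you start the cluster deployment, and the `Thumbprint` value is what you will later compare against the Security page.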

Client authentication certificates

Additional client certificates authenticate administrators for cluster management tasks. Service Fabric has two access levels: admin and read-only user. At a minimum, a single certificate for administrative access should be used. For additional user-level access, a separate certificate must be provided. For more information on access roles, see role-based access control for Service Fabric clients.

You do not need to upload client authentication certificates to Key Vault to work with Service Fabric. These certificates only need to be provided to users who are authorized for cluster management.

Note

Azure Active Directory is the recommended way to authenticate clients for cluster management operations. To use Azure Active Directory, you must create the cluster using Azure Resource Manager.

Application certificates (optional)

Any number of additional certificates can be installed on a cluster for application security purposes. Before creating your cluster, consider the application security scenarios that require a certificate to be installed on the nodes, such as:

  • Encryption and decryption of application configuration values
  • Encryption of data across nodes during replication

Application certificates cannot be configured when creating a cluster through the Azure portal. To configure application certificates at cluster setup time, you must create the cluster using Azure Resource Manager. You can also add application certificates to the cluster after it has been created.

Create cluster in the Azure portal

Creating a production cluster to meet your application needs involves some planning. To help with that, it is strongly recommended that you read and understand the Service Fabric cluster planning considerations document.

Search for the Service Fabric cluster resource

Sign in to the Azure portal. Click Create a resource to add a new resource template. Search for the Service Fabric Cluster template in the Marketplace under Everything. Select Service Fabric Cluster from the list.

Search for the Service Fabric cluster template in the Azure portal.

Navigate to the Service Fabric Cluster blade, and click Create.

The Create Service Fabric cluster blade has the following four steps:

1. Basics

Screenshot of creating a new resource group.

In the Basics blade, you need to provide the basic details for your cluster.

  1. Enter the name of your cluster.

  2. Enter a User name and Password for Remote Desktop for the VMs.

  3. Make sure to select the Subscription that you want your cluster to be deployed to, especially if you have multiple subscriptions.

  4. Create a new Resource group. It is best to give it the same name as the cluster, since that helps in finding them later, especially when you are trying to make changes to your deployment or delete your cluster.

    Note

    Although you can use an existing resource group, it is good practice to create a new one. This makes it easy to delete the cluster and all the resources it uses.

  5. Select the Location in which you want to create the cluster. If you plan to use an existing certificate that you have already uploaded to a key vault, you must use the same region that your key vault is in.

2. Cluster configuration

Create node type

Configure your cluster nodes. Node types define the VM size, the number of VMs, and their properties. Your cluster can have more than one node type, but the primary node type (the first one you define in the portal) must have at least five VMs, because that is the node type where the Service Fabric system services are placed. Do not configure Placement Properties, because a default placement property of "NodeTypeName" is added automatically.

Note

A common scenario for multiple node types is an application that contains a front-end service and a back-end service. You want to put the front-end service on smaller VMs (VM sizes like D2_V2) with ports open to the Internet, and put the back-end service on larger VMs (with VM sizes like D3_V2, D6_V2, D15_V2, and so on) with no Internet-facing ports open.

  1. Choose a name for your node type (1 to 12 characters containing only letters and numbers).
  2. The minimum size of VMs for the primary node type is driven by the Durability tier you choose for the cluster. The default durability tier is Bronze. For more information on durability, see how to choose the Service Fabric cluster durability.
  3. Select the Virtual machine size. D-series VMs have SSD drives and are highly recommended for stateful applications. Do not use any VM SKU that has partial cores or less than 10 GB of available disk capacity. Refer to the Service Fabric cluster planning considerations document for help in selecting the VM size.
  4. Single-node and three-node clusters are meant for test use only. They are not supported for running production workloads.
  5. Choose the Initial VM scale set capacity for the node type. You can scale the number of VMs in a node type up or down later, but on the primary node type the minimum is five for production workloads. Other node types can have a minimum of one VM. The minimum number of VMs for the primary node type drives the reliability of your cluster.
  6. Configure Custom endpoints. This field allows you to enter a comma-separated list of ports that you want to expose through the Azure Load Balancer to the public Internet for your applications. For example, if you plan to deploy a web application to your cluster, enter "80" here to allow traffic on port 80 into your cluster. For more information on endpoints, see communicating with applications.
  7. Enable reverse proxy. The Service Fabric reverse proxy helps microservices running in a Service Fabric cluster discover and communicate with other services that have HTTP endpoints.
  8. Back in the Cluster configuration blade, under +Show optional settings, configure cluster diagnostics. By default, diagnostics are enabled on your cluster to assist with troubleshooting issues. If you want to disable diagnostics, change the Status toggle to Off. Turning off diagnostics is not recommended. If you already have an Application Insights project created, provide its key so that application traces are routed to it.
  9. Include DNS service. The DNS service is an optional service that enables you to find other services using the DNS protocol.
  10. Select the Fabric upgrade mode you want to set your cluster to. Select Automatic if you want the system to automatically pick up the latest available version and try to upgrade your cluster to it. Set the mode to Manual if you want to choose a supported version. For more details on the Fabric upgrade mode, see the Service Fabric cluster upgrade document.

Note

We support only clusters that are running supported versions of Service Fabric. By selecting Manual mode, you take on the responsibility of upgrading your cluster to a supported version.

3. Security

Screenshot of the security configuration on the Azure portal.

To make setting up a secure test cluster easy, the Basic option is provided. If you already have a certificate and have uploaded it to your key vault (and enabled the key vault for deployment), use the Custom option.

Basic option

Follow the screens to add or reuse an existing key vault and add a certificate. Adding the certificate is a synchronous process, so you will have to wait for the certificate to be created.

Resist the temptation to navigate away from the screen until the preceding process is completed.


Now that the key vault is created, edit the access policies for your key vault.


Click Edit access policies, then Show advanced access policies, and enable access to Azure Virtual Machines for deployment. It is recommended that you enable template deployment as well. Once you have made your selections, do not forget to click the Save button and close the Access policies pane.


Enter the name of the certificate and click OK.


Custom option

Skip this section if you have already performed the steps in the Basic option.


You need the Source key vault, Certificate URL, and Certificate thumbprint values to complete the Security page. If you do not have them handy, open another browser window and, in the Azure portal, do the following:

  1. Navigate to your key vault service.

  2. Select the "Properties" tab and copy the 'RESOURCE ID' to "Source key vault" in the other browser window.


  3. Now, select the "Certificates" tab.

  4. Click on the certificate thumbprint, which takes you to the Versions page.

  5. Click on the GUID you see under the current version.


  6. You should now be on a screen like the one below. Copy the hexadecimal SHA-1 Thumbprint to "Certificate thumbprint" in the other browser window.

  7. Copy the 'Secret Identifier' to "Certificate URL" in the other browser window.


Check the Configure advanced settings box to enter client certificates for the admin client and the read-only client. In these fields, enter the thumbprint of your admin client certificate and, if applicable, the thumbprint of your read-only user client certificate. When administrators attempt to connect to the cluster, they are granted access only if they present a certificate whose thumbprint matches one of the values entered here.
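
The seven-step portal procedure above and the client-certificate fields can also be filled from a PowerShell session. The script below is an added example (not from the Azure documentation) that uses the Az PowerShell module to read the Source key vault resource ID, the certificate's Secret Identifier and its SHA-1 thumbprint, confirms the vault is enabled for deployment, and looks up the admin client certificate's thumbprint in the current user's certificate store. The vault name, certificate name and admin client subject are placeholders you replace with your own.

```powershell
# Added example, not from the Azure documentation. Reads the three values the
# Custom option asks for with the Az PowerShell module, and looks up the admin
# client certificate's thumbprint in the local user store.
# $VaultName, $CertName and $AdminClientSubject are placeholders.
param(
    [string]$VaultName          = 'sf-cluster-kv',        # placeholder
    [string]$CertName           = 'sfclustercert',        # placeholder
    [string]$AdminClientSubject = 'CN=sf-admin-client'    # placeholder
)

# Interactive sign-in; omit if the session is already signed in.
Connect-AzAccount | Out-Null

$vault = Get-AzKeyVault -VaultName $VaultName
$cert  = Get-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName

# The cluster deployment pulls the certificate onto the VMs through the vault's
# deployment access policy, so verify it is enabled before creating the cluster.
if (-not $vault.EnabledForDeployment) {
    Write-Warning ("Vault '$VaultName' is not enabled for deployment. Enable it with: " +
        "Set-AzKeyVaultAccessPolicy -VaultName $VaultName -EnabledForDeployment -EnabledForTemplateDeployment")
}

# Admin client certificate: the newest non-expired one with a private key.
$admin = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $AdminClientSubject -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $admin) {
    Write-Warning "No usable certificate with subject '$AdminClientSubject' in Cert:\CurrentUser\My"
}

[pscustomobject]@{
    'Source key vault'        = $vault.ResourceId    # Properties > Resource ID in the portal
    'Certificate URL'         = $cert.SecretId       # Secret Identifier of the current version
    'Certificate thumbprint'  = $cert.Thumbprint     # SHA-1 hex, no spaces
    'Admin client thumbprint' = $admin.Thumbprint    # goes under Configure advanced settings
}
```

The four output fields map one-to-one onto the Security page. Because the cluster authorizes administrators purely by thumbprint, keep the admin client certificate's private key only on the machines of the people who should have admin access; the read-only client thumbprint, if you use one, comes from a separate certificate looked up the same way.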

4. Summary

Now you are ready to deploy the cluster. Before you do that, download the certificate; look inside the large blue informational box for the link. Make sure to keep the certificate in a safe place; you need it to connect to your cluster. Since the certificate you downloaded does not have a password, it is advised that you add one.

To complete the cluster creation, click Create. You can optionally download the template.


You can see the creation progress in the notifications (click the "Bell" icon near the status bar at the upper right of your screen). If you clicked Pin to Startboard while creating the cluster, you see Deploying Service Fabric Cluster pinned to the Start board. This process will take some time.

To perform management operations on your cluster using PowerShell or the CLI, you need to connect to your cluster; read more on how to do that in connecting to your cluster.
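
As an added example (not from the Azure documentation), the following PowerShell session connects to the cluster using the certificates set up above and then reads cluster and node health, which is the same information the Node Monitor on the dashboard shows. The cluster domain and the two thumbprints are placeholders; 19000 is assumed to be the default client connection port.

```powershell
# Added example, not from the Azure documentation. Connects to a certificate-
# secured cluster and checks cluster and node health. All values are
# placeholders; 19000 is assumed to be the default client connection port.
$clusterDomain = 'cluster.contoso.example'                   # placeholder custom domain
$serverThumb   = '0000000000000000000000000000000000000000'  # placeholder: cluster certificate thumbprint
$adminThumb    = '1111111111111111111111111111111111111111'  # placeholder: admin client certificate thumbprint

# -ServerCertThumbprint pins the cluster's certificate so the client only talks
# to the real cluster (server authentication); -FindValue selects the admin
# client certificate that the cluster authorizes by thumbprint.
Connect-ServiceFabricCluster -ConnectionEndpoint "${clusterDomain}:19000" `
    -X509Credential `
    -ServerCertThumbprint $serverThumb `
    -FindType FindByThumbprint -FindValue $adminThumb `
    -StoreLocation CurrentUser -StoreName My

# Aggregated health first, then per-node status; anything other than
# HealthState 'Ok' and NodeStatus 'Up' deserves a closer look.
(Get-ServiceFabricClusterHealth).AggregatedHealthState
Get-ServiceFabricNode |
    Select-Object NodeName, NodeType, NodeStatus, HealthState |
    Format-Table -AutoSize
```

If the connection fails with a certificate error, compare the thumbprint in the error message with the cluster certificate thumbprint entered on the Security page, and confirm that the admin client certificate (with its private key) is installed in the current user's personal store on the machine you are connecting from.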

View your cluster status

Screenshot of the cluster details in the dashboard.

Once your cluster is created, you can inspect it in the portal:

  1. Go to Browse and click Service Fabric Clusters.
  2. Locate your cluster and click it.
  3. You can now see the details of your cluster in the dashboard, including the cluster's public endpoint and a link to Service Fabric Explorer.

The Node Monitor section on the cluster's dashboard blade indicates the number of VMs that are healthy and not healthy. You can find more details about the cluster's health in the Service Fabric health model introduction.

Note

Service Fabric clusters require a certain number of nodes to be up at all times to maintain availability and preserve state, referred to as "maintaining quorum". Therefore, it is typically not safe to shut down all machines in the cluster unless you have first performed a full backup of your state.

Remote connect to a Virtual Machine Scale Set instance or a cluster node

Each of the node types you specify in your cluster results in a Virtual Machine Scale Set being set up.

Next steps

At this point, you have a secure cluster that uses certificates for management authentication. Next, connect to your cluster and learn how to manage application secrets. Also, learn about Service Fabric support options.