
Deploy a Linux Service Fabric cluster into an Azure virtual network

In this article you learn how to deploy a Linux Service Fabric cluster into an Azure virtual network (VNET) using Azure CLI and a template. When you're finished, you have a cluster running in the cloud that you can deploy applications to. To create a Windows cluster using PowerShell, see Create a secure Windows cluster on Azure.

Prerequisites

Before you begin:

The following procedures create a seven-node Service Fabric cluster. To calculate the cost incurred by running a Service Fabric cluster in Azure, use the Azure Pricing Calculator.

Download and explore the template

Download the following Resource Manager template files:

This template deploys a secure cluster of seven virtual machines and three node types into a virtual network. Other sample templates can be found on GitHub. AzureDeploy.json deploys a number of resources, including the following.

Service Fabric cluster

In the Microsoft.ServiceFabric/clusters resource, a Linux cluster is deployed with the following characteristics:

  • three node types
  • five nodes in the primary node type (configurable in the template parameters), one node in each of the other node types
  • OS: Ubuntu 16.04 LTS (configurable in the template parameters)
  • certificate secured (configurable in the template parameters)
  • DNS service is enabled
  • Durability level of Bronze (configurable in the template parameters)
  • Reliability level of Silver (configurable in the template parameters)
  • client connection endpoint: 19000 (configurable in the template parameters)
  • HTTP gateway endpoint: 19080 (configurable in the template parameters)

Azure load balancer

In the Microsoft.Network/loadBalancers resource, a load balancer is configured, with probes and rules set up for the following ports:

  • client connection endpoint: 19000
  • HTTP gateway endpoint: 19080
  • application port: 80
  • application port: 443

Virtual network and subnet

The names of the virtual network and subnet are declared in the template parameters. Address spaces of the virtual network and subnet are also declared in the template parameters and configured in the Microsoft.Network/virtualNetworks resource:

  • virtual network address space: 10.0.0.0/16
  • Service Fabric subnet address space: 10.0.2.0/24

If any other application ports are needed, adjust the Microsoft.Network/loadBalancers resource to allow the traffic in.

Set template parameters

The AzureDeploy.Parameters parameters file declares many values used to deploy the cluster and associated resources. Some of the parameters that you might need to modify for your deployment:

| Parameter | Example value | Notes |
|---|---|---|
| adminUserName | vmadmin | Admin username for the cluster VMs. |
| adminPassword | Password#1234 | Admin password for the cluster VMs. |
| clusterName | mysfcluster123 | Name of the cluster. |
| location | southcentralus | Location of the cluster. |
| certificateThumbprint | | Value should be empty if creating a self-signed certificate or providing a certificate file. To use an existing certificate previously uploaded to a key vault, fill in the certificate SHA1 thumbprint value. For example, "6190390162C988701DB5676EB81083EA608DCCF3". |
| certificateUrlValue | | Value should be empty if creating a self-signed certificate or providing a certificate file. To use an existing certificate previously uploaded to a key vault, fill in the certificate URL. For example, "https://mykeyvault.vault.azure.net:443/secrets/mycertificate/02bea722c9ef4009a76c5052bcbf8346". |
| sourceVaultValue | | Value should be empty if creating a self-signed certificate or providing a certificate file. To use an existing certificate previously uploaded to a key vault, fill in the source vault value. For example, "/subscriptions/333cc2c84-12fa-5778-bd71-c71c07bf873f/resourceGroups/MyTestRG/providers/Microsoft.KeyVault/vaults/MYKEYVAULT". |
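A pre-deployment check for the certificate parameters described above, as an added example that is not part of the original article or the Service Fabric tooling. The function name `check_parameters` is hypothetical, the file layout is the standard Resource Manager `parameters` / `value` structure, and the rule that the Key Vault name in the certificate URL should match the one in the source vault ID is an assumption drawn from the example values in the table.

```python
import json
import re
from urllib.parse import urlparse

CERT_KEYS = ("certificateThumbprint", "certificateUrlValue", "sourceVaultValue")
VAULT_ID = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+"
                      r"/providers/Microsoft\.KeyVault/vaults/([^/]+)$", re.I)
SAMPLE_PASSWORD = "Password#1234"  # example value printed in the table above


def check_parameters(text):
    """Return findings for an ARM parameters file passed as JSON text."""
    params = json.loads(text)["parameters"]
    value = {k: str(v.get("value") or "").strip() for k, v in params.items()}
    findings = []
    if value.get("adminPassword") == SAMPLE_PASSWORD:
        findings.append("adminPassword is the documented sample value")

    filled = [k for k in CERT_KEYS if value.get(k)]
    if not filled:  # self-signed or certificate-file deployment
        return findings
    if len(filled) < len(CERT_KEYS):
        empty = [k for k in CERT_KEYS if k not in filled]
        return findings + ["existing-certificate set incomplete: " + ", ".join(empty)]

    if not re.fullmatch(r"[0-9A-Fa-f]{40}", value["certificateThumbprint"]):
        findings.append("certificateThumbprint is not 40 hex digits (SHA1)")
    url = urlparse(value["certificateUrlValue"])
    if url.scheme != "https" or not url.path.startswith("/secrets/"):
        findings.append("certificateUrlValue is not an https /secrets/ URL")
    vault = VAULT_ID.match(value["sourceVaultValue"])
    if not vault:
        findings.append("sourceVaultValue is not a Key Vault resource ID")
    elif (url.hostname or "").split(".")[0].lower() != vault.group(1).lower():
        findings.append("certificate URL and source vault name different vaults")
    return findings


# Constructed sample built from the example values in the table above.
SAMPLE = json.dumps({"parameters": {
    "adminPassword": {"value": "Password#1234"},
    "certificateThumbprint": {"value": "6190390162C988701DB5676EB81083EA608DCCF3"},
    "certificateUrlValue": {"value": "https://mykeyvault.vault.azure.net:443"
                            "/secrets/mycertificate/02bea722c9ef4009a76c5052bcbf8346"},
    "sourceVaultValue": {"value": ""},  # left empty: inconsistent on purpose
}})

if __name__ == "__main__":
    for finding in check_parameters(SAMPLE):
        print("FINDING:", finding)
```

To check a real file, pass its contents to `check_parameters` and treat a non-empty result as a reason to stop before running the deployment.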

Deploy the virtual network and cluster

Next, set up the network topology and deploy the Service Fabric cluster. The AzureDeploy.json Resource Manager template creates a virtual network (VNET) and a subnet for Service Fabric. The template also deploys a cluster with certificate security enabled. For production clusters, use a certificate from a certificate authority (CA) as the cluster certificate. A self-signed certificate can be used to secure test clusters.

The template in this article deploys a cluster that uses the certificate thumbprint to identify the cluster certificate. No two certificates can have the same thumbprint, which makes certificate management more difficult. Switching a deployed cluster from using certificate thumbprints to using certificate common names makes certificate management much simpler. To learn how to update the cluster to use certificate common names for certificate management, read change cluster to certificate common name management.

Create a cluster using an existing certificate

The following script uses the az sf cluster create command and a template to deploy a new cluster secured with an existing certificate. The command also creates a new key vault in Azure and uploads your certificate.

ResourceGroupName="sflinuxclustergroup"
Location="southcentralus"
Password="q6D7nN%6ck@6"
VaultName="linuxclusterkeyvault"
VaultGroupName="linuxclusterkeyvaultgroup"
CertPath="C:\MyCertificates\MyCertificate.pem"

# sign in to your Azure account and select your subscription
az login
az account set --subscription <guid>

# Create a new resource group for your deployment and give it a name and a location.
az group create --name $ResourceGroupName --location $Location

# Create the Service Fabric cluster.
az sf cluster create --resource-group $ResourceGroupName --location $Location \
   --certificate-password $Password --certificate-file $CertPath \
   --vault-name $VaultName --vault-resource-group $ResourceGroupName  \
   --template-file AzureDeploy.json --parameter-file AzureDeploy.Parameters.json

Create a cluster using a new, self-signed certificate

The following script uses the az sf cluster create command and a template to deploy a new cluster in Azure. The command also creates a new key vault in Azure, adds a new self-signed certificate to the key vault, and downloads the certificate file locally.

ResourceGroupName="sflinuxclustergroup"
ClusterName="sflinuxcluster"
Location="southcentralus"
Password="q6D7nN%6ck@6"
VaultName="linuxclusterkeyvault"
VaultGroupName="linuxclusterkeyvaultgroup"
CertPath="C:\MyCertificates"

# Create the Service Fabric cluster. The template paths are quoted so the shell keeps the backslashes.
az sf cluster create --resource-group $ResourceGroupName --location $Location \
   --cluster-name $ClusterName \
   --template-file 'C:\temp\cluster\AzureDeploy.json' \
   --parameter-file 'C:\temp\cluster\AzureDeploy.Parameters.json' \
   --certificate-password $Password --certificate-output-folder $CertPath \
   --certificate-subject-name $ClusterName.$Location.cloudapp.azure.com \
   --vault-name $VaultName --vault-resource-group $ResourceGroupName

Connect to the secure cluster

Connect to the cluster using the Service Fabric CLI command sfctl cluster select with your key. Use the --no-verify option only for a self-signed certificate.

sfctl cluster select --endpoint https://aztestcluster.southcentralus.cloudapp.azure.com:19080 \
--pem ./aztestcluster201709151446.pem --no-verify

Check that you are connected and the cluster is healthy using the sfctl cluster health command.

sfctl cluster health

Clean up resources

If you're not immediately moving on to the next article, you might want to delete the cluster to avoid incurring charges.

Next steps

Learn how to scale a cluster.
