
Tutorial: Deploy a Service Fabric cluster running Windows into an Azure virtual network

This tutorial is part one of a series. You learn how to deploy an Azure Service Fabric cluster running Windows into an Azure virtual network and network security group by using PowerShell and a template. When you're finished, you have a cluster running in the cloud to which you can deploy applications. To create a Linux cluster that uses the Azure CLI, see Create a secure Linux cluster on Azure.

This tutorial describes a production scenario. If you want to create a smaller cluster for testing purposes, see Create a test cluster.

In this tutorial, you learn how to:

  • Create a VNET in Azure using PowerShell
  • Create a key vault and upload a certificate
  • Set up Azure Active Directory authentication
  • Configure diagnostics collection
  • Set up the EventStore service
  • Set up Azure Monitor logs
  • Create a secure Service Fabric cluster in Azure PowerShell
  • Secure the cluster with an X.509 certificate
  • Connect to the cluster using PowerShell
  • Remove a cluster

In this tutorial series, you learn how to:

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

Before you begin this tutorial:

The following procedures create a seven-node Service Fabric cluster. Use the Azure Pricing Calculator to calculate the cost incurred by running a Service Fabric cluster in Azure.

Download and explore the template

Download the following Azure Resource Manager template files:

This template deploys a secure cluster of seven virtual machines and three node types into a virtual network and a network security group. Other sample templates can be found on GitHub. The azuredeploy.json template deploys a number of resources, including the following.

Service Fabric cluster

In the Microsoft.ServiceFabric/clusters resource, a Windows cluster is configured with the following characteristics:

  • Three node types.
  • Five nodes in the primary node type (configurable in the template parameters), and one node in each of the other two node types.
  • OS: Windows Server 2016 Datacenter with Containers (configurable in the template parameters).
  • Certificate secured (configurable in the template parameters).
  • Reverse proxy is enabled.
  • DNS service is enabled.
  • Durability level of Bronze (configurable in the template parameters).
  • Reliability level of Silver (configurable in the template parameters).
  • Client connection endpoint: 19000 (configurable in the template parameters).
  • HTTP gateway endpoint: 19080 (configurable in the template parameters).

Azure Load Balancer

In the Microsoft.Network/loadBalancers resource, a load balancer is configured. Probes and rules are set up for the following ports:

  • Client connection endpoint: 19000
  • HTTP gateway endpoint: 19080
  • Application port: 80
  • Application port: 443
  • Service Fabric reverse proxy: 19081

If other application ports are needed, you'll need to adjust the Microsoft.Network/loadBalancers resource and the Microsoft.Network/networkSecurityGroups resource to allow the traffic in.

Virtual network, subnet, and network security group

The names of the virtual network, subnet, and network security group are declared in the template parameters. Address spaces of the virtual network and subnet are also declared in the template parameters and configured in the Microsoft.Network/virtualNetworks resource:

  • Virtual network address space: 172.16.0.0/20
  • Service Fabric subnet address space: 172.16.2.0/23

The following inbound traffic rules are enabled in the Microsoft.Network/networkSecurityGroups resource. You can change the port values by changing the template variables.

  • ClientConnectionEndpoint (TCP): 19000
  • HttpGatewayEndpoint (HTTP/TCP): 19080
  • SMB: 445
  • Internodecommunication: 1025, 1026, 1027
  • Ephemeral port range: 49152 to 65534 (a minimum of 256 ports is needed).
  • Ports for application use: 80 and 443
  • Application port range: 49152 to 65534 (used for service-to-service communication; other ports aren't opened on the load balancer).
  • Block all other ports

If other application ports are needed, you'll need to adjust the Microsoft.Network/loadBalancers resource and the Microsoft.Network/networkSecurityGroups resource to allow the traffic in.

Windows Defender

By default, the Windows Defender antivirus program is installed and functional on Windows Server 2016. The user interface is installed by default on some SKUs, but isn't required. For each node type/VM scale set declared in the template, the Azure VM Antimalware extension is used to exclude the Service Fabric directories and processes:
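The virtual network, subnet and inbound rule set described in this section, built with Az PowerShell as an added example (this is not the tutorial's template or script). The resource group and resource names are placeholders, and scoping SMB, internode and the ephemeral range to the VirtualNetwork service tag is an assumption, since the page lists only the ports.

```powershell
# Added example, not from the tutorial's template. Builds the virtual network,
# subnet and network security group with the inbound rules listed above.
# Assumed: the resource group already exists; the names below are placeholders.
$rg         = 'sfclusterRG'
$location   = 'southcentralus'
$vnetName   = 'sfVnet'
$subnetName = 'sfSubnet'
$nsgName    = 'sfNsg'

# Inbound rules from the template's NSG. Ports published through the load
# balancer are allowed from Internet; SMB, internode and the ephemeral /
# application range are scoped to VirtualNetwork (assumption, see lead-in).
# Health probes come from the AzureLoadBalancer tag and must stay reachable,
# otherwise the explicit deny-all below would also block them.
$ruleSpecs = @(
    @{ Name = 'ClientConnectionEndpoint'; Port = '19000';       Source = 'Internet' }
    @{ Name = 'HttpGatewayEndpoint';      Port = '19080';       Source = 'Internet' }
    @{ Name = 'ApplicationPortHttp';      Port = '80';          Source = 'Internet' }
    @{ Name = 'ApplicationPortHttps';     Port = '443';         Source = 'Internet' }
    @{ Name = 'SMB';                      Port = '445';         Source = 'VirtualNetwork' }
    @{ Name = 'Internodecommunication';   Port = '1025-1027';   Source = 'VirtualNetwork' }
    @{ Name = 'EphemeralAndAppRange';     Port = '49152-65534'; Source = 'VirtualNetwork' }
    @{ Name = 'AzureLoadBalancerProbes';  Port = '*';           Source = 'AzureLoadBalancer' }
)

$priority = 1000
$rules = foreach ($r in $ruleSpecs) {
    New-AzNetworkSecurityRuleConfig -Name $r.Name -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix $r.Source -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange $r.Port -Priority $priority
    $priority += 10
}

# "Block all other ports": an explicit deny at the lowest custom precedence, so the
# platform default AllowVnetInBound/AllowAzureLoadBalancerInBound rules (priority
# 65000+) cannot widen what is reachable beyond the allows above.
$rules += New-AzNetworkSecurityRuleConfig -Name 'DenyAllOtherInbound' -Direction Inbound `
    -Access Deny -Protocol '*' -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*' -Priority 4096

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name $nsgName -SecurityRules $rules

# Address spaces from the template parameters: VNET 172.16.0.0/20, subnet 172.16.2.0/23.
$subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName `
    -AddressPrefix '172.16.2.0/23' -NetworkSecurityGroup $nsg
$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
    -AddressPrefix '172.16.0.0/20' -Subnet $subnet

# Review the effective inbound rule set before deploying the cluster into the subnet.
$nsg.SecurityRules | Sort-Object Priority |
    Format-Table Name, Priority, Access, SourceAddressPrefix, DestinationPortRange -AutoSize
```

If you later add application ports to the load balancer, add the matching allow rule here with a priority below 4096, or the deny-all rule silently drops that traffic.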

{
  "name": "[concat('VMIaaSAntimalware','_vmNodeType0Name')]",
  "properties": {
    "publisher": "Microsoft.Azure.Security",
    "type": "IaaSAntimalware",
    "typeHandlerVersion": "1.5",
    "settings": {
      "AntimalwareEnabled": "true",
      "Exclusions": {
        "Paths": "D:\\SvcFab;D:\\SvcFab\\Log;C:\\Program Files\\Microsoft Service Fabric",
        "Processes": "Fabric.exe;FabricHost.exe;FabricInstallerService.exe;FabricSetup.exe;FabricDeployer.exe;ImageBuilder.exe;FabricGateway.exe;FabricDCA.exe;FabricFAS.exe;FabricUOS.exe;FabricRM.exe;FileStoreService.exe"
      },
      "RealtimeProtectionEnabled": "true",
      "ScheduledScanSettings": {
        "isEnabled": "true",
        "scanType": "Quick",
        "day": "7",
        "time": "120"
      }
    },
    "protectedSettings": null
  }
}

Set template parameters

The azuredeploy.parameters.json parameters file declares many values used to deploy the cluster and associated resources. The following are parameters to modify for your deployment:

Parameter | Example value | Notes
adminUserName | vmadmin | Admin username for the cluster VMs. See Username requirements for VM.
adminPassword | Password#1234 | Admin password for the cluster VMs. See Password requirements for VM.
clusterName | mysfcluster123 | Name of the cluster. Can contain letters and numbers only. Length can be between 3 and 23 characters.
location | southcentralus | Location of the cluster.
certificateThumbprint | (empty) | Value should be empty if creating a self-signed certificate or providing a certificate file. To use an existing certificate previously uploaded to a key vault, fill in the certificate SHA1 thumbprint value. For example, "6190390162C988701DB5676EB81083EA608DCCF3".
certificateUrlValue | (empty) | Value should be empty if creating a self-signed certificate or providing a certificate file. To use an existing certificate previously uploaded to a key vault, fill in the certificate URL. For example, "https://mykeyvault.vault.azure.net:443/secrets/mycertificate/02bea722c9ef4009a76c5052bcbf8346".
sourceVaultValue | (empty) | Value should be empty if creating a self-signed certificate or providing a certificate file. To use an existing certificate previously uploaded to a key vault, fill in the source vault value. For example, "/subscriptions/333cc2c84-12fa-5778-bd71-c71c07bf873f/resourceGroups/MyTestRG/providers/Microsoft.KeyVault/vaults/MYKEYVAULT".
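Filling the three certificate parameters from an existing Key Vault certificate, as an added example (not the tutorial's script). The vault name, certificate name and parameter file path are placeholders; the enabled-for-deployment check is included because the scale set must be able to pull the certificate from the vault when the VMs are provisioned.

```powershell
# Added example, not the tutorial's own script. Reads an existing certificate's
# thumbprint, versioned secret URL and vault resource ID from Key Vault and writes
# them into azuredeploy.parameters.json as certificateThumbprint,
# certificateUrlValue and sourceVaultValue. Names and path are placeholders.
$vaultName = 'mykeyvault'
$certName  = 'mycertificate'
$paramFile = '.\azuredeploy.parameters.json'

$vault = Get-AzKeyVault -VaultName $vaultName
if (-not $vault) { throw "Key vault '$vaultName' was not found in the current subscription." }

# The scale set installs the certificate from the vault at deployment time, which
# requires the vault to be enabled for deployment. Fail here rather than mid-deploy.
if (-not $vault.EnabledForDeployment) {
    throw "Key vault '$vaultName' is not enabled for deployment. Fix with: Set-AzKeyVaultAccessPolicy -VaultName $vaultName -EnabledForDeployment"
}

$cert = Get-AzKeyVaultCertificate -VaultName $vaultName -Name $certName
if (-not $cert) { throw "Certificate '$certName' was not found in vault '$vaultName'." }
if ($cert.Expires -and $cert.Expires -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate '$certName' expires on $($cert.Expires); rotate it before using it as the cluster certificate."
}

# The three values the parameters table expects: SHA1 thumbprint, the secret URL
# (https://<vault>.vault.azure.net:443/secrets/<name>/<version>) and the vault's
# resource ID (/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault>).
$values = [ordered]@{
    certificateThumbprint = $cert.Thumbprint
    certificateUrlValue   = $cert.SecretId
    sourceVaultValue      = $vault.ResourceId
}

$params = Get-Content -Raw -Path $paramFile | ConvertFrom-Json
foreach ($name in $values.Keys) {
    if ($params.parameters.PSObject.Properties[$name]) {
        $params.parameters.$name.value = $values[$name]
    } else {
        # Parameter missing from the file: add it in the "name": { "value": ... } shape.
        $params.parameters | Add-Member -NotePropertyName $name -NotePropertyValue @{ value = $values[$name] }
    }
}
$params | ConvertTo-Json -Depth 20 | Set-Content -Path $paramFile

# Show what was written so it can be checked against the portal before deploying.
$values.GetEnumerator() | Format-Table Name, Value -AutoSize
```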

Set up Azure Active Directory client authentication

For Service Fabric clusters deployed in a public network hosted on Azure, the recommendation for client-to-node mutual authentication is:

  • Use Azure Active Directory for client identity.
  • Use a certificate for server identity and SSL encryption of HTTP communication.

Setting up Azure Active Directory (Azure AD) to authenticate clients for a Service Fabric cluster must be done before creating the cluster. Azure AD enables organizations (known as tenants) to manage user access to applications.

A Service Fabric cluster offers several entry points to its management functionality, including the web-based Service Fabric Explorer and Visual Studio. As a result, you create two Azure AD applications to control access to the cluster: one web application and one native application. After the applications are created, you assign users to read-only and admin roles.

Note

You must complete the following steps before you create the cluster. Because the scripts expect cluster names and endpoints, the values should be planned and not values that you have already created.

In this article, we assume that you've already created a tenant. If you haven't, start by reading How to get an Azure Active Directory tenant.

To simplify the steps involved in configuring Azure AD with a Service Fabric cluster, we've created a set of Windows PowerShell scripts. Download the scripts to your computer.

Create Azure AD applications and assign users to roles

Create two Azure AD applications to control access to the cluster: one web application and one native application. After you've created the applications to represent your cluster, assign your users to the roles supported by Service Fabric: read-only and admin.

Run SetupApplications.ps1, and provide the tenant ID, cluster name, and web application reply URL as parameters. Specify usernames and passwords for the users. For example:

$Configobj = .\SetupApplications.ps1 -TenantId '<MyTenantID>' -ClusterName 'mysfcluster123' -WebApplicationReplyUrl 'https://mysfcluster123.eastus.cloudapp.azure.com:19080/Explorer/index.html' -AddResourceAccess
.\SetupUser.ps1 -ConfigObj $Configobj -UserName 'TestUser' -Password 'P@ssword!123'
.\SetupUser.ps1 -ConfigObj $Configobj -UserName 'TestAdmin' -Password 'P@ssword!123' -IsAdmin

Note

For national clouds (for example, Azure Government, Azure China, Azure Germany), specify the -Location parameter.

You can find your TenantId, or directory ID, in the Azure portal. Select Azure Active Directory > Properties and copy the Directory ID value.

ClusterName is used to prefix the Azure AD applications that are created by the script. It doesn't need to exactly match the actual cluster name. It only makes it easier to map Azure AD artifacts to the Service Fabric cluster in use.

WebApplicationReplyUrl is the default endpoint that Azure AD returns to your users after they finish signing in. Set this endpoint as the Service Fabric Explorer endpoint for your cluster, which by default is:

https://<cluster_domain>:19080/Explorer

You're prompted to sign in to an account that has administrative privileges for the Azure AD tenant. After you sign in, the script creates the web and native applications to represent your Service Fabric cluster. In the tenant's applications in the Azure portal, you should see two new entries:

  • ClusterName_Cluster
  • ClusterName_Client

The script prints the JSON required by the Resource Manager template when you create the cluster, so it's a good idea to keep the PowerShell window open.

"azureActiveDirectory": {
  "tenantId":"<guid>",
  "clusterApplication":"<guid>",
  "clientApplication":"<guid>"
},

Add Azure AD configuration to use Azure AD for client access

In azuredeploy.json, configure Azure AD in the Microsoft.ServiceFabric/clusters section. Add parameters for the tenant ID, cluster application ID, and client application ID.

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
  "contentVersion": "1.0.0.0",
  "parameters": {
    ...

    "aadTenantId": {
      "type": "string",
      "defaultValue": "0e3d2646-78b3-4711-b8be-74a381d9890c"
    },
    "aadClusterApplicationId": {
      "type": "string",
      "defaultValue": "cb147d34-b0b9-4e77-81d6-420fef0c4180"
    },
    "aadClientApplicationId": {
      "type": "string",
      "defaultValue": "7a8f3b37-cc40-45cc-9b8f-57b8919ea461"
    }
  },

...

{
  "apiVersion": "2018-02-01",
  "type": "Microsoft.ServiceFabric/clusters",
  "name": "[parameters('clusterName')]",
  ...
  "properties": {
    ...
    "azureActiveDirectory": {
      "tenantId": "[parameters('aadTenantId')]",
      "clusterApplication": "[parameters('aadClusterApplicationId')]",
      "clientApplication": "[parameters('aadClientApplicationId')]"
    },
    ...
  }
}

azuredeploy.parameters.json 参数文件中添加参数值。Add the parameter values in the azuredeploy.parameters.json parameters file. 例如:For example:

"aadTenantId": {
"value": "0e3d2646-78b3-4711-b8be-74a381d9890c"
},
"aadClusterApplicationId": {
"value": "cb147d34-b0b9-4e77-81d6-420fef0c4180"
},
"aadClientApplicationId": {
"value": "7a8f3b37-cc40-45cc-9b8f-57b8919ea461"
}

Configure diagnostics collection on the cluster

When you're running a Service Fabric cluster, it's a good idea to collect the logs from all the nodes in a central location. Having the logs in a central location helps you analyze and troubleshoot issues in your cluster, or issues in the applications and services running in that cluster.

One way to upload and collect logs is to use the Azure Diagnostics (WAD) extension, which uploads logs to Azure Storage, and also has the option to send logs to Azure Application Insights or Event Hubs. You can also use an external process to read the events from storage and place them in an analysis platform product, such as Azure Monitor logs or another log-parsing solution.

If you are following this tutorial, diagnostics collection is already configured in the template.

If you have an existing cluster that doesn't have Diagnostics deployed, you can add or update it via the cluster template. Modify the Resource Manager template that's used to create the existing cluster, or download the template from the portal. Modify the template.json file by performing the following tasks:

Add a new storage resource to the resources section in the template:

"resources": [
...
{
  "apiVersion": "2015-05-01-preview",
  "type": "Microsoft.Storage/storageAccounts",
  "name": "[parameters('applicationDiagnosticsStorageAccountName')]",
  "location": "[parameters('computeLocation')]",
  "sku": {
    "accountType": "[parameters('applicationDiagnosticsStorageAccountType')]"
  },
  "tags": {
    "resourceType": "Service Fabric",
    "clusterName": "[parameters('clusterName')]"
  }
},
...
]

Next, add parameters for the storage account name and type to the parameters section of the template. Replace the placeholder text storage account name goes here with the name of the storage account you'd like.

"parameters": {
...
"applicationDiagnosticsStorageAccountType": {
    "type": "string",
    "allowedValues": [
    "Standard_LRS",
    "Standard_GRS"
    ],
    "defaultValue": "Standard_LRS",
    "metadata": {
    "description": "Replication option for the application diagnostics storage account"
    }
},
"applicationDiagnosticsStorageAccountName": {
    "type": "string",
    "defaultValue": "**STORAGE ACCOUNT NAME GOES HERE**",
    "metadata": {
    "description": "Name for the storage account that contains application diagnostics data from the cluster"
    }
},
...
}

Next, add the IaaSDiagnostics extension to the extensions array of the VirtualMachineProfile property of each Microsoft.Compute/virtualMachineScaleSets resource in the cluster. If you're using the sample template, there are three virtual machine scale sets (one for each node type in the cluster).

"apiVersion": "2018-10-01",
"type": "Microsoft.Compute/virtualMachineScaleSets",
"name": "[variables('vmNodeType1Name')]",
"properties": {
    ...
    "virtualMachineProfile": {
        "extensionProfile": {
            "extensions": [
                {
                    "name": "[concat(parameters('vmNodeType0Name'),'_Microsoft.Insights.VMDiagnosticsSettings')]",
                    "properties": {
                        "type": "IaaSDiagnostics",
                        "autoUpgradeMinorVersion": true,
                        "protectedSettings": {
                        "storageAccountName": "[parameters('applicationDiagnosticsStorageAccountName')]",
                        "storageAccountKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('applicationDiagnosticsStorageAccountName')),'2015-05-01-preview').key1]",
                        "storageAccountEndPoint": "https://core.windows.net/"
                        },
                        "publisher": "Microsoft.Azure.Diagnostics",
                        "settings": {
                        "WadCfg": {
                            "DiagnosticMonitorConfiguration": {
                            "overallQuotaInMB": "50000",
                            "EtwProviders": {
                                "EtwEventSourceProviderConfiguration": [
                                {
                                    "provider": "Microsoft-ServiceFabric-Actors",
                                    "scheduledTransferKeywordFilter": "1",
                                    "scheduledTransferPeriod": "PT5M",
                                    "DefaultEvents": {
                                    "eventDestination": "ServiceFabricReliableActorEventTable"
                                    }
                                },
                                {
                                    "provider": "Microsoft-ServiceFabric-Services",
                                    "scheduledTransferPeriod": "PT5M",
                                    "DefaultEvents": {
                                    "eventDestination": "ServiceFabricReliableServiceEventTable"
                                    }
                                }
                                ],
                                "EtwManifestProviderConfiguration": [
                                {
                                    "provider": "cbd93bc2-71e5-4566-b3a7-595d8eeca6e8",
                                    "scheduledTransferLogLevelFilter": "Information",
                                    "scheduledTransferKeywordFilter": "4611686018427387904",
                                    "scheduledTransferPeriod": "PT5M",
                                    "DefaultEvents": {
                                    "eventDestination": "ServiceFabricSystemEventTable"
                                    }
                                }
                                ]
                            }
                            }
                        },
                        "StorageAccount": "[parameters('applicationDiagnosticsStorageAccountName')]"
                        },
                        "typeHandlerVersion": "1.5"
                    }
                }
            ...
            ]
        }
    }
}

Configure the EventStore service

The EventStore service is a monitoring option in Service Fabric. EventStore provides a way to understand the state of your cluster or workloads at a given point in time. The EventStore is a stateful Service Fabric service that maintains events from the cluster. The events are exposed through Service Fabric Explorer, REST, and APIs. EventStore queries the cluster directly to get diagnostics data on any entity in your cluster and should be used to help:

  • Diagnose issues in development or testing, or where you might be using a monitoring pipeline
  • Confirm that management actions you are taking on your cluster are being processed correctly
  • Get a "snapshot" of how Service Fabric is interacting with a particular entity

To enable the EventStore service on your cluster, add the following to the fabricSettings property of the Microsoft.ServiceFabric/clusters resource:

"apiVersion": "2018-02-01",
"type": "Microsoft.ServiceFabric/clusters",
"name": "[parameters('clusterName')]",
"properties": {
    ...
    "fabricSettings": [
        ...
        {
            "name": "EventStoreService",
            "parameters": [
                {
                "name": "TargetReplicaSetSize",
                "value": "3"
                },
                {
                "name": "MinReplicaSetSize",
                "value": "1"
                }
            ]
        }
    ]
}

Set up Azure Monitor logs for the cluster

Azure Monitor logs is our recommendation to monitor cluster-level events. To set up Azure Monitor logs to monitor your cluster, you need to have diagnostics enabled to view cluster-level events.

The workspace needs to be connected to the diagnostics data coming from your cluster. This log data is stored in the applicationDiagnosticsStorageAccountName storage account, in the WADServiceFabric*EventTable, WADWindowsEventLogsTable, and WADETWEventTable tables.

Add the Azure Log Analytics workspace and add the solution to the workspace:

"resources": [
    ...
    {
        "apiVersion": "2015-11-01-preview",
        "location": "[parameters('omsRegion')]",
        "name": "[parameters('omsWorkspacename')]",
        "type": "Microsoft.OperationalInsights/workspaces",
        "properties": {
            "sku": {
                "name": "Free"
            }
        },
        "resources": [
            {
                "apiVersion": "2015-11-01-preview",
                "name": "[concat(variables('applicationDiagnosticsStorageAccountName'),parameters('omsWorkspacename'))]",
                "type": "storageinsightconfigs",
                "dependsOn": [
                    "[concat('Microsoft.OperationalInsights/workspaces/', parameters('omsWorkspacename'))]",
                    "[concat('Microsoft.Storage/storageAccounts/', variables('applicationDiagnosticsStorageAccountName'))]"
                ],
                "properties": {
                    "containers": [],
                    "tables": [
                        "WADServiceFabric*EventTable",
                        "WADWindowsEventLogsTable",
                        "WADETWEventTable"
                    ],
                    "storageAccount": {
                        "id": "[resourceId('Microsoft.Storage/storageaccounts/', variables('applicationDiagnosticsStorageAccountName'))]",
                        "key": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('applicationDiagnosticsStorageAccountName')),'2015-06-15').key1]"
                    }
                }
            },
            {
                "apiVersion": "2015-11-01-preview",
                "type": "datasources",
                "name": "sampleWindowsPerfCounter",
                "dependsOn": [
                    "[concat('Microsoft.OperationalInsights/workspaces/', parameters('omsWorkspacename'))]"
                ],
                "kind": "WindowsPerformanceCounter",
                "properties": {
                    "objectName": "Memory",
                    "instanceName": "*",
                    "intervalSeconds": 10,
                    "counterName": "Available MBytes"
                }
            },
            {
                "apiVersion": "2015-11-01-preview",
                "type": "datasources",
                "name": "sampleWindowsPerfCounter2",
                "dependsOn": [
                    "[concat('Microsoft.OperationalInsights/workspaces/', parameters('omsWorkspacename'))]"
                ],
                "kind": "WindowsPerformanceCounter",
                "properties": {
                    "objectName": "Service Fabric Service",
                    "instanceName": "*",
                    "intervalSeconds": 10,
                    "counterName": "Average milliseconds per request"
                }
            }
        ]
    },
    {
        "apiVersion": "2015-11-01-preview",
        "location": "[parameters('omsRegion')]",
        "name": "[variables('solution')]",
        "type": "Microsoft.OperationsManagement/solutions",
        "dependsOn": [
            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('omsWorkspacename'))]"
        ],
        "properties": {
            "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('omsWorkspacename'))]"
        },
        "plan": {
            "name": "[variables('solution')]",
            "publisher": "Microsoft",
            "product": "[Concat('OMSGallery/', variables('solutionName'))]",
            "promotionCode": ""
        }
    }
]

Next, add parameters:

"parameters": {
    ...
    "omsWorkspacename": {
        "type": "string",
        "defaultValue": "mysfomsworkspace",
        "metadata": {
            "description": "Name of your OMS Log Analytics Workspace"
        }
    },
    "omsRegion": {
        "type": "string",
        "defaultValue": "West Europe",
        "allowedValues": [
            "West Europe",
            "East US",
            "Southeast Asia"
        ],
        "metadata": {
            "description": "Specify the Azure Region for your OMS workspace"
        }
    }
}

Next, add variables:

"variables": {
    ...
    "solution": "[Concat('ServiceFabric', '(', parameters('omsWorkspacename'), ')')]",
    "solutionName": "ServiceFabric"
}

Add the Log Analytics agent extension to each virtual machine scale set in the cluster and connect the agent to the Log Analytics workspace. This enables collecting diagnostics data about containers, applications, and performance monitoring. By adding it as an extension to the virtual machine scale set resource, Azure Resource Manager ensures that it gets installed on every node, even when scaling the cluster.

"apiVersion": "2018-10-01",
"type": "Microsoft.Compute/virtualMachineScaleSets",
"name": "[variables('vmNodeType1Name')]",
"properties": {
    ...
    "virtualMachineProfile": {
        "extensionProfile": {
            "extensions": [
                {
                    "name": "[concat(variables('vmNodeType0Name'),'OMS')]",
                    "properties": {
                        "publisher": "Microsoft.EnterpriseCloud.Monitoring",
                        "type": "MicrosoftMonitoringAgent",
                        "typeHandlerVersion": "1.0",
                        "autoUpgradeMinorVersion": true,
                        "settings": {
                            "workspaceId": "[reference(resourceId('Microsoft.OperationalInsights/workspaces/', parameters('omsWorkspacename')), '2015-11-01-preview').customerId]"
                        },
                        "protectedSettings": {
                            "workspaceKey": "[listKeys(resourceId('Microsoft.OperationalInsights/workspaces/', parameters('omsWorkspacename')),'2015-11-01-preview').primarySharedKey]"
                        }
                    }
                }
            ...
            ]
        }
    }
}

Deploy the virtual network and cluster

Next, set up the network topology and deploy the Service Fabric cluster. The azuredeploy.json Resource Manager template creates a virtual network, subnet, and network security group for Service Fabric. The template also deploys a cluster with certificate security enabled. For production clusters, use a certificate from a certificate authority as the cluster certificate. A self-signed certificate can be used to secure test clusters.

The template in this article deploys a cluster that uses the certificate thumbprint to identify the cluster certificate. No two certificates can have the same thumbprint, which makes certificate management more difficult. Switching a deployed cluster from certificate thumbprints to certificate common names simplifies certificate management. To learn how to update the cluster to use certificate common names for certificate management, read Change cluster to certificate common name management.

Create a cluster by using an existing certificate

The following script uses the New-AzServiceFabricCluster cmdlet and a template to deploy a new cluster in Azure. The cmdlet creates a new key vault in Azure and uploads your certificate.

# Variables.
$groupname = "sfclustertutorialgroup"
$clusterloc="southcentralus"  # Must match the location parameter in the template
$templatepath="C:\temp\cluster"
$certpath="C:\mycertificates\mycluster.pfx"  # Path to your existing cluster certificate (.pfx); replace with your own file

$certpwd="q6D7nN%6ck@6" | ConvertTo-SecureString -AsPlainText -Force  # Password protecting the .pfx; use your own
$clustername = "mysfcluster123"  # Must match the clustername parameter in the template
$vaultname = "clusterkeyvault123"
$vaultgroupname="clusterkeyvaultgroup123"
$subname="$clustername.$clusterloc.cloudapp.azure.com"

# Sign in to your Azure account and select your subscription
Connect-AzAccount
Get-AzSubscription
Set-AzContext -SubscriptionId <guid>

# Create a new resource group for your deployment, and give it a name and a location.
New-AzResourceGroup -Name $groupname -Location $clusterloc

# Create the Service Fabric cluster.
New-AzServiceFabricCluster  -ResourceGroupName $groupname -TemplateFile "$templatepath\azuredeploy.json" `
-ParameterFile "$templatepath\azuredeploy.parameters.json" -CertificatePassword $certpwd `
-KeyVaultName $vaultname -KeyVaultResourceGroupName $vaultgroupname -CertificateFile $certpath

Create a cluster by using a new, self-signed certificate

The following script uses the New-AzServiceFabricCluster cmdlet and a template to deploy a new cluster in Azure. The cmdlet creates a new key vault in Azure, adds a new self-signed certificate to the key vault, and downloads the certificate file locally.

# Variables.
$groupname = "sfclustertutorialgroup"
$clusterloc="southcentralus"  # Must match the location parameter in the template
$templatepath="C:\temp\cluster"

$certpwd="q6D7nN%6ck@6" | ConvertTo-SecureString -AsPlainText -Force
$certfolder="c:\mycertificates\"
$clustername = "mysfcluster123"
$vaultname = "clusterkeyvault123"
$vaultgroupname="clusterkeyvaultgroup123"
$subname="$clustername.$clusterloc.cloudapp.azure.com"

# Sign in to your Azure account and select your subscription
Connect-AzAccount
Get-AzSubscription
Set-AzContext -SubscriptionId <guid>

# Create a new resource group for your deployment, and give it a name and a location.
New-AzResourceGroup -Name $groupname -Location $clusterloc

# Create the Service Fabric cluster.
New-AzServiceFabricCluster  -ResourceGroupName $groupname -TemplateFile "$templatepath\azuredeploy.json" `
-ParameterFile "$templatepath\azuredeploy.parameters.json" -CertificatePassword $certpwd `
-CertificateOutputFolder $certfolder -KeyVaultName $vaultname -KeyVaultResourceGroupName $vaultgroupname -CertificateSubjectName $subname

Connect to the secure cluster

Connect to the cluster by using the Service Fabric PowerShell module installed with the Service Fabric SDK. First, install the certificate into the Personal (My) store of the current user on your computer. Run the following PowerShell command:

$certpwd="q6D7nN%6ck@6" | ConvertTo-SecureString -AsPlainText -Force
Import-PfxCertificate -Exportable -CertStoreLocation Cert:\CurrentUser\My `
        -FilePath C:\mycertificates\mysfcluster20170531104310.pfx `
        -Password $certpwd

You're now ready to connect to your secure cluster.

The Service Fabric PowerShell module provides many cmdlets for managing Service Fabric clusters, applications, and services. Use the Connect-ServiceFabricCluster cmdlet to connect to the secure cluster. The certificate SHA1 thumbprint and connection endpoint details are found in the output from the previous step.

If you previously set up Azure AD client authentication, run the following command:

Connect-ServiceFabricCluster -ConnectionEndpoint mysfcluster123.southcentralus.cloudapp.azure.com:19000 `
        -KeepAliveIntervalInSec 10 `
        -AzureActiveDirectory `
        -ServerCertThumbprint C4C1E541AD512B8065280292A8BA6079C3F26F10

If you didn't set up Azure AD client authentication, run the following command:

Connect-ServiceFabricCluster -ConnectionEndpoint mysfcluster123.southcentralus.cloudapp.azure.com:19000 `
          -KeepAliveIntervalInSec 10 `
          -X509Credential -ServerCertThumbprint C4C1E541AD512B8065280292A8BA6079C3F26F10 `
          -FindType FindByThumbprint -FindValue C4C1E541AD512B8065280292A8BA6079C3F26F10 `
          -StoreLocation CurrentUser -StoreName My
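The commands above paste the thumbprint in by hand. As an added example (not part of the original tutorial), the helper below reads it from the .pfx imported earlier and refuses to connect if the certificate is expired, not yet valid, does not name the cluster endpoint, or has not been imported into the CurrentUser\My store. It assumes the `$certpwd` and `$subname` variables and the .pfx file name from the steps above.

```powershell
# Added example, not part of the original tutorial. $certpwd and $subname are the
# variables defined in the scripts earlier on this page.
function Get-VerifiedClusterCertThumbprint {
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [Parameter(Mandatory)] [string]       $ExpectedDnsName,
        [int] $MinDaysValid = 30
    )
    # Load the certificate from the .pfx without touching any certificate store.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $PfxPath, $PfxPassword, 'DefaultKeySet'
    $now = Get-Date

    if ($cert.NotBefore -gt $now) {
        throw "Certificate $($cert.Thumbprint) is not valid until $($cert.NotBefore)."
    }
    if ($cert.NotAfter -lt $now.AddDays($MinDaysValid)) {
        throw "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter); rotate it before connecting."
    }
    # The cluster DNS name must match the certificate's SAN dNSName (or the CN as fallback).
    $dnsName = $cert.GetNameInfo('DnsName', $false)
    if ($dnsName -ne $ExpectedDnsName) {
        throw "Certificate is issued to '$dnsName' but the cluster endpoint is '$ExpectedDnsName'."
    }
    # Connect-ServiceFabricCluster looks the client certificate up by thumbprint in
    # CurrentUser\My, so fail early if Import-PfxCertificate has not been run.
    if (-not (Test-Path "Cert:\CurrentUser\My\$($cert.Thumbprint)")) {
        throw "Certificate $($cert.Thumbprint) is not in Cert:\CurrentUser\My; run Import-PfxCertificate first."
    }
    return $cert.Thumbprint   # SHA1 hex string, the format -ServerCertThumbprint expects
}

$thumb = Get-VerifiedClusterCertThumbprint -PfxPath "C:\mycertificates\mysfcluster20170531104310.pfx" `
             -PfxPassword $certpwd -ExpectedDnsName $subname

# Pin the server certificate to the same thumbprint and authenticate with the matching client certificate.
Connect-ServiceFabricCluster -ConnectionEndpoint "$($subname):19000" `
        -KeepAliveIntervalInSec 10 `
        -X509Credential -ServerCertThumbprint $thumb `
        -FindType FindByThumbprint -FindValue $thumb `
        -StoreLocation CurrentUser -StoreName My
```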

Check that you're connected and that the cluster is healthy by using the Get-ServiceFabricClusterHealth cmdlet.

Get-ServiceFabricClusterHealth

Clean up resources

The other articles in this tutorial series use the cluster you've created. If you're not immediately moving on to the next article, you might want to delete the cluster to avoid incurring charges.

Next steps

Advance to the following tutorial to learn how to scale your cluster.


Next, advance to the following tutorial to learn how to monitor your cluster.