Azure Service Fabric security checklist

This article provides an easy-to-use checklist that will help you secure your Azure Service Fabric environment.

Introduction

Azure Service Fabric is a distributed systems platform that makes it easy to package, deploy, and manage scalable and reliable microservices. Service Fabric also addresses the significant challenges in developing and managing cloud applications. Developers and administrators can avoid complex infrastructure problems and focus on implementing mission-critical, demanding workloads that are scalable, reliable, and manageable.

Checklist

Use the following checklist to help you make sure that you haven't overlooked any important issues in the management and configuration of a secure Azure Service Fabric solution.

Checklist Category | Description

Role based access control (RBAC)
  • Access control allows the cluster administrator to limit access to certain cluster operations for different groups of users, making the cluster more secure.
  • Administrators have full access to management capabilities (including read/write capabilities).
  • Users, by default, have only read access to management capabilities (for example, query capabilities), and the ability to resolve applications and services.

X.509 certificates and Service Fabric

Cluster Security

Cluster authentication

Server authentication

Application security
  • Encryption and decryption of application configuration values.
  • Encryption of data across nodes during replication.

Cluster Certificate
  • This certificate is required to secure the communication between the nodes on a cluster.
  • Set the thumbprint of the primary certificate in the Thumbprint section and that of the secondary in the ThumbprintSecondary variable.

ServerCertificate
  • This certificate is presented to the client when it tries to connect to this cluster. You can use two different server certificates, a primary and a secondary, for upgrade.

ClientCertificateThumbprints
  • This is a set of certificates that you want to install on the authenticated clients.

ClientCertificateCommonNames
  • Set the common name of the first client certificate for the CertificateCommonName. The CertificateIssuerThumbprint is the thumbprint for the issuer of this certificate.

ReverseProxyCertificate
  • This is an optional certificate that can be specified if you want to secure your Reverse Proxy.

Key Vault
  • Used to manage certificates for Service Fabric clusters in Azure.
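The certificate rows above correspond to properties of the Microsoft.ServiceFabric/clusters ARM resource. The following added example (not from this page or from Microsoft) audits a constructed resource of that shape against those rows; the property names follow the ARM schema, while the thumbprints, host name and node type name are placeholders.

```python
"""Audit a Service Fabric cluster ARM resource against the certificate checklist.
Added example, not from the page or from Microsoft tooling; the sample resource
and its thumbprints are constructed placeholders, not real certificates."""
import json
import re

# A certificate thumbprint is the SHA-1 hash of the certificate: 40 hex digits.
THUMBPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")

SAMPLE_CLUSTER = json.loads("""{
  "type": "Microsoft.ServiceFabric/clusters",
  "properties": {
    "certificate": {"thumbprint": "%s", "x509StoreName": "My"},
    "clientCertificateThumbprints": [
      {"certificateThumbprint": "%s", "isAdmin": true},
      {"certificateThumbprint": "not-a-thumbprint", "isAdmin": false}
    ],
    "clientCertificateCommonNames": [
      {"certificateCommonName": "sfreader.contoso.example", "isAdmin": false}
    ],
    "nodeTypes": [{"name": "nt0", "reverseProxyEndpointPort": 19081}]
  }
}""" % ("A" * 40, "B" * 40))


def audit_cluster(resource):
    """Return the list of findings for one cluster resource; empty means clean."""
    p = resource.get("properties", {})
    findings = []
    cert = p.get("certificate") or {}
    if not THUMBPRINT_RE.match(cert.get("thumbprint", "")):
        findings.append("cluster certificate missing or its Thumbprint is malformed")
    if not cert.get("thumbprintSecondary"):
        findings.append("no ThumbprintSecondary staged for certificate rollover")
    by_thumb = p.get("clientCertificateThumbprints", [])
    by_name = p.get("clientCertificateCommonNames", [])
    if not by_thumb and not by_name:
        findings.append("no client certificates: admin and read-only users cannot be separated")
    elif not any(c.get("isAdmin") for c in by_thumb + by_name):
        findings.append("no client certificate is marked isAdmin")
    for c in by_thumb:
        if not THUMBPRINT_RE.match(c.get("certificateThumbprint", "")):
            findings.append("client thumbprint %r is malformed" % c.get("certificateThumbprint"))
    for c in by_name:  # without a pinned issuer, any trusted chain ending in this CN is accepted
        if not c.get("certificateIssuerThumbprint"):
            findings.append("common name %r has no CertificateIssuerThumbprint" % c["certificateCommonName"])
    proxy_on = any("reverseProxyEndpointPort" in nt for nt in p.get("nodeTypes", []))
    if proxy_on and not p.get("reverseProxyCertificate"):
        findings.append("reverse proxy endpoint enabled without a ReverseProxyCertificate")
    return findings
```

Run audit_cluster() over the cluster resource exported from your own ARM template; the constructed sample above produces four findings (missing secondary thumbprint, a malformed client thumbprint, an unpinned common name, and a reverse proxy without a certificate).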

Next steps