Create a Service Fabric cluster in Azure using the Azure portal

This is a step-by-step guide that walks you through setting up a Service Fabric cluster (Linux or Windows) in Azure using the Azure portal. The guide covers the following steps:

  • Create a cluster in Azure through the Azure portal.
  • Authenticate administrators using certificates.

Note

For more advanced security options, such as user authentication with Azure Active Directory and setting up certificates for application security, create your cluster using Azure Resource Manager.

Cluster security

Certificates are used in Service Fabric to provide authentication and encryption to secure various aspects of a cluster and its applications. For more information on how certificates are used in Service Fabric, see Service Fabric cluster security scenarios.

If this is the first time you are creating a Service Fabric cluster, or you are deploying a cluster for test workloads, you can skip to the next section (Create cluster in the Azure portal) and have the system generate the certificates needed for clusters that run test workloads. If you are setting up a cluster for production workloads, continue reading.

Cluster and server certificate (required)

This certificate is required to secure a cluster and prevent unauthorized access to it. It provides cluster security in two ways:

  • Cluster authentication: Authenticates node-to-node communication for cluster federation. Only nodes that can prove their identity with this certificate can join the cluster.
  • Server authentication: Authenticates the cluster management endpoints to a management client, so that the management client knows it is talking to the real cluster. This certificate also provides TLS for the HTTPS management API and for Service Fabric Explorer over HTTPS.

To serve these purposes, the certificate must meet the following requirements:

  • The certificate must contain a private key.
  • The certificate must be created for key exchange and be exportable to a Personal Information Exchange (.pfx) file.
  • The certificate's subject name must match the domain used to access the Service Fabric cluster. This is required to provide TLS for the cluster's HTTPS management endpoints and Service Fabric Explorer. You cannot obtain a TLS/SSL certificate from a certificate authority (CA) for the .cloudapp.azure.com domain. Acquire a custom domain name for your cluster. When you request a certificate from a CA, the certificate's subject name must match the custom domain name used for your cluster.
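The following script is an added example, not part of the original article or of Service Fabric itself. It creates a self-signed certificate with OpenSSL for an assumed placeholder domain (mycluster.contoso.example), exports it to a password-protected .pfx, and then checks the three requirements listed above (private key present, exportable as .pfx, subject name equal to the management domain). In production the certificate would come from a CA for your own custom domain rather than being self-signed; the checks apply unchanged to such a certificate.

```shell
#!/bin/sh
# Added example (not from the original article): build a cluster/server
# certificate for a placeholder custom domain and verify it against the
# requirements above. Self-signed here only so the script runs offline.
set -eu

WORKDIR="$(mktemp -d)"

# Create a key pair and certificate whose subject CN is the cluster's custom
# domain, then export both into a .pfx protected by the given password.
# Prints the path of the .pfx file.
make_cluster_cert() {
  domain="$1"; pfx_password="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$domain" \
    -keyout "$WORKDIR/cluster.key" -out "$WORKDIR/cluster.crt" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORKDIR/cluster.key" -in "$WORKDIR/cluster.crt" \
    -out "$WORKDIR/cluster.pfx" -passout "pass:$pfx_password"
  echo "$WORKDIR/cluster.pfx"
}

# Requirement: the .pfx must carry the private key; that key is what the nodes
# use to prove their identity to each other. Returns 0 when a key is present.
pfx_has_private_key() {
  pfx="$1"; pfx_password="$2"
  openssl pkcs12 -in "$pfx" -passin "pass:$pfx_password" -nocerts -nodes 2>/dev/null \
    | grep -q "PRIVATE KEY"
}

# Requirement: the subject CN must equal the domain clients use to reach the
# management endpoints, otherwise TLS validation fails. Prints the CN.
pfx_subject_cn() {
  pfx="$1"; pfx_password="$2"
  openssl pkcs12 -in "$pfx" -passin "pass:$pfx_password" -clcerts -nokeys 2>/dev/null \
    | openssl x509 -noout -subject \
    | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Returns 0 when the .pfx is usable as the cluster certificate for "domain".
check_cluster_cert() {
  pfx="$1"; pfx_password="$2"; domain="$3"
  pfx_has_private_key "$pfx" "$pfx_password" || return 1
  [ "$(pfx_subject_cn "$pfx" "$pfx_password")" = "$domain" ]
}

# Usage: generate the certificate and run the checks against the placeholder
# domain and against a .cloudapp.azure.com name, which must be rejected.
PFX="$(make_cluster_cert mycluster.contoso.example 'Example-Pfx-Pass-1')"
if check_cluster_cert "$PFX" 'Example-Pfx-Pass-1' mycluster.contoso.example; then
  echo "certificate is valid for mycluster.contoso.example"
fi
if ! check_cluster_cert "$PFX" 'Example-Pfx-Pass-1' mycluster.cloudapp.azure.com; then
  echo "certificate is NOT valid for mycluster.cloudapp.azure.com (subject mismatch)"
fi
```

The same checks can be run against a CA-issued .pfx before uploading it to Key Vault: a certificate that fails pfx_has_private_key cannot be used for node-to-node authentication, and one whose CN does not match the management domain will produce TLS errors in Service Fabric Explorer and the HTTPS management API.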

Client authentication certificates

Additional client certificates authenticate administrators for cluster management tasks. Service Fabric has two access levels: admin and read-only user. At a minimum, a single certificate for administrative access should be used. For additional user-level access, a separate certificate must be provided. For more information on access roles, see role-based access control for Service Fabric clients.

You do not need to upload client authentication certificates to Key Vault to work with Service Fabric. These certificates only need to be provided to users who are authorized for cluster management.

Note

Azure Active Directory is the recommended way to authenticate clients for cluster management operations. To use Azure Active Directory, you must create a cluster using Azure Resource Manager.

Application certificates (optional)

Any number of additional certificates can be installed on a cluster for application security purposes. Before creating your cluster, consider the application security scenarios that require a certificate to be installed on the nodes, such as:

  • Encryption and decryption of application configuration values
  • Encryption of data across nodes during replication

Application certificates cannot be configured when creating a cluster through the Azure portal. To configure application certificates at cluster setup time, you must create the cluster using Azure Resource Manager. You can also add application certificates to the cluster after it has been created.

Create cluster in the Azure portal

Creating a production cluster that meets your application needs involves some planning. To help with that, it is strongly recommended that you read and understand the Service Fabric cluster planning considerations document.

Search for the Service Fabric cluster resource

Sign in to the Azure portal. Click Create a resource to add a new resource template. Search for the Service Fabric Cluster template in the Marketplace under Everything. Select Service Fabric Cluster from the list.

(Screenshot: searching for the Service Fabric cluster template in the Azure portal.)

Navigate to the Service Fabric Cluster blade, and click Create.

The Create Service Fabric cluster blade has the following four steps:

1. Basics

(Screenshot: creating a new resource group.)

In the Basics blade, you need to provide the basic details for your cluster.

  1. Enter the name of your cluster.

  2. Enter a User name and Password for Remote Desktop access to the VMs.

  3. Make sure to select the Subscription that you want your cluster to be deployed to, especially if you have multiple subscriptions.

  4. Create a new Resource group. It is best to give it the same name as the cluster, since this makes both easier to find later, especially when you want to change your deployment or delete your cluster.

    Note

    Although you can use an existing resource group, it is good practice to create a new one. This makes it easy to delete the cluster and all the resources it uses.

  5. Select the Location in which you want to create the cluster. If you plan to use an existing certificate that you have already uploaded to a key vault, you must use the same region that your key vault is in.

2. Cluster configuration

(Screenshot: creating a node type.)

Configure your cluster nodes. Node types define the VM sizes, the number of VMs, and their properties. Your cluster can have more than one node type, but the primary node type (the first one that you define in the portal) must have at least five VMs, as this is the node type where the Service Fabric system services are placed. Do not configure Placement Properties, because a default placement property of "NodeTypeName" is added automatically.

Note

A common scenario for multiple node types is an application that contains a front-end service and a back-end service. You want to put the front-end service on smaller VMs (VM sizes like D2_V2) with ports open to the Internet, and put the back-end service on larger VMs (VM sizes like D3_V2, D6_V2, D15_V2, and so on) with no Internet-facing ports open.

  1. Choose a name for your node type (1 to 12 characters containing only letters and numbers).
  2. The minimum VM size for the primary node type is driven by the Durability tier you choose for the cluster. The default durability tier is Bronze. For more information on durability, see how to choose the Service Fabric cluster durability.
  3. Select the Virtual machine size. D-series VMs have SSD drives and are highly recommended for stateful applications. Do not use any VM SKU that has partial cores or less than 10 GB of available disk capacity. Refer to the Service Fabric cluster planning considerations document for help in selecting the VM size.
  4. Single-node clusters and three-node clusters are meant for test use only. They are not supported for any production workloads.
  5. Choose the Initial VM scale set capacity for the node type. You can scale the number of VMs in a node type in or out later on, but on the primary node type the minimum is five for production workloads. Other node types can have a minimum of one VM. The minimum number of VMs for the primary node type drives the reliability of your cluster.
  6. Configure Custom endpoints. This field allows you to enter a comma-separated list of ports that you want to expose through the Azure Load Balancer to the public Internet for your applications. For example, if you plan to deploy a web application to your cluster, enter "80" here to allow traffic on port 80 into your cluster. For more information on endpoints, see communicating with applications.
  7. Enable reverse proxy. The Service Fabric reverse proxy helps microservices running in a Service Fabric cluster discover and communicate with other services that have HTTP endpoints.
  8. Back in the Cluster configuration blade, under +Show optional settings, configure cluster diagnostics. By default, diagnostics are enabled on your cluster to assist with troubleshooting issues. If you want to disable diagnostics, change the Status toggle to Off. Turning off diagnostics is not recommended. If you already have an Application Insights project created, provide its key so that application traces are routed to it.
  9. Include DNS service. The DNS service is an optional service that enables you to find other services using the DNS protocol.
  10. Select the Fabric upgrade mode you want to set your cluster to. Select Automatic if you want the system to automatically pick up the latest available version and try to upgrade your cluster to it. Set the mode to Manual if you want to choose a supported version yourself. For more details on the Fabric upgrade mode, see the Service Fabric cluster upgrade document.

Note

We support only clusters that are running supported versions of Service Fabric. By selecting the Manual mode, you are taking on the responsibility to upgrade your cluster to a supported version.

3. Security

(Screenshot: security settings in the Azure portal.)

To make setting up a secure test cluster easy for you, we have provided the Basic option. If you already have a certificate and have uploaded it to your key vault (and enabled the key vault for deployment), use the Custom option.

Basic option

Follow the screens to add or reuse an existing key vault and add a certificate. Adding the certificate is a synchronous process, so you will have to wait for the certificate to be created.

Do not navigate away from the screen until the preceding process is completed.

(Screenshot: CreateKeyVault)

Now that the key vault is created, edit the access policies for your key vault.

(Screenshot: CreateKeyVault2)

Click Edit access policies, then Show advanced access policies, and enable access to Azure Virtual Machines for deployment. It is recommended that you enable template deployment as well. Once you have made your selections, do not forget to click the Save button and close the Access policies pane.

(Screenshot: CreateKeyVault3)

Enter the name of the certificate and click OK.

(Screenshot: CreateKeyVault4)

Custom option

Skip this section if you have already performed the steps in the Basic option.

(Screenshot: SecurityCustomOption)

You need the Source key vault, Certificate URL, and Certificate thumbprint information to complete the security page. If you do not have it handy, open another browser window and do the following in the Azure portal:

  1. Navigate to your key vault service.

  2. Select the "Properties" tab and copy the 'RESOURCE ID' to "Source key vault" in the other browser window.

    (Screenshot: CertInfo0)

  3. Now select the "Certificates" tab.

  4. Click on the certificate thumbprint, which takes you to the Versions page.

  5. Click on the GUID you see under the current version.

    (Screenshot: CertInfo1)

  6. You should now be on a screen like the one below. Copy the hexadecimal SHA-1 thumbprint to "Certificate thumbprint" in the other browser window.

  7. Copy the 'Secret Identifier' to "Certificate URL" in the other browser window.

    (Screenshot: CertInfo2)

Check the Configure advanced settings box to enter client certificates for the admin client and the read-only client. In these fields, enter the thumbprint of your admin client certificate and, if applicable, the thumbprint of your read-only user client certificate. When administrators attempt to connect to the cluster, they are granted access only if they present a certificate whose thumbprint matches one of the thumbprint values entered here.
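As an added example (not part of the original article or of Service Fabric), the script below shows how to derive the hexadecimal SHA-1 thumbprint that step 6 above refers to from a certificate file with OpenSSL, and models the access decision just described: a presenting certificate is mapped to the admin level if its thumbprint matches the admin entry, to read-only if it matches the read-only entry, and is otherwise denied. The self-signed certificates, the role labels "admin", "reader" and "denied", and the function names are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): compute client certificate
# thumbprints in the form the portal shows them (40 uppercase hex digits,
# no separators) and model the thumbprint-based access check.
set -eu

WORKDIR="$(mktemp -d)"

# Create a self-signed client certificate (PEM) for illustration. In practice
# an administrator's certificate would be issued by your own CA.
# Prints the path of the certificate file.
make_client_cert() {
  name="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$name" \
    -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.crt" >/dev/null 2>&1
  echo "$WORKDIR/$name.crt"
}

# SHA-1 fingerprint of the DER-encoded certificate, printed as "AB12...";
# this is the value Key Vault and the portal call the thumbprint.
cert_thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 \
    | sed 's/^.*=//; s/://g' | tr 'a-f' 'A-F'
}

# Normalise a thumbprint pasted from the portal: strip colons and spaces and
# upper-case it, so a lower-case copy still compares equal.
normalise_thumbprint() {
  printf '%s' "$1" | sed 's/[: ]//g' | tr 'a-f' 'A-F'
}

# Decide the access level for a presenting certificate, given the admin and
# read-only thumbprints entered in the Security blade (read-only may be empty).
# Prints "admin", "reader" or "denied".
access_level_for() {
  cert="$1"; admin_tp="$(normalise_thumbprint "$2")"; reader_tp="$(normalise_thumbprint "$3")"
  tp="$(cert_thumbprint "$cert")"
  if [ "$tp" = "$admin_tp" ]; then
    echo admin
  elif [ -n "$reader_tp" ] && [ "$tp" = "$reader_tp" ]; then
    echo reader
  else
    echo denied
  fi
}

# Usage: issue three certificates, register two of them, and check who gets in.
ADMIN_CERT="$(make_client_cert admin)"
READER_CERT="$(make_client_cert reader)"
OTHER_CERT="$(make_client_cert other)"
ADMIN_TP="$(cert_thumbprint "$ADMIN_CERT")"
READER_TP="$(cert_thumbprint "$READER_CERT")"
echo "admin thumbprint:  $ADMIN_TP"
echo "reader thumbprint: $READER_TP"
for c in "$ADMIN_CERT" "$READER_CERT" "$OTHER_CERT"; do
  echo "$(basename "$c"): $(access_level_for "$c" "$ADMIN_TP" "$READER_TP")"
done
```

Because access is decided purely by thumbprint, any holder of the matching certificate and private key is an administrator; this is why the client certificates only need to be distributed to the people authorized to manage the cluster, and why a certificate that is rotated or lost must have its thumbprint removed from the cluster configuration.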

4. Summary

Now you are ready to deploy the cluster. Before you do that, download the certificate; look inside the large blue informational box for the link. Make sure to keep the certificate in a safe place, since you need it to connect to your cluster. Because the certificate you downloaded does not have a password, it is advised that you add one.

To complete the cluster creation, click Create. You can optionally download the template.

(Screenshot: Summary)

You can see the creation progress in the notifications (click the "Bell" icon near the status bar at the upper right of your screen). If you clicked Pin to Startboard while creating the cluster, you see Deploying Service Fabric Cluster pinned to the Start board. This process will take some time.

To perform management operations on your cluster using PowerShell or the CLI, you need to connect to your cluster; read more on how to do that in connecting to your cluster.

View your cluster status

(Screenshot: cluster details in the dashboard.)

Once your cluster is created, you can inspect it in the portal:

  1. Go to Browse and click Service Fabric Clusters.
  2. Locate your cluster and click it.
  3. You can now see the details of your cluster in the dashboard, including the cluster's public endpoint and a link to Service Fabric Explorer.

The Node Monitor section on the cluster's dashboard blade indicates the number of VMs that are healthy and unhealthy. You can find more details about cluster health in the Service Fabric health model introduction.

Note

Service Fabric clusters require a certain number of nodes to be up at all times in order to maintain availability and preserve state, referred to as "maintaining quorum". Therefore, it is typically not safe to shut down all machines in the cluster unless you have first performed a full backup of your state.

Remote connect to a Virtual Machine Scale Set instance or a cluster node

Each of the node types you specify in your cluster results in a Virtual Machine Scale Set being set up.

Next steps

At this point, you have a secure cluster that uses certificates for management authentication. Next, connect to your cluster and learn how to manage application secrets. Also, learn about Service Fabric support options.