Overview of Service Fabric Standalone clusters

A Service Fabric cluster is a network-connected set of virtual or physical machines into which your microservices are deployed and managed. A machine or VM that is part of a cluster is called a cluster node. Clusters can scale to thousands of nodes. If you add new nodes to the cluster, Service Fabric rebalances the service partition replicas and instances across the increased number of nodes. Overall application performance improves and contention for access to memory decreases. If the nodes in the cluster are not being used efficiently, you can decrease the number of nodes in the cluster. Service Fabric again rebalances the partition replicas and instances across the decreased number of nodes to make better use of the hardware on each node.

A node type defines the size, number, and properties for a set of nodes in the cluster. Each node type can then be scaled up or down independently, have different sets of ports open, and can have different capacity metrics. Node types are used to define roles for a set of cluster nodes, such as "front end" or "back end". Your cluster can have more than one node type, but the primary node type must have at least five VMs for production clusters (or at least three VMs for test clusters). Service Fabric system services are placed on the nodes of the primary node type.

The process for creating a Service Fabric cluster on-premises is similar to the process of creating a cluster on any cloud of your choice with a set of VMs. The initial steps to provision the VMs are governed by the cloud provider or on-premises environment that you are using. Once you have a set of VMs with network connectivity enabled between them, the steps to set up the Service Fabric package, edit the cluster settings, and run the cluster creation and management scripts are identical. This ensures that your knowledge and experience of operating and managing Service Fabric clusters is transferable when you choose to target new hosting environments.

Cluster security

A Service Fabric cluster is a resource that you own. It is your responsibility to secure your clusters to help prevent unauthorized users from connecting to them. A secure cluster is especially important when you are running production workloads on the cluster.

Note

Windows authentication is based on Kerberos. NTLM is not supported as an authentication type.

Whenever possible, use X.509 certificate authentication for Service Fabric clusters.

Node-to-node security

Node-to-node security secures communication between the VMs or computers in a cluster. This security scenario ensures that only computers that are authorized to join the cluster can participate in hosting applications and services in the cluster. Service Fabric uses X.509 certificates to secure a cluster and provide application security features. A cluster certificate is required to secure cluster traffic and provide cluster and server authentication. Self-signed certificates can be used for test clusters, but a certificate from a trusted certificate authority should be used to secure production clusters.

Windows security can also be enabled for a Windows standalone cluster. If you have Windows Server 2012 R2 and Windows Active Directory, we recommend that you use Windows security with group Managed Service Accounts. Otherwise, use Windows security with Windows accounts.

For more information, read Node-to-node security.

Client-to-node security

Client-to-node security authenticates clients and helps secure communication between a client and individual nodes in the cluster. This type of security helps ensure that only authorized users can access the cluster and the applications that are deployed on the cluster. Clients are uniquely identified through their X.509 certificate security credentials. Any number of optional client certificates can be used to authenticate admin or user clients with the cluster.

In addition to client certificates, Azure Active Directory can also be configured to authenticate clients with the cluster.

For more information, read Client-to-node security.

Service Fabric role-based access control

Service Fabric also supports access control to limit access to certain cluster operations for different groups of users. This helps make the cluster more secure. Two access control types are supported for clients that connect to a cluster: Administrator role and User role.

For more information, read Service Fabric role-based access control.
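As an added example (not code from this page or from Service Fabric itself), the following Python pre-flight check reads a constructed standalone ClusterConfig.json fragment and ties the node-to-node, client-to-node and role-based access control sections above together: it verifies that the cluster transport uses X509 or Windows credentials, that client certificates exist and are split between the Administrator and User roles, and that the primary node type meets the five-node (production) or three-node (test) minimum. The key names are assumed to follow the standalone ClusterConfig layout and the thumbprints are placeholders, so check both against your own config file.

```python
import json
# Constructed sample fragment of a standalone ClusterConfig.json (not from the page); thumbprints
# are placeholders and the key names are assumed to follow the standalone ClusterConfig layout.
SAMPLE_CONFIG = json.loads("""{
  "properties": {
    "nodeTypes": [{"name": "NodeType0", "isPrimary": true}],
    "security": {
      "ClusterCredentialType": "X509", "ServerCredentialType": "X509",
      "CertificateInformation": {
        "ClusterCertificate": {"Thumbprint": "PLACEHOLDER_CLUSTER_CERT", "X509StoreName": "My"},
        "ServerCertificate": {"Thumbprint": "PLACEHOLDER_SERVER_CERT", "X509StoreName": "My"},
        "ClientCertificateThumbprints": [
          {"CertificateThumbprint": "PLACEHOLDER_ADMIN_CERT", "IsAdmin": true},
          {"CertificateThumbprint": "PLACEHOLDER_USER_CERT", "IsAdmin": false}
        ]
      }
    }
  },
  "nodes": [{"nodeName": "vm0", "nodeTypeRef": "NodeType0"},
            {"nodeName": "vm1", "nodeTypeRef": "NodeType0"},
            {"nodeName": "vm2", "nodeTypeRef": "NodeType0"}]
}""")

def check_cluster_config(config, production=True):
    # Returns a list of findings; an empty list means the config passes these checks.
    findings = []
    props = config.get("properties", {})
    sec = props.get("security", {})
    cred = sec.get("ClusterCredentialType")
    if cred not in ("X509", "Windows"):  # only X509 or Windows (Kerberos) secure the transport
        findings.append("node-to-node: ClusterCredentialType must be X509 or Windows")
    if cred == "X509":
        certs = sec.get("CertificateInformation", {})
        if not certs.get("ClusterCertificate", {}).get("Thumbprint"):
            findings.append("node-to-node: ClusterCertificate thumbprint missing")
        if sec.get("ServerCredentialType") != "X509" or not certs.get("ServerCertificate", {}).get("Thumbprint"):
            findings.append("client-to-node: server certificate not configured")
        # Client-to-node and RBAC: each client certificate entry carries an IsAdmin role flag.
        clients = certs.get("ClientCertificateThumbprints", []) + certs.get("ClientCertificateCommonNames", [])
        if not clients:
            findings.append("client-to-node: no client certificates configured")
        elif not any(c.get("IsAdmin") for c in clients):
            findings.append("rbac: no client holds the Administrator role")
        elif all(c.get("IsAdmin") for c in clients):
            findings.append("rbac: every client is Administrator; give read-only clients the User role")
    # The primary node type needs at least five nodes in production and three in a test cluster.
    primary = [t["name"] for t in props.get("nodeTypes", []) if t.get("isPrimary")]
    count = sum(1 for n in config.get("nodes", []) if n.get("nodeTypeRef") in primary)
    minimum = 5 if production else 3
    if count < minimum:
        findings.append(f"primary node type has {count} nodes, needs at least {minimum}")
    return findings
```

Run it with `production=False` for a test cluster; the three-node sample passes there but is flagged for production.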

Scaling

Application demands change over time. You may need to increase cluster resources to meet increased application workload or network traffic, or decrease cluster resources when demand drops. After creating a Service Fabric cluster, you can scale the cluster horizontally (change the number of nodes) or vertically (change the resources of the nodes). You can scale the cluster at any time, even when workloads are running on the cluster. As the cluster scales, your applications automatically scale as well.

For more information, read Scaling standalone clusters.

Upgrading

A standalone cluster is a resource that you entirely own. You are responsible for patching the underlying OS and initiating fabric upgrades. You can set your cluster to receive automatic runtime upgrades when Microsoft releases a new version, or choose a supported runtime version that you want. In addition to fabric upgrades, you can also patch the OS and update cluster configuration such as certificates or application ports.

For more information, read Upgrading standalone clusters.

Supported operating systems

You are able to create clusters on VMs or computers running these operating systems (Linux is not yet supported):

  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Next steps

Read more about securing, scaling, and upgrading standalone clusters.

Learn about Service Fabric support options.