Deploy a Linux Service Fabric cluster into an Azure virtual network

In this article you learn how to deploy a Linux Service Fabric cluster into an Azure virtual network (VNET) using Azure CLI and a template. When you're finished, you have a cluster running in the cloud that you can deploy applications to. To create a Windows cluster using PowerShell, see Create a secure Windows cluster on Azure.

Prerequisites

Before you begin:

The following procedures create a seven-node Service Fabric cluster. To calculate the cost incurred by running a Service Fabric cluster in Azure, use the Azure Pricing Calculator.

Download and explore the template

Download the following Resource Manager template files:

This template deploys a secure cluster of seven virtual machines and three node types into a virtual network. Other sample templates can be found on GitHub. The AzureDeploy.json template deploys a number of resources, including the following.

Service Fabric cluster

In the Microsoft.ServiceFabric/clusters resource, a Linux cluster is deployed with the following characteristics:

  • three node types
  • five nodes in the primary node type (configurable in the template parameters), one node in each of the other node types
  • OS: Ubuntu 16.04 LTS (configurable in the template parameters)
  • certificate secured (configurable in the template parameters)
  • DNS service is enabled
  • Durability level of Bronze (configurable in the template parameters)
  • Reliability level of Silver (configurable in the template parameters)
  • client connection endpoint: 19000 (configurable in the template parameters)
  • HTTP gateway endpoint: 19080 (configurable in the template parameters)

Azure load balancer

In the Microsoft.Network/loadBalancers resource, a load balancer is configured, with probes and rules set up for the following ports:

  • client connection endpoint: 19000
  • HTTP gateway endpoint: 19080
  • application port: 80
  • application port: 443

Virtual network and subnet

The names of the virtual network and subnet are declared in the template parameters. Address spaces of the virtual network and subnet are also declared in the template parameters and configured in the Microsoft.Network/virtualNetworks resource:

  • virtual network address space: 10.0.0.0/16
  • Service Fabric subnet address space: 10.0.2.0/24

If any other application ports are needed, you must adjust the Microsoft.Network/loadBalancers resource to allow the traffic in.
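
Before and after adjusting the load balancer, it helps to list which ports its rules actually open. The following is an added example, not part of the original article or of the template: it reads a template's Microsoft.Network/loadBalancers rules, resolves bare `[parameters('...')]` port references, and reports ports outside the four documented above. The parameter names, rule names and sample template are constructed for illustration.

```python
import re

DOCUMENTED_PORTS = {19000, 19080, 80, 443}  # load balancer ports listed in this article
PARAM_REF = re.compile(r"\[parameters\('([^']+)'\)\]")

def resolve(value, parameters, overrides):
    """Resolve a bare [parameters('name')] reference; other values pass through."""
    m = PARAM_REF.fullmatch(str(value))
    if not m:
        return value
    name = m.group(1)  # a value from the parameters file wins over the default
    return overrides[name]["value"] if name in overrides else parameters[name]["defaultValue"]

def audit_load_balancer(template, param_file=None):
    """List ports opened by load-balancing rules and flag rules with no probe."""
    parameters = template.get("parameters", {})
    overrides = (param_file or {}).get("parameters", {})
    exposed, no_probe = set(), []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Network/loadBalancers":
            continue
        for rule in res.get("properties", {}).get("loadBalancingRules", []):
            props = rule["properties"]
            exposed.add(int(resolve(props["frontendPort"], parameters, overrides)))
            if not props.get("probe", {}).get("id"):
                no_probe.append(rule["name"])
    return {"exposed": sorted(exposed),
            "undocumented": sorted(exposed - DOCUMENTED_PORTS),
            "rules_without_probe": no_probe}

def _rule(name, port, probe=True):  # helper for the constructed sample below
    props = {"frontendPort": port, "backendPort": port}
    if probe:
        props["probe"] = {"id": f"[variables('{name}Probe')]"}
    return {"name": name, "properties": props}

# Constructed template fragment; parameter and rule names are hypothetical.
SAMPLE_TEMPLATE = {
    "parameters": {"clientPort": {"defaultValue": 19000},
                   "httpPort": {"defaultValue": 19080}},
    "resources": [{"type": "Microsoft.Network/loadBalancers", "properties": {
        "loadBalancingRules": [_rule("client", "[parameters('clientPort')]"),
                               _rule("http", "[parameters('httpPort')]"),
                               _rule("app80", 80), _rule("app443", 443),
                               _rule("app8080", 8080, probe=False)]}}]}

if __name__ == "__main__":
    print(audit_load_balancer(SAMPLE_TEMPLATE))
```

Port references built from `variables()` or other template functions are not resolved by this sketch; run it against a template whose rule ports are literals or plain parameter references.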

Set template parameters

The AzureDeploy.Parameters.json parameters file declares many values used to deploy the cluster and associated resources. Some of the parameters that you might need to modify for your deployment:

| Parameter | Example value | Notes |
| --- | --- | --- |
| adminUserName | vmadmin | Admin username for the cluster VMs. |
| adminPassword | Password#1234 | Admin password for the cluster VMs. |
| clusterName | mysfcluster123 | Name of the cluster. |
| location | southcentralus | Location of the cluster. |
| certificateThumbprint | | Value should be empty if creating a self-signed certificate or providing a certificate file. To use an existing certificate previously uploaded to a key vault, fill in the certificate SHA1 thumbprint value. For example, "6190390162C988701DB5676EB81083EA608DCCF3". |
| certificateUrlValue | | Value should be empty if creating a self-signed certificate or providing a certificate file. To use an existing certificate previously uploaded to a key vault, fill in the certificate URL. For example, "https://mykeyvault.vault.azure.net:443/secrets/mycertificate/02bea722c9ef4009a76c5052bcbf8346". |
| sourceVaultValue | | Value should be empty if creating a self-signed certificate or providing a certificate file. To use an existing certificate previously uploaded to a key vault, fill in the source vault value. For example, "/subscriptions/333cc2c84-12fa-5778-bd71-c71c07bf873f/resourceGroups/MyTestRG/providers/Microsoft.KeyVault/vaults/MYKEYVAULT". |
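
The three certificate parameters are either all empty or all filled in, and a half-filled set is easy to miss until deployment fails. The following pre-deployment check is an added example, not part of the original article or of the Azure tooling. It assumes the standard Resource Manager parameter-file layout (`parameters.<name>.value`) and the public Azure cloud, and it additionally checks that the certificate URL and the source vault name the same vault.

```python
import re
from urllib.parse import urlparse

CERT_KEYS = ("certificateThumbprint", "certificateUrlValue", "sourceVaultValue")
VAULT_ID = re.compile(r"/subscriptions/[^/]+/resourceGroups/[^/]+"
                      r"/providers/Microsoft\.KeyVault/vaults/([^/]+)", re.IGNORECASE)

def check_cert_parameters(param_file):
    """Return a list of problems; an empty list means the three values agree."""
    params = param_file.get("parameters", {})
    vals = {k: str(params.get(k, {}).get("value", "")).strip() for k in CERT_KEYS}
    filled = [k for k in CERT_KEYS if vals[k]]
    if not filled:
        return []  # self-signed or certificate-file deployment: all three empty
    problems = [f"{k} is empty although {filled[0]} is set"
                for k in CERT_KEYS if not vals[k]]
    if problems:
        return problems
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", vals["certificateThumbprint"]):
        problems.append("certificateThumbprint is not a 40-hex-digit SHA1 value")
    url = urlparse(vals["certificateUrlValue"])
    host = (url.hostname or "").lower()
    # Assumption: public Azure cloud, where vault hosts end in .vault.azure.net.
    if (url.scheme != "https" or not host.endswith(".vault.azure.net")
            or not url.path.startswith("/secrets/")):
        problems.append("certificateUrlValue is not an https Key Vault secret URL")
    vault = VAULT_ID.fullmatch(vals["sourceVaultValue"])
    if not vault:
        problems.append("sourceVaultValue is not a Key Vault resource ID")
    elif host.split(".")[0] != vault.group(1).lower():
        problems.append("certificateUrlValue and sourceVaultValue name different vaults")
    return problems

def _p(thumb, url, vault):  # build a parameter-file dict for the samples below
    return {"parameters": {k: {"value": v} for k, v in zip(CERT_KEYS, (thumb, url, vault))}}

# Constructed samples built from the example values in the table above.
THUMB = "6190390162C988701DB5676EB81083EA608DCCF3"
URL = "https://mykeyvault.vault.azure.net:443/secrets/mycertificate/02bea722c9ef4009a76c5052bcbf8346"
VAULT = ("/subscriptions/333cc2c84-12fa-5778-bd71-c71c07bf873f/resourceGroups/MyTestRG"
         "/providers/Microsoft.KeyVault/vaults/MYKEYVAULT")
SAMPLES = {"existing": _p(THUMB, URL, VAULT), "new": _p("", "", ""),
           "half": _p(THUMB, "", ""), "wrong-vault": _p(THUMB, URL, VAULT[:-10] + "othervault")}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, check_cert_parameters(sample) or "ok")
```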

Deploy the virtual network and cluster

Next, set up the network topology and deploy the Service Fabric cluster. The AzureDeploy.json Resource Manager template creates a virtual network (VNET) and a subnet for Service Fabric. The template also deploys a cluster with certificate security enabled. For production clusters, use a certificate from a certificate authority (CA) as the cluster certificate. A self-signed certificate can be used to secure test clusters.

The template in this article deploys a cluster that uses the certificate thumbprint to identify the cluster certificate. No two certificates can have the same thumbprint, which makes certificate management more difficult. Switching a deployed cluster from using certificate thumbprints to using certificate common names makes certificate management much simpler. To learn how to update the cluster to use certificate common names for certificate management, read change cluster to certificate common name management.

Create a cluster using an existing certificate

The following script uses the az sf cluster create command and template to deploy a new cluster secured with an existing certificate. The command also creates a new key vault in Azure and uploads your certificate.

# Sample values; replace them with your own.
ResourceGroupName="sflinuxclustergroup"
Location="southcentralus"
Password="q6D7nN%6ck@6"
VaultName="linuxclusterkeyvault"
VaultGroupName="linuxclusterkeyvaultgroup"
CertPath="C:\MyCertificates\MyCertificate.pem"

# Sign in to your Azure account and select your subscription.
# Replace <guid> with your subscription ID.
az login
az account set --subscription "<guid>"

# Create a new resource group for your deployment and give it a name and a location.
az group create --name "$ResourceGroupName" --location "$Location"

# Create the Service Fabric cluster.
az sf cluster create --resource-group "$ResourceGroupName" --location "$Location" \
   --certificate-password "$Password" --certificate-file "$CertPath" \
   --vault-name "$VaultName" --vault-resource-group "$ResourceGroupName" \
   --template-file AzureDeploy.json --parameter-file AzureDeploy.Parameters.json

Create a cluster using a new, self-signed certificate

The following script uses the az sf cluster create command and a template to deploy a new cluster in Azure. The command also creates a new key vault in Azure, adds a new self-signed certificate to the key vault, and downloads the certificate file locally.

ResourceGroupName="sflinuxclustergroup"
ClusterName="sflinuxcluster"
Location="southcentralus"
Password="q6D7nN%6ck@6"
VaultName="linuxclusterkeyvault"
VaultGroupName="linuxclusterkeyvaultgroup"
CertPath="C:\MyCertificates"

# Create the cluster. The Windows paths are quoted so the shell keeps their backslashes.
az sf cluster create --resource-group "$ResourceGroupName" --location "$Location" \
   --cluster-name "$ClusterName" \
   --template-file 'C:\temp\cluster\AzureDeploy.json' \
   --parameter-file 'C:\temp\cluster\AzureDeploy.Parameters.json' \
   --certificate-password "$Password" --certificate-output-folder "$CertPath" \
   --certificate-subject-name "$ClusterName.$Location.cloudapp.azure.com" \
   --vault-name "$VaultName" --vault-resource-group "$ResourceGroupName"

Connect to the secure cluster

Connect to the cluster using the Service Fabric CLI command sfctl cluster select with your key. Use the --no-verify option only for a self-signed certificate, because it disables verification of the certificate the cluster presents.

sfctl cluster select --endpoint https://aztestcluster.southcentralus.cloudapp.azure.com:19080 \
--pem ./aztestcluster201709151446.pem --no-verify

Check that you are connected and the cluster is healthy using the sfctl cluster health command.

sfctl cluster health

Clean up resources

If you're not immediately moving on to the next article, you might want to delete the cluster to avoid incurring charges.

Next steps

Learn how to scale a cluster.
