Tutorial: Deploy a Service Fabric cluster running Windows into an Azure virtual network

This tutorial is part one of a series. You learn how to deploy an Azure Service Fabric cluster running Windows into an Azure virtual network and network security group by using PowerShell and a template. When you're finished, you have a cluster running in the cloud to which you can deploy applications. To create a Linux cluster that uses the Azure CLI, see Create a secure Linux cluster on Azure.

This tutorial describes a production scenario. If you want to create a smaller cluster for testing purposes, see Create a test cluster.

In this tutorial, you learn how to:

  • Create a VNET in Azure using PowerShell
  • Create a key vault and upload a certificate
  • Set up Azure Active Directory authentication
  • Configure diagnostics collection
  • Set up the EventStore service
  • Set up Azure Monitor logs
  • Create a secure Service Fabric cluster in Azure PowerShell
  • Secure the cluster with an X.509 certificate
  • Connect to the cluster using PowerShell
  • Remove a cluster

In this tutorial series, you learn how to:

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

Before you begin this tutorial:

The following procedures create a seven-node Service Fabric cluster. Use the Azure Pricing Calculator to calculate the cost incurred by running a Service Fabric cluster in Azure.

Download and explore the template

Download the following Azure Resource Manager template files:

This template deploys a secure cluster of seven virtual machines and three node types into a virtual network and a network security group. Other sample templates can be found on GitHub. The azuredeploy.json deploys a number of resources, including the following.

Service Fabric cluster

In the Microsoft.ServiceFabric/clusters resource, a Windows cluster is configured with the following characteristics:

  • Three node types.
  • Five nodes in the primary node type (configurable in the template parameters), and one node in each of the other two node types.
  • OS: Windows Server 2016 Datacenter with Containers (configurable in the template parameters).
  • Certificate secured (configurable in the template parameters).
  • Reverse proxy is enabled.
  • DNS service is enabled.
  • Durability level of Bronze (configurable in the template parameters).
  • Reliability level of Silver (configurable in the template parameters).
  • Client connection endpoint: 19000 (configurable in the template parameters).
  • HTTP gateway endpoint: 19080 (configurable in the template parameters).

Azure Load Balancer

In the Microsoft.Network/loadBalancers resource, a load balancer is configured. Probes and rules are set up for the following ports:

  • Client connection endpoint: 19000
  • HTTP gateway endpoint: 19080
  • Application port: 80
  • Application port: 443
  • Service Fabric reverse proxy: 19081

If other application ports are needed, you'll need to adjust the Microsoft.Network/loadBalancers resource and the Microsoft.Network/networkSecurityGroups resource to allow the traffic in.

Virtual network, subnet, and network security group

The names of the virtual network, subnet, and network security group are declared in the template parameters. Address spaces of the virtual network and subnet are also declared in the template parameters and configured in the Microsoft.Network/virtualNetworks resource:

  • Virtual network address space: 172.16.0.0/20
  • Service Fabric subnet address space: 172.16.2.0/23

The following inbound traffic rules are enabled in the Microsoft.Network/networkSecurityGroups resource. You can change the port values by changing the template variables.

  • ClientConnectionEndpoint (TCP): 19000
  • HttpGatewayEndpoint (HTTP/TCP): 19080
  • SMB: 445
  • Internodecommunication: 1025, 1026, 1027
  • Ephemeral port range: 49152 to 65534 (a minimum of 256 ports is needed).
  • Ports for application use: 80 and 443
  • Application port range: 49152 to 65534 (used for service-to-service communication; other ports aren't opened on the load balancer).
  • Block all other ports

If other application ports are needed, you'll need to adjust the Microsoft.Network/loadBalancers resource and the Microsoft.Network/networkSecurityGroups resource to allow the traffic in.

Windows Defender

By default, the Windows Defender antivirus program is installed and functional on Windows Server 2016. The user interface is installed by default on some SKUs, but isn't required. For each node type/VM scale set declared in the template, the Azure VM Antimalware extension is used to exclude the Service Fabric directories and processes:
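Before deploying, it is worth checking that the template's network security group really does allow only the inbound ports listed above and still ends with the "block all other ports" rule. The following PowerShell audit is an added example, not code from the tutorial or the sample template; $templateJson is a constructed, trimmed stand-in for azuredeploy.json with literal port values (the real template expresses ports as "[variables(...)]" expressions, which the script reports for manual resolution), and the 3389 rule is a deliberately planted misconfiguration.

```powershell
# Added example, not part of the tutorial or the sample template: audit the inbound
# rules of the template's network security group against the documented port set.
# $templateJson is a constructed, trimmed stand-in for azuredeploy.json.
$templateJson = @'
{
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "name": "sf-nsg",
      "properties": {
        "securityRules": [
          { "name": "ClientConnectionEndpoint", "properties": { "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",              "destinationPortRange": "19000",       "priority": 100 } },
          { "name": "HttpGatewayEndpoint",      "properties": { "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",              "destinationPortRange": "19080",       "priority": 110 } },
          { "name": "SMB",                      "properties": { "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "445",         "priority": 120 } },
          { "name": "Internodecommunication",   "properties": { "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "1025-1027",   "priority": 130 } },
          { "name": "Ephemeral_Ports",          "properties": { "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "49152-65534", "priority": 140 } },
          { "name": "Application_Ports",        "properties": { "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",              "destinationPortRange": "80",          "priority": 150 } },
          { "name": "Leftover_Remote_Access",   "properties": { "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",              "destinationPortRange": "3389",        "priority": 160 } },
          { "name": "BlockAll",                 "properties": { "direction": "Inbound", "access": "Deny",  "protocol": "*",   "sourceAddressPrefix": "*",              "destinationPortRange": "*",           "priority": 4095 } }
        ]
      }
    }
  ]
}
'@

# Inbound port set this page documents for the sample template.
$documentedRanges = @(
    @{ Name = 'ClientConnectionEndpoint'; From = 19000; To = 19000 },
    @{ Name = 'HttpGatewayEndpoint';      From = 19080; To = 19080 },
    @{ Name = 'SMB';                      From = 445;   To = 445 },
    @{ Name = 'Internodecommunication';   From = 1025;  To = 1027 },
    @{ Name = 'Ephemeral/application';    From = 49152; To = 65534 },
    @{ Name = 'HTTP';                     From = 80;    To = 80 },
    @{ Name = 'HTTPS';                    From = 443;   To = 443 }
)

function ConvertTo-PortInterval {
    # Turns "19000", "1025-1027" or "*" into a From/To pair; $null for an unresolved ARM expression.
    param([string]$Range)
    if ($Range.StartsWith('[')) { return $null }
    if ($Range -eq '*') { return @{ From = 0; To = 65535 } }
    $parts = $Range -split '-'
    $from = [int]$parts[0]
    $to = if ($parts.Count -gt 1) { [int]$parts[1] } else { $from }
    return @{ From = $from; To = $to }
}

function Test-SfNsgInboundRules {
    param([Parameter(Mandatory)][string]$TemplateJson)
    $template = $TemplateJson | ConvertFrom-Json
    $findings = New-Object System.Collections.Generic.List[string]
    $nsgs = @($template.resources | Where-Object { $_.type -eq 'Microsoft.Network/networkSecurityGroups' })
    if ($nsgs.Count -eq 0) { $findings.Add('No Microsoft.Network/networkSecurityGroups resource found.') }
    foreach ($nsg in $nsgs) {
        $inbound = @($nsg.properties.securityRules | Where-Object { $_.properties.direction -eq 'Inbound' })
        foreach ($rule in ($inbound | Where-Object { $_.properties.access -eq 'Allow' })) {
            $p = $rule.properties
            # Only the singular destinationPortRange is handled; rules using destinationPortRanges are flagged for review.
            if ($p.destinationPortRanges) { $findings.Add("Rule '$($rule.name)' uses destinationPortRanges; review it manually."); continue }
            $iv = ConvertTo-PortInterval $p.destinationPortRange
            if ($null -eq $iv) { $findings.Add("Rule '$($rule.name)' uses an ARM expression for its port; resolve the variable before auditing."); continue }
            $covered = $documentedRanges | Where-Object { $_.From -le $iv.From -and $_.To -ge $iv.To }
            if (-not $covered) {
                $findings.Add("Rule '$($rule.name)' allows inbound $($p.protocol) $($p.destinationPortRange) from '$($p.sourceAddressPrefix)', outside the documented port set.")
            }
        }
        # "Block all other ports": the lowest-precedence inbound rule (highest priority number) should deny everything.
        $last = $inbound | Sort-Object { [int]$_.properties.priority } | Select-Object -Last 1
        if (-not $last -or $last.properties.access -ne 'Deny' -or $last.properties.destinationPortRange -ne '*') {
            $findings.Add("NSG '$($nsg.name)' does not end with a catch-all inbound Deny rule.")
        }
    }
    return $findings
}

$result = @(Test-SfNsgInboundRules -TemplateJson $templateJson)
if ($result.Count -eq 0) { 'No findings.' } else { $result }
```

To run it against the real file, replace the here-string with `Get-Content -Raw .\azuredeploy.json` after substituting the template variables for the port expressions.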

{
  "name": "[concat('VMIaaSAntimalware','_vmNodeType0Name')]",
  "properties": {
    "publisher": "Microsoft.Azure.Security",
    "type": "IaaSAntimalware",
    "typeHandlerVersion": "1.5",
    "settings": {
      "AntimalwareEnabled": "true",
      "Exclusions": {
        "Paths": "D:\\SvcFab;D:\\SvcFab\\Log;C:\\Program Files\\Microsoft Service Fabric",
        "Processes": "Fabric.exe;FabricHost.exe;FabricInstallerService.exe;FabricSetup.exe;FabricDeployer.exe;ImageBuilder.exe;FabricGateway.exe;FabricDCA.exe;FabricFAS.exe;FabricUOS.exe;FabricRM.exe;FileStoreService.exe"
      },
      "RealtimeProtectionEnabled": "true",
      "ScheduledScanSettings": {
        "isEnabled": "true",
        "scanType": "Quick",
        "day": "7",
        "time": "120"
      }
    },
    "protectedSettings": null
  }
}

Set template parameters

The azuredeploy.parameters.json parameters file declares many values used to deploy the cluster and associated resources. The following are parameters to modify for your deployment:

Parameter | Example value | Notes
adminUserName | vmadmin | Admin username for the cluster VMs. See Username requirements for VM.
adminPassword | Password#1234 | Admin password for the cluster VMs. See Password requirements for VM.
clusterName | mysfcluster123 | Name of the cluster. Can contain letters and numbers only. Length can be between 3 and 23 characters.
location | southcentralus | Location of the cluster.
certificateThumbprint | (empty, or see notes) | Value should be empty if creating a self-signed certificate or providing a certificate file. To use an existing certificate previously uploaded to a key vault, fill in the certificate SHA1 thumbprint value. For example, "6190390162C988701DB5676EB81083EA608DCCF3".
certificateUrlValue | (empty, or see notes) | Value should be empty if creating a self-signed certificate or providing a certificate file. To use an existing certificate previously uploaded to a key vault, fill in the certificate URL. For example, "https://mykeyvault.vault.azure.net:443/secrets/mycertificate/02bea722c9ef4009a76c5052bcbf8346".
sourceVaultValue | (empty, or see notes) | Value should be empty if creating a self-signed certificate or providing a certificate file. To use an existing certificate previously uploaded to a key vault, fill in the source vault value. For example, "/subscriptions/333cc2c84-12fa-5778-bd71-c71c07bf873f/resourceGroups/MyTestRG/providers/Microsoft.KeyVault/vaults/MYKEYVAULT".
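The three certificate parameters describe one key vault certificate, so a half-filled set (a thumbprint without the vault and URL it came from) is a common way for the deployment to fail late. The pre-flight check below is an added example, not code from the tutorial; $parametersJson is a constructed sample mirroring the table above (load the real file with Get-Content -Raw instead), and the URL check assumes the public-cloud Key Vault DNS suffix vault.azure.net, which differs in national clouds.

```powershell
# Added example, not part of the tutorial: pre-flight checks on azuredeploy.parameters.json.
# $parametersJson is a constructed sample; it deliberately fills in only the thumbprint.
$parametersJson = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUserName":         { "value": "vmadmin" },
    "adminPassword":         { "value": "Password#1234" },
    "clusterName":           { "value": "mysfcluster123" },
    "location":              { "value": "southcentralus" },
    "certificateThumbprint": { "value": "6190390162C988701DB5676EB81083EA608DCCF3" },
    "certificateUrlValue":   { "value": "" },
    "sourceVaultValue":      { "value": "" }
  }
}
'@

function Test-SfDeploymentParameters {
    param([Parameter(Mandatory)][string]$ParametersJson)
    $p = ($ParametersJson | ConvertFrom-Json).parameters
    $findings = New-Object System.Collections.Generic.List[string]

    # clusterName: letters and digits only, 3 to 23 characters.
    if ($p.clusterName.value -notmatch '^[A-Za-z0-9]{3,23}$') {
        $findings.Add("clusterName '$($p.clusterName.value)' must be 3 to 23 letters or digits.")
    }

    # The example credential from the table must not reach a real deployment.
    if ($p.adminPassword.value -eq 'Password#1234') {
        $findings.Add('adminPassword is the documented example value; choose your own before deploying.')
    }

    # The three certificate parameters describe one Key Vault certificate: leave all three
    # empty (self-signed certificate or certificate file) or fill in all three.
    $thumb = [string]$p.certificateThumbprint.value
    $url   = [string]$p.certificateUrlValue.value
    $vault = [string]$p.sourceVaultValue.value
    $filled = @(@($thumb, $url, $vault) | Where-Object { $_ -ne '' }).Count
    if ($filled -ne 0 -and $filled -ne 3) {
        $findings.Add('certificateThumbprint, certificateUrlValue and sourceVaultValue must be all empty or all populated.')
    }
    if ($filled -eq 3) {
        if ($thumb -notmatch '^[0-9A-Fa-f]{40}$') {
            $findings.Add("certificateThumbprint '$thumb' is not a 40-hex-digit SHA1 thumbprint.")
        }
        if ($vault -notmatch '^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.KeyVault/vaults/[^/]+$') {
            $findings.Add("sourceVaultValue '$vault' is not a Key Vault resource ID.")
        }
        # The secret URL must be versioned and must belong to the vault named in sourceVaultValue
        # (assumes the public-cloud suffix vault.azure.net; PowerShell -match is case-insensitive).
        $vaultName = ($vault -split '/')[-1]
        $urlPattern = '^https://' + [regex]::Escape($vaultName) + '\.vault\.azure\.net(:443)?/secrets/[^/]+/[0-9a-f]{32}$'
        if ($url -notmatch $urlPattern) {
            $findings.Add("certificateUrlValue '$url' is not a versioned secret URL in vault '$vaultName'.")
        }
    }
    return $findings
}

$result = @(Test-SfDeploymentParameters -ParametersJson $parametersJson)
if ($result.Count -eq 0) { 'Parameters look consistent.' } else { $result }
```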

Set up Azure Active Directory client authentication

For Service Fabric clusters deployed in a public network hosted on Azure, the recommendation for client-to-node mutual authentication is:

  • Use Azure Active Directory for client identity.
  • Use a certificate for server identity and SSL encryption of HTTP communication.

Setting up Azure Active Directory (Azure AD) to authenticate clients for a Service Fabric cluster must be done before creating the cluster. Azure AD enables organizations (known as tenants) to manage user access to applications.

A Service Fabric cluster offers several entry points to its management functionality, including the web-based Service Fabric Explorer and Visual Studio. As a result, you create two Azure AD applications to control access to the cluster: one web application and one native application. After the applications are created, you assign users to read-only and admin roles.

Note

You must complete the following steps before you create the cluster. Because the scripts expect cluster names and endpoints, the values should be planned and not values that you have already created.

In this article, we assume that you've already created a tenant. If you haven't, start by reading How to get an Azure Active Directory tenant.

To simplify the steps involved in configuring Azure AD with a Service Fabric cluster, we've created a set of Windows PowerShell scripts. Download the scripts to your computer.

Create Azure AD applications and assign users to roles

Create two Azure AD applications to control access to the cluster: one web application and one native application. After you've created the applications to represent your cluster, assign your users to the roles supported by Service Fabric: read-only and admin.

Run SetupApplications.ps1, and provide the tenant ID, cluster name, and web application reply URL as parameters. Specify usernames and passwords for the users. For example:

$Configobj = .\SetupApplications.ps1 -TenantId '<MyTenantID>' -ClusterName 'mysfcluster123' -WebApplicationReplyUrl 'https://mysfcluster123.eastus.cloudapp.azure.com:19080/Explorer/index.html' -AddResourceAccess
.\SetupUser.ps1 -ConfigObj $Configobj -UserName 'TestUser' -Password 'P@ssword!123'
.\SetupUser.ps1 -ConfigObj $Configobj -UserName 'TestAdmin' -Password 'P@ssword!123' -IsAdmin

Note

For national clouds (for example Azure Government, Azure China, Azure Germany), specify the -Location parameter.

You can find your TenantId, or directory ID, in the Azure portal. Select Azure Active Directory > Properties and copy the Directory ID value.

ClusterName is used to prefix the Azure AD applications that are created by the script. It doesn't need to exactly match the actual cluster name. It only makes it easier to map Azure AD artifacts to the Service Fabric cluster in use.

WebApplicationReplyUrl is the default endpoint that Azure AD returns to your users after they finish signing in. Set this endpoint as the Service Fabric Explorer endpoint for your cluster, which by default is:

https://<cluster_domain>:19080/Explorer

You're prompted to sign in to an account that has administrative privileges for the Azure AD tenant. After you sign in, the script creates the web and native applications to represent your Service Fabric cluster. In the tenant's applications in the Azure portal, you should see two new entries:

  • ClusterName_Cluster
  • ClusterName_Client

The script prints the JSON required by the Resource Manager template when you create the cluster, so it's a good idea to keep the PowerShell window open.

"azureActiveDirectory": {
  "tenantId":"<guid>",
  "clusterApplication":"<guid>",
  "clientApplication":"<guid>"
},

Add Azure AD configuration to use Azure AD for client access

In the azuredeploy.json, configure Azure AD in the Microsoft.ServiceFabric/clusters section. Add parameters for the tenant ID, cluster application ID, and client application ID.

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
  "contentVersion": "1.0.0.0",
  "parameters": {
    ...

    "aadTenantId": {
      "type": "string",
      "defaultValue": "0e3d2646-78b3-4711-b8be-74a381d9890c"
    },
    "aadClusterApplicationId": {
      "type": "string",
      "defaultValue": "cb147d34-b0b9-4e77-81d6-420fef0c4180"
    },
    "aadClientApplicationId": {
      "type": "string",
      "defaultValue": "7a8f3b37-cc40-45cc-9b8f-57b8919ea461"
    }
  },

...

{
  "apiVersion": "2018-02-01",
  "type": "Microsoft.ServiceFabric/clusters",
  "name": "[parameters('clusterName')]",
  ...
  "properties": {
    ...
    "azureActiveDirectory": {
      "tenantId": "[parameters('aadTenantId')]",
      "clusterApplication": "[parameters('aadClusterApplicationId')]",
      "clientApplication": "[parameters('aadClientApplicationId')]"
    },
    ...
  }
}

azuredeploy.parameters.json 參數檔案中新增參數值。Add the parameter values in the azuredeploy.parameters.json parameters file. 例如︰For example:

"aadTenantId": {
"value": "0e3d2646-78b3-4711-b8be-74a381d9890c"
},
"aadClusterApplicationId": {
"value": "cb147d34-b0b9-4e77-81d6-420fef0c4180"
},
"aadClientApplicationId": {
"value": "7a8f3b37-cc40-45cc-9b8f-57b8919ea461"
}

Configure diagnostics collection on the cluster

When you're running a Service Fabric cluster, it's a good idea to collect the logs from all the nodes in a central location. Having the logs in a central location helps you analyze and troubleshoot issues in your cluster, or issues in the applications and services running in that cluster.

One way to upload and collect logs is to use the Azure Diagnostics (WAD) extension, which uploads logs to Azure Storage, and also has the option to send logs to Azure Application Insights or Event Hubs. You can also use an external process to read the events from storage and place them in an analysis platform product, such as Azure Monitor logs or another log-parsing solution.

If you are following this tutorial, diagnostics collection is already configured in the template.

If you have an existing cluster that doesn't have Diagnostics deployed, you can add or update it via the cluster template. Modify the Resource Manager template that's used to create the existing cluster, or download the template from the portal. Modify the template.json file by performing the following tasks:

Add a new storage resource to the resources section in the template:

"resources": [
...
{
  "apiVersion": "2015-05-01-preview",
  "type": "Microsoft.Storage/storageAccounts",
  "name": "[parameters('applicationDiagnosticsStorageAccountName')]",
  "location": "[parameters('computeLocation')]",
  "sku": {
    "accountType": "[parameters('applicationDiagnosticsStorageAccountType')]"
  },
  "tags": {
    "resourceType": "Service Fabric",
    "clusterName": "[parameters('clusterName')]"
  }
},
...
]

Next, add parameters for the storage account name and type to the parameters section of the template. Replace the placeholder text storage account name goes here with the name of the storage account you'd like.

"parameters": {
...
"applicationDiagnosticsStorageAccountType": {
    "type": "string",
    "allowedValues": [
    "Standard_LRS",
    "Standard_GRS"
    ],
    "defaultValue": "Standard_LRS",
    "metadata": {
    "description": "Replication option for the application diagnostics storage account"
    }
},
"applicationDiagnosticsStorageAccountName": {
    "type": "string",
    "defaultValue": "**STORAGE ACCOUNT NAME GOES HERE**",
    "metadata": {
    "description": "Name for the storage account that contains application diagnostics data from the cluster"
    }
},
...
}

Next, add the IaaSDiagnostics extension to the extensions array of the VirtualMachineProfile property of each Microsoft.Compute/virtualMachineScaleSets resource in the cluster. If you're using the sample template, there are three virtual machine scale sets (one for each node type in the cluster).

"apiVersion": "2018-10-01",
"type": "Microsoft.Compute/virtualMachineScaleSets",
"name": "[variables('vmNodeType1Name')]",
"properties": {
    ...
    "virtualMachineProfile": {
        "extensionProfile": {
            "extensions": [
                {
                    "name": "[concat(parameters('vmNodeType0Name'),'_Microsoft.Insights.VMDiagnosticsSettings')]",
                    "properties": {
                        "type": "IaaSDiagnostics",
                        "autoUpgradeMinorVersion": true,
                        "protectedSettings": {
                        "storageAccountName": "[parameters('applicationDiagnosticsStorageAccountName')]",
                        "storageAccountKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('applicationDiagnosticsStorageAccountName')),'2015-05-01-preview').key1]",
                        "storageAccountEndPoint": "https://core.windows.net/"
                        },
                        "publisher": "Microsoft.Azure.Diagnostics",
                        "settings": {
                        "WadCfg": {
                            "DiagnosticMonitorConfiguration": {
                            "overallQuotaInMB": "50000",
                            "EtwProviders": {
                                "EtwEventSourceProviderConfiguration": [
                                {
                                    "provider": "Microsoft-ServiceFabric-Actors",
                                    "scheduledTransferKeywordFilter": "1",
                                    "scheduledTransferPeriod": "PT5M",
                                    "DefaultEvents": {
                                    "eventDestination": "ServiceFabricReliableActorEventTable"
                                    }
                                },
                                {
                                    "provider": "Microsoft-ServiceFabric-Services",
                                    "scheduledTransferPeriod": "PT5M",
                                    "DefaultEvents": {
                                    "eventDestination": "ServiceFabricReliableServiceEventTable"
                                    }
                                }
                                ],
                                "EtwManifestProviderConfiguration": [
                                {
                                    "provider": "cbd93bc2-71e5-4566-b3a7-595d8eeca6e8",
                                    "scheduledTransferLogLevelFilter": "Information",
                                    "scheduledTransferKeywordFilter": "4611686018427387904",
                                    "scheduledTransferPeriod": "PT5M",
                                    "DefaultEvents": {
                                    "eventDestination": "ServiceFabricSystemEventTable"
                                    }
                                }
                                ]
                            }
                            }
                        },
                        "StorageAccount": "[parameters('applicationDiagnosticsStorageAccountName')]"
                        },
                        "typeHandlerVersion": "1.5"
                    }
                }
            ...
            ]
        }
    }
}

Configure the EventStore service

The EventStore service is a monitoring option in Service Fabric. EventStore provides a way to understand the state of your cluster or workloads at a given point in time. The EventStore is a stateful Service Fabric service that maintains events from the cluster. The events are exposed through Service Fabric Explorer, REST, and APIs. EventStore queries the cluster directly to get diagnostics data on any entity in your cluster and should be used to help:

  • Diagnose issues in development or testing, or where you might be using a monitoring pipeline
  • Confirm that management actions you are taking on your cluster are being processed correctly
  • Get a "snapshot" of how Service Fabric is interacting with a particular entity

To enable the EventStore service on your cluster, add the following to the fabricSettings property of the Microsoft.ServiceFabric/clusters resource:

"apiVersion": "2018-02-01",
"type": "Microsoft.ServiceFabric/clusters",
"name": "[parameters('clusterName')]",
"properties": {
    ...
    "fabricSettings": [
        ...
        {
            "name": "EventStoreService",
            "parameters": [
                {
                "name": "TargetReplicaSetSize",
                "value": "3"
                },
                {
                "name": "MinReplicaSetSize",
                "value": "1"
                }
            ]
        }
    ]
}

Set up Azure Monitor logs for the cluster

Azure Monitor logs is our recommendation for monitoring cluster-level events. To set up Azure Monitor logs to monitor your cluster, you need to have diagnostics enabled to view cluster-level events.

The workspace needs to be connected to the diagnostics data coming from your cluster. This log data is stored in the applicationDiagnosticsStorageAccountName storage account, in the WADServiceFabric*EventTable, WADWindowsEventLogsTable, and WADETWEventTable tables.

Add the Azure Log Analytics workspace and add the solution to the workspace:

"resources": [
    ...
    {
        "apiVersion": "2015-11-01-preview",
        "location": "[parameters('omsRegion')]",
        "name": "[parameters('omsWorkspacename')]",
        "type": "Microsoft.OperationalInsights/workspaces",
        "properties": {
            "sku": {
                "name": "Free"
            }
        },
        "resources": [
            {
                "apiVersion": "2015-11-01-preview",
                "name": "[concat(variables('applicationDiagnosticsStorageAccountName'),parameters('omsWorkspacename'))]",
                "type": "storageinsightconfigs",
                "dependsOn": [
                    "[concat('Microsoft.OperationalInsights/workspaces/', parameters('omsWorkspacename'))]",
                    "[concat('Microsoft.Storage/storageAccounts/', variables('applicationDiagnosticsStorageAccountName'))]"
                ],
                "properties": {
                    "containers": [],
                    "tables": [
                        "WADServiceFabric*EventTable",
                        "WADWindowsEventLogsTable",
                        "WADETWEventTable"
                    ],
                    "storageAccount": {
                        "id": "[resourceId('Microsoft.Storage/storageaccounts/', variables('applicationDiagnosticsStorageAccountName'))]",
                        "key": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('applicationDiagnosticsStorageAccountName')),'2015-06-15').key1]"
                    }
                }
            },
            {
                "apiVersion": "2015-11-01-preview",
                "type": "datasources",
                "name": "sampleWindowsPerfCounter",
                "dependsOn": [
                    "[concat('Microsoft.OperationalInsights/workspaces/', parameters('omsWorkspacename'))]"
                ],
                "kind": "WindowsPerformanceCounter",
                "properties": {
                    "objectName": "Memory",
                    "instanceName": "*",
                    "intervalSeconds": 10,
                    "counterName": "Available MBytes"
                }
            },
            {
                "apiVersion": "2015-11-01-preview",
                "type": "datasources",
                "name": "sampleWindowsPerfCounter2",
                "dependsOn": [
                    "[concat('Microsoft.OperationalInsights/workspaces/', parameters('omsWorkspacename'))]"
                ],
                "kind": "WindowsPerformanceCounter",
                "properties": {
                    "objectName": "Service Fabric Service",
                    "instanceName": "*",
                    "intervalSeconds": 10,
                    "counterName": "Average milliseconds per request"
                }
            }
        ]
    },
    {
        "apiVersion": "2015-11-01-preview",
        "location": "[parameters('omsRegion')]",
        "name": "[variables('solution')]",
        "type": "Microsoft.OperationsManagement/solutions",
        "dependsOn": [
            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('omsWorkspacename'))]"
        ],
        "properties": {
            "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('omsWorkspacename'))]"
        },
        "plan": {
            "name": "[variables('solution')]",
            "publisher": "Microsoft",
            "product": "[Concat('OMSGallery/', variables('solutionName'))]",
            "promotionCode": ""
        }
    }
]

Next, add the parameters:

"parameters": {
    ...
    "omsWorkspacename": {
        "type": "string",
        "defaultValue": "mysfomsworkspace",
        "metadata": {
            "description": "Name of your OMS Log Analytics Workspace"
        }
    },
    "omsRegion": {
        "type": "string",
        "defaultValue": "West Europe",
        "allowedValues": [
            "West Europe",
            "East US",
            "Southeast Asia"
        ],
        "metadata": {
            "description": "Specify the Azure Region for your OMS workspace"
        }
    }
}

Next, add the variables:

"variables": {
    ...
    "solution": "[Concat('ServiceFabric', '(', parameters('omsWorkspacename'), ')')]",
    "solutionName": "ServiceFabric"
}

Add the Log Analytics agent extension to each virtual machine scale set in the cluster and connect the agent to the Log Analytics workspace. This enables collecting diagnostics data about containers, applications, and performance monitoring. By adding it as an extension to the virtual machine scale set resource, Azure Resource Manager ensures that it gets installed on every node, even when scaling the cluster.

"apiVersion": "2018-10-01",
"type": "Microsoft.Compute/virtualMachineScaleSets",
"name": "[variables('vmNodeType1Name')]",
"properties": {
    ...
    "virtualMachineProfile": {
        "extensionProfile": {
            "extensions": [
                {
                    "name": "[concat(variables('vmNodeType0Name'),'OMS')]",
                    "properties": {
                        "publisher": "Microsoft.EnterpriseCloud.Monitoring",
                        "type": "MicrosoftMonitoringAgent",
                        "typeHandlerVersion": "1.0",
                        "autoUpgradeMinorVersion": true,
                        "settings": {
                            "workspaceId": "[reference(resourceId('Microsoft.OperationalInsights/workspaces/', parameters('omsWorkspacename')), '2015-11-01-preview').customerId]"
                        },
                        "protectedSettings": {
                            "workspaceKey": "[listKeys(resourceId('Microsoft.OperationalInsights/workspaces/', parameters('omsWorkspacename')),'2015-11-01-preview').primarySharedKey]"
                        }
                    }
                }
            ...
            ]
        }
    }
}

Deploy the virtual network and cluster

Next, set up the network topology and deploy the Service Fabric cluster. The azuredeploy.json Resource Manager template creates a virtual network, subnet, and network security group for Service Fabric. The template also deploys a cluster with certificate security enabled. For production clusters, use a certificate from a certificate authority as the cluster certificate. A self-signed certificate can be used to secure test clusters.

The template in this article deploys a cluster that uses the certificate thumbprint to identify the cluster certificate. No two certificates can have the same thumbprint, which makes certificate management more difficult. Switching a deployed cluster from certificate thumbprints to certificate common names simplifies certificate management. To learn how to update the cluster to use certificate common names for certificate management, read Change cluster to certificate common name management.

Create a cluster by using an existing certificate

The following script uses the New-AzServiceFabricCluster cmdlet and a template to deploy a new cluster in Azure. The cmdlet creates a new key vault in Azure and uploads your certificate.

# Variables.
$groupname = "sfclustertutorialgroup"
$clusterloc="southcentralus"  # Must match the location parameter in the template
$templatepath="C:\temp\cluster"

$certpwd="q6D7nN%6ck@6" | ConvertTo-SecureString -AsPlainText -Force
$certpath="C:\mycertificates\mycert.pfx"  # Placeholder: path to your existing .pfx certificate file
$clustername = "mysfcluster123"  # Must match the clustername parameter in the template
$vaultname = "clusterkeyvault123"
$vaultgroupname="clusterkeyvaultgroup123"
$subname="$clustername.$clusterloc.cloudapp.azure.com"

# Sign in to your Azure account and select your subscription
Connect-AzAccount
Get-AzSubscription
Set-AzContext -SubscriptionId <guid>

# Create a new resource group for your deployment, and give it a name and a location.
New-AzResourceGroup -Name $groupname -Location $clusterloc

# Create the Service Fabric cluster, uploading the existing certificate to the key vault.
New-AzServiceFabricCluster -ResourceGroupName $groupname -TemplateFile "$templatepath\azuredeploy.json" `
-ParameterFile "$templatepath\azuredeploy.parameters.json" -CertificatePassword $certpwd `
-KeyVaultName $vaultname -KeyVaultResourceGroupName $vaultgroupname -CertificateFile $certpath

Create a cluster by using a new, self-signed certificate

The following script uses the New-AzServiceFabricCluster cmdlet and a template to deploy a new cluster in Azure. The cmdlet creates a new key vault in Azure, adds a new self-signed certificate to the key vault, and downloads the certificate file locally.

# Variables.
$groupname = "sfclustertutorialgroup"
$clusterloc="southcentralus"  # Must match the location parameter in the template
$templatepath="C:\temp\cluster"

$certpwd="q6D7nN%6ck@6" | ConvertTo-SecureString -AsPlainText -Force
$certfolder="c:\mycertificates\"
$clustername = "mysfcluster123"
$vaultname = "clusterkeyvault123"
$vaultgroupname="clusterkeyvaultgroup123"
$subname="$clustername.$clusterloc.cloudapp.azure.com"

# Sign in to your Azure account and select your subscription
Connect-AzAccount
Get-AzSubscription
Set-AzContext -SubscriptionId <guid>

# Create a new resource group for your deployment, and give it a name and a location.
New-AzResourceGroup -Name $groupname -Location $clusterloc

# Create the Service Fabric cluster; the generated .pfx is written to $certfolder.
New-AzServiceFabricCluster -ResourceGroupName $groupname -TemplateFile "$templatepath\azuredeploy.json" `
-ParameterFile "$templatepath\azuredeploy.parameters.json" -CertificatePassword $certpwd `
-CertificateOutputFolder $certfolder -KeyVaultName $vaultname -KeyVaultResourceGroupName $vaultgroupname -CertificateSubjectName $subname

Connect to the secure cluster

Connect to the cluster by using the Service Fabric PowerShell module installed with the Service Fabric SDK. First, install the certificate into the Personal (My) store of the current user on your computer. Run the following PowerShell command:

$certpwd="q6D7nN%6ck@6" | ConvertTo-SecureString -AsPlainText -Force
Import-PfxCertificate -Exportable -CertStoreLocation Cert:\CurrentUser\My `
        -FilePath C:\mycertificates\mysfcluster20170531104310.pfx `
        -Password $certpwd

You're now ready to connect to your secure cluster.

The Service Fabric PowerShell module provides many cmdlets for managing Service Fabric clusters, applications, and services. Use the Connect-ServiceFabricCluster cmdlet to connect to the secure cluster. The certificate SHA1 thumbprint and connection endpoint details are found in the output from the previous step.

If you previously set up Azure AD client authentication, run the following command:

Connect-ServiceFabricCluster -ConnectionEndpoint mysfcluster123.southcentralus.cloudapp.azure.com:19000 `
        -KeepAliveIntervalInSec 10 `
        -AzureActiveDirectory `
        -ServerCertThumbprint C4C1E541AD512B8065280292A8BA6079C3F26F10

If you didn't set up Azure AD client authentication, run the following command:

Connect-ServiceFabricCluster -ConnectionEndpoint mysfcluster123.southcentralus.cloudapp.azure.com:19000 `
          -KeepAliveIntervalInSec 10 `
          -X509Credential -ServerCertThumbprint C4C1E541AD512B8065280292A8BA6079C3F26F10 `
          -FindType FindByThumbprint -FindValue C4C1E541AD512B8065280292A8BA6079C3F26F10 `
          -StoreLocation CurrentUser -StoreName My

Check that you're connected and that the cluster is healthy by using the Get-ServiceFabricClusterHealth cmdlet.

Get-ServiceFabricClusterHealth
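The connection steps above copy the thumbprint by hand from the deployment output. As an added example (not part of the original tutorial), the script below derives the thumbprint from the .pfx that New-AzServiceFabricCluster wrote, warns if the certificate is self-signed or close to expiry, and then connects with X509 credentials and checks the aggregated health state. The .pfx path, password and endpoint are the tutorial's sample values and are assumed placeholders.

```powershell
# Added example; assumed placeholders: $pfxpath, the password, and the cluster endpoint.
$pfxpath  = "C:\mycertificates\mysfcluster20170531104310.pfx"   # .pfx written by -CertificateOutputFolder
$certpwd  = "q6D7nN%6ck@6" | ConvertTo-SecureString -AsPlainText -Force
$endpoint = "mysfcluster123.southcentralus.cloudapp.azure.com:19000"

# Import the certificate and keep the X509Certificate2 object that Import-PfxCertificate returns.
$cert = Import-PfxCertificate -Exportable -CertStoreLocation Cert:\CurrentUser\My `
            -FilePath $pfxpath -Password $certpwd

# The thumbprint is the SHA1 hash of the DER-encoded certificate. The cluster compares
# this value on both sides, so use it for -ServerCertThumbprint and -FindValue alike.
$thumbprint = $cert.Thumbprint

# An expired cluster certificate takes the cluster down, so refuse an expired one
# and warn when fewer than 30 days remain, leaving time to rotate it.
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 0) {
    throw "Cluster certificate $thumbprint expired on $($cert.NotAfter)."
} elseif ($daysLeft -lt 30) {
    Write-Warning "Cluster certificate $thumbprint expires in $daysLeft days; plan a rotation."
}

# The tutorial's test cluster uses a self-signed certificate (issuer equals subject);
# a production cluster should present a CA-issued certificate instead.
if ($cert.Issuer -eq $cert.Subject) {
    Write-Warning "Certificate $thumbprint is self-signed; use a CA-issued certificate for production."
}

Connect-ServiceFabricCluster -ConnectionEndpoint $endpoint `
    -KeepAliveIntervalInSec 10 `
    -X509Credential -ServerCertThumbprint $thumbprint `
    -FindType FindByThumbprint -FindValue $thumbprint `
    -StoreLocation CurrentUser -StoreName My

# Confirm the connection and the cluster state; anything other than Ok deserves a look.
$health = Get-ServiceFabricClusterHealth
if ($health.AggregatedHealthState -ne "Ok") {
    Write-Warning "Cluster aggregated health is $($health.AggregatedHealthState)."
}
$health
```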

Clean up resources

The other articles in this tutorial series use the cluster you've created. If you're not immediately moving on to the next article, you might want to delete the cluster to avoid incurring charges.

Next steps

Advance to the following tutorial to learn how to scale your cluster.


Next, advance to the following tutorial to learn how to monitor your cluster.