Creating a secure Service Fabric Cluster in Microsoft Azure with internal load balancer on an existing virtual network – Part 1

In this post, I want to walk you through creating a Service Fabric cluster in Microsoft Azure and making it a secure one. Moreover, we do not use a public IP address for the load balancer, which is the default configuration the Azure Portal applies when you create a Service Fabric cluster. Instead, we will assign an internal IP address to the load balancer and place the Service Fabric cluster on an existing VNET in your Azure subscription.

I have divided this post into two parts:

Part 1 – Creating a secure Service Fabric Cluster in Microsoft Azure with internal load balancer on an existing virtual LAN

Part 2 – Creating a secure Service Fabric Cluster in Microsoft Azure with internal load balancer on an existing virtual LAN

For a general understanding of Service Fabric, you can read this article:

https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-overview

For a comparison of Azure Service Fabric and Azure Cloud Services, you can read my earlier post:

http://www.sharepointjunkies.com/azure-service-fabric-vs-azure-cloud-services-for-cloud-native-applications/

Microsoft has a couple of articles on TechNet and MSDN covering the steps involved in creating a Service Fabric cluster and customizing it so that it can be placed on your existing virtual network. In this article, I try to consolidate all those posts and walk you through the process step by step.

https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-creation-via-portal

https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-patterns-networking

Step highlights

  1. Create the keyvault and certificates
  2. Generate the default Service Fabric ARM Template from the Azure portal
  3. Modify the template.json file
  4. Deploy the modified template to the Azure subscription

Assumptions

  • You have an Azure subscription
  • Azure PowerShell is set up on your machine and you have a basic knowledge of PowerShell cmdlets
  • You have an existing VNET with a subnet in your Azure subscription to assign to the Service Fabric cluster (the values below are the test values for my virtual network):
    • Resource Group Name =   test_res_12
    • VNET Name = Server-VNET
    • Subnet Name = Server-Subnet
    • Subnet address space = 172.16.0.0/24

Step 1 – create the keyvault and certificates

For general information on Azure Key Vault, see this link:

https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis

To secure your Service Fabric cluster in Microsoft Azure, you need to create a certificate for the cluster and upload it to Azure Key Vault. Azure Service Fabric uses X.509 certificates to secure a cluster. In a production environment, your certificate should be signed by a trusted Certificate Authority. If you are creating this environment for development or testing purposes, you can use a self-signed certificate to secure your cluster.

Creating the certificate, uploading it to Key Vault and then extracting the values you need is quite cumbersome in plain PowerShell. Fortunately, there is a prepackaged PowerShell module available for this purpose. Here is the link:

https://github.com/ChackDan/Service-Fabric/tree/master/Scripts/ServiceFabricRPHelpers

Clone or download the whole package from GitHub to your local computer, then browse to that location and import the module:

If you get an error when you try to run the cmdlet, the files may be blocked because they were downloaded from the public internet. Right-click each of the psm1 and dll files in the folder, unblock them, and then import the module again.

After that, run these commands to create a new self-signed certificate, upload it to Azure Key Vault and retrieve the required values:

You will be asked for a password to encrypt the private key. For the vault name, come up with a globally unique name. Pay attention to the DNS name and adjust it to suit your future needs; you can use the wildcard character * to create a wildcard certificate for your Service Fabric cluster. Moreover, the location of the Key Vault must be the same as that of the Service Fabric cluster you want to create (in this example, westus2).

After you run these cmdlets successfully, you will get the values of these items:

  • CertificateThumbprint
  • SourceVault
  • CertificateURL

Keep them in a text file. We need these values in the next steps.
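As an added example (not the post's own commands and not the ServiceFabricRPHelpers module), the same Step 1 result produced with the Az PowerShell module and the built-in Windows PKI cmdlets; it assumes Az is installed and Connect-AzAccount has already been run, and the vault name, certificate name and DNS name are constructed placeholders:

```powershell
# Added example: self-signed cluster certificate -> Key Vault -> the three values
# the ARM template needs. Assumes the Az module and a signed-in session.
$resourceGroup = 'test_res_12'                    # resource group from the post's assumptions
$location      = 'westus2'                        # must match the cluster's region
$vaultName     = 'sf-kv-CHANGEME'                 # placeholder: Key Vault names are globally unique
$certName      = 'sfclustercert'                  # constructed certificate name
$dnsName       = '*.westus2.cloudapp.azure.com'   # constructed wildcard DNS name
$pfxPath       = Join-Path $env:TEMP "$certName.pfx"
$pfxPassword   = Read-Host -Prompt 'PFX password' -AsSecureString

# The vault must be enabled for deployment so the VM scale set can install the secret.
$vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup
if (-not $vault) {
    $vault = New-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup `
                            -Location $location -EnabledForDeployment
}

# Self-signed certificate with an exportable private key (dev/test use, as the post notes).
$cert = New-SelfSignedCertificate -DnsName $dnsName -CertStoreLocation 'Cert:\CurrentUser\My' `
            -KeyExportPolicy Exportable -KeySpec KeyExchange -NotAfter (Get-Date).AddYears(1)
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Upload the PFX; the versioned SecretId is the CertificateURL the template expects.
$kvCert = Import-AzKeyVaultCertificate -VaultName $vaultName -Name $certName `
              -FilePath $pfxPath -Password $pfxPassword
Remove-Item $pfxPath   # the private key now lives in the vault and the local cert store

# The three values the "Secure mode" page in Step 2 asks for.
[pscustomobject]@{
    CertificateThumbprint = $kvCert.Thumbprint
    SourceVault           = $vault.ResourceId
    CertificateURL        = $kvCert.SecretId
}
```

The thumbprint must match the certificate that ends up in the vault, so copy it from this output rather than from a locally generated certificate you later replaced.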

Step 2 – generate the default Service Fabric ARM template

In this step, we use the Azure Portal to create a new Service Fabric cluster. We fill out all the parameters and go through to the end of the process. At the very last step, instead of creating the cluster, we download the ARM template for further modification.

Log in to the Azure portal, click New and search for 'service fabric'. Then click the Create button.

Enter the basic configuration parameters.

In the next step, select the node type count and then configure each node type accordingly. For the first node type in your Service Fabric cluster, you need a scale set of at least 5 virtual machine instances.

Click OK and go to step 3 for the security parameters. Select Secure mode, paste in the values from the PowerShell cmdlet output you obtained in the previous step, and click OK.

In step 4, Summary, you see the link to download the template.

Click on that link to download the template.

On the next page you see the generated ARM template. Click Download to save the ARM template.

A template.zip file is downloaded to your local machine. Unzip it. It contains multiple files in different formats; we need template.json to continue.

We continue this on Part 2 of this series.

About

MCSE, PMP, with more than 12 years of experience in Microsoft technologies.
