Azure Service Fabric security best practices

Deploying an application on Azure is fast, easy, and cost-effective. Before you deploy a cloud application into production, review this list of essential and recommended practices for building and operating secure Service Fabric clusters.

Azure Service Fabric is a distributed systems platform that makes it easy to package, deploy, and manage scalable and reliable microservices. It also addresses the significant challenges in developing and managing cloud applications: developers and administrators can avoid complex infrastructure problems and focus on implementing mission-critical, demanding workloads that are scalable, reliable, and manageable.

For each best practice, this article explains:

  • What the best practice is.
  • Why you should implement it.
  • What can happen if you don't.
  • Where to learn how to implement it.

The recommended Azure Service Fabric security best practices are:

  • Use Azure Resource Manager templates and the Service Fabric PowerShell module to create secure clusters.
  • Use X.509 certificates.
  • Configure security policies.
  • Implement the Reliable Actors security configuration.
  • Configure TLS for Azure Service Fabric.
  • Use network isolation and security with Azure Service Fabric.
  • Configure Azure Key Vault for security.
  • Assign users to roles.

Best practices for securing your clusters

Always use a secure cluster:

  • Implement cluster security by using certificates.
  • Provide client access (admin and read-only) by using Azure Active Directory (Azure AD).

Use automated deployments:

  • Use scripts to generate, deploy, and roll over the secrets.
  • Store the secrets in Azure Key Vault and use Azure AD for all other client access.
  • Require authentication for any human access to the secrets.

Additionally, consider the following configuration options:

  • Create perimeter networks (also known as demilitarized zones, DMZs, or screened subnets) by using Azure Network Security Groups (NSGs).
  • Access cluster virtual machines (VMs) or manage your cluster through jump servers with Remote Desktop Connection.

Your clusters must be secured to prevent unauthorized users from connecting, especially when a cluster is running in production. Although it's possible to create an unsecured cluster, anyone can connect to such a cluster anonymously if it exposes its management endpoints to the public internet.

There are three scenarios for implementing cluster security, each using different technologies:

  • Node-to-node security: This scenario secures communication between the VMs or computers in the cluster. It ensures that only computers authorized to join the cluster can host applications and services in it. Clusters that run on Azure, or standalone clusters that run on Windows, can use either certificate security or Windows security (for Windows Server machines).
  • Client-to-node security: This scenario secures communication between a Service Fabric client and the individual nodes in the cluster.
  • Role-Based Access Control (RBAC): This scenario uses separate identities (certificates, Azure AD, and so on) for each administrator and user client role that accesses the cluster. You specify the role identities when you create the cluster.

Note

Security recommendation for Azure clusters: Use Azure AD to authenticate clients, and certificates for node-to-node security.

To configure a standalone Windows cluster, see Configure settings for a standalone Windows cluster.

Use Azure Resource Manager templates and the Service Fabric PowerShell module to create a secure cluster

For step-by-step instructions to create a secure Service Fabric cluster by using Azure Resource Manager templates, see Creating a Service Fabric cluster.

Use the Azure Resource Manager template:

  • Customize your cluster by using the template to configure managed storage for VM virtual hard disks (VHDs).
  • Drive changes to your resource group through the template, so that configuration management and auditing stay simple.

Treat your cluster configuration as code:

  • Review your deployment configurations thoroughly.
  • Avoid using ad hoc commands to modify resources directly; changes made outside the template are not reflected in it and are harder to audit.

Many aspects of the Service Fabric application lifecycle can be automated. The Service Fabric PowerShell module automates common tasks for deploying, upgrading, removing, and testing Azure Service Fabric applications. Managed APIs and HTTP APIs for application management are also available.

Use X.509 certificates

Always secure your clusters by using X.509 certificates or Windows security. Security is configured only at cluster creation time; it's not possible to turn on security after the cluster is created.

To specify a cluster certificate, set the ClusterCredentialType property to X509. To specify a server certificate for connections from outside the cluster, set the ServerCredentialType property to X509.

In addition, follow these practices:

  • Create the certificates for production clusters by using a correctly configured Windows Server certificate service, or obtain them from an approved certificate authority (CA).
  • Never use a temporary or test certificate for production clusters if the certificate was created by using MakeCert.exe or a similar tool.
  • Use a self-signed certificate for test clusters, but never for production clusters.

If the cluster is unsecured, anyone can connect to it anonymously and perform management operations. For this reason, always secure production clusters by using X.509 certificates or Windows security.

To learn more about using X.509 certificates, see Add or remove certificates for a Service Fabric cluster.

Configure security policies

Service Fabric also secures the resources that applications use. Resources like files, directories, and certificates are stored under the application's user accounts when the application is deployed, which isolates running applications from one another even in a shared hosting environment.

  • Use an Active Directory domain group or user: Run the service under the credentials of an Active Directory user or group account. Be sure to use on-premises Active Directory within your domain, not Azure Active Directory. A domain user or group lets the service access other resources in the domain that it has been granted permissions to, for example file shares.

  • Assign a security access policy for HTTP and HTTPS endpoints: Specify the SecurityAccessPolicy property to apply a RunAs policy to a service whose service manifest declares endpoint resources with the HTTP protocol. The ports allocated to those HTTP endpoints are then correctly ACLed for the RunAs user account that the service runs under. When the policy isn't set, http.sys does not grant the service access to the URL, and calls from clients fail.

To learn how to use security policies in a Service Fabric cluster, see Configure security policies for your application.
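
As an added example (not code from the original page), here is an ApplicationManifest.xml that combines the two policies above: the service's code package runs as an on-premises domain user, and the HTTP endpoint that the service manifest declares is ACLed for that same principal. It assumes a service manifest named MyWebServicePkg with a code package named Code and an endpoint declared as <Endpoint Name="ServiceEndpoint" Protocol="http" Port="8081" Type="Input" />; the application type name, the principal name, and the account CONTOSO\svc-web are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- ApplicationManifest.xml: added example with assumed names, not from the original page -->
<ApplicationManifest ApplicationTypeName="MyWebAppType" ApplicationTypeVersion="1.0.0"
                     xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <Parameters>
    <!-- The account password is passed in as an encrypted parameter, never in clear text -->
    <Parameter Name="ServiceAccountPassword" DefaultValue="" />
  </Parameters>

  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="MyWebServicePkg" ServiceManifestVersion="1.0.0" />
    <Policies>
      <!-- Run the code package (Main and Setup entry points) as the principal declared under <Principals> -->
      <RunAsPolicy CodePackageRef="Code" UserRef="WebServiceAccount" EntryPointType="All" />
      <!-- Grant that same principal the http.sys URL ACL for the endpoint named ServiceEndpoint
           in the service manifest; without this, http.sys refuses the listener and clients get failures -->
      <SecurityAccessPolicy ResourceRef="ServiceEndpoint" PrincipalRef="WebServiceAccount" />
    </Policies>
  </ServiceManifestImport>

  <DefaultServices>
    <Service Name="MyWebService">
      <StatelessService ServiceTypeName="MyWebServiceType" InstanceCount="-1">
        <SingletonPartition />
      </StatelessService>
    </Service>
  </DefaultServices>

  <Principals>
    <Users>
      <!-- On-premises AD domain account (not Azure AD). PasswordEncrypted="true" means the value was
           produced with Invoke-ServiceFabricEncryptText against the cluster's encryption certificate. -->
      <User Name="WebServiceAccount" AccountType="DomainUser" AccountName="CONTOSO\svc-web"
            Password="[ServiceAccountPassword]" PasswordEncrypted="true" />
    </Users>
  </Principals>
</ApplicationManifest>
```

The RunAsPolicy and the SecurityAccessPolicy reference the same principal on purpose: the URL ACL is granted to the identity the process actually runs as. If the service listens on HTTPS, the same pattern applies, and a second SecurityAccessPolicy with ResourceType="Certificate" can grant the principal read access to the server certificate's private key.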

Implement the Reliable Actors security configuration

Service Fabric Reliable Actors is an implementation of the actor design pattern. As with any software design pattern, the decision to use it depends on whether the software problem fits the pattern.

In general, use the actor design pattern to help model solutions for the following software problems or security scenarios:

  • Your problem space involves a large number (thousands or more) of small, independent, and isolated units of state and logic.
  • You're working with single-threaded objects that don't require significant interaction from external components, including querying state across a set of actors.
  • Your actor instances don't block callers with unpredictable delays by issuing I/O operations.

In Service Fabric, actors are implemented in the Reliable Actors application framework. This framework is based on the actor pattern and built on top of Service Fabric Reliable Services. Each reliable actor service that you write is a partitioned stateful reliable service.

Every actor is defined as an instance of an actor type, just as a .NET object is an instance of a .NET type. For example, an actor type that implements the functionality of a calculator can have many actors of that type distributed across the nodes of a cluster. Each of the distributed actors is uniquely identified by an actor identifier.

Replicator security configurations secure the communication channel that is used during replication. This configuration prevents services from seeing each other's replication traffic and keeps highly available data protected in transit. The replicator is the component responsible for making the Actor State Provider's state highly reliable, and the replicator configuration section controls it. Be aware that an empty security configuration section, which is the default, leaves the replication channel unprotected; you have to populate it to get replication security.
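
As an added example (not code from the original page), the Settings.xml fragment below populates the replicator security section for an actor service so that replication traffic between its replicas is encrypted and signed with an X.509 certificate installed on every node. The section name follows the Reliable Actors convention of <ActorTypeName>ServiceReplicatorSecurityConfig, so MyActorServiceReplicatorSecurityConfig is assumed for an actor type named MyActor; the thumbprint and the allowed common name are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- PackageRoot\Config\Settings.xml of the actor service package: added example, not from the original page.
     Section name assumed from the <ActorTypeName>ServiceReplicatorSecurityConfig convention for an actor type MyActor. -->
<Settings xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <!-- If this section is left empty (the default), replication between the primary and secondary
       replicas is neither authenticated nor encrypted. -->
  <Section Name="MyActorServiceReplicatorSecurityConfig">
    <!-- X509 uses a certificate for the replication channel; Windows is the alternative credential type -->
    <Parameter Name="CredentialType" Value="X509" />
    <Parameter Name="FindType" Value="FindByThumbprint" />
    <!-- Placeholder thumbprint: use a certificate present in the LocalMachine\My store on every node,
         typically the cluster certificate -->
    <Parameter Name="FindValue" Value="0000000000000000000000000000000000000000" />
    <Parameter Name="StoreLocation" Value="LocalMachine" />
    <Parameter Name="StoreName" Value="My" />
    <!-- EncryptAndSign: confidentiality and integrity. Sign: integrity only. None: no protection. -->
    <Parameter Name="ProtectionLevel" Value="EncryptAndSign" />
    <!-- Only peers presenting a certificate with one of these subject common names are accepted -->
    <Parameter Name="AllowedCommonNames" Value="mycluster.contoso.com" />
  </Section>
</Settings>
```

Because the replicator reads this section by name, a typo in the section name silently falls back to the empty default, so verify the effective configuration on a test cluster (for example by inspecting the replicator endpoint's behaviour with a packet capture) before relying on it in production.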

Configure TLS for Azure Service Fabric

The server authentication process authenticates the cluster management endpoints to a management client, so the client knows that it's talking to the real cluster. The same certificate also provides TLS for the HTTPS management API and for Service Fabric Explorer over HTTPS. You must obtain a custom domain name for your cluster. When you request a certificate from a certificate authority, the certificate's subject name must match the custom domain name that you use for your cluster.

To configure TLS for an application, you first need to obtain an SSL/TLS certificate that has been signed by a CA. The CA is a trusted third party that issues certificates for TLS. If you don't already have a certificate, obtain one from a CA that issues SSL/TLS certificates.

The certificate must meet the following requirements for SSL/TLS certificates in Azure:

  • The certificate must contain a private key.

  • The certificate must be created for key exchange and be exportable to a personal information exchange (.pfx) file.

  • The certificate's subject name must match the domain name that is used to access your cloud service.

    • Acquire a custom domain name to use for accessing your cloud service.
    • Request a certificate from a CA with a subject name that matches your service's custom domain name. For example, if your custom domain name is contoso.com, the certificate from your CA should have the subject name *.contoso.com or www.contoso.com.

    Note

    You cannot obtain an SSL/TLS certificate from a CA for the cloudapp.net domain.

  • The certificate must use a key of at least 2,048 bits.

HTTP is unencrypted and subject to eavesdropping. Data transmitted over HTTP is sent as plain text between the web browser and the web server, or between other endpoints, so an attacker on the path can intercept and read sensitive data such as credit card details and account credentials. When data is sent over HTTPS, TLS encrypts it in transit and protects it from interception and tampering.

To learn more about using SSL/TLS certificates, see Configuring TLS for an application in Azure.

Use network isolation and security with Azure Service Fabric

As a starting point, set up a secure cluster with three node types by using the sample Azure Resource Manager template. Control the inbound and outbound network traffic by using the template together with Network Security Groups.

The template has an NSG for each of the virtual machine scale sets, which controls the traffic into and out of that set. By default, the rules allow all traffic necessary for the system services and for the application ports specified in the template. Review these rules and change them to fit your needs, including adding new rules for your applications.

For more information, see Common networking scenarios for Azure Service Fabric.

Set up Azure Key Vault for security

Service Fabric uses X.509 certificates to provide authentication and encryption for securing a cluster and its applications. You use Azure Key Vault to manage certificates for Service Fabric clusters in Azure. The Azure resource provider that creates the cluster pulls the certificates from a key vault and installs them on the VMs when the cluster is deployed on Azure.

A certificate relationship exists between Azure Key Vault, the Service Fabric cluster, and the resource provider that uses the certificates. When the cluster is created, information about this relationship is stored in the key vault.

There are two basic steps to set up a key vault:

  1. Create a resource group specifically for your key vault.

    We recommend that you put the key vault in its own resource group. This helps prevent the loss of your keys and secrets if other resource groups are removed, such as storage, compute, or the group that contains your cluster. The resource group that contains your key vault must be in the same region as the cluster that uses it.

  2. Create a key vault in the new resource group.

    The key vault must be enabled for deployment. The compute resource provider can then get the certificates from the vault and install them on the VM instances.

To learn more about how to set up a key vault, see What is Azure Key Vault?.
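
The following PowerShell script is an added example, not from the original page, that covers both the certificate requirements listed under Configure TLS and the two Key Vault steps above: it loads a .pfx, checks for a private key, an RSA key of at least 2,048 bits, and a DNS name matching the cluster's custom domain, warns if the certificate is self-signed or close to expiry, then creates a dedicated resource group and a key vault that is enabled for deployment, imports the certificate, and returns the three values an Azure Resource Manager template needs (source vault ID, certificate URL, thumbprint). The resource names, region, DNS name, and .pfx path are placeholders; the script requires the Az.Resources and Az.KeyVault modules and an existing Connect-AzAccount session.

```powershell
# Added example: validate a cluster/server certificate and put it in a deployment-enabled key vault.
# Placeholder values below (vault, resource group, region, DNS name, .pfx path) must be replaced.
param(
    [string]$PfxPath        = 'C:\certs\mycluster.pfx',
    [string]$ClusterDnsName = 'mycluster.contoso.com',
    [string]$VaultName      = 'contoso-sf-kv',
    [string]$ResourceGroup  = 'contoso-sf-kv-rg',   # dedicated group: deleting the cluster's group must not delete the vault
    [string]$Location       = 'westus2'             # must be the same region as the cluster that will use the vault
)

# Matches a certificate DNS name against the cluster name; a wildcard covers exactly one label.
function Test-DnsNameMatch([string]$CertName, [string]$Name) {
    if ($CertName.StartsWith('*.')) {
        return $Name.EndsWith($CertName.Substring(1), 'OrdinalIgnoreCase') -and
               ($Name.Split('.').Count -eq $CertName.Split('.').Count)
    }
    return [string]::Equals($CertName, $Name, 'OrdinalIgnoreCase')
}

$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# --- 1. Check the certificate against the requirements before it reaches a production cluster ---
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $pfxPassword, $flags)

if (-not $cert.HasPrivateKey) {
    throw 'The .pfx contains no private key; Service Fabric cannot use it as a cluster or server certificate.'
}
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if ($null -eq $rsa -or $rsa.KeySize -lt 2048) {
    throw 'The certificate must use an RSA key of at least 2,048 bits.'
}
# Subject alternative names if present (PowerShell exposes them as DnsNameList), otherwise the subject CN.
$dnsNames = @()
if ($cert.PSObject.Properties['DnsNameList']) { $dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode }) }
if ($dnsNames.Count -eq 0) {
    $dnsNames = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
}
if (-not ($dnsNames | Where-Object { Test-DnsNameMatch $_ $ClusterDnsName })) {
    throw "None of the certificate names ($($dnsNames -join ', ')) match $ClusterDnsName."
}
if ($cert.Subject -eq $cert.Issuer) {
    Write-Warning 'Self-signed certificate: acceptable for a test cluster, never for production.'
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); plan the rollover now."
}

# --- 2. Dedicated resource group, and a vault the compute resource provider is allowed to read from ---
New-AzResourceGroup -Name $ResourceGroup -Location $Location -Force | Out-Null
$vault = New-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup -Location $Location `
                        -EnabledForDeployment -EnabledForTemplateDeployment

# --- 3. Import the .pfx; the secret URL is what the scale set pulls at deployment time ---
$imported = Import-AzKeyVaultCertificate -VaultName $VaultName -Name 'cluster-cert' `
                                         -FilePath $PfxPath -Password $pfxPassword

# These three values go into the Resource Manager template: osProfile.secrets (sourceVault.id and
# certificateUrl) on each scale set, and the certificate thumbprint on the cluster resource.
[pscustomobject]@{
    SourceVaultId  = $vault.ResourceId
    CertificateUrl = $imported.SecretId
    Thumbprint     = $imported.Thumbprint
}
```

Run it once per certificate, and keep the returned thumbprint alongside the template: the same script, pointed at the next .pfx, is the natural basis for the scripted certificate rollover recommended earlier in this article.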

Assign users to roles

After you've created the Azure AD applications that represent your cluster, assign your users to the roles that Service Fabric supports: read-only and admin. You can assign these roles by using the Azure portal.

Note

For more information about using roles in Service Fabric, see Role-Based Access Control for Service Fabric clients.

Azure Service Fabric supports two access control types for clients that connect to a Service Fabric cluster: administrator and user. The cluster administrator can use access control to limit different groups of users to specific cluster operations, which makes the cluster more secure.

Next steps
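
As an added example that is not part of the original page, the following PowerShell shows the client side of the two roles when they are bound to certificates rather than Azure AD identities: it registers one client certificate as admin and another as read-only on an existing Azure cluster, then connects with the read-only certificate and demonstrates that a query succeeds while a management operation is refused. The resource group, cluster name, endpoint, application name and thumbprints are placeholders; Add-AzServiceFabricClientCertificate comes from the Az.ServiceFabric module, and the Connect-ServiceFabricCluster family from the Service Fabric SDK PowerShell module.

```powershell
# Added example: register client certificates per role and verify the read-only role really is read-only.
# Placeholders: resource group, cluster name, endpoint, thumbprints, application name.
$rg          = 'contoso-sf-rg'
$clusterName = 'contoso-sf'
$endpoint    = 'mycluster.contoso.com:19000'
$serverThumb = '1111111111111111111111111111111111111111'   # cluster (server) certificate the client expects
$adminThumb  = '2222222222222222222222222222222222222222'   # certificate held by operators
$readerThumb = '3333333333333333333333333333333333333333'   # certificate held by dashboards and support staff

# Each call triggers a cluster configuration upgrade; wait for it to complete before relying on the new role.
# Admin role: deploy, upgrade and remove applications, plus node-level operations.
Add-AzServiceFabricClientCertificate -ResourceGroupName $rg -Name $clusterName -Thumbprint $adminThumb -Admin
# Without -Admin the certificate gets the user (read-only) role.
Add-AzServiceFabricClientCertificate -ResourceGroupName $rg -Name $clusterName -Thumbprint $readerThumb

# Connect with the read-only certificate. -ServerCertThumbprint pins the cluster certificate, so the client
# refuses to talk to anything that is not the real cluster (server authentication).
Connect-ServiceFabricCluster -ConnectionEndpoint $endpoint -X509Credential `
    -ServerCertThumbprint $serverThumb `
    -FindType FindByThumbprint -FindValue $readerThumb -StoreLocation CurrentUser -StoreName My

# Queries are allowed for the user role.
(Get-ServiceFabricClusterHealth).AggregatedHealthState

# A management operation with the read-only identity is rejected by the cluster with an access-denied error.
try {
    Remove-ServiceFabricApplication -ApplicationName 'fabric:/SomeApp' -Force -ErrorAction Stop
    Write-Warning 'Unexpected: the read-only certificate was allowed to remove an application; check the role assignment.'
} catch {
    Write-Host "As expected, the read-only role cannot remove applications: $($_.Exception.Message)"
}
```

With Azure AD instead of client certificates, the connection becomes Connect-ServiceFabricCluster -ConnectionEndpoint $endpoint -AzureActiveDirectory -ServerCertThumbprint $serverThumb, and the admin and read-only roles are assigned to users in the Azure portal as described above; the server certificate pin stays the same in both cases.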