Overview of Service Fabric clusters on Azure

A Service Fabric cluster is a network-connected set of virtual or physical machines into which your microservices are deployed and managed. A machine or VM that is part of a cluster is called a cluster node. Clusters can scale to thousands of nodes. If you add new nodes to the cluster, Service Fabric rebalances the service partition replicas and instances across the increased number of nodes. Overall application performance improves and contention for access to memory decreases. If the nodes in the cluster are not being used efficiently, you can decrease the number of nodes in the cluster. Service Fabric again rebalances the partition replicas and instances across the decreased number of nodes to make better use of the hardware on each node.

A node type defines the size, number, and properties for a set of nodes (virtual machines) in the cluster. Each node type can then be scaled up or down independently, have different sets of ports open, and can have different capacity metrics. Node types are used to define roles for a set of cluster nodes, such as "front end" or "back end". Your cluster can have more than one node type, but the primary node type must have at least five VMs for production clusters (or at least three VMs for test clusters). Service Fabric system services are placed on the nodes of the primary node type.

Cluster components and resources

A Service Fabric cluster on Azure is an Azure resource that uses and interacts with other Azure resources:

  • VMs and virtual network cards
  • virtual machine scale sets
  • virtual networks
  • load balancers
  • storage accounts
  • public IP addresses

Figure: Service Fabric cluster

Virtual machine

A virtual machine that's part of a cluster is called a node, though technically a cluster node is a Service Fabric runtime process. Each node is assigned a node name (a string). Nodes have characteristics, such as placement properties. Each machine or VM has an auto-start service, FabricHost.exe, that starts running at boot time and then starts two executables, Fabric.exe and FabricGateway.exe, which make up the node. A production deployment is one node per physical or virtual machine. For testing scenarios, you can host multiple nodes on a single machine or VM by running multiple instances of Fabric.exe and FabricGateway.exe.

Each VM is associated with a virtual network interface card (NIC) and each NIC is assigned a private IP address. A VM is assigned to a virtual network and load balancer through the NIC.

All VMs in a cluster are placed in a virtual network. All nodes in the same node type/scale set are placed on the same subnet on the virtual network. These nodes only have private IP addresses and are not directly addressable outside the virtual network. Clients can access services on the nodes through the Azure load balancer.

Scale set/node type

When you create a cluster, you define one or more node types. The nodes, or VMs, in a node type have the same size and characteristics, such as number of CPUs, memory, number of disks, and disk I/O. For example, one node type could be for small, front-end VMs with ports open to the internet, while another node type could be for large, back-end VMs that process data. In Azure clusters, each node type is mapped to a virtual machine scale set.

You can use scale sets to deploy and manage a collection of virtual machines as a set. Each node type that you define in an Azure Service Fabric cluster sets up a separate scale set. The Service Fabric runtime is bootstrapped onto each virtual machine in the scale set using Azure VM extensions. You can independently scale each node type up or down, change the OS SKU running on each cluster node, have different sets of ports open, and use different capacity metrics. A scale set has five upgrade domains and five fault domains and can have up to 100 VMs. You create clusters of more than 100 nodes by creating multiple scale sets/node types.

Important

Choosing the number of node types for your cluster and the properties of each node type (size, primary, internet facing, number of VMs, etc.) is an important task. For more information, read cluster capacity planning considerations.

For more information, read Service Fabric node types and virtual machine scale sets.

Azure Load Balancer

VM instances are joined behind an Azure load balancer, which is associated with a public IP address and DNS label. When you provision a cluster with the name <clustername>, the DNS name <clustername>.<location>.cloudapp.chinacloudapi.cn is the DNS label associated with the load balancer in front of the scale set.

VMs in a cluster have only private IP addresses. Management traffic and service traffic are routed through the public facing load balancer. Network traffic is routed to these machines through NAT rules (clients connect to specific nodes/instances) or load-balancing rules (traffic goes to VMs round robin). A load balancer has an associated public IP with a DNS name in the format <clustername>.<location>.cloudapp.chinacloudapi.cn. A public IP is another Azure resource in the resource group. If you define multiple node types in a cluster, a load balancer is created for each node type/scale set. Or, you can set up a single load balancer for multiple node types. The primary node type has the DNS label <clustername>.<location>.cloudapp.chinacloudapi.cn; other node types have the DNS label <clustername>-<nodetype>.<location>.cloudapp.chinacloudapi.cn.

Storage accounts

Each cluster node type is supported by an Azure storage account and managed disks.

Cluster security

A Service Fabric cluster is a resource that you own. It is your responsibility to secure your clusters to help prevent unauthorized users from connecting to them. A secure cluster is especially important when you are running production workloads on the cluster.

Node-to-node security

Node-to-node security secures communication between the VMs or computers in a cluster. This security scenario ensures that only computers that are authorized to join the cluster can participate in hosting applications and services in the cluster. Service Fabric uses X.509 certificates to secure a cluster and provide application security features. A cluster certificate is required to secure cluster traffic and provide cluster and server authentication. Self-signed certificates can be used for test clusters, but a certificate from a trusted certificate authority should be used to secure production clusters.

For more information, read Node-to-node security.

Client-to-node security

Client-to-node security authenticates clients and helps secure communication between a client and individual nodes in the cluster. This type of security helps ensure that only authorized users can access the cluster and the applications that are deployed on the cluster. Clients are uniquely identified through their X.509 certificate security credentials. Any number of optional client certificates can be used to authenticate admin or user clients with the cluster.

In addition to client certificates, Azure Active Directory can also be configured to authenticate clients with the cluster.
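As an added example (not code from the original page or from Service Fabric itself), the following Python pre-deployment check applies the rules stated in the node type and security sections above: exactly one primary node type with at least five VMs for production (three for test), no more than 100 VMs per scale set, a cluster certificate, and at least one admin client certificate. The sample cluster dict is constructed for the example, and its property names are assumed to follow the nodeTypes, certificate and clientCertificateThumbprints fields of a Microsoft.ServiceFabric/clusters ARM resource.

```python
"""Pre-deployment checks for a Service Fabric cluster definition (added example).
Property names are assumed to follow the Microsoft.ServiceFabric/clusters ARM
resource; the sample cluster below is constructed, not a real deployment."""
from typing import Dict, List

MAX_VMS_PER_SCALE_SET = 100          # one scale set holds at most 100 VMs
MIN_PRIMARY_VMS = {"production": 5, "test": 3}

# Constructed sample with three deliberate problems: the primary node type is
# too small for production, the back-end scale set is too large, and no
# cluster certificate is configured.
SAMPLE_CLUSTER = {
    "certificate": {"thumbprint": ""},
    "clientCertificateThumbprints": [
        {"certificateThumbprint": "PLACEHOLDER-ADMIN-THUMBPRINT", "isAdmin": True},
    ],
    "nodeTypes": [
        {"name": "frontend", "isPrimary": True, "vmInstanceCount": 3},
        {"name": "backend", "isPrimary": False, "vmInstanceCount": 120},
    ],
}


def check_cluster(cluster: Dict, environment: str = "production") -> List[str]:
    """Return findings for the cluster definition; an empty list means it passes."""
    findings: List[str] = []
    node_types = cluster.get("nodeTypes", [])
    primaries = [nt for nt in node_types if nt.get("isPrimary")]
    if len(primaries) != 1:
        findings.append("exactly one primary node type is required")
    minimum = MIN_PRIMARY_VMS[environment]
    for nt in primaries:
        if nt.get("vmInstanceCount", 0) < minimum:
            findings.append(f"primary node type {nt['name']!r} has "
                            f"{nt.get('vmInstanceCount', 0)} VMs; {environment} needs {minimum}")
    for nt in node_types:
        if nt.get("vmInstanceCount", 0) > MAX_VMS_PER_SCALE_SET:
            findings.append(f"node type {nt['name']!r} exceeds {MAX_VMS_PER_SCALE_SET} VMs; "
                            "split it into additional node types/scale sets")
    # Without a cluster certificate, node-to-node and client-to-node traffic is unsecured.
    if not cluster.get("certificate", {}).get("thumbprint"):
        findings.append("no cluster certificate configured")
    # At least one client certificate should carry the Administrator role.
    admins = [c for c in cluster.get("clientCertificateThumbprints", []) if c.get("isAdmin")]
    if not admins:
        findings.append("no admin client certificate configured")
    return findings
```

Running `check_cluster(SAMPLE_CLUSTER)` reports the three constructed problems; with `environment="test"` the three-VM primary node type is accepted and two findings remain.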

For more information, read Client-to-node security.

Role-Based Access Control

Role-Based Access Control (RBAC) allows you to assign fine-grained access controls on Azure resources. You can assign different access rules to subscriptions, resource groups, and resources. RBAC rules are inherited along the resource hierarchy unless overridden at a lower level. You can assign any user or user group in your AAD with RBAC rules so that designated users and groups can modify your cluster. For more information, read the Azure RBAC overview.

Service Fabric also supports access control to limit access to certain cluster operations for different groups of users. This helps make the cluster more secure. Two access control types are supported for clients that connect to a cluster: Administrator role and User role.

For more information, read Service Fabric Role-Based Access Control (RBAC).

Network security groups

Network security groups (NSGs) control inbound and outbound traffic of a subnet, VM, or specific NIC. By default, when multiple VMs are put on the same virtual network they can communicate with each other through any port. If you want to constrain communication among the machines, you can define NSGs to segment the network or isolate VMs from each other. If you have multiple node types in a cluster, you can apply NSGs to subnets to prevent machines belonging to different node types from communicating with each other.

For more information, read about security groups.

Scaling

Application demands change over time. You may need to increase cluster resources to meet increased application workload or network traffic, or decrease cluster resources when demand drops. After creating a Service Fabric cluster, you can scale the cluster horizontally (change the number of nodes) or vertically (change the resources of the nodes). You can scale the cluster at any time, even when workloads are running on the cluster. As the cluster scales, your applications automatically scale as well.

For more information, read Scaling Azure clusters.

Upgrading

An Azure Service Fabric cluster is a resource that you own, but is partly managed by Azure. Azure is responsible for patching the underlying OS and performing Service Fabric runtime upgrades on your cluster. You can set your cluster to receive automatic runtime upgrades when Azure releases a new version, or choose to select a supported runtime version that you want. In addition to runtime upgrades, you can also update cluster configuration such as certificates or application ports.

For more information, read Upgrading clusters.

Supported operating systems

You are able to create clusters on virtual machines running these operating systems:

Operating system          Earliest supported Service Fabric version
Windows Server 2012 R2    All versions
Windows Server 2016       All versions
Windows Server 1709       6.0
Windows Server 1803       6.4
Windows Server 1809       6.4.654.9590
Windows Server 2019       6.4.654.9590
Linux Ubuntu 16.04        6.0
Linux Ubuntu 18.04        7.1

For additional information, see Supported Cluster Versions in Azure.

Note

If you decide to deploy Service Fabric on Windows Server 1709, please note that (1) it is not a long-term servicing branch, so you may have to move versions in the future, and (2) if you deploy containers, containers built on Windows Server 2016 do not work on Windows Server 1709, and vice versa (you will have to rebuild them to deploy them).

Next steps

Read more about securing, scaling, and upgrading Azure clusters.

Learn about Service Fabric support options.