Networking

As you create and manage Azure Service Fabric clusters, you are providing network connectivity for your nodes and applications. The networking resources include IP address ranges, virtual networks, load balancers, and network security groups. In this article, you will learn best practices for these resources.

Review Azure Service Fabric Networking Patterns to learn how to create clusters that use the following features: an existing virtual network or subnet, a static public IP address, an internal-only load balancer, or internal and external load balancers.

Infrastructure Networking

Maximize your virtual machine's performance with Accelerated Networking by declaring the enableAcceleratedNetworking property in your Resource Manager template. The following snippet is from a Virtual Machine Scale Set's NetworkInterfaceConfigurations and enables Accelerated Networking:

"networkInterfaceConfigurations": [
  {
    "name": "[concat(variables('nicName'), '-0')]",
    "properties": {
      "enableAcceleratedNetworking": true,
      "ipConfigurations": [
        {
        <snip>
        }
      ],
      "primary": true
    }
  }
]

A Service Fabric cluster can be provisioned on Linux with Accelerated Networking, and on Windows with Accelerated Networking.

Accelerated Networking is supported for the following Azure Virtual Machine Series SKUs: D/DSv2, D/DSv3, E/ESv3, F/FS, FSv2, and Ms/Mms. Accelerated Networking was tested successfully using the Standard_DS8_v3 SKU on 01/23/2019 for a Service Fabric Windows cluster, and using Standard_DS12_v2 on 01/29/2019 for a Service Fabric Linux cluster.

To enable Accelerated Networking on an existing Service Fabric cluster, you first need to scale the Service Fabric cluster out by adding a Virtual Machine Scale Set, in order to:

  1. Provision a NodeType with Accelerated Networking enabled
  2. Migrate your services and their state to the provisioned NodeType with Accelerated Networking enabled

Scaling out the infrastructure is required to enable Accelerated Networking on an existing cluster, because enabling Accelerated Networking in place would cause downtime: it requires all virtual machines in an availability set to be stopped and deallocated before Accelerated Networking can be enabled on any existing NIC.

Cluster Networking

  • Service Fabric clusters can be deployed into an existing virtual network by following the steps outlined in Service Fabric networking patterns.

  • Network security groups (NSGs) are recommended on node types to restrict inbound and outbound traffic to the cluster. Ensure that the necessary ports are opened in the NSG.

  • The primary node type, which contains the Service Fabric system services, does not need to be exposed via the external load balancer and can be exposed by an internal load balancer.

  • Use a static public IP address for your cluster.

Network Security Rules

The basic rules here are the minimum for a security lockdown of an Azure managed Service Fabric cluster. Failing to open the following ports or to approve the IP/URL will prevent proper operation of the cluster and may not be supported. With this rule set it is strictly required to use automatic OS image upgrades; otherwise additional ports will need to be opened.

Inbound

Priority  Name             Port         Protocol  Source          Destination     Action
3900      Azure            19080        TCP       Internet        VirtualNetwork  Allow
3910      Client           19000        TCP       Internet        VirtualNetwork  Allow
3920      Cluster          1025-1027    TCP       VirtualNetwork  VirtualNetwork  Allow
3930      Ephemeral        49152-65534  TCP       VirtualNetwork  VirtualNetwork  Allow
3940      Application      20000-30000  TCP       VirtualNetwork  VirtualNetwork  Allow
3950      SMB              445          TCP       VirtualNetwork  VirtualNetwork  Allow
3960      RDP              3389-3488    TCP       Internet        VirtualNetwork  Deny
3970      SSH              22           TCP       Internet        VirtualNetwork  Deny
3980      Custom Endpoint  80           TCP       Internet        VirtualNetwork  Allow
4100      Block Inbound    443          Any       Any             Any             Allow

More information about the inbound security rules:

  • Azure. This port is used by Service Fabric Explorer to browse and manage your cluster, and it is also used by the Service Fabric Resource Provider to query information about your cluster for display in the Azure Management Portal. If this port is not accessible from the Service Fabric Resource Provider, you will see a message such as 'Nodes Not Found' or 'UpgradeServiceNotReachable' in the Azure portal, and your node and application list will appear empty. This means that if you want visibility of your cluster in the Azure Management Portal, your load balancer must expose a public IP address and your NSG must allow incoming traffic on 19080.

  • Client. The client connection endpoint for APIs such as REST/PowerShell/CLI.

  • Cluster. Used for inter-node communication; should never be blocked.

  • Ephemeral. Service Fabric uses a part of these ports as application ports, and the remaining ones are available to the OS. It also maps this range to the existing range present in the OS, so for all purposes you can use the ranges given in the sample here. Make sure that the difference between the start and end ports is at least 255. You might run into conflicts if this difference is too low, because this range is shared with the OS. To see the configured dynamic port range, run netsh int ipv4 show dynamic port tcp. These ports aren't needed for Linux clusters.

  • Application. The application port range should be large enough to cover the endpoint requirements of your applications. This range should be exclusive from the dynamic port range on the machine, that is, the ephemeralPorts range as set in the configuration. Service Fabric uses these ports whenever new ports are required and takes care of opening the firewall for them on the nodes.

  • SMB. The SMB protocol is used by the ImageStore service for two scenarios: this port is needed for the nodes to download packages from the ImageStore, and to replicate them between the replicas.

  • RDP. Optional, if RDP is required from the Internet or VirtualNetwork for jumpbox scenarios.

  • SSH. Optional, if SSH is required from the Internet or VirtualNetwork for jumpbox scenarios.

  • Custom endpoint. An example for your application to enable an internet-accessible endpoint.
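A small lint for the inbound rule set above, added here as an example and not part of the original article: it mirrors the table as a constructed rule list, evaluates the lowest-priority-wins semantics of an NSG, and checks the Ephemeral and Application guidance (range width of at least 255, no overlap between the two ranges, cluster ports 1025-1027 open between nodes, and 19080 reachable so the portal does not report 'Nodes Not Found'). The Rule type, port_range, effective_action and lint names are this example's own.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    ports: tuple    # inclusive (start, end)
    protocol: str   # "TCP" or "Any"
    source: str     # "Internet", "VirtualNetwork" or "Any"
    action: str     # "Allow" or "Deny"

def port_range(spec):
    """'1025-1027' -> (1025, 1027); '19080' -> (19080, 19080)."""
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))

# Constructed rule set mirroring the inbound table above; destination is VirtualNetwork throughout.
INBOUND = [
    Rule(3900, "Azure", port_range("19080"), "TCP", "Internet", "Allow"),
    Rule(3910, "Client", port_range("19000"), "TCP", "Internet", "Allow"),
    Rule(3920, "Cluster", port_range("1025-1027"), "TCP", "VirtualNetwork", "Allow"),
    Rule(3930, "Ephemeral", port_range("49152-65534"), "TCP", "VirtualNetwork", "Allow"),
    Rule(3940, "Application", port_range("20000-30000"), "TCP", "VirtualNetwork", "Allow"),
    Rule(3950, "SMB", port_range("445"), "TCP", "VirtualNetwork", "Allow"),
    Rule(3960, "RDP", port_range("3389-3488"), "TCP", "Internet", "Deny"),
    Rule(3970, "SSH", port_range("22"), "TCP", "Internet", "Deny"),
]

def effective_action(rules, port, protocol, source):
    """Lowest priority number wins, as in an NSG; unmatched VirtualNetwork traffic is allowed by default."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.protocol in ("Any", protocol) and r.source in ("Any", source)
                and r.ports[0] <= port <= r.ports[1]):
            return r.action
    return "Allow" if source == "VirtualNetwork" else "Deny"

def lint(rules):
    """Findings that would break the cluster or violate the port-range guidance."""
    findings = []
    by_name = {r.name: r for r in rules}
    eph, app = by_name["Ephemeral"].ports, by_name["Application"].ports
    if eph[1] - eph[0] < 255:
        findings.append("ephemeral range spans fewer than 255 ports")
    if app[0] <= eph[1] and eph[0] <= app[1]:
        findings.append("application range overlaps the ephemeral range")
    for p in (1025, 1026, 1027):
        if effective_action(rules, p, "TCP", "VirtualNetwork") != "Allow":
            findings.append(f"cluster port {p} not allowed between nodes")
    if effective_action(rules, 19080, "TCP", "Internet") != "Allow":
        findings.append("19080 closed: portal will show 'Nodes Not Found'")
    return findings
```

Feed it the rules exported from your own NSG (same fields) to catch a shrunken ephemeral range or an application range that drifted into it before a deployment starts failing with port conflicts.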

Outbound

Priority  Name               Port  Protocol  Source          Destination     Action
3900      Network            Any   TCP       VirtualNetwork  VirtualNetwork  Allow
3910      Resource Provider  443   TCP       VirtualNetwork  ServiceFabric   Allow
3920      Upgrade            443   TCP       VirtualNetwork  Internet        Allow
3950      Block Outbound     Any   Any       Any             Any             Deny

More information about the outbound security rules:

  • Network. Communication channel for subnets and to other virtual networks.

  • Resource Provider. Connection used by the UpgradeService to execute all ARM deployments by the Service Fabric resource provider.

  • Upgrade. The upgrade service uses the address download.microsoft.com to get the bits; this is needed for setup, re-image and runtime upgrades. The service operates with dynamic IP addresses. In the scenario of an "internal only" load balancer, an additional external load balancer must be added to the template with a rule allowing outbound traffic on port 443. Optionally, this port can be blocked after a successful setup, but in that case the upgrade package must be distributed to the nodes, or the port has to be opened for a short period of time, after which a manual upgrade is needed.

Use Azure Firewall with NSG flow logs and traffic analytics to track issues with the security lockdown. The ARM template Service Fabric with NSG is a good example to start from.

Application Networking

  • To run Windows container workloads, use open networking mode to make service-to-service communication easier.

  • Use a reverse proxy such as Traefik or the Service Fabric reverse proxy to expose common application ports such as 80 or 443.

  • For Windows containers hosted on air-gapped machines that can't pull base layers from Azure cloud storage, override the foreign layer behavior by using the --allow-nondistributable-artifacts flag in the Docker daemon.

Next steps