Azure Service Fabric security

For more information about Azure security best practices, review Azure Service Fabric security best practices.

Key Vault

Azure Key Vault is the recommended secrets management service for Azure Service Fabric applications and clusters.

Note

If certificates or secrets from a Key Vault are deployed to a Virtual Machine Scale Set as a Virtual Machine Scale Set Secret, the Key Vault and the Virtual Machine Scale Set must be co-located.

Create a certificate authority issued Service Fabric certificate

An Azure Key Vault certificate can be either created in or imported into a Key Vault. When a Key Vault certificate is created, the private key is created inside the Key Vault and is never exposed to the certificate owner. These are the ways to create a certificate in Key Vault:

  • Create a self-signed certificate: a public-private key pair is created and associated with a certificate. The certificate is signed by its own key.
  • Create a new certificate manually: a public-private key pair is created and an X.509 certificate signing request is generated. The signing request can be signed by your registration authority or certification authority. The signed X.509 certificate is then merged with the pending key pair to complete the certificate in Key Vault. Although this method requires more steps, it provides greater security because the private key is created in, and restricted to, Key Vault. This is explained in the diagram below.

Review Azure Keyvault Certificate Creation Methods for additional details.

Deploy Key Vault certificates to Service Fabric cluster virtual machine scale sets

To deploy certificates from a co-located Key Vault to a Virtual Machine Scale Set, use the Virtual Machine Scale Set osProfile. The following are the Resource Manager template properties:

"secrets": [
   {
       "sourceVault": {
           "id": "[parameters('sourceVaultValue')]"
       },
       "vaultCertificates": [
          {
              "certificateStore": "[parameters('certificateStoreValue')]",
              "certificateUrl": "[parameters('certificateUrlValue')]"
          }
       ]
   }
]

Note

The vault must be enabled for Resource Manager template deployment.

Apply an Access Control List (ACL) to your certificate for your Service Fabric cluster

The Virtual Machine Scale Set extension publisher Microsoft.Azure.ServiceFabric is used to configure node security. To apply an ACL to your certificates for your Service Fabric cluster processes, use the following Resource Manager template properties:

"certificate": {
   "commonNames": [
       "[parameters('certificateCommonName')]"
   ],
   "x509StoreName": "[parameters('certificateStoreValue')]"
}

Secure a Service Fabric cluster certificate by common name

To secure your Service Fabric cluster by certificate Common Name, use the Resource Manager template property certificateCommonNames, as follows:

"certificateCommonNames": {
    "commonNames": [
        {
            "certificateCommonName": "[parameters('certificateCommonName')]",
            "certificateIssuerThumbprint": "[parameters('certificateIssuerThumbprint')]"
        }
    ],
    "x509StoreName": "[parameters('certificateStoreValue')]"
}

Note

Service Fabric clusters use the first valid certificate they find in the host's certificate store. On Windows, this is the certificate with the latest expiry date that matches your Common Name and Issuer thumbprint.

Azure domains, such as *<YOUR SUBDOMAIN>.cloudapp.chinacloudapi.cn or <YOUR SUBDOMAIN>.trafficmanager.cn, are owned by Microsoft. Certificate Authorities will not issue certificates for those domains to unauthorized users. Most users will need to purchase a domain from a registrar, or be an authorized domain admin, for a certificate authority to issue a certificate with that common name.

For additional details on how to configure a DNS service to resolve your domain to an Azure IP address, review how to configure Azure DNS to host your domain.

Note

After delegating your domain's name servers to your Azure DNS zone name servers, add the following two records to your DNS zone:

  • An 'A' record for the domain APEX that is NOT an alias record set, pointing to all IP addresses your custom domain will resolve to.
  • A 'C' record for the Azure sub-domains you provisioned that are NOT an alias record set. For example, you could use your Traffic Manager or Load Balancer's DNS name.

To update the portal to display a custom DNS name for your Service Fabric cluster "managementEndpoint", update the following Service Fabric cluster Resource Manager template property:

 "managementEndpoint": "[concat('https://<YOUR CUSTOM DOMAIN>:',parameters('nt0fabricHttpGatewayPort'))]",

Encrypting Service Fabric package secret values

Common values that are encrypted in Service Fabric packages include Azure Container Registry (ACR) credentials, environment variables, settings, and Azure Volume plugin storage account keys.

To set up an encryption certificate and encrypt secrets on Windows clusters:

Generate a self-signed certificate for encrypting your secret:

New-SelfSignedCertificate -Type DocumentEncryptionCert -KeyUsage DataEncipherment -Subject mydataenciphermentcert -Provider 'Microsoft Enhanced Cryptographic Provider v1.0'

Use the instructions in Deploy Key Vault certificates to Service Fabric cluster virtual machine scale sets to deploy the Key Vault certificate to your Service Fabric cluster's Virtual Machine Scale Sets.

Encrypt your secret using the following PowerShell command, and then update your Service Fabric application manifest with the encrypted value:

Invoke-ServiceFabricEncryptText -CertStore -CertThumbprint "<thumbprint>" -Text "mysecret" -StoreLocation CurrentUser -StoreName My

To set up an encryption certificate and encrypt secrets on Linux clusters:

Generate a self-signed certificate for encrypting your secrets:

user@linux:~$ openssl req -newkey rsa:2048 -nodes -keyout TestCert.prv -x509 -days 365 -out TestCert.pem
user@linux:~$ cat TestCert.prv >> TestCert.pem

Use the instructions in Deploy Key Vault certificates to Service Fabric cluster virtual machine scale sets to deploy the Key Vault certificate to your Service Fabric cluster's Virtual Machine Scale Sets.

Encrypt your secret using the following commands, and then update your Service Fabric application manifest with the encrypted value:

user@linux:$ echo "Hello World!" > plaintext.txt
user@linux:$ iconv -f ASCII -t UTF-16LE plaintext.txt -o plaintext_UTF-16.txt
user@linux:$ openssl smime -encrypt -in plaintext_UTF-16.txt -binary -outform der TestCert.pem | base64 > encrypted.txt

After encrypting your protected values, specify the encrypted secrets in the Service Fabric application, and decrypt them from service code.
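As an added example (not part of the original article), the script below wraps the exact iconv/openssl/base64 pipeline from the Linux steps above into functions, adds the reverse step with the private key, and uses a round trip to confirm that the base64 value you are about to put in the application manifest decrypts back to the intended UTF-16LE text. The certificate subject, file names and sample secret are constructed for the example; it assumes openssl, iconv and base64 are on PATH.

```shell
#!/bin/sh
# Added example, not code from the Azure documentation. Round-trips a
# secret through the same pipeline the Linux steps use so the manifest
# value can be verified before deployment. File names are constructed.
set -eu

# Self-signed encryption cert, same TestCert.prv/.pem pair as the doc;
# -subj is added so the command runs without prompting (assumption).
gen_test_cert() {                      # $1 = working directory
    openssl req -newkey rsa:2048 -nodes -keyout "$1/TestCert.prv" \
        -x509 -days 365 -subj "/CN=TestCert" \
        -out "$1/TestCert.pem" 2>/dev/null
    cat "$1/TestCert.prv" >> "$1/TestCert.pem"
}

# Encrypt as the page does: UTF-16LE text, CMS/PKCS#7 envelope in DER,
# then base64. The output is joined to one line because the manifest
# attribute holds a single value. UTF-8 input is a superset of the ASCII
# the page converts from.
encrypt_secret() {                     # $1 = recipient cert (PEM), $2 = secret
    printf '%s\n' "$2" \
        | iconv -f UTF-8 -t UTF-16LE \
        | openssl smime -encrypt -binary -outform der "$1" \
        | base64 | tr -d '\n'
}

# Reverse the pipeline with the private key. This is the check to run on
# the manifest value, and the same steps service code performs at runtime.
decrypt_secret() {                     # $1 = private key, $2 = cert, $3 = base64
    printf '%s' "$3" \
        | base64 -d \
        | openssl smime -decrypt -inform der -inkey "$1" -recip "$2" \
        | iconv -f UTF-16LE -t UTF-8
}

# Returns 0 only if the encrypted value decrypts back to the given secret.
verify_roundtrip() {                   # $1 = workdir, $2 = secret
    enc=$(encrypt_secret "$1/TestCert.pem" "$2")
    dec=$(decrypt_secret "$1/TestCert.prv" "$1/TestCert.pem" "$enc")
    [ "$dec" = "$2" ]
}

# Demonstration with a constructed secret (the page's "Hello World!").
WORK=$(mktemp -d)
gen_test_cert "$WORK"
if verify_roundtrip "$WORK" "Hello World!"; then
    echo "round trip OK: $(encrypt_secret "$WORK/TestCert.pem" "Hello World!")"
else
    echo "round trip FAILED" >&2
    exit 1
fi
```

A value that decrypts with a different key pair is the symptom to look for when the wrong certificate was deployed to the scale set; the functions above make that mismatch visible before the cluster reports a decryption failure.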

Include certificates in Service Fabric applications

To give your application access to secrets, include the certificate by adding a SecretsCertificate element to the application manifest.

<ApplicationManifest … >
  ...
  <Certificates>
    <SecretsCertificate Name="MyCert" X509FindType="FindByThumbprint" X509FindValue="[YourCertThumbprint]"/>
  </Certificates>
</ApplicationManifest>

Authenticate Service Fabric applications to Azure resources using Managed Service Identity (MSI)

To learn about managed identities for Azure resources, see What is managed identities for Azure resources?. Azure Service Fabric clusters are hosted on Virtual Machine Scale Sets, which support Managed Service Identity. To get a list of services that MSI can be used to authenticate to, see Azure services that support Azure Active Directory authentication.

To enable a system-assigned managed identity during the creation of a virtual machine scale set, or on an existing virtual machine scale set, declare the following "Microsoft.Compute/virtualMachinesScaleSets" property:

"identity": { 
    "type": "SystemAssigned"
}

See What is managed identities for Azure resources? for more information.

If you created a user-assigned managed identity, declare the following resource in your template to assign it to your virtual machine scale set. Replace <USERASSIGNEDIDENTITYNAME> with the name of the user-assigned managed identity you created:

"identity": {
    "type": "userAssigned",
    "userAssignedIdentities": {
        "[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/',variables('<USERASSIGNEDIDENTITYNAME>'))]": {}
    }
}

Before your Service Fabric application can make use of a managed identity, it must be granted permissions on the Azure resources it needs to authenticate to. The following commands grant access to an Azure resource:

principalid=$(az resource show --id /subscriptions/<YOUR SUBSCRIPTION>/resourceGroups/<YOUR RG>/providers/Microsoft.Compute/virtualMachineScaleSets/<YOUR SCALE SET> --api-version 2018-06-01 | python -c "import sys, json; print(json.load(sys.stdin)['identity']['principalId'])")

az role assignment create --assignee $principalid --role 'Contributor' --scope "/subscriptions/<YOUR SUBSCRIPTION>/resourceGroups/<YOUR RG>/providers/<PROVIDER NAME>/<RESOURCE TYPE>/<RESOURCE NAME>"

In your Service Fabric application code, obtain an access token for Azure Resource Manager by making a REST call similar to the following:

access_token=$(curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.chinacloudapi.cn%2F' -H Metadata:true | python -c "import sys, json; print(json.load(sys.stdin)['access_token'])")

Your Service Fabric app can then use the access token to authenticate to Azure resources that support Active Directory. The following example shows how to do this for a Cosmos DB resource:

cosmos_db_password=$(curl 'https://management.chinacloudapi.cn/subscriptions/<YOUR SUBSCRIPTION>/resourceGroups/<YOUR RG>/providers/Microsoft.DocumentDB/databaseAccounts/<YOUR ACCOUNT>/listKeys?api-version=2016-03-31' -X POST -d "" -H "Authorization: Bearer $access_token" | python -c "import sys, json; print(json.load(sys.stdin)['primaryMasterKey'])")

Windows security baselines

We recommend that you implement an industry-standard configuration that is broadly known and well tested, such as the Azure security baselines, rather than creating a baseline yourself. One option for provisioning these on your Virtual Machine Scale Sets is the Azure Desired State Configuration (DSC) extension handler, which configures the VMs as they come online so that they are running the production software.

Azure Firewall

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability, and it can limit outbound HTTP/S traffic to a specified list of fully qualified domain names (FQDNs), including wildcards. This feature does not require TLS/SSL termination. It is recommended that you use the Azure Firewall FQDN tags for Windows Update so that network traffic to the Microsoft Windows Update endpoints can flow through your firewall. Firewall rules common to Service Fabric applications allow the following for your cluster's virtual network:

  • *download.microsoft.com
  • *servicefabric.cloudapp.chinacloudapi.cn
  • *.core.chinacloudapi.cn

These firewall rules complement your allowed outbound Network Security Groups, which would include ServiceFabric and Storage as allowed destinations from your virtual network.

TLS 1.2

Azure recommends that all customers complete migration towards solutions that support Transport Layer Security (TLS) 1.2 and make sure that TLS 1.2 is used by default.

Azure services, including Service Fabric, have completed the engineering work to remove the dependency on the TLS 1.0/1.1 protocols and provide full support to customers that want their workloads configured to accept and initiate only TLS 1.2 connections.

Customers should configure their Azure-hosted workloads and the on-premises applications interacting with Azure services to use TLS 1.2 by default. Here's how to configure Service Fabric cluster nodes and applications to use a specific TLS version.

Windows Defender

By default, Windows Defender antivirus is installed on Windows Server 2016. For details, see Windows Defender Antivirus on Windows Server 2016. The user interface is installed by default on some SKUs, but is not required. To reduce the performance impact and resource consumption overhead incurred by Windows Defender, and if your security policies allow you to exclude processes and paths for open-source software, declare the following Virtual Machine Scale Set extension Resource Manager template properties to exclude your Service Fabric cluster from scans:

 {
    "name": "[concat('VMIaaSAntimalware','_vmNodeType0Name')]",
    "properties": {
        "publisher": "Microsoft.Azure.Security",
        "type": "IaaSAntimalware",
        "typeHandlerVersion": "1.5",
        "settings": {
            "AntimalwareEnabled": "true",
            "Exclusions": {
                "Paths": "[concat(parameters('svcFabData'), ';', parameters('svcFabLogs'), ';', parameters('svcFabRuntime'))]",
                "Processes": "Fabric.exe;FabricHost.exe;FabricInstallerService.exe;FabricSetup.exe;FabricDeployer.exe;ImageBuilder.exe;FabricGateway.exe;FabricDCA.exe;FabricFAS.exe;FabricUOS.exe;FabricRM.exe;FileStoreService.exe"
            },
            "RealtimeProtectionEnabled": "true",
            "ScheduledScanSettings": {
                "isEnabled": "true",
                "scanType": "Quick",
                "day": "7",
                "time": "120"
            }
        },
        "protectedSettings": null
    }
}

Note

Refer to your antimalware documentation for configuration rules if you are not using Windows Defender. Windows Defender isn't supported on Linux.

Platform isolation

By default, Service Fabric applications are granted access to the Service Fabric runtime itself. This access takes different forms: environment variables pointing to file paths on the host corresponding to application and Fabric files, an inter-process communication endpoint that accepts application-specific requests, and the client certificate that Fabric expects the application to use to authenticate itself. If the service itself hosts untrusted code, it is advisable to disable this access to the SF runtime unless it is explicitly needed. Access to the runtime is removed using the following declaration in the Policies section of the application manifest:

<ServiceManifestImport>
    <Policies>
        <ServiceFabricRuntimeAccessPolicy RemoveServiceFabricRuntimeAccess="true"/>
    </Policies>
</ServiceManifestImport>

Next steps