Service Fabric 独立群集概述Overview of Service Fabric Standalone clusters

Service Fabric 群集是一组通过网络连接在一起的虚拟机或物理计算机,微服务会在其中部署和管理。A Service Fabric cluster is a network-connected set of virtual or physical machines into which your microservices are deployed and managed. 群集中的计算机或 VM 称为群集节点。A machine or VM that is part of a cluster is called a cluster node. 群集可以扩展到数千个节点。Clusters can scale to thousands of nodes. 如果向群集添加新节点,Service Fabric 会在新增加的节点间重新平衡服务分区副本和实例。If you add new nodes to the cluster, Service Fabric rebalances the service partition replicas and instances across the increased number of nodes. 应用程序总体性能提高,访问内存的争用减少。Overall application performance improves and contention for access to memory decreases. 如果没有高效使用群集中的节点,可以减少群集中节点的数量。If the nodes in the cluster are not being used efficiently, you can decrease the number of nodes in the cluster. Service Fabric 会再次在减少的节点间重新平衡分区副本和实例以更加充分利用每个节点上的硬件。Service Fabric again rebalances the partition replicas and instances across the decreased number of nodes to make better use of the hardware on each node.

节点类型定义群集中一组节点的大小、数量和属性。A node type defines the size, number, and properties for a set of nodes in the cluster. 然后,每个节点类型可以独立扩展或缩减、打开不同的端口集,并可以有不同的容量指标。Each node type can then be scaled up or down independently, have different sets of ports open, and can have different capacity metrics. 节点类型用于定义一组群集节点(如“前端”或“后端”)的角色。Node types are used to define roles for a set of cluster nodes, such as "front end" or "back end". 群集可以有多个节点类型,但主节点类型必须至少有 5 个 VM 供群集用于生产(或至少有 3 个 VM 用于测试群集)。Your cluster can have more than one node type, but the primary node type must have at least five VMs for production clusters (or at least three VMs for test clusters). Service Fabric 系统服务位于主节点类型的节点上。Service Fabric system services are placed on the nodes of the primary node type.

用于在本地创建 Service Fabric 群集的过程类似于在具有一组 VM 的任何所选云上创建群集的过程。The process for creating a Service Fabric cluster on-premises is similar to the process of creating a cluster on any cloud of your choice with a set of VMs. 预配 VM 的初始步骤由所使用的云提供程序或本地环境进行控制。The initial steps to provision the VMs are governed by the cloud provider or on-premises environment that you are using. 具有一组在它们之间启用了网络连接的 VM 之后,随后用于设置 Service Fabric 包、编辑群集设置以及运行群集创建和管理脚本的步骤相同。Once you have a set of VMs with network connectivity enabled between them, then the steps to set up the Service Fabric package, edit the cluster settings, and run the cluster creation and management scripts are identical. 这可以在选择面向新宿主环境时,确保操作和管理 Service Fabric 群集的知识和经验可以转移。This ensures that your knowledge and experience of operating and managing Service Fabric clusters is transferable when you choose to target new hosting environments.

群集安全性Cluster security

Service Fabric 群集是你拥有的资源。A Service Fabric cluster is a resource that you own. 你应保护群集,防止未经授权的用户与其连接。It is your responsibility to secure your clusters to help prevent unauthorized users from connecting to them. 当在群集上运行生产工作负荷时,安全的群集环境尤为重要。A secure cluster is especially important when you are running production workloads on the cluster.


Windows 身份验证基于 Kerberos。Windows authentication is based on Kerberos. 不支持使用 NTLM 作为身份验证类型。NTLM is not supported as an authentication type.

请尽可能对 Service Fabric 群集使用 X.509 证书身份验证。Whenever possible, use X.509 certificate authentication for Service Fabric clusters.

节点到节点安全性Node-to-node security

节点到节点安全性可保护群集中 VM 或计算机之间的通信。Node-to-node security secures communication between the VMs or computers in a cluster. 这种安全性方案确保只有已获授权加入群集的计算机可以参与到托管群集中的应用程序和服务。This security scenario ensures that only computers that are authorized to join the cluster can participate in hosting applications and services in the cluster. Service Fabric 使用 X.509 证书保护群集,提供应用程序安全功能。Service Fabric uses X.509 certificates to secure a cluster and provide application security features. 需要使用群集证书来保护群集流量并提供群集和服务器身份验证。A cluster certificate is required to secure cluster traffic and provide cluster and server authentication. 自签名证书可用于测试群集,但在保护生产群集时应使用来自受信任证书颁发机构的证书。Self signed-certificates can be used for test clusters, but a certificate from a trusted certificate authority should be used to secure production clusters.

也可为 Windows 独立群集启用 Windows 安全性。Windows security can also be enabled for a Windows standalone cluster. 如果有 Windows Server 2012 R2 和 Windows Active Directory,建议结合使用 Windows 安全性和组托管服务帐户。If you have Windows Server 2012 R2 and Windows Active Directory, we recommend that you use Windows security with group Managed Service Accounts. 否则,可以结合使用 Windows 安全性和 Windows 帐户。Otherwise, use Windows security with Windows accounts.

有关详细信息,请阅读节点到节点安全性For more information, read Node-to-node security

客户端到节点安全性Client-to-node security

客户端到节点安全性对客户端进行身份验证,并保护客户端与群集中单个节点之间的通信。Client-to-node security authenticates clients and helps secure communication between a client and individual nodes in the cluster. 这种类型的安全性确保只有已获授权的用户可以访问群集与群集上部署的应用程序。This type of security helps ensure that only authorized users can access the cluster and the applications that are deployed on the cluster. 客户端通过其 X.509 证书安全凭据进行唯一标识。Clients are uniquely identified through either their X.509 certificate security credentials. 可以使用任意数量的可选客户端证书向群集验证管理员或用户客户端的身份。Any number of optional client certificates can be used to authenticate admin or user clients with the cluster.

除客户端证书外,还可以将 Azure Active Directory 配置为向群集验证客户端身份。In addition to client certificates, Azure Active Directory can also be configured to authenticate clients with the cluster.

有关详细信息,请阅读客户端到节点安全性For more information, read Client-to-node security

Service Fabric 基于角色的访问控制Service Fabric role-based access control

Service Fabric 还支持使用访问控制限制对不同用户组的某些群集操作的访问。Service Fabric also supports access control to limit access to certain cluster operations for different groups of users. 这就使得群集更加安全。This helps make the cluster more secure. 连接到群集的客户端支持两种访问控制类型:管理员角色和用户角色。Two access control types are supported for clients that connect to a cluster: Administrator role and User role.

有关详细信息,请参阅 Service Fabric 基于角色的访问控制For more information, read Service Fabric role-based access control.


应用程序的需求会不断变化。Application demands change over time. 可能需要增加群集资源来满足更多的应用程序工作负荷或网络流量,或者在需求下降时减少群集资源。You may need to increase cluster resources to meet increased application workload or network traffic or decrease cluster resources when demand drops. 创建 Service Fabric 群集后,可以群集横向缩放(更改节点数)或纵向缩放(更改节点资源)该群集。After creating a Service Fabric cluster, you can scale the cluster horizontally (change the number of nodes) or vertically (change the resources of the nodes). 随时可以缩放群集,即使该群集上正在运行工作负荷。You can scale the cluster at any time, even when workloads are running on the cluster. 在缩放群集的同时,应用程序也会随之自动缩放。As the cluster scales, your applications automatically scale as well.

有关详细信息,请阅读缩放独立群集For more information, read Scaling standalone clusters.


独立群集是你完全拥有的资源。A standalone cluster is a resource that you entirely own. 负责修补基础 OS 和启动结构升级。You are responsible for patching the underlying OS and initiating fabric upgrades. 当 Azure 发布新版本时,可以将群集设置为接收自动运行时升级,或选择所需的受支持运行时版本。You can set your cluster to receive automatic runtime upgrades, when Azure releases a new version, or choose to select a supported runtime version that you want. 除了结构升级,还可以修补 OS 和更新群集配置(例如证书或应用程序端口)。In addition to fabric upgrades, you can also patch the OS and update cluster configuration such as certificates or application ports.

有关详细信息,请阅读升级独立群集For more information, read Upgrading standalone clusters.

支持的操作系统Supported operating systems

可以在运行以下操作系统的 VM 或计算机上创建群集(目前尚不支持 Linux):You are able to create clusters on VMs or computers running these operating systems (Linux is not yet supported):

  • Windows Server 2012 R2Windows Server 2012 R2
  • Windows Server 2016Windows Server 2016
  • Windows Server 2019Windows Server 2019

后续步骤Next steps

详细了解如何保护缩放升级独立群集。Read more about securing, scaling, and upgrading standalone clusters.

了解 Service Fabric 支持选项Learn about Service Fabric support options.