Tutorial: Deploy a Service Fabric Windows cluster into an Azure virtual network

This tutorial is part one of a series. You learn how to deploy a Service Fabric cluster running Windows into an Azure virtual network (VNET) and network security group using PowerShell and a template. When you're finished, you have a cluster running in the cloud that you can deploy applications to. To create a Linux cluster using Azure CLI, see Create a secure Linux cluster on Azure.

This tutorial describes a production scenario. If you want to quickly create a smaller cluster for testing purposes, see Create a test cluster.

In this tutorial, you learn how to:

  • Create a VNET in Azure using PowerShell
  • Create a key vault and upload a certificate
  • Set up Azure Active Directory authentication
  • Create a secure Service Fabric cluster in Azure PowerShell
  • Secure the cluster with an X.509 certificate
  • Connect to the cluster using PowerShell
  • Remove a cluster

In this tutorial series you learn how to:

Prerequisites

Before you begin this tutorial:

The following procedures create a seven-node Service Fabric cluster. To calculate the cost incurred by running a Service Fabric cluster in Azure, use the Azure Pricing Calculator.

Download and explore the template

Download the following Resource Manager template files:

Note

Templates you download or reference from the GitHub repo "Azure-Samples" must be modified to fit the Azure China cloud environment. For example, replace some endpoints ("blob.core.windows.net" with "blob.core.chinacloudapi.cn", "cloudapp.azure.com" with "cloudapp.chinacloudapi.cn"), and change any unsupported location, VM images, VM sizes, SKUs, and resource-provider API versions where necessary.

Note

For this article, after the corresponding files have been downloaded, replace the following configurations to suit the Azure China environment:

This template deploys a secure cluster of seven virtual machines and three node types into a virtual network and a network security group. Other sample templates can be found on GitHub. The azuredeploy.json template deploys a number of resources, including the following.


Service Fabric cluster

In the Microsoft.ServiceFabric/clusters resource, a Windows cluster is configured with the following characteristics:

  • three node types
  • five nodes in the primary node type (configurable in the template parameters), one node each in the other two node types
  • OS: Windows Server 2016 Datacenter with Containers (configurable in the template parameters)
  • certificate secured (configurable in the template parameters)
  • reverse proxy is enabled
  • DNS service is enabled
  • durability level of Bronze (configurable in the template parameters)
  • reliability level of Silver (configurable in the template parameters)
  • client connection endpoint: 19000 (configurable in the template parameters)
  • HTTP gateway endpoint: 19080 (configurable in the template parameters)

Azure load balancer

In the Microsoft.Network/loadBalancers resource, a load balancer is configured, and probes and rules are set up for the following ports:

  • client connection endpoint: 19000
  • HTTP gateway endpoint: 19080
  • application port: 80
  • application port: 443
  • Service Fabric reverse proxy: 19081

If any other application ports are needed, you must adjust both the Microsoft.Network/loadBalancers resource and the Microsoft.Network/networkSecurityGroups resource to allow the traffic in.

Virtual network, subnet, and network security group

The names of the virtual network, subnet, and network security group are declared in the template parameters. The address spaces of the virtual network and subnet are also declared in the template parameters and configured in the Microsoft.Network/virtualNetworks resource:

  • virtual network address space: 172.16.0.0/20
  • Service Fabric subnet address space: 172.16.2.0/23

The following inbound traffic rules are enabled in the Microsoft.Network/networkSecurityGroups resource. You can change the port values by changing the template variables.

  • ClientConnectionEndpoint (TCP): 19000
  • HttpGatewayEndpoint (HTTP/TCP): 19080
  • SMB: 445
  • Internode communication: 1025, 1026, 1027
  • Ephemeral port range: 49152 to 65534 (a minimum of 256 ports is required)
  • Ports for application use: 80 and 443
  • Application port range: 49152 to 65534 (used for service-to-service communication; unlike the application ports above, these are not opened on the load balancer)
  • Block all other ports

If any other application ports are needed, you must adjust both the Microsoft.Network/loadBalancers resource and the Microsoft.Network/networkSecurityGroups resource to allow the traffic in.
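The two-step adjustment described above (network security group and load balancer) can also be made after deployment with the AzureRM cmdlets. The script below is an added example, not part of the tutorial or its template: the resource-group name matches the deployment scripts later in this article, but the NSG name, load balancer name, the application port 8080, the source CIDR and the rule priority are placeholders you must take from your own azuredeploy.json / azuredeploy.parameters.json. It also assumes the load balancer's first frontend IP configuration and first backend pool are the ones serving the node type that hosts the application.

```powershell
# Added example (not from the original tutorial or template): open one extra application
# port on the NSG and the load balancer, then list the resulting inbound allow rules.
$groupname   = "sfclustertutorialgroup"
$nsgname     = "<nsg name from azuredeploy.parameters.json>"   # placeholder
$lbname      = "<load balancer name from azuredeploy.json>"    # placeholder
$newport     = 8080                # hypothetical application port
$allowedFrom = "203.0.113.0/24"    # constructed example CIDR; use "*" only if the service must be public
$priority    = 2100                # must be unique and numerically lower than the template's deny-all rule

# 1. NSG: allow inbound TCP to the new port from the restricted source prefix.
$nsg = Get-AzureRmNetworkSecurityGroup -Name $nsgname -ResourceGroupName $groupname
Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
    -Name "AppPort$newport" -Description "Allow application port $newport" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority $priority `
    -SourceAddressPrefix $allowedFrom -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange $newport | Out-Null
Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null

# 2. Load balancer: add a health probe and a rule that forwards the port to the backend pool.
$lb = Get-AzureRmLoadBalancer -Name $lbname -ResourceGroupName $groupname
Add-AzureRmLoadBalancerProbeConfig -LoadBalancer $lb -Name "AppPortProbe$newport" `
    -Protocol Tcp -Port $newport -IntervalInSeconds 5 -ProbeCount 2 | Out-Null
$probe = Get-AzureRmLoadBalancerProbeConfig -LoadBalancer $lb -Name "AppPortProbe$newport"
Add-AzureRmLoadBalancerRuleConfig -LoadBalancer $lb -Name "AppPortRule$newport" `
    -FrontendIpConfiguration $lb.FrontendIpConfigurations[0] `
    -BackendAddressPool $lb.BackendAddressPools[0] -Probe $probe `
    -Protocol Tcp -FrontendPort $newport -BackendPort $newport | Out-Null
Set-AzureRmLoadBalancer -LoadBalancer $lb | Out-Null

# 3. Review the exposed surface: every inbound Allow rule, ordered by priority.
(Get-AzureRmNetworkSecurityGroup -Name $nsgname -ResourceGroupName $groupname).SecurityRules |
    Where-Object { $_.Direction -eq "Inbound" -and $_.Access -eq "Allow" } |
    Sort-Object Priority |
    Format-Table Priority, Name, Protocol, SourceAddressPrefix, DestinationPortRange -AutoSize
```

The final listing is the check worth keeping: after any port change, confirm that only the ports enumerated in this section plus the one you intended to add are allowed inbound, and that the new rule's source prefix is as narrow as the application permits.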

Windows Defender

By default, Windows Defender Antivirus is installed and functional on Windows Server 2016. The user interface is installed by default on some SKUs, but is not required. For each node type/VM scale set declared in the template, the Azure VM Antimalware extension is used to exclude the Service Fabric directories and processes:

{
    "name": "[concat('VMIaaSAntimalware','_vmNodeType0Name')]",
    "properties": {
        "publisher": "Microsoft.Azure.Security",
        "type": "IaaSAntimalware",
        "typeHandlerVersion": "1.5",
        "settings": {
            "AntimalwareEnabled": "true",
            "Exclusions": {
                "Paths": "D:\\SvcFab;D:\\SvcFab\\Log;C:\\Program Files\\Microsoft Service Fabric",
                "Processes": "Fabric.exe;FabricHost.exe;FabricInstallerService.exe;FabricSetup.exe;FabricDeployer.exe;ImageBuilder.exe;FabricGateway.exe;FabricDCA.exe;FabricFAS.exe;FabricUOS.exe;FabricRM.exe;FileStoreService.exe"
            },
            "RealtimeProtectionEnabled": "true",
            "ScheduledScanSettings": {
                "isEnabled": "true",
                "scanType": "Quick",
                "day": "7",
                "time": "120"
            }
        },
        "protectedSettings": null
    }
}

Set template parameters

The azuredeploy.parameters.json parameters file declares many values used to deploy the cluster and associated resources. Some of the parameters that you might need to modify for your deployment:

Parameter: adminUserName
  Example value: vmadmin
  Notes: Admin username for the cluster VMs. See Username requirements for VM.

Parameter: adminPassword
  Example value: Password#1234
  Notes: Admin password for the cluster VMs. See Password requirements for VM.

Parameter: clusterName
  Example value: mysfcluster123
  Notes: Name of the cluster. Can contain letters and numbers only. Length can be between 3 and 23 characters.

Parameter: location
  Example value: chinaeast
  Notes: Location of the cluster.

Parameter: certificateThumbprint
  Notes: Value should be empty if creating a self-signed certificate or providing a certificate file. To use an existing certificate previously uploaded to a key vault, fill in the certificate SHA1 thumbprint value, for example "6190390162C988701DB5676EB81083EA608DCCF3".

Parameter: certificateUrlValue
  Notes: Value should be empty if creating a self-signed certificate or providing a certificate file. To use an existing certificate previously uploaded to a key vault, fill in the certificate URL, for example "https://mykeyvault.vault.azure.cn:443/secrets/mycertificate/02bea722c9ef4009a76c5052bcbf8346".

Parameter: sourceVaultValue
  Notes: Value should be empty if creating a self-signed certificate or providing a certificate file. To use an existing certificate previously uploaded to a key vault, fill in the source vault value, for example "/subscriptions/333cc2c84-12fa-5778-bd71-c71c07bf873f/resourceGroups/MyTestRG/providers/Microsoft.KeyVault/vaults/MYKEYVAULT".

Set up Azure Active Directory client authentication

For Service Fabric clusters deployed in a public network hosted on Azure, the recommendation for client-to-node mutual authentication is:

  • Use Azure Active Directory for client identity
  • Use a certificate for server identity and SSL encryption of HTTP communication

Setting up Azure AD to authenticate clients for a Service Fabric cluster must be done before creating the cluster. Azure AD enables organizations (known as tenants) to manage user access to applications.

A Service Fabric cluster offers several entry points to its management functionality, including the web-based Service Fabric Explorer and Visual Studio. As a result, you create two Azure AD applications to control access to the cluster: one web application and one native application. After the applications are created, you assign users to read-only and admin roles.

Note

You must complete the following steps before you create the cluster. Because the scripts expect cluster names and endpoints, the values should be the ones you plan to use, not values of resources you have already created.

In this article, we assume that you have already created a tenant. If you have not, start by reading How to get an Azure Active Directory tenant.

To simplify some of the steps involved in configuring Azure AD with a Service Fabric cluster, we have created a set of Windows PowerShell scripts. Download the scripts to your computer.

Create Azure AD applications and assign users to roles

Create two Azure AD applications to control access to the cluster: one web application and one native application. After you have created the applications to represent your cluster, assign your users to the roles supported by Service Fabric: read-only and admin.

Run SetupApplications.ps1, and provide the tenant ID, cluster name, and web application reply URL as parameters. Also specify usernames and passwords for the users. For example:

$Configobj = .\SetupApplications.ps1 -TenantId '<MyTenantID>' -ClusterName 'mysfcluster123' -WebApplicationReplyUrl 'https://mysfcluster123.chinaeast.cloudapp.chinacloudapi.cn:19080/Explorer/index.html' -Location 'china' -AddResourceAccess
.\SetupUser.ps1 -ConfigObj $Configobj -UserName 'TestUser' -Password 'P@ssword!123'
.\SetupUser.ps1 -ConfigObj $Configobj -UserName 'TestAdmin' -Password 'P@ssword!123' -IsAdmin

Note

For Azure China cloud, you should also specify the -Location parameter.

You can find your TenantId, or directory ID, in the Azure portal. Select Azure Active Directory -> Properties and copy the Directory ID value.

ClusterName is used to prefix the Azure AD applications that are created by the script. It does not need to match the actual cluster name exactly. It is intended only to make it easier to map Azure AD artifacts to the Service Fabric cluster that they're being used with.

WebApplicationReplyUrl is the default endpoint that Azure AD returns to your users after they finish signing in. Set this endpoint as the Service Fabric Explorer endpoint for your cluster, which by default is:

https://<cluster_domain>:19080/Explorer

You are prompted to sign in to an account that has administrative privileges for the Azure AD tenant. After you sign in, the script creates the web and native applications to represent your Service Fabric cluster. If you look at the tenant's applications in the Azure portal, you should see two new entries:

  • ClusterName_Cluster
  • ClusterName_Client

The script prints the JSON required by the Azure Resource Manager template when you create the cluster, so it's a good idea to keep the PowerShell window open.

"azureActiveDirectory": {
  "tenantId":"<guid>",
  "clusterApplication":"<guid>",
  "clientApplication":"<guid>"
},

Add Azure AD configuration to use Azure AD for client access

In azuredeploy.json, configure Azure AD in the Microsoft.ServiceFabric/clusters section. Add parameters for the tenant ID, cluster application ID, and client application ID.

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
  "contentVersion": "1.0.0.0",
  "parameters": {
    ...

    "aadTenantId": {
      "type": "string",
      "defaultValue": "0e3d2646-78b3-4711-b8be-74a381d9890c"
    },
    "aadClusterApplicationId": {
      "type": "string",
      "defaultValue": "cb147d34-b0b9-4e77-81d6-420fef0c4180"
    },
    "aadClientApplicationId": {
      "type": "string",
      "defaultValue": "7a8f3b37-cc40-45cc-9b8f-57b8919ea461"
    }
  },

...

{
  "apiVersion": "2018-02-01",
  "type": "Microsoft.ServiceFabric/clusters",
  "name": "[parameters('clusterName')]",
  ...
  "properties": {
    ...
    "azureActiveDirectory": {
      "tenantId": "[parameters('aadTenantId')]",
      "clusterApplication": "[parameters('aadClusterApplicationId')]",
      "clientApplication": "[parameters('aadClientApplicationId')]"
    },
    ...
  }
}

azuredeploy.parameters.json 参数文件中添加参数值。Add the parameter values in the azuredeploy.parameters.json parameters file. 例如:For example:

"aadTenantId": {
"value": "0e3d2646-78b3-4711-b8be-74a381d9890c"
},
"aadClusterApplicationId": {
"value": "cb147d34-b0b9-4e77-81d6-420fef0c4180"
},
"aadClientApplicationId": {
"value": "7a8f3b37-cc40-45cc-9b8f-57b8919ea461"
}

Deploy the virtual network and cluster

Next, set up the network topology and deploy the Service Fabric cluster. The azuredeploy.json Resource Manager template creates a virtual network (VNET), and also a subnet and network security group (NSG), for Service Fabric. The template also deploys a cluster with certificate security enabled. For production clusters, use a certificate from a certificate authority (CA) as the cluster certificate. A self-signed certificate can be used to secure test clusters.

The template in this article deploys a cluster that uses the certificate thumbprint to identify the cluster certificate. No two certificates can have the same thumbprint, which makes certificate management more difficult. Switching a deployed cluster from using certificate thumbprints to using certificate common names makes certificate management much simpler. To learn how to update the cluster to use certificate common names for certificate management, read Change cluster to certificate common name management.

Create a cluster using an existing certificate

The following script uses the New-AzureRmServiceFabricCluster cmdlet and a template to deploy a new cluster in Azure. The cmdlet also creates a new key vault in Azure and uploads your certificate.

# Variables.
$groupname = "sfclustertutorialgroup"
$clusterloc="chinaeast"  # must match the location parameter in the template
$templatepath="C:\temp\cluster"

$certpwd="q6D7nN%6ck@6" | ConvertTo-SecureString -AsPlainText -Force
$certpath="C:\mycertificates\mycert.pfx"  # path to the existing certificate file (.pfx) to upload; adjust to your file
$clustername = "mysfcluster123"  # must match the clusterName parameter in the template
$vaultname = "clusterkeyvault123"
$vaultgroupname="clusterkeyvaultgroup123"
$subname="$clustername.$clusterloc.cloudapp.chinacloudapi.cn"

# sign in to your Azure account and select your subscription
Connect-AzureRmAccount -Environment AzureChinaCloud
Get-AzureRmSubscription
Set-AzureRmContext -SubscriptionId <guid>

# Create a new resource group for your deployment and give it a name and a location.
New-AzureRmResourceGroup -Name $groupname -Location $clusterloc

# Create the Service Fabric cluster, uploading the existing certificate to a new key vault.
New-AzureRmServiceFabricCluster  -ResourceGroupName $groupname -TemplateFile "$templatepath\azuredeploy.json" `
-ParameterFile "$templatepath\azuredeploy.parameters.json" -CertificatePassword $certpwd `
-KeyVaultName $vaultname -KeyVaultResourceGroupName $vaultgroupname -CertificateFile $certpath

Create a cluster using a new, self-signed certificate

The following script uses the New-AzureRmServiceFabricCluster cmdlet and a template to deploy a new cluster in Azure. The cmdlet also creates a new key vault in Azure, adds a new self-signed certificate to the key vault, and downloads the certificate file locally.

# Variables.
$groupname = "sfclustertutorialgroup"
$clusterloc="chinaeast"  # must match the location parameter in the template
$templatepath="C:\temp\cluster"

$certpwd="q6D7nN%6ck@6" | ConvertTo-SecureString -AsPlainText -Force
$certfolder="c:\mycertificates\"
$clustername = "mysfcluster123"
$vaultname = "clusterkeyvault123"
$vaultgroupname="clusterkeyvaultgroup123"
$subname="$clustername.$clusterloc.cloudapp.chinacloudapi.cn"

# sign in to your Azure account and select your subscription
Connect-AzureRmAccount -Environment AzureChinaCloud
Get-AzureRmSubscription
Set-AzureRmContext -SubscriptionId <guid>

# Create a new resource group for your deployment and give it a name and a location.
New-AzureRmResourceGroup -Name $groupname -Location $clusterloc

# Create the Service Fabric cluster.
New-AzureRmServiceFabricCluster  -ResourceGroupName $groupname -TemplateFile "$templatepath\azuredeploy.json" `
-ParameterFile "$templatepath\azuredeploy.parameters.json" -CertificatePassword $certpwd `
-CertificateOutputFolder $certfolder -KeyVaultName $vaultname -KeyVaultResourceGroupName $vaultgroupname -CertificateSubjectName $subname

Connect to the secure cluster

Connect to the cluster using the Service Fabric PowerShell module installed with the Service Fabric SDK. First, install the certificate into the Personal (My) store of the current user on your computer. Run the following PowerShell command:

$certpwd="q6D7nN%6ck@6" | ConvertTo-SecureString -AsPlainText -Force
Import-PfxCertificate -Exportable -CertStoreLocation Cert:\CurrentUser\My `
        -FilePath C:\mycertificates\mysfcluster20170531104310.pfx `
        -Password $certpwd

You are now ready to connect to your secure cluster.

The Service Fabric PowerShell module provides many cmdlets for managing Service Fabric clusters, applications, and services. Use the Connect-ServiceFabricCluster cmdlet to connect to the secure cluster. The certificate SHA1 thumbprint and connection endpoint details are found in the output from the previous step.

If you previously set up AAD client authentication, run the following:

Connect-ServiceFabricCluster -ConnectionEndpoint mysfcluster123.chinaeast.cloudapp.chinacloudapi.cn:19000 `
        -KeepAliveIntervalInSec 10 `
        -AzureActiveDirectory `
        -ServerCertThumbprint C4C1E541AD512B8065280292A8BA6079C3F26F10

If you did not set up AAD client authentication, run the following:

Connect-ServiceFabricCluster -ConnectionEndpoint mysfcluster123.chinaeast.cloudapp.chinacloudapi.cn:19000 `
          -KeepAliveIntervalInSec 10 `
          -X509Credential -ServerCertThumbprint C4C1E541AD512B8065280292A8BA6079C3F26F10 `
          -FindType FindByThumbprint -FindValue C4C1E541AD512B8065280292A8BA6079C3F26F10 `
          -StoreLocation CurrentUser -StoreName My

Check that you are connected and the cluster is healthy using the Get-ServiceFabricClusterHealth cmdlet.

Get-ServiceFabricClusterHealth
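The import, connect and health-check steps above can be chained so that the thumbprint is read from the .pfx rather than copied by hand, which avoids pinning the wrong server certificate through a typo. The script below is an added example, not part of the tutorial: it assumes the .pfx path, password and endpoint used earlier in this article, and the X.509 (non-AAD) connection form.

```powershell
# Added example (not from the original tutorial): import the cluster certificate, take its
# thumbprint from the imported object, connect with mutual X.509 authentication, and fail
# unless the cluster reports an Ok aggregated health state.
$pfxpath  = "C:\mycertificates\mysfcluster20170531104310.pfx"   # file from the deployment step
$certpwd  = "q6D7nN%6ck@6" | ConvertTo-SecureString -AsPlainText -Force
$endpoint = "mysfcluster123.chinaeast.cloudapp.chinacloudapi.cn:19000"

# Import-PfxCertificate returns the X509Certificate2 objects it placed in the store.
$cert = Import-PfxCertificate -Exportable -CertStoreLocation Cert:\CurrentUser\My `
            -FilePath $pfxpath -Password $certpwd | Select-Object -First 1
$thumbprint = $cert.Thumbprint
Write-Host "Using cluster certificate $($cert.Subject), thumbprint $thumbprint"

# The same certificate identifies this client (FindValue) and pins the server (ServerCertThumbprint).
Connect-ServiceFabricCluster -ConnectionEndpoint $endpoint `
    -KeepAliveIntervalInSec 10 `
    -X509Credential -ServerCertThumbprint $thumbprint `
    -FindType FindByThumbprint -FindValue $thumbprint `
    -StoreLocation CurrentUser -StoreName My | Out-Null

# Surface the unhealthy node names instead of just a non-Ok state.
$health = Get-ServiceFabricClusterHealth
if ($health.AggregatedHealthState -ne "Ok") {
    $bad = $health.NodeHealthStates | Where-Object { $_.AggregatedHealthState -ne "Ok" }
    throw "Cluster health is $($health.AggregatedHealthState); unhealthy nodes: $($bad.NodeName -join ', ')"
}
Write-Host "Connected to $endpoint; cluster health is Ok"
```

If the cluster was deployed with AAD client authentication, replace the -X509Credential/-FindType/-FindValue/-StoreLocation/-StoreName parameters with -AzureActiveDirectory as shown in the first Connect-ServiceFabricCluster command above; the server thumbprint pin stays the same.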

Clean up resources

The other articles in this tutorial series use the cluster you just created. If you're not immediately moving on to the next article, you might want to delete the cluster to avoid incurring charges.

Next steps

In this tutorial, you learned how to:

  • Create a VNET in Azure using PowerShell
  • Create a key vault and upload a certificate
  • Set up Azure Active Directory authentication
  • Create a secure Service Fabric cluster in Azure using PowerShell
  • Secure the cluster with an X.509 certificate
  • Connect to the cluster using PowerShell
  • Remove a cluster

Next, advance to the following tutorial to learn how to scale your cluster.
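The deployment scripts above create two resource groups: one for the cluster and one for the key vault. Deleting only the cluster group leaves the vault (and the certificate in it) running. The script below is an added example, not part of the tutorial, and assumes the resource-group names used in the deployment scripts.

```powershell
# Added example (not from the original tutorial): remove both resource groups created
# by the deployment, listing the contents of each before it is deleted.
$groupname      = "sfclustertutorialgroup"
$vaultgroupname = "clusterkeyvaultgroup123"

foreach ($rg in @($groupname, $vaultgroupname)) {
    if (-not (Get-AzureRmResourceGroup -Name $rg -ErrorAction SilentlyContinue)) {
        Write-Host "Resource group $rg not found; skipping"
        continue
    }
    # Show what is about to go so an unrelated group is not removed by mistake.
    Get-AzureRmResource -ResourceGroupName $rg | Format-Table Name, ResourceType -AutoSize
    Remove-AzureRmResourceGroup -Name $rg -Force
}
```

Remove-AzureRmResourceGroup also deletes the cluster certificate stored in the key vault, so export or back up that certificate first if any other system still trusts it.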