Configure secure connections to a Service Fabric cluster from Visual Studio

Learn how to use Visual Studio to securely access an Azure Service Fabric cluster that has access control policies configured.

Cluster connection types

Azure Service Fabric clusters support two types of connections: non-secure connections and x509 certificate-based secure connections. (For Service Fabric clusters hosted on-premises, Windows and dSTS authentications are also supported.) You have to configure the cluster connection type when the cluster is being created. Once it's created, the connection type can't be changed.

The Visual Studio Service Fabric tools support all authentication types for connecting to a cluster for publishing. See Setting up a Service Fabric cluster from the Azure portal for instructions on how to set up a secure Service Fabric cluster.

Configure cluster connections in publish profiles

If you publish a Service Fabric project from Visual Studio, use the Publish Service Fabric Application dialog box to choose an Azure Service Fabric cluster. Under Connection endpoint, select an existing cluster under your subscription.

The Publish Service Fabric Application dialog box is used to configure a Service Fabric connection.

The Publish Service Fabric Application dialog box automatically validates the cluster connection. If prompted, sign in to your Azure account. If validation passes, either your system has the correct certificates installed to connect to the cluster securely, or your cluster is non-secure. Validation failures can be caused by network issues or by not having your system correctly configured to connect to a secure cluster.

The Publish Service Fabric Application dialog box validates an existing, correctly configured Service Fabric cluster connection.

To connect to a secure cluster

  1. Make sure you can access one of the client certificates that the destination cluster trusts. The certificate is usually shared as a Personal Information Exchange (.pfx) file. See Setting up a Service Fabric cluster from the Azure portal for how to configure the server to grant access to a client.

  2. Install the trusted certificate. To do this, double-click the .pfx file, or use the PowerShell cmdlet Import-PfxCertificate to import the certificate. Install the certificate to Cert:\LocalMachine\My. It's OK to accept all default settings while importing the certificate.

  3. Choose the Publish... command on the shortcut menu of the project to open the Publish Azure Application dialog box, and then select the target cluster. The tool automatically resolves the connection and saves the secure connection parameters in the publish profile.

  4. Optional: You can edit the publish profile to specify a secure cluster connection.

    Since you're manually editing the Publish Profile XML file to specify the certificate information, be sure to note the certificate store name, store location, and certificate thumbprint. You'll need to provide these values for the certificate's store name and store location. See How to: Retrieve the Thumbprint of a Certificate for more information.

    You can use the ClusterConnectionParameters parameters to specify the PowerShell parameters to use when connecting to the Service Fabric cluster. Valid parameters are any that are accepted by the Connect-ServiceFabricCluster cmdlet. See Connect-ServiceFabricCluster for a list of available parameters.

    If you're publishing to a remote cluster, you need to specify the appropriate parameters for that specific cluster. The following is an example of connecting to a non-secure cluster:

    <ClusterConnectionParameters ConnectionEndpoint="mycluster.chinanorth.cloudapp.chinacloudapi.cn:19000" />

    Here's an example for connecting to an x509 certificate-based secure cluster:

    <ClusterConnectionParameters
    ConnectionEndpoint="mycluster.chinanorth.cloudapp.chinacloudapi.cn:19000"
    X509Credential="true"
    ServerCertThumbprint="0123456789012345678901234567890123456789"
    FindType="FindByThumbprint"
    FindValue="9876543210987654321098765432109876543210"
    StoreLocation="CurrentUser"
    StoreName="My" />
    
  5. Edit any other necessary settings, such as upgrade parameters and Application Parameter file location, and then publish your application from the Publish Service Fabric Application dialog box in Visual Studio.
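
The following PowerShell check is an added example, not part of the original article or of the Visual Studio tooling. It reads the ClusterConnectionParameters element from a publish profile and confirms that the client certificate it names is in the stated store, has a private key, and has not expired. The function name Test-PublishProfileCertificate and the bare PublishProfile wrapper element are assumptions; the attribute values are the sample values from step 4.

```powershell
# Added example: validate the x509 settings in a publish profile before publishing.
# Constructed sample input: the secure ClusterConnectionParameters element from step 4.
[xml]$publishProfile = @'
<PublishProfile>
  <ClusterConnectionParameters
    ConnectionEndpoint="mycluster.chinanorth.cloudapp.chinacloudapi.cn:19000"
    X509Credential="true"
    ServerCertThumbprint="0123456789012345678901234567890123456789"
    FindType="FindByThumbprint"
    FindValue="9876543210987654321098765432109876543210"
    StoreLocation="CurrentUser"
    StoreName="My" />
</PublishProfile>
'@

function Test-PublishProfileCertificate {   # hypothetical helper name
    param([Parameter(Mandatory)][xml]$ProfileXml)

    $p = $ProfileXml.SelectSingleNode("//*[local-name()='ClusterConnectionParameters']")
    if (-not $p) { throw 'No ClusterConnectionParameters element found.' }
    if ($p.GetAttribute('X509Credential') -ne 'true') {
        Write-Warning 'X509Credential is not "true": this profile connects without a certificate.'
        return $false
    }
    if ($p.GetAttribute('FindType') -ne 'FindByThumbprint') {
        throw 'This check only handles FindType="FindByThumbprint".'
    }
    # Thumbprints pasted from the certificate dialog can carry spaces or invisible characters.
    foreach ($name in 'ServerCertThumbprint', 'FindValue') {
        if ($p.GetAttribute($name) -notmatch '^[0-9A-Fa-f]{40}$') {
            throw "$name is not a 40-character hex thumbprint."
        }
    }
    # The store named in the profile must be the store the .pfx was imported into.
    $storePath = 'Cert:\{0}\{1}\{2}' -f $p.GetAttribute('StoreLocation'),
        $p.GetAttribute('StoreName'), $p.GetAttribute('FindValue')
    $cert = Get-Item -Path $storePath -ErrorAction SilentlyContinue
    if (-not $cert) { throw "Client certificate not found at $storePath." }
    if (-not $cert.HasPrivateKey) { throw 'Client certificate has no private key.' }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Client certificate expired on $($cert.NotAfter)." }
    return $true
}

Test-PublishProfileCertificate -ProfileXml $publishProfile
```

With the placeholder thumbprints shown here the function stops at "Client certificate not found"; substitute the values from your own profile. The sample profile names StoreLocation="CurrentUser" while step 2 installs to Cert:\LocalMachine\My, so check that StoreLocation matches the store you actually imported into.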

Next steps

For more information about accessing Service Fabric clusters, see Visualizing your cluster by using Service Fabric Explorer.