Guide: A Step-by-Step Guide to Setup Service Fabric Cluster in Azure

Posted by Nilay Parikh and last modified on Tue Jun 12, 2018.

As an Azure Computing enthusiast, I am following the Service Fabric since the platform was available for private preview. The Service Fabric is a distributed platform that addresses significant challenges in managing cloud applications. i.e. Microservices, High-Density Web Services or self-host applications. The Azure Service Fabric avoids complex logistical problems around the infrastructure and service management. It mainly focuses on implementing critical, high-volume workload that is scalable, fault-tolerant, self-healing, stateless or stateful, fast deployable, resource balancing, self-optimising and manageable.

There are mainly two ways to provision the Service Fabric clusters,

Create Service Fabric Cluster using the Azure Portal

Creating Service Fabric Cluster using Azure Portal is simple, though there are some tricky steps involved while setting up security and certificates. We would highlight them as we go along. Azure Portal is a useful tool especially if you are configuring for quick proof of concept or early environment. For production use (at Enterprise Scale), I would recommend Azure Resource Manager Templates.

Basic Configuration

Basic configuration would require Cluster Name, Operating System, Default VM Credentials, Subscription, Resource Group and Data Center Location. It is not a good idea to have the same username and password for all the VMs from a security perspective. However, it is fine for testing or development purposes.

Key configuration elements would be Operating System and Data Center Location.

Service Fabric Basic Configuration in Azure Portal

Cluster Configuration & Node Types

Node Type configuration is one of the key decision points for your Service Fabric Cluster. Service Fabric Provisioning Orchestration would create some the VM Scale Set as equal to node types. At node type configuration, you can specify Node Type Name, Durability Tier, Machine Size, Reliability Tier and Initial VM Scale Set Capacity.

Durability Tier

The Durability Tier determines the minimum size of VM. I relate Durability term in this context as Up-Scaling your computing nodes, as well as there is an element of availability, too. Gold durability can be enabled on VM Size like D15_*, G5+ or equivalent, the similar constraint for Silver, too. The use case of the services should be the main driver for deciding durability tier.

Reliability Tier

The reliability tier configuration is more relevant to the High Availability requirement; the configuration value would run the system services with a count of target replica set. The configuration value would also determine the minimum number of nodes. However, bear in mind that there is no ceiling on numbers of VM (Azure limitation would apply).

I see them, as proper valuation as the minimal system should be in place. However, we can always scale-up or scale-out.

Service Fabric Cluster Configuration - Primary Node Configuration in Azure Portal
Secondary or Additional Node Types

Node Types provides a physical segmentation within Service Fabric Cluster, you can consider separate node type for various drivers. i.e. Business Domain, Front-End Service Layer, Composite Service Layer, Core Service Layer, Back-End Service Layer, Service Profiling (High Throughput), Stateless Services (with lighter but higher more machines), Stateful (or Actor with High I/O but a smaller number of machines).

In a nutshell, it would provide much-needed flexibility to manage different enterprise services. The configuration parameters are same as Primary Node Type.

Service Fabric Cluster Configuration - Secondary Node Configuration in Azure Portal

Custom Fabric Settings

You can configure runtime configuration values here, for more detail refer Customize Service Fabric cluster settings and Fabric Upgrade policy .

Service Fabric Custom Setting - Runtime Settings

Upgrade and Fabric Version

You can configure automatic Fabric Runtime upgrade or leave it for manual upgrade. A Azure Service Fabric cluster is a shared responsibility (as PaaS), you can choose a preferred update mode using Resource Manager template or the Azure Portal. For more information, please see Upgrade an Azure Service Fabric cluster .

Service Fabric Upgrade and Runtime Version Setting

Security

Security is key for any Public Cloud deployment. Service Fabric provides different configuration options i.e. Node-to-Node or Node-to-Client. You can consider some of the following,

  • X.509 Certificate Security (using Azure Key Vault) Recommended
  • X.509 Certificate Security (uploading .pfx directly and configuring through CD/CI pipeline to individual node)
  • Windows Security (Azure Active Directory)

By click Show advanced setting link to expand other options available to the configuration. i.e. Secondary Certificate, Windows AD configuration. Secondary Certificate is necessary as it would make Key Rotation easier and straightforward. Refer add a secondary cluster certificate using the portal for more detail.

Service Fabric Node-to-Node Security Configuration

$ResouceGroup = "blog.nilayparikh.com"
$VName = "XXXX"
$SubID = "0000000-0000-0000-0000-000000000000"
$locationRegion = "southuk"
$newCertName = "npblogdemosfcertificate"
$dnsName = "xxxxxxxx.uksouth.cloudapp.azure.com" #The certificate's subject name must match the domain used to access the Service Fabric cluster.
$localCertPath = "D:\MyCertificates" # location where you want the .PFX to be stored

Invoke-AddCertToKeyVault -SubscriptionId $SubID -ResourceGroupName $ResouceGroup -Location $locationRegion -VaultName $VName -CertificateName $newCertName -CreateSelfSignedCertificate -DnsName $dnsName -OutputPath $localCertPath

/* Output */
Name  : CertificateThumbprint
Value : 7D96DC096AXX98DCXXXXX85178AECD2AXXXX889

Name  : SourceVault
Value : /subscriptions/0000000-0000-0000-0000-000000000000/resourceGroups/blog.nilayparikh.com/providers/Microsoft.KeyVault/vaults/XXXX

Name  : CertificateURL
Value : https://XXXX.vault.azure.net:443/secrets/npblogdemosfcertificate/0000000000000000000000000000000

If you are considering deploying X.509 certificate through the Azure Key Vault then you need to tick Enable access to Azure Virtual Machine for deployment option on Advance Access Policies.

Service Fabric Advance Access Policies

Quick hack for creating self-signed certificate for non-production use,

Review and Create Service Fabric Cluster

Review the summary and click on Create, it may take long to provision a cluster. The Azure Portal will provision following,

  • Load Balancer (per Node Type)
  • Subnet (per Node Type)
  • Public IP
  • Virtual Network (optional with Resource Manager Template)
  • Virtual Scale Sets (per Node Type)
  • Virtual Machines (per Durability, Reliability and Cluster Configuration)
  • Storage (per configuration, i.e. Logs)
Service Fabric Summary

That is it; it could take several minutes while Microsoft Azure provision you all the artefact that make Service Fabric Cluster.

Provision the Azure Service Fabric Cluster through Resource Manager Template

I have created a minimalistic Service Fabric Azure RM template.

You can find Resource Manager Template and relevant scripts at JSON Template & PowerShell Script and Github/NilayParikh/AzureTemplates repository.

Disclaimer

Any views or opinions expressed are solely those of the author and do not represent any other person or organisation. THE ARTICLE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND. IN NO EVENT SHALL THE AUTHOR(S) OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY.

References