What’s Service Fabric?
If you follow the microservices world and keep up with current technologies, you have very probably heard of Service Fabric. When you break a monolith into microservices, or design new ones, you want an orchestrator that manages service reliability, lifetime, scaling, upgrades, versioning, service discovery and so on. Service Fabric is Microsoft's orchestrator for microservices (and containers). As Microsoft points out, Service Fabric is not new; it already powers many existing, highly scalable Azure services. This post is not about what Service Fabric is, but about what it takes to secure a Service Fabric cluster (your environment). One last definition: a Service Fabric cluster is the set of nodes (VMs) that host your services. Let's see how to secure that cluster.
When you create your cluster you should know which security options are available. Most of the advanced settings that matter for security cannot be set from the Azure Portal (at least they could not when I last checked) and are only exposed through ARM templates. The best time to configure them is during the initial provisioning of the cluster; retrofitting a cluster certificate or authentication settings onto a running cluster means a cluster upgrade.
When you create a cluster, the concern is that arbitrary nodes could join it. To prevent this, Service Fabric uses X.509 certificates for node-to-node security: the cluster certificate is installed on every legitimate node during provisioning and its thumbprint is declared in the cluster configuration. Only nodes that present that certificate are allowed to talk to each other and are accepted as members of the cluster. Set the Security/ClusterProtectionLevel fabric setting to EncryptAndSign so that node-to-node traffic is both encrypted and signed, not merely authenticated. The same cluster certificate is also what the cluster presents to clients, which is the next topic. In the next post I'll share a simple ARM template that provisions a secure cluster.
You can connect to the cluster from several clients: Visual Studio, PowerShell or Cloud Explorer. Each time you connect you provide the cluster endpoint, for example mycluster.com:19000 (port 19000 is the client connection endpoint used by PowerShell and Visual Studio; Service Fabric Explorer talks to the HTTP gateway on port 19080). Through these clients you push application binaries, secrets and configuration to the cluster, so you want a guarantee that you are talking to the cluster you intended and not to an impostor. During provisioning you define the cluster certificate, which also serves as the server authentication certificate, and when you connect you pass its thumbprint. The client checks that the certificate the cluster presents during the TLS handshake has exactly that thumbprint (the .pfx you installed on the nodes is only the container for that certificate and its private key); if the thumbprints differ, the connection is refused. The client, in turn, authenticates itself with a client certificate or an Azure Active Directory token, which the next section covers.
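The connection step described above, as an added PowerShell example that is not part of the original post: it pins the cluster certificate thumbprint and refuses to deploy anything if the cluster presents a different certificate. The endpoint and both thumbprints are assumed placeholders; the client certificate must be registered in the cluster's client certificate list (or be the cluster certificate itself) for the call to succeed.

```powershell
# Added example (not from the original post). Connect to a secure cluster only after
# the cluster proves it holds the expected certificate.
# Assumed values: replace the endpoint and both thumbprints with your own.
$endpoint         = 'mycluster.com:19000'                       # client connection endpoint, assumed
$serverThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # cluster (server) certificate, assumed
$clientThumbprint = 'FEDCBA9876543210FEDCBA9876543210FEDCBA98'   # admin client certificate in CurrentUser\My, assumed

try {
    # -ServerCertThumbprint pins the certificate the cluster must present in the TLS handshake.
    # -FindValue selects the client certificate we authenticate with; it must be listed in the
    # cluster's clientCertificateThumbprints (or be the cluster certificate itself).
    Connect-ServiceFabricCluster -ConnectionEndpoint $endpoint `
        -X509Credential `
        -ServerCertThumbprint $serverThumbprint `
        -FindType FindByThumbprint -FindValue $clientThumbprint `
        -StoreLocation CurrentUser -StoreName My `
        -ErrorAction Stop | Out-Null
}
catch {
    # A rogue or misconfigured endpoint fails here. Do not "fix" this by dropping
    # -ServerCertThumbprint; that check is the whole point.
    throw "Refusing to use ${endpoint}: $($_.Exception.Message)"
}

# Variant for clusters that use Azure Active Directory for client authentication (same server pin):
# Connect-ServiceFabricCluster -ConnectionEndpoint $endpoint -AzureActiveDirectory -ServerCertThumbprint $serverThumbprint

# Sanity checks on the authenticated session before any Copy-/Register-/New-ServiceFabricApplication call.
Test-ServiceFabricClusterConnection | Out-Null
Get-ServiceFabricClusterHealth | Select-Object AggregatedHealthState
```

Keep the thumbprint in your deployment scripts and CI variables rather than typing it ad hoc; a script that omits -ServerCertThumbprint will happily push your application package to whatever answers on port 19000.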
Role-Based Access
Azure Active Directory (AAD) can be used to secure access to the Service Fabric cluster management endpoints. A cluster offers several entry points to its management functionality, including the web-based Service Fabric Explorer and Visual Studio, so two AAD applications are created to control access: a web application, which represents the cluster itself, and a native client application, which represents the tools (PowerShell, Visual Studio) that sign users in. For fine-grained authorization, the web application registered in AAD has two app roles, ADMIN and READONLY: an ADMIN can deploy, upgrade and delete applications and change cluster state, whereas READONLY is limited to queries.
Two security groups (SGs) are created in the AAD tenant, one for cluster admins and one for read-only access to the cluster. These groups are assigned to the app roles as follows:
- The read-only security group is added to the READONLY app role
- The admin security group is added to the ADMIN app role
For more detail on RBAC for a Service Fabric cluster, see the Service Fabric documentation. The helper scripts at http://servicefabricsdkstorage.blob.core.windows.net/publicrelease/MicrosoftAzureServiceFabric-AADHelpers.zip create these AAD applications for you. Executed with the proper parameters, the script prints the tenant ID and the two application IDs as the azureActiveDirectory section that the cluster-creation ARM template expects, so you can paste it straight into the template.
Reverse Proxy, SSL and Service Fabric Explorer
- While provisioning your cluster you should understand the reverse proxy. If you enable the reverse proxy on your cluster (say on port 19088), every service hosted on the cluster that has an HTTP listener becomes reachable from outside by browsing https://mycluster.com:19088/MyApp/MyService/api/operation; the reverse proxy resolves the service address and forwards the request. This means a service might be listening on some arbitrary port (say 2000) and you would assume that, since port 2000 is blocked on the firewall, the service is hidden. If the reverse proxy is enabled and the reverse proxy port is open on the firewall, all your services are free to be browsed from outside, and the reverse proxy does not authenticate callers on its own. Scary, is it not?
- Always host your services over SSL/TLS (HTTPS endpoints), including the reverse proxy endpoint if you enable it
- The management endpoint (the HTTP gateway behind Service Fabric Explorer), exposed by default on port 19080, should not be reachable from the public internet. Even though a secure cluster requires a certificate or AAD login before Explorer will do anything, keep the port off the internet as defence in depth. Use a jump box and allow access to the management endpoint only from it; anyone who wants to open Service Fabric Explorer to manage the cluster first has to remote desktop into the jump box.
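The cluster and network settings discussed in the Role-Based Access section and in the list above, as an added ARM template fragment. This is not the author's script and not a complete template (the cluster also needs the virtual machine scale set with the ServiceFabricNode extension, a load balancer, storage and the parameter declarations); it shows only the security-relevant parts of the cluster resource and a network security group for the node subnet. All parameter names, the node type name, the IP ranges and the thumbprints are assumptions. The `//` comments are accepted by ARM when deploying with Azure PowerShell or the Azure CLI.

```json
{
  "resources": [
    {
      "type": "Microsoft.ServiceFabric/clusters",
      "apiVersion": "2018-02-01",
      "name": "[parameters('clusterName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        // Cluster certificate: node-to-node and cluster-to-client authentication.
        // The same thumbprint must be given to the ServiceFabricNode VMSS extension.
        "certificate": {
          "thumbprint": "[parameters('clusterCertificateThumbprint')]",
          "x509StoreName": "My"
        },
        // Values printed by the AAD helper script (tenant, web app, native client app).
        "azureActiveDirectory": {
          "tenantId": "[parameters('aadTenantId')]",
          "clusterApplication": "[parameters('aadClusterApplicationId')]",
          "clientApplication": "[parameters('aadClientApplicationId')]"
        },
        // Optional: certificate-based admin client, e.g. for CI pipelines (assumed parameter).
        "clientCertificateThumbprints": [
          { "certificateThumbprint": "[parameters('adminClientCertificateThumbprint')]", "isAdmin": true }
        ],
        "fabricSettings": [
          {
            "name": "Security",
            "parameters": [
              // Encrypt and sign node-to-node traffic, not just authenticate peers.
              { "name": "ClusterProtectionLevel", "value": "EncryptAndSign" }
            ]
          }
        ],
        "managementEndpoint": "[concat('https://', parameters('clusterFqdn'), ':19080')]",
        "nodeTypes": [
          {
            "name": "nt0",
            "isPrimary": true,
            "vmInstanceCount": 5,
            "durabilityLevel": "Silver",
            "clientConnectionEndpointPort": 19000,
            "httpGatewayEndpointPort": 19080,
            // Reverse proxy enabled here; the NSG below keeps it off the internet.
            "reverseProxyEndpointPort": 19081,
            "applicationPorts": { "startPort": 20000, "endPort": 30000 },
            "ephemeralPorts": { "startPort": 49152, "endPort": 65534 }
          }
        ],
        "reliabilityLevel": "Silver",
        "upgradeMode": "Automatic",
        "vmImage": "Windows"
      }
    },
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2018-08-01",
      "name": "[parameters('nsgName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "securityRules": [
          {
            // PowerShell / Visual Studio deployments only from the corporate range (assumed).
            "name": "AllowClientEndpointFromCorp",
            "properties": { "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
              "sourceAddressPrefix": "203.0.113.0/24", "sourcePortRange": "*",
              "destinationAddressPrefix": "*", "destinationPortRange": "19000" }
          },
          {
            // Service Fabric Explorer / HTTP gateway only from the jump box (assumed private IP).
            "name": "AllowManagementFromJumpBox",
            "properties": { "priority": 110, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
              "sourceAddressPrefix": "10.0.1.4/32", "sourcePortRange": "*",
              "destinationAddressPrefix": "*", "destinationPortRange": "19080" }
          },
          {
            // The one public entry point: the HTTPS port of the service you intend to expose.
            "name": "AllowHttpsFromInternet",
            "properties": { "priority": 120, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
              "sourceAddressPrefix": "Internet", "sourcePortRange": "*",
              "destinationAddressPrefix": "*", "destinationPortRange": "443" }
          }
          // No rule for 19081 (reverse proxy) or for the application port range: the default
          // DenyAllInBound rule drops them from the internet, while the default AllowVnetInBound
          // and AllowAzureLoadBalancerInBound rules keep node-to-node traffic and probes working.
        ]
      }
    }
  ]
}
```

Do not add a custom "deny everything" rule with a low priority number: it would override the default AllowVnetInBound rule and break node-to-node communication and load balancer probes. Also check the load balancer rules; an NSG that blocks 19080 and 19081 from the Internet tag is the safety net, but not creating public load balancer rules for those ports in the first place is better still.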
Microsoft has good documentation on cluster security; take the time to read it as well. In the next post I'll share a cluster ARM template that covers most of the steps above.
Currently listening to – ALL THE STARS [KENDRICK]