So I have a Web Api hosted on Azure Service Fabric which I would like to expose through https.
First question: is there actually a default certificate for *.cloudapp.azure.com provided by Microsoft similar to the App Service?
If there isn't, how can I have a valid certificate (issued by a well known CA) for a domain I do not own?
In case it is somehow possible I suppose I would need to upload this certificate to the Azure Vault and reference its thumbprint in the service manifest right?
Am I supposed to use the same certificate for securing the cluster and exposing SSL endpoints?
Thanks!
There is no wildcard cert for *.cloudapp.azure.com like there is for *.azurewebsites.net. For SSL you'll have to register your own domain and either CNAME it to your cluster domain (e.g., mycluster.westus.cloudapp.azure.com), or get a static public IP for your load balancer VIP and point your A record to that (more on public IPs in Azure here). Then buy a certificate for that domain from your favorite CA.
Once you have a cert, yes you'll store that in Key Vault (make sure you set -EnabledForDeployment when you create your Key Vault!) and put that in your cluster ARM template (to get it installed on your nodes).
To use HTTPS, first set up a cert reference in ApplicationManifest.xml:
<Certificates>
  <EndpointCertificate X509FindValue="<Your Certificate Thumbprint>" Name="Cert1" />
</Certificates>
Then set up an EndpointBindingPolicy in the ServiceManifestImport section of the Application Manifest:
<ServiceManifestImport>
  ...
  <Policies>
    <EndpointBindingPolicy EndpointRef="ServiceEndpoint" CertificateRef="Cert1" />
  </Policies>
</ServiceManifestImport>
And finally, reference the cert in your Endpoint config in ServiceManifest.xml:
<Endpoints>
  <Endpoint Name="ServiceEndpoint" Type="Input" Protocol="https" Port="443" CertificateRef="Cert1"/>
</Endpoints>
You can use the same cert to secure your cluster and provide SSL to users, but I would recommend a different cert so that you're not handing out your server cert to clients for cluster authentication.
EDIT: One could also use Azure Application Gateway, which supports SSL offloading. Then it would handle the HTTPS aspects and talk HTTP back to the cluster.
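A consistency check for the manifest wiring described in this answer, as an added example (not code from the answer or from Service Fabric's own tooling). It assumes the manifests use the standard Service Fabric XML namespace, that X509FindValue holds a thumbprint (the default X509FindType), and uses constructed sample manifests with a placeholder thumbprint; it also flags the case the answer warns about, reusing the cluster certificate as the endpoint certificate.

```python
import re
import xml.etree.ElementTree as ET

NS = {"sf": "http://schemas.microsoft.com/2011/01/fabric"}  # Service Fabric manifest namespace
# Constructed sample manifests mirroring the answer; the thumbprint is a placeholder.
APP_MANIFEST = """<ApplicationManifest xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <ServiceManifestImport>
    <Policies>
      <EndpointBindingPolicy EndpointRef="ServiceEndpoint" CertificateRef="Cert1" />
    </Policies>
  </ServiceManifestImport>
  <Certificates>
    <EndpointCertificate X509FindValue="0123456789abcdef0123456789abcdef01234567" Name="Cert1" />
  </Certificates>
</ApplicationManifest>"""
SERVICE_MANIFEST = """<ServiceManifest xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <Resources>
    <Endpoints>
      <Endpoint Name="ServiceEndpoint" Type="Input" Protocol="https" Port="443" CertificateRef="Cert1"/>
    </Endpoints>
  </Resources>
</ServiceManifest>"""
def check_https_wiring(app_xml, svc_xml, cluster_thumbprint=None):
    # Returns a list of problems; an empty list means the HTTPS wiring is consistent.
    problems = []
    app, svc = ET.fromstring(app_xml), ET.fromstring(svc_xml)
    # Certificate name -> thumbprint (assumes the default X509FindType, FindByThumbprint).
    certs = {c.get("Name"): (c.get("X509FindValue") or "").lower()
             for c in app.findall(".//sf:Certificates/sf:EndpointCertificate", NS)}
    for name, thumb in certs.items():
        if not re.fullmatch(r"[0-9a-f]{40}", thumb):
            problems.append(f"certificate {name}: X509FindValue is not a SHA-1 thumbprint")
        if cluster_thumbprint and thumb == cluster_thumbprint.lower():
            problems.append(f"certificate {name} is the cluster certificate; use a separate server cert")
    # Endpoint name -> certificate name bound by EndpointBindingPolicy.
    policies = {p.get("EndpointRef"): p.get("CertificateRef")
                for p in app.findall(".//sf:EndpointBindingPolicy", NS)}
    for ep in svc.findall(".//sf:Endpoints/sf:Endpoint", NS):
        name = ep.get("Name")
        if (ep.get("Protocol") or "").lower() != "https":
            continue  # only TLS endpoints need a certificate binding
        if name not in policies:
            problems.append(f"https endpoint {name} has no EndpointBindingPolicy")
        elif policies[name] not in certs:
            problems.append(f"endpoint {name} is bound to unknown certificate {policies[name]}")
        cert = ep.get("CertificateRef")
        if cert and cert not in certs:
            problems.append(f"endpoint {name} references unknown certificate {cert}")
    return problems
```

Run it against the real ApplicationManifest.xml and ServiceManifest.xml before deploying, passing the cluster certificate's thumbprint so the check catches accidental reuse.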