How does azure load balancer support dynamic ports for service fabric cluster?

0
votes

In the endpoint configuration for a service in ServiceManifest.xml file, visual studio typically creates following information:

<Resources>
 <Endpoints>
  <Endpoint Protocol="http" Name="ServiceEndpointHttp" Type="Input" Port="8304" />
 </Endpoints>
</Resources>

If I remove Port attribute and its value (as shown below), 

<Resources>
 <Endpoints>
  <Endpoint Protocol="http" Name="ServiceEndpointHttp" Type="Input" />
 </Endpoints>
</Resources>

the service fabric run time will assign a dynamic port to this service.

Since all ports are automatically blocked by the related load balancer, how do I configure the load balancer so that service can be accessed from outside?

2
azureazure-service-fabric

2 Answers

2
votes

You could update the Azure Load Balancer for every service, but as the ports are dynamic, that's not a good idea.

It better to use a Reverse Proxy, e.g. the built in reverse proxy for that. It will receive all incoming calls (on a fixed port, like 80) and forward them to HTTP endpoints within the cluster.

Because endpoints are registered internally with the Naming Service, the built in Reverse Proxy can find them.

You can also build a proxy yourself and use FabricClient.QueryManager to resolve service endpoints.

1
votes

According to Microsoft the built-in reverse proxy is not secure. It exposes all endpoints even system services. There is a warning in their documentation. https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-reverseproxy

We have been developing .Net Core stateless service as guest executable and the the problem that we are facing now is security. It was advised by Microsoft consultants not to use built in Reverse Proxy. We are now writing our own proxy now that will expose only the endpoint that we want to be exposed.

We have written an ARM template that provisions Azure Application Gateway with public IP and the Azure Service Fabric cluster. For each Web API we configure a Azure Traffic Manager profile. The incoming call is routed from TM to APP gateway and them through the load balancer to VM Scale Set.