0
votes

My Azure API Management and Service Fabric are in the same VNet but in 2 different subnets.

They both have the same NSG. API Management needs to contact Service Fabric on port 19080.

service-fabric-backend (0.038 ms)
{
    "message": "Resolving partition",
    "resourceId": "https://dev-myservicefabric-sf.ukwest.cloudapp.azure.com:19080",
    "managementEndpoint": [
        "https://dev-myservicefabric-sf.ukwest.cloudapp.azure.com:19080"
    ],
    "serviceName": {},
    "partitionKey": {
        "kind": "Singleton"
    }
}

This is the NSG rule I have set. But when I set this I am not able to communicate with the Service Fabric. What is the correct rule configuration other than putting Any (*)?


1 Answers

0
votes

The SF NSG must be configured to allow access to the default ports used by Service Fabric, not only 19080.

In your cluster configuration these values are defined like below:

"nodeTypes": [{
    "name": "NodeType0",
    "clientConnectionEndpointPort": "19000",
    "clusterConnectionEndpointPort": "19001",
    "leaseDriverEndpointPort": "19002",
    "serviceConnectionEndpointPort": "19003",
    "httpGatewayEndpointPort": "19080",
    "reverseProxyEndpointPort": "19081",
    "applicationPorts": {
        "startPort": "20575",
        "endPort": "20605"
    },
    "ephemeralPorts": {
        "startPort": "20606",
        "endPort": "20861"
    },
    "isPrimary": true
}]

In the cluster configuration tutorial, it explains they used a pre-configured NSG: https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-tutorial-create-vnet-and-windows-cluster#virtual-network-subnet-and-network-security-group

Based on your settings, you have to open ports 19000 and 19080 to publish new applications and manage the cluster. Also, these ports must be accessible from source * (internet) or from your company IP, not just API Mgmt IPs.
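
Added example, not part of the original answer: a small offline model of NSG inbound evaluation that reports which of the Service Fabric endpoint ports listed above a given source address cannot reach. The rule list, the addresses and the function names are constructed for illustration; sources are assumed to be `*` or a CIDR (service tags are not modelled), and traffic that matches no listed rule is treated as denied.

```python
import ipaddress

# Constructed sample: endpoint ports from the nodeTypes block quoted in the answer.
NODE_TYPE = {
    "clientConnectionEndpointPort": "19000",
    "clusterConnectionEndpointPort": "19001",
    "leaseDriverEndpointPort": "19002",
    "serviceConnectionEndpointPort": "19003",
    "httpGatewayEndpointPort": "19080",
    "reverseProxyEndpointPort": "19081",
}

# Constructed NSG inbound rules (addresses are illustrative, not from the page).
RULES = [
    {"priority": 100, "access": "Allow", "source": "10.0.1.0/24", "ports": "19080"},
    {"priority": 200, "access": "Deny", "source": "*", "ports": "*"},
]

def port_matches(spec, port):
    """True if port falls in an NSG port spec: '*', 'N', 'N-M' or a comma list."""
    for part in spec.split(","):
        part = part.strip()
        if part == "*":
            return True
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def source_matches(spec, ip):
    """True if ip is covered by the rule source ('*' or a CIDR prefix)."""
    return spec == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def decide(rules, src_ip, port):
    """First matching rule by ascending priority wins; no match is treated as Deny."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if source_matches(rule["source"], src_ip) and port_matches(rule["ports"], port):
            return rule["access"]
    return "Deny"

def blocked_endpoints(rules, node_type, src_ip):
    """Names of Service Fabric endpoints in node_type that src_ip cannot reach."""
    return sorted(name for name, port in node_type.items()
                  if name.endswith("EndpointPort")
                  and decide(rules, src_ip, int(port)) != "Allow")

if __name__ == "__main__":
    for src in ("10.0.1.4", "203.0.113.7"):
        print(src, "blocked:", blocked_endpoints(RULES, NODE_TYPE, src))
```

Running it against an export of the real rules before applying them shows which endpoints a change would cut off for each source range.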