
Cloud Service to Service Fabric authentication?

What's the recommended way to authorize service-to-service traffic in Service Fabric?

I have a Classic Cloud Service that I'd like to have call a Web API endpoint in a Service Fabric service. Is there a way to open up specific ports to specific IPs in a Service Fabric cluster? Or is there a better way to make sure my Service Fabric endpoints cannot be called from the outside internet?

Thanks!

There are two key areas that you need to think about.

The first is securing your cluster and the management API / capabilities. This can be achieved using certificates. I know this is a link-only answer but it's too much to paste in and rewrite. You should secure your communication between nodes with a cert and then the client (read-only admin) and admin "interfaces" with additional certs (don't re-use the same one you used for your cluster).

Once you have done this you can be confident in the security of your cluster. Now you want to host a WebAPI on your cluster and have it talk to an existing Cloud Service. The requirement here is to secure your application.

The standard WebAPI security options are now available to you. I would recommend shared-key security via HMAC for its simplicity and non-reliance on any further infrastructure, bar you having to securely store your keys. Two-legged OAuth is also an option if you have OAuth infrastructure in place. Of course you should run your API over TLS.

In short, focus separately on securing your cluster "infrastructure" and your application.
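The HMAC shared-key scheme this answer recommends, written out as an added example (it is not code from the original answer or from Service Fabric). It assumes a key distributed out of band (a constructed key in source here, purely for the example), a key-id header so keys can be rotated, a timestamp window plus a per-request nonce to limit replay, and hypothetical `X-*` header names. The cloud service signs; the Web API in the cluster verifies.

```python
import hashlib
import hmac
import secrets
import time

# Constructed shared key for this example only. In practice distribute it out of
# band (for example from a secret store) and never embed it in source or config.
KEYS = {"cloudservice-v1": b"example-shared-key-do-not-reuse"}
MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is further from "now" than this


def canonical_string(method, path, timestamp, nonce, body):
    """Bind method, path, time, nonce and a hash of the body into one string to sign.

    Hashing the body keeps the signed string small; signing the path and method
    stops a captured signature being replayed against a different endpoint.
    """
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash])


def sign_request(key_id, method, path, body, timestamp=None, nonce=None):
    """Client side: produce the (hypothetical) auth headers for one request."""
    key = KEYS[key_id]
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    message = canonical_string(method, path, timestamp, nonce, body).encode()
    signature = hmac.new(key, message, hashlib.sha256).hexdigest()
    return {
        "X-Key-Id": key_id,
        "X-Timestamp": str(timestamp),
        "X-Nonce": nonce,
        "X-Signature": signature,
    }


def verify_request(method, path, body, headers, seen_nonces, now=None):
    """Server side: return (accepted, reason).

    Order of checks: unknown/malformed headers, stale timestamp, signature
    (constant-time compare), then nonce reuse. The nonce is only recorded after
    the signature checks out, so an unauthenticated caller cannot fill the
    replay cache with junk.
    """
    now = int(time.time()) if now is None else now
    try:
        key = KEYS[headers["X-Key-Id"]]
        timestamp = int(headers["X-Timestamp"])
        nonce = headers["X-Nonce"]
        provided = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing, unknown or malformed auth headers"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    message = canonical_string(method, path, timestamp, nonce, body).encode()
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, provided):
        return False, "signature mismatch"
    if nonce in seen_nonces:
        return False, "replayed nonce"
    # In production use a shared cache whose entry TTL is at least MAX_SKEW_SECONDS.
    seen_nonces.add(nonce)
    return True, "ok"


if __name__ == "__main__":
    body = b'{"orderId": 42}'  # constructed request body
    headers = sign_request("cloudservice-v1", "POST", "/api/orders", body)
    seen = set()
    print(verify_request("POST", "/api/orders", body, headers, seen))  # (True, 'ok')
    print(verify_request("POST", "/api/orders", body, headers, seen))  # (False, 'replayed nonce')
    print(verify_request("POST", "/api/orders", b'{"orderId": 43}', headers, set()))  # (False, 'signature mismatch')
```

The HMAC gives the API authenticity and integrity of each call, nothing more: the body travels in the clear unless the endpoint is behind TLS, which is why the answer still insists on it. The nonce set must be shared by every instance of the service that can receive the request, otherwise a replay landing on a different node will be accepted.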

I found the following useful list here:

  1. Expose all the Web APIs over HTTPS by using an Application Gateway.
  2. Apply IP filters, so only services from the corporate network can call the Web APIs; we will do this by applying Network Security Groups.
  3. Secure the Service Fabric nodes, so they don't expose RDP endpoints. Only a jumpbox VM will be accessible by RDP.
  4. Add Web Application Firewalls to apply more advanced and granular threat / intrusion detection.

These requirements can be applied by leveraging Azure infrastructure capabilities (Application Gateway, Network Security Groups, Web Application Firewalls and Security Centre). In addition to these requirements, you will very likely want to:

  1. Add authentication / authorization capabilities to your Web APIs.
  2. Manage data in a secure way; potentially you might need to encrypt the data (actors and collections).
