Azure API Management NSG setup when configuring with Service Fabric

My Azure API Management and Service Fabric are in the same VNet but in 2 different subnets.

They both have the same NSG. API Management needs to contact Service Fabric on port 19080.

service-fabric-backend (0.038 ms)
{
    "message": "Resolving partition",
    "resourceId": "https://dev-myservicefabric-sf.ukwest.cloudapp.azure.com:19080",
    "managementEndpoint": [
        "https://dev-myservicefabric-sf.ukwest.cloudapp.azure.com:19080"
    ],
    "serviceName": {},
    "partitionKey": {
        "kind": "Singleton"
    }
}

This is the NSG rule I have set. But when I set this I am not able to communicate with the Service Fabric. What is the correct rule configuration other than putting Any (*)?

The SF NSG must be configured to allow access to the default ports used by Service Fabric, not only 19080.

In your cluster configuration these values are defined like below:

"nodeTypes": [{
    "name": "NodeType0",
    "clientConnectionEndpointPort": "19000",
    "clusterConnectionEndpointPort": "19001",
    "leaseDriverEndpointPort": "19002",
    "serviceConnectionEndpointPort": "19003",
    "httpGatewayEndpointPort": "19080",
    "reverseProxyEndpointPort": "19081",
    "applicationPorts": {
        "startPort": "20575",
        "endPort": "20605"
    },
    "ephemeralPorts": {
        "startPort": "20606",
        "endPort": "20861"
    },
    "isPrimary": true
}]

In the cluster configuration tutorial, it explains they used a pre-configured NSG: https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-tutorial-create-vnet-and-windows-cluster#virtual-network-subnet-and-network-security-group

Based on your settings, you have to open ports 19000 and 19080 to publish new applications and manage the cluster. Also, these ports must be accessible from source * (internet) or from your company IP, not just API Mgmt IPs.
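
An added example, not part of the original question or answer: a small Python model of NSG inbound evaluation (rules checked in priority order, first match decides) that audits which sources reach the Service Fabric ports named in the answer. The subnet ranges, company range, IP addresses and rule names are constructed assumptions; Azure's default rules and service tags are not modelled.

```python
import ipaddress

# Constructed sample values (assumptions): subnet ranges, company range, rule names.
APIM_SUBNET, SF_SUBNET, COMPANY = "10.0.1.0/24", "10.0.0.0/24", "203.0.113.0/24"
# Ports from the nodeTypes fragment in the answer above.
SF_PORTS = {"clientConnectionEndpointPort": 19000, "httpGatewayEndpointPort": 19080}
# Inbound rules on the shared NSG (constructed). Lowest priority number wins.
RULES = [
    {"name": "Allow-APIM-Gateway", "priority": 100, "access": "Allow",
     "source": APIM_SUBNET, "dest": SF_SUBNET, "ports": "19080"},
    {"name": "Allow-Company-Mgmt", "priority": 110, "access": "Allow",
     "source": COMPANY, "dest": SF_SUBNET, "ports": "19000,19080"},
    {"name": "Deny-Other-Inbound", "priority": 4096, "access": "Deny",
     "source": "*", "dest": "*", "ports": "*"},
]

def addr_match(prefix, ip):
    """True if ip falls inside a CIDR prefix; '*' matches anything."""
    return prefix == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)

def port_match(spec, port):
    """Match a port against '*', a single port, a range 'a-b', or a comma list."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def evaluate(rules, src_ip, dst_ip, port):
    """Return (access, rule name) of the first matching rule in priority order."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if (addr_match(r["source"], src_ip) and addr_match(r["dest"], dst_ip)
                and port_match(r["ports"], port)):
            return r["access"], r["name"]
    return "Deny", None  # nothing matched (Azure's default rules are not modelled)

def audit(rules, sources, dst_ip, ports=SF_PORTS):
    """Map (source label, endpoint name) -> 'Allow'/'Deny' for each SF port."""
    return {(label, name): evaluate(rules, ip, dst_ip, port)[0]
            for label, ip in sources.items() for name, port in ports.items()}

if __name__ == "__main__":
    srcs = {"apim": "10.0.1.4", "company": "203.0.113.7", "internet": "198.51.100.9"}
    for key, verdict in audit(RULES, srcs, "10.0.0.5").items():
        print(key, verdict)
```

Running the audit against an exported rule set before applying it shows at a glance whether API Management reaches 19080 and whether any management port is open to more sources than intended.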
