
Cloud Service to Service Fabric authentication?

What's the recommended way to authorize service-to-service traffic in Service Fabric?

I have a Classic Cloud Service that I'd like to have call a Web API endpoint in a Service Fabric service. Is there a way to open up specific ports to specific IPs in a Service Fabric cluster? Or is there a better way to make sure my Service Fabric endpoints cannot be called from the outside internet?

Thanks!

There are two key areas that you need to think about.

The first is securing your cluster and the management API / capabilities. This can be achieved using certificates. I know this is a link-only answer but it's too much to paste in and rewrite. You should secure your communication between nodes with a cert and then the client (read-only admin) and admin "interfaces" with additional certs (don't re-use the same one you used for your cluster).

Once you have done this you can be confident in the security of your cluster. Now you want to host a WebAPI on your cluster and have it talk to an existing Cloud Service. The requirement here is to secure your application.

The standard WebAPI security options are now available to you. I would recommend shared-key security via HMAC for its simplicity and non-reliance on any further infrastructure, bar you having to securely store your keys. Two-legged OAuth is also an option if you have OAuth infrastructure in place. Of course you should run your API over TLS.

In short, focus separately on securing your cluster "infrastructure" and your application.
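The shared-key HMAC option recommended above, as an added example that is not part of the original answer. It signs the method, path, timestamp, nonce and body hash so that none of them can be altered or replayed, and the receiving service verifies with a constant-time comparison. The key value, header names and skew window are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo key; in practice load it from a secrets store, never from source.
SHARED_KEY = b"demo-shared-key-not-for-production"
MAX_SKEW_SECONDS = 300  # assumed acceptance window for request timestamps


def canonical_string(method, path, timestamp, nonce, body):
    """Bind the signature to method, path, time, nonce and body hash so none can be swapped."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{nonce}\n{body_hash}".encode()


def sign_request(key, method, path, body, timestamp=None):
    """Caller side (the Cloud Service): produce the headers to send with the request."""
    ts = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(8)
    mac = hmac.new(key, canonical_string(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": mac}


def verify_request(key, method, path, body, headers, seen_nonces, now=None):
    """Service side (the Service Fabric Web API): reject stale, replayed or tampered requests."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Timestamp"])
        nonce = headers["X-Nonce"]
        provided = headers["X-Signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:  # stale or badly clock-skewed request
        return False
    if nonce in seen_nonces:  # replay of a request already accepted in the window
        return False
    expected = hmac.new(key, canonical_string(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, provided):  # constant-time comparison
        return False
    seen_nonces.add(nonce)  # only remember nonces of requests that verified
    return True
```

The `seen_nonces` set stands in for a shared store that expires entries after `MAX_SKEW_SECONDS`; with multiple service replicas it needs to be shared between them.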

I found the following useful list here:

  1. Expose all the Web APIs over HTTPS by using an Application Gateway
  2. Apply IP Filters, so only services from the corporate network can call the Web APIs, we will do this by applying Network Security Groups.
  3. Secure the Service Fabric Nodes, so they don't expose RDP endpoints. Only a Jumpbox VM will be accessible by RDP.
  4. Add Web Application Firewalls to apply more advanced and granular threat / intrusion detection.

These requirements can be applied by leveraging Azure Infrastructure related capabilities (Application Gateway, Network Security Groups, Web Application Firewalls and Security Centre). In addition to these requirements, you will very likely want to:

  1. Add authentication / authorization capabilities to your Web APIs.
  2. Manage Data in a secure way, potentially you might need to encrypt the data (actors and collections).
