Join Chander Dhall for an in-depth discussion in this video, Finalize cluster creation, part of Microservices and Azure Service Fabric Basics for Developers.
- [Instructor] As we discussed earlier, Service Fabric, in order to secure a cluster, uses X.509 certificates. It's really the key vault that manages the security certificates. And now we have the Azure Resource Provider that's responsible for creating the Service Fabric cluster. When a cluster is deployed, the resource provider gets the certificates from the key vault and installs them on the cluster VMs. Now we're going to set up the key vault.
First things first, we need to log in to our Azure account, and we're going to use PowerShell for it. So when I type the command, Login-AzureRmAccount, you should see a browser window pop up. It needs my username and password. So once I successfully enter my password and username, I can see the current subscription, which is in my context. What happens if you have more than one subscription? There's a command, Get-AzureRmSubscription, and it should list all the subscriptions we have under that account.
And we can manually go and set the context to the subscription we want to use. In this case, it's going to be subscription Id, and Id is going to be this Id. So once I highlight this, and then right-click twice, I should be able to copy and paste it. You want to make sure there is a space here, and hit Enter. The next thing we need to do is create a resource group. We can also use the resource group we just created, but if you have to use PowerShell, what you'll do is, New-AzureRmResourceGroup, with a name, and in this case we can call it sample resource group, and then give it a location.
It's going to be West US. Once I hit Enter, you can see that I was able to successfully create a resource group. Next, we need to create the key vault. You can see the commands are very similar. Everything starts with New-AzureRm, and then it's really the name of what we're creating. So it was resource group, now it's the vault name. And then we have the vault name, which is the parameter, and then I'm going to call it my vault or anything else I want to call it. So for example, sample key vault.
And then we have the resource group name, which we just created, that happens to be sample resource group, and then the location which is going to be West US, and I want to make sure that it's enabled for deployment. This is very important. So if you're using a name that's already been used, you'll get an error like that. So you have to make sure that the name is unique. So, I'm going to try to use ChanderkeyV, and now this one worked.
Key vault can use the .pfx files as is; however, the Azure Resource Provider has a different requirement. For the keys to work with the Resource Provider, they need to be stored in a special JSON format. This format requires the .pfx to be a Base64-encoded string, and also needs the private key password. The good news is that there's already an existing PowerShell module on GitHub that can be used to format certificates to satisfy the needs of the Azure Resource Provider.
In order to use that, all you need to do is go to Service Fabric, and then download the entire folder. Once you have this, you want to make sure that you extract it. And we need to import the module in our PowerShell window. The module to be imported is under ServiceFabricRPHelpers and is a PowerShell module.
I'm going to copy this address, as it is, and then go back to PowerShell. Back in PowerShell, we're going to import the module, give it a fully qualified path. Keep in mind that, if it doesn't work for you for some reason, then all you need to do is go to the module, right-click on the file, and then make sure you unlock it, because for some reason, Windows might block it, just because it's downloaded from the Internet. Next, we need to do Invoke-AddCertToKeyVault.
Now this will require a PFX file and a full file path. We don't have that yet, so we're going to create one. So back to the Certificate console, we're going to right-click, All Tasks, Export, and when the Certificate Export Wizard comes up, we're going to do Next, and then we will export the private key, and hit Next again. Make sure you do check these two options, and then add in a password. I'm just going to call it A-B-C-D.
This password is required by Azure, so please make sure that you have a password. Hit Next, and then the filename. You can call it finalcert, and then save it in our downloads folder. When I hit Finish, export was successful. So then we need the subscription ID. I've already copied it right here. And then we need the resource group name that we just created. In our case, this is going to be samplerg, and then we need the key vault that we just created, before that, we'll need the location, and then the certificate name, which was samplecoursecert, password is A-B-C-D, and then use existing certificate, another parameter called ExistingPfxFilePath, and then the full path to the certificate.
Now that we have the command, we're going to hit Enter. And that's successful. So you can see, we have the certificate thumbprint, and then we have the source vault, and we also have the certificate URL. Now these are the three things that are actually needed while we are creating the cluster. So going back to our browser, we have the Security mode. You can see that we have the Source key vault, and it also tells you how it looks. It's got subscription, and then the subscription Id, and then we have resource groups, and then the resource group name, and then the providers, and then the key vault, and then the vault name.
So you want to copy all these values and use them in the Azure portal. So this is a Source key vault, and you can see that the value is in a certain format, and then when I push it in, it also checks for me automatically. So, for example, if you were in a different subscription ID for the cluster, and you had a different subscription ID for the key vault, it will actually give you an error right here. So this is a really good utility when you are developing, especially when you have multiple subscriptions. Then you would need the certificate URL, which refers to the URL in your key vault, where the certificate was uploaded, and then the certificate thumbprint.
As you can see we have three check marks, so we're good to go, and I'm going to hit Okay. And the validation has passed, and when I click here, that's exactly when the cluster would be created. You can see, it's samplecoursecluster. And one thing to keep in mind is that if you create your clusters and you leave it open, you will still be charged for it. So you might want to be careful when you are playing with it for test purposes, or development purposes, you might want to kill your clusters later on. So the cluster has been created and if you need to pin it to the Dashboard, you can click here, and you can also copy the address, if you'd like to.
And then if you close this, you can see it on your dashboard.
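The commands narrated above, collected into one script as an added example (not part of the original transcript or course material). `Set-AzureRmContext`, `Unblock-File`, the module file name and the angle-bracket placeholders are assumptions; the PFX password is prompted for here rather than written into the script.

```powershell
# Added example: the AzureRM steps from the transcript, in the order narrated.
# Values in angle brackets are placeholders, not values from the video.
$subscriptionId = '<subscription-id>'
$resourceGroup  = 'samplerg'            # resource group name used in the transcript
$location       = 'West US'
$vaultName      = 'ChanderkeyV'         # vault names must be unique
$certName       = 'samplecoursecert'
$pfxPath        = '<full-path-to>\finalcert.pfx'
# Assumed file name of the helper module inside the extracted folder.
$helperModule   = '<extracted-folder>\ServiceFabricRPHelpers\ServiceFabricRPHelpers.psm1'

# Prompt for the PFX password so it is not stored in the script or shell history.
# The helper takes the password as a plain string, so convert it in memory.
$secure      = Read-Host -Prompt 'PFX password' -AsSecureString
$pfxPassword = [System.Net.NetworkCredential]::new('', $secure).Password

# 1. Sign in, list subscriptions, and select the one that will own the cluster.
Login-AzureRmAccount
Get-AzureRmSubscription
Set-AzureRmContext -SubscriptionId $subscriptionId

# 2. Create the resource group and a key vault enabled for deployment,
#    so the resource provider can read certificates from it at deploy time.
New-AzureRmResourceGroup -Name $resourceGroup -Location $location
New-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup `
    -Location $location -EnabledForDeployment

# 3. Clear the downloaded-from-Internet block on the helper module and import it.
Unblock-File -Path $helperModule
Import-Module $helperModule

# 4. Upload the exported PFX. The output lists the certificate thumbprint,
#    source vault and certificate URL that the portal's security blade asks for.
Invoke-AddCertToKeyVault -SubscriptionId $subscriptionId `
    -ResourceGroupName $resourceGroup -Location $location -VaultName $vaultName `
    -CertificateName $certName -Password $pfxPassword `
    -UseExistingCertificate -ExistingPfxFilePath $pfxPath
```

The AzureRM module used in the video has since been retired in favour of the Az module, whose cmdlets use the `Az` noun prefix (for example `New-AzKeyVault`).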
- Reviewing microservices vs. monolithic architecture
- Reviewing microservices and Azure Service Fabric basics
- Programming model architecture
- Creating a stateless service and a stateful service
- Creating a cluster in Azure
- Adding security to a cluster
- Finalizing cluster creation
- Deploying to an Azure cluster
- Debugging an application remotely