Use Entra ID authentication with Service Fabric clusters

Security · Service Fabric · Rule · 2021_03 · Critical

Use Entra ID client authentication for Service Fabric clusters.

Description

When deploying Service Fabric clusters on Azure, Entra ID (previously known as Azure AD) can optionally be used to secure management endpoints. If configured, client authentication (client-to-node security) uses Entra ID. Additionally Azure Role-based Access Control (RBAC) can be used to delegate cluster access.

For Service Fabric clusters running on Azure, Entra ID is recommended to secure access to management endpoints.

Recommendation

Consider enabling Entra ID client authentication for Service Fabric clusters.

Notes

For Linux clusters, Entra ID authentication must be configured at cluster creation time. Windows cluster can be updated to support Entra ID authentication after initial deployment.

Links

• SE:05 Identity and access management
• Security recommendations
• Set up Microsoft Entra ID for client authentication
• Configure Azure Active Directory Authentication for Existing Cluster
• Azure deployment reference

Comments