Use Entra ID authentication with Service Fabric clusters

Security · Service Fabric · Rule · 2021_03 · Critical

Use Entra ID client authentication for Service Fabric clusters.

Description

When deploying Service Fabric clusters on Azure, Entra ID (previously known as Azure AD) can optionally be used to secure management endpoints. If configured, client authentication (client-to-node security) uses Entra ID. Additionally, Azure role-based access control (RBAC) can be used to delegate cluster access.

For Service Fabric clusters running on Azure, Entra ID is recommended to secure access to management endpoints.

Recommendation

Consider enabling Entra ID client authentication for Service Fabric clusters.

Examples

Configure with Bicep

To deploy clusters that pass this rule:

  • Set properties.azureActiveDirectory with the Entra ID tenantId, clusterApplication, and clientApplication to use for client authentication.

For example:

Azure Bicep snippet

```bicep
resource cluster 'Microsoft.ServiceFabric/clusters@2023-11-01-preview' = {
  name: name
  location: location
  properties: {
    // Entra ID client authentication (client-to-node security)
    azureActiveDirectory: {
      clientApplication: clientApplication
      clusterApplication: clusterApplication
      tenantId: tenantId
    }
    certificate: {
      thumbprint: certificateThumbprint
      x509StoreName: 'My'
    }
    diagnosticsStorageAccountConfig: {
      blobEndpoint: storageAccount.properties.primaryEndpoints.blob
      protectedAccountKeyName: 'StorageAccountKey1'
      queueEndpoint: storageAccount.properties.primaryEndpoints.queue
      storageAccountName: storageAccount.name
      tableEndpoint: storageAccount.properties.primaryEndpoints.table
    }
    fabricSettings: [
      {
        parameters: [
          {
            name: 'ClusterProtectionLevel'
            value: 'EncryptAndSign'
          }
        ]
        name: 'Security'
      }
    ]
    managementEndpoint: endpointUri
    nodeTypes: []
    reliabilityLevel: 'Silver'
    upgradeMode: 'Automatic'
    vmImage: 'Windows'
  }
}
```

Configure with Azure template

To deploy clusters that pass this rule:

  • Set properties.azureActiveDirectory with the Entra ID tenantId, clusterApplication, and clientApplication to use for client authentication.

For example:

Azure Template snippet

```json
{
  "type": "Microsoft.ServiceFabric/clusters",
  "apiVersion": "2023-11-01-preview",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "azureActiveDirectory": {
      "clientApplication": "[parameters('clientApplication')]",
      "clusterApplication": "[parameters('clusterApplication')]",
      "tenantId": "[parameters('tenantId')]"
    },
    "certificate": {
      "thumbprint": "[parameters('certificateThumbprint')]",
      "x509StoreName": "My"
    },
    "diagnosticsStorageAccountConfig": {
      "blobEndpoint": "[reference(resourceId('Microsoft.Storage/storageAccounts', 'storage1'), '2021-01-01').primaryEndpoints.blob]",
      "protectedAccountKeyName": "StorageAccountKey1",
      "queueEndpoint": "[reference(resourceId('Microsoft.Storage/storageAccounts', 'storage1'), '2021-01-01').primaryEndpoints.queue]",
      "storageAccountName": "storage1",
      "tableEndpoint": "[reference(resourceId('Microsoft.Storage/storageAccounts', 'storage1'), '2021-01-01').primaryEndpoints.table]"
    },
    "fabricSettings": [
      {
        "parameters": [
          {
            "name": "ClusterProtectionLevel",
            "value": "EncryptAndSign"
          }
        ],
        "name": "Security"
      }
    ],
    "managementEndpoint": "[parameters('endpointUri')]",
    "nodeTypes": [],
    "reliabilityLevel": "Silver",
    "upgradeMode": "Automatic",
    "vmImage": "Windows"
  }
}
```

Notes

For Linux clusters, Entra ID authentication must be configured at cluster creation time. Windows clusters can be updated to support Entra ID authentication after initial deployment.
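The following is an added example, not part of this rule's documentation or of PSRule itself. It shows the condition this rule tests as a stand-alone pre-deployment check over an ARM template: each Microsoft.ServiceFabric/clusters resource must carry a properties.azureActiveDirectory block with non-empty tenantId, clusterApplication and clientApplication. It also applies the caveat from the Notes section, reporting a failing Linux cluster as needing redeployment rather than an in-place update. The template embedded below is constructed sample input; the resource names and the single-file layout are assumptions.

```python
"""Check Service Fabric cluster resources in an ARM template for Entra ID
client authentication, i.e. a complete properties.azureActiveDirectory block.
"""
import json

SF_CLUSTER_TYPE = "Microsoft.ServiceFabric/clusters"
# Properties this rule expects to be set for Entra ID client authentication.
REQUIRED_AAD_KEYS = ("tenantId", "clusterApplication", "clientApplication")

# Constructed sample template: one compliant Windows cluster, one Windows
# cluster with no Entra ID block, one Linux cluster with an empty
# clientApplication, plus an unrelated resource that must be skipped.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": "Microsoft.Storage/storageAccounts", "name": "storage1"},
        {
            "type": SF_CLUSTER_TYPE, "name": "sf-win-ok",
            "properties": {
                "vmImage": "Windows",
                "azureActiveDirectory": {
                    "tenantId": "[parameters('tenantId')]",
                    "clusterApplication": "[parameters('clusterApplication')]",
                    "clientApplication": "[parameters('clientApplication')]",
                },
            },
        },
        {
            "type": SF_CLUSTER_TYPE, "name": "sf-win-missing",
            "properties": {"vmImage": "Windows"},
        },
        {
            "type": SF_CLUSTER_TYPE, "name": "sf-linux-partial",
            "properties": {
                "vmImage": "Linux",
                "azureActiveDirectory": {
                    "tenantId": "00000000-0000-0000-0000-000000000000",  # placeholder tenant
                    "clusterApplication": "11111111-1111-1111-1111-111111111111",  # placeholder app
                    "clientApplication": "",
                },
            },
        },
    ],
})


def _is_set(value) -> bool:
    """True when a property is a non-empty string (ARM expressions count as set)."""
    return isinstance(value, str) and value.strip() != ""


def check_cluster(resource: dict) -> dict:
    """Evaluate one cluster resource against the rule and return a result record."""
    props = resource.get("properties") or {}
    aad = props.get("azureActiveDirectory") or {}
    missing = [k for k in REQUIRED_AAD_KEYS if not _is_set(aad.get(k))]
    result = {"name": resource.get("name"), "pass": not missing,
              "missing": missing, "remediation": None}
    if missing:
        # Linux clusters can only get Entra ID auth at creation time; Windows
        # clusters can be updated in place after deployment.
        is_linux = str(props.get("vmImage", "")).lower() == "linux"
        result["remediation"] = "redeploy" if is_linux else "update"
    return result


def check_template(template_json: str) -> list:
    """Run the check over every Service Fabric cluster resource in a template."""
    template = json.loads(template_json)
    return [check_cluster(r) for r in template.get("resources", [])
            if r.get("type") == SF_CLUSTER_TYPE]


if __name__ == "__main__":
    for r in check_template(SAMPLE_TEMPLATE):
        status = "PASS" if r["pass"] else "FAIL"
        print(f"{status} {r['name']}: missing={r['missing']} remediation={r['remediation']}")
```

Values such as "[parameters('tenantId')]" are treated as set because the template expression is resolved at deployment; a stricter pipeline would evaluate the parameter file as well.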
