Skip to content

Service Fabric Cluster allows unencrypted node to node communication#

Security · Service Fabric · Rule · 2025_06 · Important

Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks.

Description#

Service Fabric provides three levels of protection (None, Sign, and EncryptAndSign) for node-to-node communication. When configured for signing and encryption the primary cluster certificate is used to sign and encrypt all node-to-node messages. Node-to-node security helps secure communication between the VMs or computers in a cluster.

Recommendation#

Consider configuring the cluster protection level to encrypt and sign all node-to-node communication.

Examples#

Configure with Bicep#

To deploy clusters that pass this rule:

  • Add the Security fabric setting to the properties.fabricSettings property.
  • Set the ClusterProtectionLevel parameter to EncryptAndSign.

For example:

Azure Bicep snippet
resource cluster 'Microsoft.ServiceFabric/clusters@2023-11-01-preview' = {
  name: name
  location: location
  properties: {
    azureActiveDirectory: {
      clientApplication: clientApplication
      clusterApplication: clusterApplication
      tenantId: tenantId
    }
    certificate: {
      thumbprint: certificateThumbprint
      x509StoreName: 'My'
    }
    diagnosticsStorageAccountConfig: {
      blobEndpoint: storageAccount.properties.primaryEndpoints.blob
      protectedAccountKeyName: 'StorageAccountKey1'
      queueEndpoint: storageAccount.properties.primaryEndpoints.queue
      storageAccountName: storageAccount.name
      tableEndpoint: storageAccount.properties.primaryEndpoints.table
    }
    fabricSettings: [
      {
        parameters: [
          {
            name: 'ClusterProtectionLevel'
            value: 'EncryptAndSign'
          }
        ]
        name: 'Security'
      }
    ]
    managementEndpoint: endpointUri
    nodeTypes: []
    reliabilityLevel: 'Silver'
    upgradeMode: 'Automatic'
    vmImage: 'Windows'
  }
}

Configure with Azure template#

To deploy clusters that pass this rule:

  • Add the Security fabric setting to the properties.fabricSettings property.
  • Set the ClusterProtectionLevel parameter to EncryptAndSign.

For example:

Azure Template snippet
{
  "type": "Microsoft.ServiceFabric/clusters",
  "apiVersion": "2023-11-01-preview",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "azureActiveDirectory": {
      "clientApplication": "[parameters('clientApplication')]",
      "clusterApplication": "[parameters('clusterApplication')]",
      "tenantId": "[parameters('tenantId')]"
    },
    "certificate": {
      "thumbprint": "[parameters('certificateThumbprint')]",
      "x509StoreName": "My"
    },
    "diagnosticsStorageAccountConfig": {
      "blobEndpoint": "[reference(resourceId('Microsoft.Storage/storageAccounts', 'storage1'), '2021-01-01').primaryEndpoints.blob]",
      "protectedAccountKeyName": "StorageAccountKey1",
      "queueEndpoint": "[reference(resourceId('Microsoft.Storage/storageAccounts', 'storage1'), '2021-01-01').primaryEndpoints.queue]",
      "storageAccountName": "storage1",
      "tableEndpoint": "[reference(resourceId('Microsoft.Storage/storageAccounts', 'storage1'), '2021-01-01').primaryEndpoints.table]"
    },
    "fabricSettings": [
      {
        "parameters": [
          {
            "name": "ClusterProtectionLevel",
            "value": "EncryptAndSign"
          }
        ],
        "name": "Security"
      }
    ],
    "managementEndpoint": "[parameters('endpointUri')]",
    "nodeTypes": [],
    "reliabilityLevel": "Silver",
    "upgradeMode": "Automatic",
    "vmImage": "Windows"
  }
}

Comments