Service Fabric cluster endpoints & Azure load balancer


Reaching external resources from a Service Fabric cluster is trivial, whereas reaching the cluster from the internet requires some configuration. The virtual machine scale set, the service endpoint and the load balancer all come into play. At first sight it can look as complicated as doing a puzzle, but understanding the mechanisms under the hood helps you realize that the whole process is easy.

Cluster setup

Let’s make a simple Service Fabric service that is reachable from a web browser and reports some information about the state of its computation. To do this, enter port number 80 (the port of the HTTP protocol) into the custom endpoints in the node type configuration of the Service Fabric cluster.

For this example, we will choose Stateless Web API. (This may not be the right choice for a computation service, but the focus of this example is on networking.) There are many XML configuration files in the solution. The most important of them (for now) is ServiceManifest.xml.

Don’t make any changes; debug the application first and load the address http://localhost:19080/. You will see Service Fabric Explorer. Then publish your app to the cluster and open the address http://<name>.<region>.cloudapp.azure.com:19080. You will see Service Fabric Explorer again. How do you deny everyone access to this administration interface?

Service Fabric Explorer visibility

The load balancer has a setting called Load balancing rules.

There are two rules that forward TCP ports 19000 and 19080 to all nodes of the Test node type. If you delete those rules, Service Fabric Explorer will no longer be accessible from the internet. However, the Azure Portal will then be unable to show the cluster state.

This means that if you wish to have visibility of your cluster via the Azure Portal, your load balancer must expose a public IP address and your Network Security Group must allow incoming traffic on port 19080. This is a temporary limitation. Configuring a publicly inaccessible cluster without any loss of management portal functionality will be possible in the upcoming months.

Health probes & Load balancing rules

The following image describes the network scheme of the cluster.

The cluster contains only one node type (called Test). Every node type is de facto a separate virtual machine scale set. The load balancer distributes traffic to particular node instances in accordance with the round-robin algorithm. When a node or application becomes unhealthy, the load balancer stops sending traffic there. To do so, the load balancer relies on health probes. Health probes actively check individual endpoints and inform the load balancer about the available healthy endpoints. When all instances are unhealthy, the connection times out. This is why setting up all endpoints correctly is not enough: all probes must be set up and running as well.

First, look up the ServiceManifest.xml file in the PackageRoot folder of the WebApi1 project and find the service endpoint (ServiceManifest / Resources / Endpoints). It contains the port number of the HTTP protocol, which in this case is 8210.

Second, configure the load balancer in your Service Fabric cluster. It is not reachable from the cluster panel; you must list all resources in the resource group and find the load balancer there. In the load balancer panel, select Health probes and configure the AppPortProbe1 probe. Set the protocol to HTTP, change the port to the number found in the ServiceManifest.xml file and set the correct path. The path is the URL that the probe calls. If your application responds to the probe’s request with an HTTP 404 status code, the application will be considered unhealthy regardless of its actual state. Lastly, click Save.

Third, select Load balancer rules in the load balancer panel and configure the AppPortLBRule1 rule. Change the backend port to the number found in the ServiceManifest.xml file and click Save.

Finally, open the URL of your Service Fabric cluster (http://<name>.<region>.cloudapp.azure.com/api/values) in the browser. You will be connected via the load balancer to one of the 3 instances of your WebApi1 service. The service responds according to the logic coded in the ValuesController class.
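The three configuration steps above, and the management rules on ports 19000 and 19080 described earlier, can be checked mechanically. The following Python sketch is an added example, not code from the article or from Service Fabric: it compares the endpoint port in ServiceManifest.xml with the probe and rule ports of a load balancer export. The JSON field names are assumed to be the flattened ones that `az network lb show` prints, and both inputs (including the `mgmt-http-rule` name) are constructed samples.

```python
import json
import xml.etree.ElementTree as ET

NS = {"sf": "http://schemas.microsoft.com/2011/01/fabric"}
MGMT_PORTS = {19000, 19080}  # management ports named in the article
# Constructed sample manifest; endpoint port 8210 is the article's value.
MANIFEST = """<ServiceManifest Name="WebApi1Pkg" Version="1.0.0"
    xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <Resources><Endpoints>
    <Endpoint Protocol="http" Name="ServiceEndpoint" Type="Input" Port="8210" />
  </Endpoints></Resources></ServiceManifest>"""

# Constructed export (assumed field names): probe and rule still use port 80.
LB = json.loads("""{
 "probes": [{"name": "AppPortProbe1", "protocol": "Tcp", "port": 80}],
 "loadBalancingRules": [
  {"name": "AppPortLBRule1", "frontendPort": 80, "backendPort": 80,
   "probe": {"id": "/probes/AppPortProbe1"}},
  {"name": "mgmt-http-rule", "frontendPort": 19080, "backendPort": 19080}]}""")

def manifest_ports(manifest_xml):
    """Ports of every <Endpoint> declared in the service manifest."""
    eps = ET.fromstring(manifest_xml).findall(".//sf:Endpoint", NS)
    return {int(e.get("Port")) for e in eps if e.get("Port")}

def audit(manifest_xml, lb):
    """Return (rule name, problem) pairs for one load balancer export."""
    ports = manifest_ports(manifest_xml)
    probes = {p["name"]: p for p in lb.get("probes", [])}
    out = []
    for rule in lb.get("loadBalancingRules", []):
        name, backend = rule["name"], rule["backendPort"]
        if MGMT_PORTS & {rule["frontendPort"], backend}:
            out.append((name, f"forwards management port {backend}"))
            continue
        if backend not in ports:
            out.append((name, f"backend port {backend} not in manifest"))
        probe_id = (rule.get("probe") or {}).get("id", "")
        probe = probes.get(probe_id.rsplit("/", 1)[-1])
        if probe is None:
            out.append((name, "no health probe attached"))
        elif probe["port"] not in ports:
            out.append((name, f"probe checks port {probe['port']}, not a manifest endpoint"))
        elif probe["protocol"].lower() != "http" or not probe.get("requestPath"):
            out.append((name, "probe is not an HTTP probe with a path"))
    return out

if __name__ == "__main__":
    print(*audit(MANIFEST, LB), sep="\n")
```

A rule reported as forwarding a management port is the one that makes Service Fabric Explorer reachable through the load balancer's public address.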

The path called by the load balancer’s probe should not return any data, only a success or error status code. The probe’s interval must be short so that the load balancer reacts quickly to an application failure. The application must not be stressed by the probe calls alone.

This article has covered load balancer settings for a stateless reliable service partitioned as a singleton (one primary replica). Partitioned or replicated services rely on the Service Fabric Naming Service. That topic will be covered in another article.