Cloud Architecture Pattern: Azure Service Fabric and Microservices – Part 1 (Physical Architecture)

Microservices is today’s buzzword, and new-world drivers such as Mobile Apps, Single Page Apps and IoT have proven the case for a Microservices architecture. Microservices are highly scalable and independently deployable services; the approach develops an application as a cluster of such services.

I have followed Azure Service Fabric curiously since it was in private preview. Azure Service Fabric provides more granular control and a distributed-state process model (cache or data is co-located with the service process and distributed across all the nodes). Service Fabric provides agility and flexibility for complex, distributed, enterprise-scale Microservices implementations.

Azure Service Fabric is designed to give you more power, flexibility and granular control for every implementation stage.

  • Faster deployment: application packages and extensions can be deployed to the cluster very quickly.
  • High-density hosting: better compute efficiency by lowering overall cost and making effective use of resources.
  • Distributed application management simplifies the overall architecture and engineering effort.
  • Service discovery mechanism (Naming Service) for resolving the endpoint addresses of services.

In this series of blog posts, Cloud Architecture Pattern: Azure Service Fabric and Microservices, we journey from the basic to the advanced aspects of a microservices architecture built on Azure Service Fabric and Microsoft Azure. This article (Part 1) has given you an overview, and the coming sections discuss the physical architecture design in detail. The second and third parts of the series cover best practices for Service Fabric Microservices (i.e. the logical or solution architecture) and Security & Service Management respectively.

New !dea

In engineering, we use technology stack scaffolding or a starter kit. It helps keep engineering practices aligned and improves productivity. I am trying to employ the same for architecture designs, and will share all the Microsoft Visio diagrams and the scaffolding starter kit.

Physical/Infrastructure Architecture Design

The physical architecture of Microservices usually includes some other PaaS dependencies, such as an Internal Load Balancer. Some other Azure PaaS services are highly recommended for security, business continuity and scalability, i.e. Application Gateway, Azure Key Vault, Network Subnets and VNet, Azure AD and VM Scale Sets.

Physical architecture of Azure Service Fabric Microservices. You can download the source from https://github.com/nilayparikh/architecture-scaffolding/ .

Service Fabric Cluster

Azure Service Fabric is a distributed systems platform (SaaS) that focuses on scalability, reliability and manageability at its core. Please follow the Service Fabric Overview if you are new to Azure Service Fabric.

Physical and Logical Service Representation as Microservices in Azure Service Fabric.

Adoption of Azure Service Fabric is a transition from “monolithic giants” to “agile minions”. In the representational diagram above, you can see how logical application services break down into a flexible and scalable deployment across six Service Fabric nodes.

Significance in a proposed architecture design
  • Flexible deployment model: services are hosted based on optimised resource grouping.
  • Every individual service ensures its own availability.
  • Services provide a custom HTTP/TCP probe to the Internal Load Balancer, which guarantees that any unhealthy node goes offline and the ILB routes all incoming requests to healthy nodes.
  • The Service Fabric deployment model ensures 100% availability* while patching or upgrading your Microservices (*subject to application design).

Internal Load Balancer

Azure Internal Load Balancer (ILB) directs traffic to resources inside the Cloud Service; from a security perspective it is an important feature. The Azure infrastructure restricts access to the Azure ILB to the load-balanced VIPs (Virtual IPs) of a cloud service. Therefore, it provides service isolation and is never exposed to the Internet. For more information on Internal Load Balancer, you can follow the Microsoft Documentation.

You can find a detailed implementation guide here.

Significance in a proposed architecture design
  • Provides load balancing capabilities in front of Service Fabric nodes.
  • HTTP/TCP custom health probe support for High Availability.

Virtual Network (VNet), Network Subnets and Network Security Group

An Azure Virtual Network (VNet) is an isolated representation of your network in the cloud. It gives an organisation and its IT full control over IP address blocks, DNS, security policy, firewall rules and route tables within the VNet. Further segmentation of the VNet follows the same principles as an on-premises network: subnets and a perimeter firewall can provide further logical isolation between resource groups or assets.

From a security (and some compliance) perspective, it is essential to maintain such network-level isolation. A VNet or Subnet is not critical to a Service Fabric and Microservice architecture, but it is good overall practice to isolate Service Fabric Clusters from direct external access. An Azure Network Security Group (NSG) contains a list of ACL rules (or firewall rules) that allow or deny incoming/outgoing network traffic to your Service Fabric nodes. An NSG can be associated with either a subnet or an individual Service Fabric node.

For advanced security scenarios, refer to Azure Marketplace Virtual Appliances.

Significance in a proposed architecture design
  • Network segmentation.
  • Access Control List rules for bi-directional network traffic.
  • Provides a layer of security by restricting unauthorised access and direct Internet access.
  • Enables secure network tunnelling between trusted zones, e.g. Azure ExpressRoute (on-premises) and cross-regional VNet peering (for High Availability).
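To make the NSG rule semantics above concrete, here is an added example (not code from the original post or from Azure): a small Python model of priority-ordered inbound rule evaluation for a Service Fabric subnet, combining Azure's default inbound rules with one constructed allow rule for the Application Gateway subnet. The VNet range 10.0.0.0/16, gateway subnet 10.0.1.0/24 and service port range 8080-8090 are assumed sample values; 168.63.129.16 is the Azure platform address used for load balancer health probes.

```python
# Added example, not from the original post: model of how an Azure NSG decides inbound
# traffic. Lower priority number wins, the first match is final, default rules come last.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed, simplified resolution of Azure service tags to prefixes.
SERVICE_TAGS = {
    "VirtualNetwork": [ip_network("10.0.0.0/16")],          # sample VNet address space
    "AzureLoadBalancer": [ip_network("168.63.129.16/32")],  # Azure health-probe source
    "Internet": [ip_network("0.0.0.0/0")],
    "*": [ip_network("0.0.0.0/0")],
}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # CIDR or service tag
    dest_ports: str   # "443", "8080-8090" or "*"

def _port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _source_match(spec, src):
    nets = SERVICE_TAGS.get(spec) or [ip_network(spec)]
    return any(ip_address(src) in n for n in nets)

# Azure's built-in default inbound rules (priorities 65000-65500) sit behind every custom rule.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

def cluster_rules():
    """Constructed custom rules: only the Application Gateway subnet reaches the service ports."""
    return [Rule("AllowAppGatewayToServices", 100, "Allow", "Tcp", "10.0.1.0/24", "8080-8090")]

def evaluate_inbound(rules, src_ip, dst_port, protocol="Tcp"):
    """Return (matching rule name, allowed?) for one inbound flow to a Service Fabric node."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda x: x.priority):
        if r.protocol in ("*", protocol) and _port_match(r.dest_ports, dst_port) \
                and _source_match(r.source, src_ip):
            return r.name, r.access == "Allow"
```

Note that AllowVnetInBound admits all intra-VNet traffic (which Service Fabric node-to-node communication relies on), so a flow from another subnet that misses the custom rule is still allowed; tightening that requires an explicit deny at a lower priority number.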

Application Gateway and Web Application Firewall

Microsoft Azure Application Gateway offers layer 7 load balancing capabilities, SSL offloading, layer-7 routeing, cookie-based session affinity, URL routeing and the ability to host multiple web applications. Application Gateway also offers a Web Application Firewall (WAF) that protects your Microservices against the OWASP Top 10 vulnerabilities; WAF is still in preview.

Reference

Note

Azure Application Gateway requires its own subnet. When creating a virtual network, ensure that you leave enough address space for multiple subnets. Once you deploy an application gateway to a subnet, only additional application gateways can be added to that subnet.

Significance in a proposed architecture design
  • Provides secure channel access for incoming and outgoing traffic to/from Service Fabric Clusters.
  • SSL offloading and SSL wildcard support. [Update: the Microsoft Azure Networking Team has recently added this feature; it was not supported prior to 2017. Reference: Azure Feedback Portal]
  • Web Application Firewall protection against the OWASP Top 10.
Alternatives to the design
  • Application Gateway and Web Application Firewall are not mandatory prerequisites or requirements for Service Fabric Microservices.
  • An Azure Internet Load Balancer can replace the component and its associated network subnet.

VM Scale Set

VM Scale Sets are an Azure Compute resource that can be used to deploy and manage a collection of Service Fabric nodes as a set. Every node type defined in a Service Fabric cluster is set up as a separate VM Scale Set, and each node type can be scaled up or down independently.

VM Scale Sets support rule-based auto-scaling (in or out) as well as programmatic scaling. VM Scale Sets are an optional component, and fully functional microservices can be delivered without them. It is recommended to configure a quick turnaround so that scale-out happens promptly when computing resources are being stretched, and scale-in happens when demand is far below the provisioned computing resources.

Significance in a proposed architecture design

We will discuss other aspects of the architectural pattern, e.g. application security, perimeter security and Service Fabric node-to-node security, in coming posts.
