c# .net azure visual-studio-2017 azure-service-fabric

How to route all traffic through https?


Service Fabric allows you to specify what endpoints it will listen on, and each service can expose different protocols like so:

    protected override IEnumerable<ServiceInstanceListener> CreateServiceInstanceListeners()
    {
        return new[]
        {
            // HTTPS listener; the string passed to OwinCommunicationListener is the
            // endpoint name declared in ServiceManifest.xml.
            new ServiceInstanceListener(serviceContext => new OwinCommunicationListener(Startup.ConfigureApp,
                serviceContext, ServiceEventSource.Current, "ServiceEndpointHttps"), "Https"),

            // You can add another one here like so. With more than one listener,
            // each ServiceInstanceListener needs a unique name (second argument).
            new ServiceInstanceListener(serviceContext => new OwinCommunicationListener(Startup.ConfigureApp,
                serviceContext, ServiceEventSource.Current, "ServiceEndpointUnsecured"), "Http")
        };
    }

In the ServiceManifest.xml file, we can specify these two endpoints:

    <Endpoints>
      <Endpoint Protocol="http" Name="ServiceEndpointUnsecured" Type="Input" />
      <Endpoint Protocol="https" Name="ServiceEndpointHttps" Type="Input" />
    </Endpoints>

We have 100 microservices, and we want to have only 1 central location where we configure whether the services are running through http or https.

Is it possible to change this setup so that we would have only 1 location that would be responsible for routing http or https for ALL services?


Solution

  • Depending on whether you are talking about communication between services within the cluster or from outside the cluster, there are a few different approaches.

    For service-to-service communication inside the cluster, it's all up to the client (e.g. the other service making the call). The reverse proxy, as Rogala mentions, would be the central solution. You can call the reverse proxy and it will use the Service Fabric naming service to route to the exposed endpoint. If you only expose https, it will be https. You can also configure the reverse proxy to always use https: https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-reverseproxy-configure-secure-communication

    For ingress to the cluster, a similar concept, having everything going through a gateway service inside the cluster, is the common pattern. The gateway service would then use the reverse proxy and thus the pattern described above: https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-connect-and-communicate-with-services#connections-from-external-clients
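
With 100 services, "only expose https" is easiest to enforce as one central check over every ServiceManifest.xml. The script below is an added example, not part of the original question or answer: it flags any `Endpoint` still declared with `Protocol="http"`. The sample manifests, service names and the `audit` / `plaintext_endpoints` helpers are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifests; service and package names are made up.
SAMPLE_MANIFESTS = {
    "OrdersService/ServiceManifest.xml": """\
<ServiceManifest Name="OrdersPkg" Version="1.0.0"
                 xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <Resources><Endpoints>
    <Endpoint Protocol="http" Name="ServiceEndpointUnsecured" Type="Input" />
    <Endpoint Protocol="https" Name="ServiceEndpointHttps" Type="Input" />
  </Endpoints></Resources>
</ServiceManifest>""",
    "BillingService/ServiceManifest.xml": """\
<ServiceManifest Name="BillingPkg" Version="1.0.0"
                 xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <Resources><Endpoints>
    <Endpoint Protocol="https" Name="ServiceEndpointHttps" Type="Input" />
  </Endpoints></Resources>
</ServiceManifest>""",
}

def plaintext_endpoints(manifest_xml):
    """Return the names of Endpoint elements declared with Protocol="http"."""
    root = ET.fromstring(manifest_xml)
    return [
        el.get("Name", "<unnamed>")
        for el in root.iter()
        # Compare local names so manifests with or without the namespace match.
        if el.tag.rsplit("}", 1)[-1] == "Endpoint"
        and el.get("Protocol", "").strip().lower() == "http"
    ]

def audit(manifests):
    """Map manifest path -> http endpoint names; clean manifests are omitted."""
    findings = {}
    for path, xml_text in manifests.items():
        try:
            names = plaintext_endpoints(xml_text)
        except ET.ParseError as exc:
            # Fail closed: a manifest that cannot be parsed is reported, not skipped.
            names = [f"<unparseable manifest: {exc}>"]
        if names:
            findings[path] = names
    return findings

if __name__ == "__main__":
    for path, names in audit(SAMPLE_MANIFESTS).items():
        print(f"{path}: plain-http endpoints {names}")
```

In a build pipeline, pass `audit` a dict of the manifest files read from the repository and fail the build when it returns anything.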