Bernhard Koenig

Reputation: 1382

Is it possible to isolate applications from one another in Service Fabric?

When running a Service Fabric cluster, it would make sense to have multiple applications running in it, but those applications might not be dependent on each other in any way. For example, I can have a CustomerApp in there, and a WikiApp.

Now from a security standpoint, it would be great if the WikiApp could be isolated from the CustomerApp, as a Wiki clearly should not be able to connect to services from an App that is holding customer data. I could put authentication into the services of the CustomerApp itself to allow only calls from authenticated services, but in addition, it would be even better if the WikiApp were not even able to connect to or see the other App, and not able to resolve an endpoint address from the naming service.

So is there a way to really isolate applications from each other in Service Fabric with a platform feature? I could not find anything about it in the documentation, and I also doubt it's possible the way Service Fabric works, but it would be very useful.

And to be clear, I'm really talking about isolating applications (ApplicationTypes) from each other, not services within a single application.

Upvotes: 4

Views: 712

Answers (1)

Vaclav Turecek

Reputation: 9050

There are some levels of isolation built in:

  • Application instances have process-level isolation, in that each application instance runs in its own process.
  • Node isolation is possible, using placement constraints, to "isolate" services from each other by constraining them to run on different nodes.
  • Container support will be available in the future, where applications and services can run inside containers for further environment and resource isolation.
  • Services can run under unique user accounts, which you can use to perform authentication yourself at the application level.

But unfortunately there is no fine-grained role-based access mechanism built into the platform today. So, for example, system-wide operations like running queries to get a list of applications or services, or resolving endpoints using the naming service, don't have any role-based access built in.

Upvotes: 4
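As an added illustration of the two mechanisms the answer lists (placement constraints and per-service user accounts), here is an ApplicationManifest.xml fragment for the hypothetical WikiApp; it is not from the answer or from Microsoft's documentation. It assumes a node type named WikiNodes exists in the cluster manifest, a service manifest named WikiServicePkg whose code package is called Code, and a local account name WikiSvcUser.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Hypothetical manifest for the WikiApp from the question (names are assumptions). -->
<ApplicationManifest xmlns="http://schemas.microsoft.com/2011/01/fabric"
                     ApplicationTypeName="WikiAppType"
                     ApplicationTypeVersion="1.0.0">

  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="WikiServicePkg" ServiceManifestVersion="1.0.0" />
    <Policies>
      <!-- Run the Wiki code package under its own low-privilege local account instead of
           the default (which on Windows is usually a high-privilege account). This gives
           the OS-level identity separation the answer refers to; it does not by itself
           stop the service from resolving other apps' endpoints via the naming service. -->
      <RunAsPolicy CodePackageRef="Code" UserRef="WikiSvcUser" EntryPointType="All" />
    </Policies>
  </ServiceManifestImport>

  <DefaultServices>
    <Service Name="WikiService">
      <StatelessService ServiceTypeName="WikiServiceType" InstanceCount="-1">
        <SingletonPartition />
        <!-- Node isolation: only schedule the Wiki on nodes of the WikiNodes node type.
             CustomerApp would carry the complementary constraint (NodeType == CustomerNodes),
             so the two applications never share a host. -->
        <PlacementConstraints>(NodeType == WikiNodes)</PlacementConstraints>
      </StatelessService>
    </Service>
  </DefaultServices>

  <Principals>
    <Users>
      <!-- Service Fabric creates this local user on each node when the app is deployed. -->
      <User Name="WikiSvcUser" AccountType="LocalUser" />
    </Users>
  </Principals>

</ApplicationManifest>
```

After deployment you can verify the placement with `Get-ServiceFabricReplica` / `Get-ServiceFabricPartition` in the Service Fabric PowerShell module and confirm every Wiki instance sits on a WikiNodes node.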
