Service Fabric Cluster allows unencrypted node to node communication
June 1, 2025
SYNOPSIS
Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks.
DESCRIPTION
Service Fabric provides three levels of protection (None, Sign, and EncryptAndSign) for node-to-node communication. When configured for signing and encryption, the primary cluster certificate is used to sign and encrypt all node-to-node messages. Node-to-node security helps secure communication between the VMs or computers in a cluster.
RECOMMENDATION
Consider configuring the cluster protection level to encrypt and sign all node-to-node communication.
EXAMPLES
Configure with Bicep
To deploy clusters that pass this rule:
- Add the Security fabric setting to the properties.fabricSettings property.
- Set the ClusterProtectionLevel parameter to EncryptAndSign.
For example:
resource cluster 'Microsoft.ServiceFabric/clusters@2023-11-01-preview' = {
  name: name
  location: location
  properties: {
    azureActiveDirectory: {
      clientApplication: clientApplication
      clusterApplication: clusterApplication
      tenantId: tenantId
    }
    certificate: {
      thumbprint: certificateThumbprint
      x509StoreName: 'My'
    }
    diagnosticsStorageAccountConfig: {
      blobEndpoint: storageAccount.properties.primaryEndpoints.blob
      protectedAccountKeyName: 'StorageAccountKey1'
      queueEndpoint: storageAccount.properties.primaryEndpoints.queue
      storageAccountName: storageAccount.name
      tableEndpoint: storageAccount.properties.primaryEndpoints.table
    }
    fabricSettings: [
      {
        parameters: [
          {
            name: 'ClusterProtectionLevel'
            value: 'EncryptAndSign'
          }
        ]
        name: 'Security'
      }
    ]
    managementEndpoint: endpointUri
    nodeTypes: []
    reliabilityLevel: 'Silver'
    upgradeMode: 'Automatic'
    vmImage: 'Windows'
  }
}
Configure with Azure template
To deploy clusters that pass this rule:
- Add the Security fabric setting to the properties.fabricSettings property.
- Set the ClusterProtectionLevel parameter to EncryptAndSign.
For example:
{
  "type": "Microsoft.ServiceFabric/clusters",
  "apiVersion": "2023-11-01-preview",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "azureActiveDirectory": {
      "clientApplication": "[parameters('clientApplication')]",
      "clusterApplication": "[parameters('clusterApplication')]",
      "tenantId": "[parameters('tenantId')]"
    },
    "certificate": {
      "thumbprint": "[parameters('certificateThumbprint')]",
      "x509StoreName": "My"
    },
    "diagnosticsStorageAccountConfig": {
      "blobEndpoint": "[reference(resourceId('Microsoft.Storage/storageAccounts', 'storage1'), '2021-01-01').primaryEndpoints.blob]",
      "protectedAccountKeyName": "StorageAccountKey1",
      "queueEndpoint": "[reference(resourceId('Microsoft.Storage/storageAccounts', 'storage1'), '2021-01-01').primaryEndpoints.queue]",
      "storageAccountName": "storage1",
      "tableEndpoint": "[reference(resourceId('Microsoft.Storage/storageAccounts', 'storage1'), '2021-01-01').primaryEndpoints.table]"
    },
    "fabricSettings": [
      {
        "parameters": [
          {
            "name": "ClusterProtectionLevel",
            "value": "EncryptAndSign"
          }
        ],
        "name": "Security"
      }
    ],
    "managementEndpoint": "[parameters('endpointUri')]",
    "nodeTypes": [],
    "reliabilityLevel": "Silver",
    "upgradeMode": "Automatic",
    "vmImage": "Windows"
  }
}
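The check this rule performs on the Bicep and Azure template examples above, written out as a stand-alone script (an added example, not the rule's own implementation): it walks a cluster resource's properties.fabricSettings, finds the Security section, and reports whether ClusterProtectionLevel is EncryptAndSign. The three sample resources are constructed for the example; the cluster type and setting names come from the page.

```python
import json

# Constructed sample: the compliant resource from the page, trimmed to the
# properties the check inspects.
COMPLIANT = json.loads("""{
  "type": "Microsoft.ServiceFabric/clusters",
  "properties": {"fabricSettings": [
    {"name": "Security",
     "parameters": [{"name": "ClusterProtectionLevel", "value": "EncryptAndSign"}]}
  ]}
}""")

# Constructed sample: traffic is signed but not encrypted, so the rule fails.
SIGN_ONLY = {
    "type": "Microsoft.ServiceFabric/clusters",
    "properties": {"fabricSettings": [
        {"name": "Security",
         "parameters": [{"name": "ClusterProtectionLevel", "value": "Sign"}]}]},
}

# Constructed sample: no Security section, so the level is not set explicitly.
UNSET = {"type": "Microsoft.ServiceFabric/clusters", "properties": {}}


def cluster_protection_level(resource):
    """Return the ClusterProtectionLevel value, or None when it is not set."""
    props = resource.get("properties") or {}
    for setting in props.get("fabricSettings") or []:
        # fabricSettings is a list of named sections; only Security matters here.
        if str(setting.get("name", "")).lower() != "security":
            continue
        for param in setting.get("parameters") or []:
            if str(param.get("name", "")).lower() == "clusterprotectionlevel":
                return param.get("value")
    return None


def passes_rule(resource):
    """True only when node-to-node traffic is both signed and encrypted."""
    if resource.get("type") != "Microsoft.ServiceFabric/clusters":
        return True  # the rule applies to cluster resources only
    level = cluster_protection_level(resource)
    return level is not None and str(level).lower() == "encryptandsign"


if __name__ == "__main__":
    for label, res in [("compliant", COMPLIANT), ("sign-only", SIGN_ONLY), ("unset", UNSET)]:
        print(f"{label}: level={cluster_protection_level(res)} pass={passes_rule(res)}")
```

A resource with no Security section is reported as failing because the template does not prove the level; confirm the effective value on the cluster rather than assuming a default.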