How to configure the management endpoint of a service fabric cluster with a custom domain

Use case scenario:

This is useful in a scenario where you need to configure your own custom domain on the management endpoint of a SF cluster. With this, you’ll be able to make management operation using this custom domain with PowerShell, Service Fabric Explorer etc.

Pre-requisite/Recommendation:

It’s recommended to get a CA signed certificate for your custom domain and upload it to Azure KeyVault so that it can be associated with the SF cluster. You can use this common name-based certificate as cluster certificate instead of cert thumbprint approach to make the certificate roll-over process easier.

Please find more details here: https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-create-cluster-using-cert-cn

Steps:

1. You need to use the ARM template deployment to make this change, hence while making the deployment, you need to update the SF cluster resource’s management endpoint parameter i.e. managementEndpoint to the custom domain name specifying 19080 port as follows:

         "managementEndpoint": "https://xxxxxmicrosoft.in:19080"

Attaching my ARM template of Cluster resource only for reference, please don’t copy and paste as it is.

<ARM template>

{
            "type": "Microsoft.ServiceFabric/clusters",
            "apiVersion": "2018-02-01",
            "name": "[parameters('clusterName')]",
            "location": "[parameters('clusterLocation')]",
            "dependsOn": [
                "[concat('Microsoft.Storage/storageAccounts/', parameters('supportLogStorageAccountName'))]"
            ],
            "tags": {
                "resourceType": "Service Fabric",
                "clusterName": "[parameters('clusterName')]"
            },
            "properties": {
                "addonFeatures": [
                    "DnsService"
                ],
                "certificate": {
                    "thumbprint": "[parameters('certificateThumbprint')]",
                    "x509StoreName": "[parameters('certificateStoreValue')]"
                },
                "clientCertificateCommonNames": [],
                "clientCertificateThumbprints": [],
                "clusterState": "Default",
                "diagnosticsStorageAccountConfig": {
                    "blobEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', parameters('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]",
                    "protectedAccountKeyName": "StorageAccountKey1",
                    "queueEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', parameters('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.queue]",
                    "storageAccountName": "[parameters('supportLogStorageAccountName')]",
                    "tableEndpoint": "[reference(concat('Microsoft.Storage/storageAccounts/', parameters('supportLogStorageAccountName')), variables('storageApiVersion')).primaryEndpoints.table]"
                },
                "fabricSettings": [
                    {
                        "parameters": [
                            {
                                "name": "ClusterProtectionLevel",
                                "value": "[parameters('clusterProtectionLevel')]"
                            }
                        ],
                        "name": "Security"
                    }
                ],
                "managementEndpoint": "https://xxxxxmicrosoft.in:19080",
                "nodeTypes": [
                    {
                        "name": "[parameters('vmNodeType0Name')]",
                        "applicationPorts": {
                            "endPort": "[parameters('nt0applicationEndPort')]",
                            "startPort": "[parameters('nt0applicationStartPort')]"
                        },
                        "clientConnectionEndpointPort": "[parameters('nt0fabricTcpGatewayPort')]",
                        "durabilityLevel": "Bronze",
                        "ephemeralPorts": {
                            "endPort": "[parameters('nt0ephemeralEndPort')]",
                            "startPort": "[parameters('nt0ephemeralStartPort')]"
                        },
                        "httpGatewayEndpointPort": "[parameters('nt0fabricHttpGatewayPort')]",
                        "isPrimary": true,
                        "reverseProxyEndpointPort": "[parameters('nt0reverseProxyEndpointPort')]",
                        "vmInstanceCount": "[parameters('nt0InstanceCount')]"
                    }
                ],
                "provisioningState": "Default",
                "reliabilityLevel": "Bronze",
                "upgradeMode": "Automatic",
                "vmImage": "Windows"
            }
        }

</ARM template>

2. Update certificate details on the ARM template if you have a CA signed certificate for the custom domain and it’s uploaded to key vault.
   
   While the auto-generated self-signed certificate would work (in case a CA signed certificate details is not specified explicitly in the ARM template), but it would give warning of hostname mismatch while accessing the management endpoint over SSL/https.
   
   
3. Deploy the ARM template with above changes
   
   
4. Update the custom domain's DNS setting point to the respective service fabric load balancer’s public/internal IP address.

After the SF cluster gets created and DNS mapping gets propagated successfully, you would be able to access the SF cluster using the custom domain management endpoint.