I wonder if it is possible to set up an unsecured Service Fabric Cluster that will only be accessible via a VPN Gateway (and not to the public internet).
We currently have an unsecured on-premises cluster that we want to move into the cloud.
A new resource set for the cluster is created with a load balancer that has a public IP address that cannot be changed. Is there a way to create the cluster with a load balancer with a non-public IP?
This can be achieved with an internal load balancer. You can't do it from the portal. You have to tweak your ARM template to create an internal load balancer instead of a public load balancer. Also, at the moment you can't assign virtual machine scale sets to a load balancer backend address pool from the portal, but this can be achieved with an ARM template as well.
Example to link your VMSS with an internal load balancer - https://github.com/Azure/azure-quickstart-templates/blob/master/201-vmss-internal-loadbalancer/azuredeploy.json (line 322). Once the normal Service Fabric template creates the backend address pool, this example can be used to create an internal load balancer and assign the VMSS backend pool to the internal load balancer.
And then this internal load balancer's IP can be used for all the communication to the Service Fabric cluster.
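The two template pieces the answer refers to, as an added example (not code from the original answer or from the linked quickstart): an internal load balancer whose frontend is a private address on the cluster subnet, and the networkProfile of the node-type scale set pointing at that load balancer's backend pool. Everything not shown (the virtual network, the rest of the scale set, the ServiceFabricNode extension) stays as the standard cluster template generates it. The resource names, the static address 10.0.0.250, the API versions and the two forwarded ports (19000 is the Service Fabric client gateway, 19080 the HTTP gateway / Service Fabric Explorer) are assumptions; substitute your own.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "variables": {
    "vnetName": "sf-vnet",
    "subnetName": "sf-subnet",
    "lbName": "sf-internal-lb",
    "bePoolName": "LoadBalancerBEAddressPool",
    "subnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vnetName'), variables('subnetName'))]",
    "lbRef": "[resourceId('Microsoft.Network/loadBalancers', variables('lbName'))]",
    "bePoolRef": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('lbName'), variables('bePoolName'))]",
    "feRef": "[concat(variables('lbRef'), '/frontendIPConfigurations/LoadBalancerIPConfig')]"
  },
  "resources": [
    {
      "comments": "Internal load balancer (assumed names/address). The frontend takes a private address from the subnet, so no public IP resource exists at all.",
      "type": "Microsoft.Network/loadBalancers",
      "apiVersion": "2020-05-01",
      "name": "[variables('lbName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "frontendIPConfigurations": [
          {
            "name": "LoadBalancerIPConfig",
            "properties": {
              "privateIPAllocationMethod": "Static",
              "privateIPAddress": "10.0.0.250",
              "subnet": { "id": "[variables('subnetRef')]" }
            }
          }
        ],
        "backendAddressPools": [ { "name": "[variables('bePoolName')]" } ],
        "probes": [
          { "name": "FabricGatewayProbe", "properties": { "protocol": "Tcp", "port": 19000, "intervalInSeconds": 5, "numberOfProbes": 2 } },
          { "name": "FabricHttpGatewayProbe", "properties": { "protocol": "Tcp", "port": 19080, "intervalInSeconds": 5, "numberOfProbes": 2 } }
        ],
        "loadBalancingRules": [
          {
            "name": "LBRule",
            "properties": {
              "frontendIPConfiguration": { "id": "[variables('feRef')]" },
              "backendAddressPool": { "id": "[variables('bePoolRef')]" },
              "probe": { "id": "[concat(variables('lbRef'), '/probes/FabricGatewayProbe')]" },
              "protocol": "Tcp", "frontendPort": 19000, "backendPort": 19000, "idleTimeoutInMinutes": 5
            }
          },
          {
            "name": "LBHttpRule",
            "properties": {
              "frontendIPConfiguration": { "id": "[variables('feRef')]" },
              "backendAddressPool": { "id": "[variables('bePoolRef')]" },
              "probe": { "id": "[concat(variables('lbRef'), '/probes/FabricHttpGatewayProbe')]" },
              "protocol": "Tcp", "frontendPort": 19080, "backendPort": 19080, "idleTimeoutInMinutes": 5
            }
          }
        ]
      }
    },
    {
      "comments": "Node-type scale set: only the networkProfile is shown. Its NIC config joins the internal LB's backend pool instead of the public LB's.",
      "type": "Microsoft.Compute/virtualMachineScaleSets",
      "apiVersion": "2019-07-01",
      "name": "nt1vm",
      "location": "[resourceGroup().location]",
      "dependsOn": [ "[variables('lbRef')]" ],
      "properties": {
        "virtualMachineProfile": {
          "networkProfile": {
            "networkInterfaceConfigurations": [
              {
                "name": "NIC-0",
                "properties": {
                  "primary": true,
                  "ipConfigurations": [
                    {
                      "name": "NIC-0-config",
                      "properties": {
                        "subnet": { "id": "[variables('subnetRef')]" },
                        "loadBalancerBackendAddressPools": [ { "id": "[variables('bePoolRef')]" } ]
                      }
                    }
                  ]
                }
              }
            ]
          }
        }
      }
    }
  ]
}
```

Two things to check before deploying: the Service Fabric node extension and the cluster resource's management endpoint still have to be consistent with the new frontend (point clients at 10.0.0.250:19000 and the Explorer at 10.0.0.250:19080 across the VPN), and removing the public load balancer removes the nodes' inbound public path only. The nodes still need outbound reachability to Azure (the Service Fabric resource provider, storage for diagnostics), so confirm outbound access for the chosen load balancer SKU (a Standard SKU internal load balancer provides no outbound SNAT on its own; a NAT gateway or an outbound rule is needed).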
I believe you can accomplish this by using an NSG, using the 'VIRTUAL_NETWORK' tag. Inspiration to be found here and here.
This default tag denotes all of your network address space. It includes the virtual network address space (CIDR ranges defined in Azure) as well as all connected on-premises address spaces and connected Azure VNets (local networks).
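The NSG approach above, as an added example (not the answerer's code): a network security group attached to the cluster subnet that allows the cluster endpoints only from the VirtualNetwork tag (which, per the quoted description, covers the VNet and the on-premises ranges connected through the VPN gateway) and explicitly denies them from the Internet tag. The NSG and subnet names, the API version, the address prefix and the ports 19000/19080 (Service Fabric client and HTTP gateways) are assumptions.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "variables": {
    "vnetName": "sf-vnet",
    "subnetName": "sf-subnet",
    "nsgName": "sf-subnet-nsg"
  },
  "resources": [
    {
      "comments": "Assumed NSG. Rules are evaluated by ascending priority; the first match wins.",
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2020-05-01",
      "name": "[variables('nsgName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "securityRules": [
          {
            "name": "AllowClusterEndpointsFromVnetAndVpn",
            "properties": {
              "description": "Client gateway (19000) and Explorer/HTTP gateway (19080) from the VNet and connected on-premises ranges only",
              "priority": 1000,
              "direction": "Inbound",
              "access": "Allow",
              "protocol": "Tcp",
              "sourceAddressPrefix": "VirtualNetwork",
              "sourcePortRange": "*",
              "destinationAddressPrefix": "*",
              "destinationPortRanges": [ "19000", "19080" ]
            }
          },
          {
            "name": "DenyClusterEndpointsFromInternet",
            "properties": {
              "description": "Traffic arriving via the public load balancer keeps its original source address, so it matches the Internet tag and is dropped here",
              "priority": 1100,
              "direction": "Inbound",
              "access": "Deny",
              "protocol": "Tcp",
              "sourceAddressPrefix": "Internet",
              "sourcePortRange": "*",
              "destinationAddressPrefix": "*",
              "destinationPortRanges": [ "19000", "19080" ]
            }
          }
        ]
      }
    },
    {
      "comments": "Associate the NSG with the cluster subnet (assumed subnet; addressPrefix must match the existing subnet).",
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "apiVersion": "2020-05-01",
      "name": "[concat(variables('vnetName'), '/', variables('subnetName'))]",
      "dependsOn": [ "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]" ],
      "properties": {
        "addressPrefix": "10.0.0.0/24",
        "networkSecurityGroup": {
          "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]"
        }
      }
    }
  ]
}
```

Note what this does and does not do. Every NSG already carries default rules (AllowVnetInBound at 65000, AllowAzureLoadBalancerInBound at 65001, DenyAllInBound at 65500), so even an NSG with no custom rules would block the public path; the explicit pair pins the ports and makes the intent visible in the template. Node-to-node cluster traffic and the application port range are VirtualNetwork-sourced and stay allowed. The cluster's public IP still exists and still answers on the load balancer, so the endpoints are reachable only through the VPN, but they are not hidden; if you want no public surface at all, combine this with the internal load balancer from the other answer.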
Source: https://stackoverflow.com/questions/39617775/a-service-fabric-cluster-in-azure-that-is-only-accessible-through-a-vpn-gateway