dotnet / arcade-services

Arcade Engineering Services
MIT License

Maestro Service Fabric Explorer is unreachable #3131

Open dkurepa opened 9 months ago

dkurepa commented 9 months ago

All traffic currently reaches Maestro through the Application Gateway, which only listens on a few selected ports, 443 and 80, and then sends all traffic to port 8088. This breaks:

For both of these, we will need to create Listeners, Rules and HTTP settings that will allow these ports.

tkapin commented 9 months ago

Any update on this? Is the port blocked by some S360 rule that is blocking this? Have we checked with the Redmond folks?

dkurepa commented 9 months ago

All of my attempts were unsuccessful; I will need to ask for some help once people are back from holidays. One thing to note is that the Helix cluster is still using the Load Balancer to handle the SF Explorer requests, any idea why @riarenas?

riarenas commented 9 months ago

> One thing to note is that the Helix cluster is still using the Load Balancer to handle the SF Explorer requests, any idea why @riarenas?

Nope.

Are we sure it's a supported scenario to have the cluster explorer under a gateway?

garath commented 9 months ago

Be aware that there is corporate policy preventing Service Fabric explorer from being publicly accessible (these ports are considered high risk). It is programmatically enforced, so that may have impacted your experiments. I suggest talking to the NetIso team to get the latest info on this scenario.

tkapin commented 9 months ago

That's an interesting piece of information Stu! Do you have any details on the policy (link, etc.) by any chance? Also, can you remind me how's the setup of the Helix Services SF Explorer from this perspective?

garath commented 9 months ago

> Also, can you remind me how's the setup of the Helix Services SF Explorer from this perspective?

I only took a quick glance but it does look like the load balancer is the trick for Helix's support.

I tried but unfortunately could not find any info on the policy. IIRC this came up for us about two years ago, and a former team member was tasked with figuring out how to comply.

The NetIso team holds office hours and has been pretty good to work with. If I were the one with this task, I'd start fresh by going to their office hours, describing the scenario and asking for resources and advice. I wouldn't be surprised if there are changes to be made even with Helix's setup.

garath commented 9 months ago

dotnet/core-eng#15313 is where this originally came up.

dkurepa commented 9 months ago

thanks for the info @garath!