arcade-services

Maestro Service Fabric Explorer is unreachable

Open dkurepa opened this issue 1 year ago • 8 comments

All traffic currently reaches Maestro through the Application Gateway, which only listens on a few selected ports, 443 and 80, and then sends all traffic to port 8088. This breaks:

  • The Service Fabric Explorer, which is reachable through https://maestro-int.westus2.cloudapp.azure.com:19080/Explorer
  • The Client connection endpoint, which is reachable through maestro-int.westus2.cloudapp.azure.com:19000

For both of these, we will need to create Listeners, Rules and HTTP settings that will allow these ports.

dkurepa, Dec 13 '23 17:12

Any update on this? Is the port blocked by some S360 rule that is blocking this? Have we checked with the Redmond folks?

tkapin, Dec 19 '23 09:12

All of my attempts were unsuccessful; I will need to ask for some help once people are back from holidays. One thing to note is that the Helix cluster is still using the Load Balancer to handle the SF Explorer requests. Any idea why, @riarenas?

dkurepa, Dec 20 '23 09:12

> One thing to note is that the Helix cluster is still using the Load Balancer to handle the SF Explorer requests, any idea why @riarenas?

Nope.

Are we sure it's a supported scenario to have the cluster explorer under a gateway?

riarenas, Jan 02 '24 17:01

Be aware that there is corporate policy preventing Service Fabric explorer from being publicly accessible (these ports are considered high risk). It is programmatically enforced, so that may have impacted your experiments. I suggest talking to the NetIso team to get the latest info on this scenario.

garath, Jan 02 '24 19:01
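An added example, not part of the thread or of the arcade-services code: a check that the two Service Fabric ports named in the issue (19080 and 19000) are not allowed in from public sources. It assumes the cluster sits behind an Azure network security group whose rules were exported with `az network nsg rule list -o json`; the sample rules and their names are constructed.

```python
import json

# Ports from the issue: Service Fabric Explorer (19080), client connection (19000).
SF_PORTS = {19080: "Service Fabric Explorer", 19000: "client connection endpoint"}
# Assumption: only wildcard sources count as public; specific public CIDRs are not flagged.
PUBLIC_SOURCES = {"*", "internet", "0.0.0.0/0"}

# Constructed sample in the shape `az network nsg rule list -o json` returns.
SAMPLE_RULES = json.loads("""[
  {"name": "allow-web", "priority": 100, "direction": "Inbound", "access": "Allow",
   "sourceAddressPrefix": "Internet", "destinationPortRanges": ["80", "443"]},
  {"name": "deny-sf-client", "priority": 200, "direction": "Inbound", "access": "Deny",
   "sourceAddressPrefix": "*", "destinationPortRange": "19000"},
  {"name": "allow-sf-mgmt", "priority": 300, "direction": "Inbound", "access": "Allow",
   "sourceAddressPrefix": "*", "destinationPortRange": "19000-19080"},
  {"name": "allow-corp", "priority": 310, "direction": "Inbound", "access": "Allow",
   "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "19080"}
]""")

def values(rule, single, plural):
    # Azure stores one value under the singular key or several under the plural key.
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals

def covers(port_spec, port):
    if port_spec == "*":
        return True
    lo, _, hi = port_spec.partition("-")  # "19080" or "19000-19080"
    return int(lo) <= port <= int(hi or lo)

def first_public_match(rules, port):
    """Return the highest-priority inbound rule matching public traffic to `port`."""
    inbound = [r for r in rules if r.get("direction", "").lower() == "inbound"]
    for rule in sorted(inbound, key=lambda r: r["priority"]):  # lower number wins
        sources = values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        ports = values(rule, "destinationPortRange", "destinationPortRanges")
        src_public = any(s.lower() in PUBLIC_SOURCES for s in sources)
        if src_public and any(covers(p, port) for p in ports):
            return rule
    return None  # falls through to the NSG's default deny

def publicly_exposed(rules):
    """Map each Service Fabric port to the Allow rule that exposes it, if any."""
    hits = {port: first_public_match(rules, port) for port in SF_PORTS}
    return {p: r["name"] for p, r in hits.items() if r and r["access"].lower() == "allow"}

if __name__ == "__main__":
    print(publicly_exposed(SAMPLE_RULES))
```

In the sample, 19000 is protected because the priority-200 deny is evaluated before the broader priority-300 allow, while 19080 is only covered by that allow and is reported.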

That's an interesting piece of information, Stu! Do you have any details on the policy (link, etc.) by any chance? Also, can you remind me how's the setup of the Helix Services SF Explorer from this perspective?

tkapin, Jan 02 '24 19:01

> Also, can you remind me how's the setup of the Helix Services SF Explorer from this perspective?

I only took a quick glance but it does look like the load balancer is the trick for Helix's support.

I tried but unfortunately could not find any info on the policy. IIRC this came up for us about two years ago, and a former team member was tasked with figuring out how to comply.

The NetIso team holds office hours and has been pretty good to work with. If I were the one with this task, I'd start fresh by going to their office hours, describing the scenario and asking for resources and advice. I wouldn't be surprised if there are changes to be made even with Helix's setup.

garath, Jan 02 '24 19:01

dotnet/core-eng#15313 is where this originally came up.

garath, Jan 02 '24 20:01

Thanks for the info @garath!

dkurepa, Jan 03 '24 10:01