Azure Labs
Explore 1 lab in Azure.
The Service Fabric cluster does not enforce authenticated and protected inter-node communication. The azurerm_service_fabric_cluster resource is missing a fabric_settings block with a Security section that sets ClusterProtectionLevel to EncryptAndSign. Without this setting, cluster traffic may not be sufficiently encrypted, signed, or authenticated between communicating nodes. This can allow an attacker with access to the network path to impersonate trusted entities, intercept sensitive data, or tamper with messages exchanged inside the cluster. As a result, the system may rely on encryption without adequately verifying the identity and integrity of the entities participating in communication.
Configure the Service Fabric cluster security settings to explicitly set ClusterProtectionLevel to EncryptAndSign. This ensures inter-node communication is encrypted and signed, helping protect against interception, spoofing, and message tampering. Security tests should verify that the cluster defines a fabric_settings block with a Security section and that ClusterProtectionLevel is set to EncryptAndSign.
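One way to write the security test described above, as an added example that is not part of the original lab: it walks a Terraform plan and flags every azurerm_service_fabric_cluster whose Security section is missing or sets ClusterProtectionLevel to anything other than EncryptAndSign. It assumes the plan was exported with `terraform show -json`; the sample plan, resource addresses and function names are constructed for illustration.

```python
import json

RESOURCE_TYPE = "azurerm_service_fabric_cluster"
# Constructed sample, trimmed to the fields used, in the shape of `terraform show -json`.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "azurerm_service_fabric_cluster.missing",
     "type": "azurerm_service_fabric_cluster", "values": {"fabric_settings": []}},
    {"address": "azurerm_service_fabric_cluster.weak",
     "type": "azurerm_service_fabric_cluster", "values": {"fabric_settings": [
       {"name": "Security", "parameters": {"ClusterProtectionLevel": "Sign"}}]}}
  ],
  "child_modules": [{"resources": [
    {"address": "module.sf.azurerm_service_fabric_cluster.good",
     "type": "azurerm_service_fabric_cluster", "values": {"fabric_settings": [
       {"name": "Security", "parameters": {"ClusterProtectionLevel": "EncryptAndSign"}}]}}
  ]}]
}}}
""")


def iter_resources(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def protection_level(values):
    """Return ClusterProtectionLevel from the Security section, or None if absent."""
    for block in values.get("fabric_settings") or []:
        if block.get("name") == "Security":
            return (block.get("parameters") or {}).get("ClusterProtectionLevel")
    return None


def find_violations(plan):
    """Map each non-compliant cluster address to the reason it fails."""
    root = plan.get("planned_values", {}).get("root_module", {})
    violations = {}
    for res in iter_resources(root):
        if res.get("type") != RESOURCE_TYPE:
            continue
        level = protection_level(res.get("values", {}))
        if level is None:
            violations[res["address"]] = "no Security/ClusterProtectionLevel setting"
        elif level != "EncryptAndSign":
            violations[res["address"]] = f"ClusterProtectionLevel is {level!r}"
    return violations
```

In a pipeline, load the real plan JSON in place of SAMPLE_PLAN and fail the build when find_violations returns a non-empty mapping.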