Azure Payment HSM solution design

This article identifies topologies and constraints for Azure Payment HSM.

Supported topologies

The following table describes the network topologies supported by each network features configuration of Azure Payment HSM.

Topology Basic network features
Connectivity to a payment HSM in a local virtual network Yes
Connectivity to a payment HSM in a peered virtual network (Same region) Yes
Connectivity to a payment HSM in a peered virtual network (Cross region or global peering) No
Connectivity to a payment HSM over ExpressRoute gateway Yes
ExpressRoute (ER) FastPath No
Connectivity from on-premises to a payment HSM in a spoke virtual network over ExpressRoute gateway and virtual network peering with gateway transit Yes
Connectivity from on-premises to a payment HSM in a spoke virtual network over VPN gateway Yes
Connectivity from on-premises to a payment HSM in a spoke virtual network over VPN gateway and virtual network peering with gateway transit Yes
Connectivity over Active/Passive VPN gateways Yes
Connectivity over Active/Active VPN gateways No
Connectivity over Active/Active Zone Redundant gateways No
Connectivity over Virtual WAN (VWAN) No

Constraints

The following table describes what is supported for each network features configuration:

Features Basic network features
Delegated subnet per virtual network 1
Network Security Groups on payment HSMs on Azure-delegated subnets No
User-defined routes (UDRs) on payment HSMs on Azure-delegated subnets No
Connectivity to private endpoints No
Load balancers for payment HSMs on Azure traffic No
Dual stack (IPv4 and IPv6) virtual network IPv4 only supported

Next steps