Tutorial: Create a payment HSM with host and management port in different virtual networks using ARM template
Azure Payment HSM is a "BareMetal" service delivered using Thales payShield 10K payment hardware security modules (HSM) to provide cryptographic key operations for real-time, critical payment transactions in the Azure cloud. Azure Payment HSM is designed specifically to help a service provider and an individual financial institution accelerate their payment system's digital transformation strategy and adopt the public cloud. For more information, see Azure Payment HSM: Overview.
This tutorial describes how to create a payment HSM with the host and management port in different virtual networks, using Azure CLI or Azure PowerShell. You can instead:
- Create a payment HSM with the host and management port in the same virtual network using Azure CLI or PowerShell
- Create a payment HSM with the host and management port in the same virtual network using an ARM template
- Create a payment HSM with the host and management port in different virtual networks using an ARM template
- Create HSM resource with host and management port with IP addresses in different virtual networks using ARM template
An Azure Resource Manager template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax. You describe your intended deployment without writing the sequence of programming commands to create the deployment.
Prerequisites
Important
Azure Payment HSM is a specialized service. To qualify for onboarding and use of Azure Payment HSM, customers must have an assigned Microsoft Account Manager and have a Cloud Service Architect (CSA).
To inquire about the service, start the qualification process, and prepare the prerequisites before on-boarding, ask your Microsoft account manager and CSA to send a request via email.
You must register the "Microsoft.HardwareSecurityModules" and "Microsoft.Network" resource providers, as well as the Azure Payment HSM features. Steps for doing so are at Register the Azure Payment HSM resource provider and resource provider features.
To quickly ascertain if the resource providers and features are already registered, use the Azure CLI az provider show command. (The output of this command is more readable when displayed in table-format.)
az provider show --namespace "Microsoft.HardwareSecurityModules" -o table az provider show --namespace "Microsoft.Network" -o table az feature registration show -n "FastPathEnabled" --provider-namespace "Microsoft.Network" -o table az feature registration show -n "AzureDedicatedHsm" --provider-namespace "Microsoft.HardwareSecurityModules" -o tableYou can continue with this quick start if all four of these commands return "Registered".
You must have an Azure subscription. You can create a free account if you don't have one.
Use the Bash environment in Azure Cloud Shell. For more information, see Quickstart for Bash in Azure Cloud Shell.
If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.
When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.
Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.
Create a resource group
A resource group is a logical container into which Azure resources are deployed and managed. Use the az group create command to create a resource group named myResourceGroup in the eastus location.
az group create --name "myResourceGroup" --location "EastUS"
Create virtual networks and subnets
Before creating a payment HSM, you must first create a virtual network / subnet for the host, and a different virtual network / subnet for the management port.
First, use the Azure CLI az network vnet create command to create the virtual network for the host:
az network vnet create -g "myResourceGroup" -n "myVNet" --address-prefixes "10.0.0.0/16" --tags "fastpathenabled=True" --subnet-name "myPHSMSubnet" --subnet-prefix "10.0.0.0/24"
Afterward, use the Azure CLI az network vnet subnet update command to update the subnet and give it a delegation of "Microsoft.HardwareSecurityModules/dedicatedHSMs":
az network vnet subnet update -g "myResourceGroup" --vnet-name "myVNet" -n "myPHSMSubnet" --delegations "Microsoft.HardwareSecurityModules/dedicatedHSMs"
To verify that the VNet and subnet were created correctly, use the Azure CLI az network vnet subnet show command:
az network vnet subnet show -g "myResourceGroup" --vnet-name "myVNet" -n myPHSMSubnet
Make note of the host's subnet ID, which is used when creating the payment HSM. The ID of the subnet ends with the name of the subnet:
"id": "/subscriptions/<subscriptionID>/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVNet/subnets/myPHSMSubnet",
Now create another virtual network and subnet for the management port:
az network vnet create -g "myResourceGroup" -n "myManagementVNet" --address-prefixes "10.1.0.0/16" --tags "fastpathenabled=True" --subnet-name "myManagementSubnet" --subnet-prefix "10.1.0.0/24"
Again, use the Azure CLI az network vnet subnet update command to update the subnet and give it a delegation of "Microsoft.HardwareSecurityModules/dedicatedHSMs":
az network vnet subnet update -g "myResourceGroup" --vnet-name "myManagementVNet" -n "myManagementSubnet" --delegations "Microsoft.HardwareSecurityModules/dedicatedHSMs"
To verify that the management VNet and subnet were created correctly, use the Azure CLI az network vnet subnet show command:
az network vnet subnet show -g "myResourceGroup" --vnet-name "myManagementVNet" -n "myManagementSubnet"
You also need the management's subnet ID when creating the payment HSM.
Create a payment HSM
Create with dynamic hosts
To create a payment HSM with dynamic hosts, use the az dedicated-hsm create command. The following example creates a payment HSM named myPaymentHSM in the eastus region, myResourceGroup resource group, and specified subscription, virtual network, and subnet:
az dedicated-hsm create \
--resource-group "myResourceGroup" \
--name "myPaymentHSM" \
--location "EastUS" \
--subnet id="<host-subnet-id>" \
--stamp-id "stamp1" \
--sku "payShield10K_LMK1_CPS60" \
--mgmt-network-subnet id="<management-subnet-id>"
To see the newly created network interfaces, use the az network nic list command, providing the resource group:
az network nic list -g myResourceGroup -o table
In the output, host 1 and host 2 are listed, as well as a management interface:
... Name NicType Primary ProvisioningState ResourceGroup ...
--- ------------------------ --------- --------- ------------------- --------------- ---
... myPaymentHSM_HSMHost1Nic Standard True Succeeded myResourceGroup ...
... myPaymentHSM_HSMHost2Nic Standard True Succeeded myResourceGroup ...
... myPaymentHSM_HSMMgmtNic Standard True Succeeded myResourceGroup ...
To see the newly created network interfaces, use the az network nic show command, providing the resource group and name of the network interface:
az network nic show -g myresourcegroup -n myPaymentHSM_HSMHost1Nic
The output contains this line:
"privateIPAllocationMethod": "Dynamic",
Create with static hosts
To create a payment HSM with static hosts, use the az dedicated-hsm create command. The following example creates a payment HSM named myPaymentHSM in the eastus region, myResourceGroup resource group, and specified subscription, virtual network, and subnet:
az dedicated-hsm create \
--resource-group "myResourceGroup" \
--name "myPaymentHSM" \
--location "EastUS" \
--subnet id="<subnet-id>" \
--stamp-id "stamp1" \
--sku "payShield10K_LMK1_CPS60" \
--mgmt-network-subnet id="<management-subnet-id>"
--network-interfaces private-ip-address='("10.0.0.5", "10.0.0.6")
If you wish to also specify a static IP for the management host, you can add:
--mgmt-network-interfaces private-ip-address="10.0.0.7"
To see the newly created network interfaces, use the az network nic list command, providing the resource group:
az network nic list -g myResourceGroup -o table
In the output, host 1 and host 2 are listed, as well as the management interface:
... Name NicType Primary ProvisioningState ResourceGroup ...
--- ------------------------ --------- --------- ------------------- --------------- ---
... myPaymentHSM_HSMHost1Nic Standard True Succeeded myResourceGroup ...
... myPaymentHSM_HSMHost2Nic Standard True Succeeded myResourceGroup ...
... myPaymentHSM_HSMMgmtNic Standard True Succeeded myResourceGroup ...
To view the properties of a network interface, use the az network nic show command, providing the resource group and name of the network interface:
az network nic show -g myresourcegroup -n myPaymentHSM_HSMHost1Nic
The output contains this line:
"privateIPAllocationMethod": "Static",
Next steps
Advance to the next article to learn how to view your payment HSM.
Additional information:
- Read an Overview of Payment HSM
- Find out how to get started with Azure Payment HSM
- See some common deployment scenarios
- Learn about Certification and compliance
- Read the frequently asked questions
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for