Tutorial: Create a payment HSM

Article
08/10/2023

Azure Payment HSM is a "BareMetal" service delivered using Thales payShield 10K payment hardware security modules (HSM) to provide cryptographic key operations for real-time, critical payment transactions in the Azure cloud. Azure Payment HSM is designed specifically to help a service provider and an individual financial institution accelerate their payment system's digital transformation strategy and adopt the public cloud. For more information, see Azure Payment HSM: Overview.

This tutorial describes how to create an Azure Payment HSM with the host and management port in same virtual network. You can instead:

Note

If you wish to reuse an existing VNet, verify that you have met all of the Prerequisites and then read How to reuse an existing virtual network.

Prerequisites

Important

Azure Payment HSM is a specialized service. To qualify for onboarding and use of Azure Payment HSM, customers must have an assigned Microsoft Account Manager and have a Cloud Service Architect (CSA).

To inquire about the service, start the qualification process, and prepare the prerequisites before on-boarding, ask your Microsoft account manager and CSA to send a request via email.

Azure CLI
Azure PowerShell

You must register the "Microsoft.HardwareSecurityModules" and "Microsoft.Network" resource providers, as well as the Azure Payment HSM features. Steps for doing so are at Register the Azure Payment HSM resource provider and resource provider features.

Warning

You must apply the "FastPathEnabled" feature flag to every subscription ID, and add the "fastpathenabled" tag to every virtual network. For more information, see Fastpathenabled.

To quickly ascertain if the resource providers and features are already registered, use the Azure CLI az provider show command. (The output of this command is more readable when displayed in table-format.)
```
az provider show --namespace "Microsoft.HardwareSecurityModules" -o table

az provider show --namespace "Microsoft.Network" -o table

az feature registration show -n "FastPathEnabled"  --provider-namespace "Microsoft.Network" -o table

az feature registration show -n "AzureDedicatedHsm"  --provider-namespace "Microsoft.HardwareSecurityModules" -o table
```
You can continue with this quick start if all four of these commands return "Registered".
You must have an Azure subscription. You can create a free account if you don't have one.

Use the Bash environment in Azure Cloud Shell. For more information, see Quickstart for Bash in Azure Cloud Shell.
If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
- If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.
- When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.
- Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.

You must register the "Microsoft.HardwareSecurityModules" and "Microsoft.Network" resource providers, as well as the Azure Payment HSM features. Steps for doing so are at Register the Azure Payment HSM resource provider and resource provider features.

Warning

You must apply the "FastPathEnabled" feature flag to every subscription ID, and add the "fastpathenabled" tag to every virtual network. For more information, see Fastpathenabled.

To quickly ascertain if the resource providers and features are already registered, use the Azure PowerShell Get-AzProviderFeature cmdlet:

Get-AzProviderFeature -FeatureName "AzureDedicatedHsm" -ProviderNamespace Microsoft.HardwareSecurityModules

Get-AzProviderFeature -FeatureName "FastPathEnabled" -ProviderNamespace Microsoft.Network

You can continue with this quick start if the "RegistrationState" of both commands returns "Registered".

You must have an Azure subscription. You can create a free account if you don't have one.

* If you choose to use Azure PowerShell locally: * Install the latest version of the Az PowerShell module. * Connect to your Azure account using the Connect-AzAccount cmdlet. * If you choose to use Azure Cloud Shell: * See Overview of Azure Cloud Shell for more information.\

You must install the Az.DedicatedHsm PowerShell module:
```
Install-Module -Name Az.DedicatedHsm
```

A resource group is a logical container into which Azure resources are deployed and managed. Use the az group create command to create a resource group named myResourceGroup in the eastus location.

az group create --name "myResourceGroup" --location "EastUS"

A resource group is a logical container into which Azure resources are deployed and managed. Use the Azure PowerShell New-AzResourceGroup cmdlet to create a resource group named myResourceGroup in the eastus location.

New-AzResourceGroup -Name "myResourceGroup" -Location "EastUS"

Create a virtual network and subnet

Azure CLI
Azure PowerShell

Before creating a payment HSM, you must first create a virtual network and a subnet. To do so, use the Azure CLI az network vnet create command:

az network vnet create -g "myResourceGroup" -n "myVNet" --address-prefixes "10.0.0.0/16" --tags "fastpathenabled=True" --subnet-name "myPHSMSubnet" --subnet-prefix "10.0.0.0/24"

Afterward, use the Azure CLI az network vnet subnet update command to update the subnet and give it a delegation of "Microsoft.HardwareSecurityModules/dedicatedHSMs":

az network vnet subnet update -g "myResourceGroup" --vnet-name "myVNet" -n "myPHSMSubnet" --delegations "Microsoft.HardwareSecurityModules/dedicatedHSMs"

To verify that the VNet and subnet were created correctly, use the Azure CLI az network vnet subnet show command:

az network vnet subnet show -g "myResourceGroup" --vnet-name "myVNet" -n myPHSMSubnet

Make note of the subnet's ID, as you need it for the next step. The ID of the subnet ends with the name of the subnet:

"id": "/subscriptions/<subscriptionID>/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVNet/subnets/myPHSMSubnet",

Before creating a payment HSM, you must first create a virtual network and a subnet.

First, set some variables for use in the subsequent operations:

$VNetAddressPrefix = @("10.0.0.0/16")
$SubnetAddressPrefix = "10.0.0.0/24"
$tags = @{fastpathenabled="true"}

Use the Azure PowerShell New-AzDelegation cmdlet to create a service delegation to be added to your subnet, and save the output to the $myDelegation variable:

$myDelegation = New-AzDelegation -Name "myHSMDelegation" -ServiceName "Microsoft.HardwareSecurityModules/dedicatedHSMs"

Use the Azure PowerShell New-AzVirtualNetworkSubnetConfig cmdlet to create a virtual network subnet configuration, and save the output to the $myPHSMSubnet variable:

$myPHSMSubnetConfig = New-AzVirtualNetworkSubnetConfig -Name "myPHSMSubnet" -AddressPrefix $SubnetAddressPrefix -Delegation $myDelegation

Note

The New-AzVirtualNetworkSubnetConfig cmdlet will generate a warning, which you can safely ignore.

To create an Azure Virtual Network, use the Azure PowerShell New-AzVirtualNetwork cmdlet:

New-AzVirtualNetwork -Name "myVNet" -ResourceGroupName "myResourceGroup" -Location "EastUS" -Tag $tags -AddressPrefix $VNetAddressPrefix -Subnet $myPHSMSubnetConfig

To verify that the VNet was created correctly, use the Azure PowerShell Get-AzVirtualNetwork cmdlet:

Get-AzVirtualNetwork -Name "myVNet" -ResourceGroupName "myResourceGroup"

Make note of the subnet's ID, which is used in the next step. The ID of the subnet ends with the name of the subnet:

"Id": "/subscriptions/<subscriptionID>/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVNet/subnets/myPHSMSubnet",

Create a payment HSM

Important

If you create two payment HSMs in the same region, you must allocate one to "stamp1" and the other to "stamp2". For more information, see Deployment scenarios: High-availablity deployment.

Create with dynamic hosts

Azure CLI
Azure PowerShell

To create a payment HSM with dynamic hosts, use the az dedicated-hsm create command. The following example creates a payment HSM named myPaymentHSM in the eastus region, myResourceGroup resource group, and specified subscription, virtual network, and subnet:

az dedicated-hsm create \
   --resource-group "myResourceGroup" \
   --name "myPaymentHSM" \
   --location "EastUS" \
   --subnet id="<subnet-id>" \
   --stamp-id "stamp1" \
   --sku "payShield10K_LMK1_CPS60"

To see the newly created network interfaces, use the az network nic list command, providing the resource group:

az network nic list -g myResourceGroup -o table

In the output, host 1 and host 2 are listed, as well as a management interface:

...  Name                      NicType    Primary    ProvisioningState    ResourceGroup    ...
---  ------------------------  ---------  ---------  -------------------  ---------------  ---
...  myPaymentHSM_HSMHost1Nic  Standard   True       Succeeded            myResourceGroup  ...
...  myPaymentHSM_HSMHost2Nic  Standard   True       Succeeded            myResourceGroup  ...
...  myPaymentHSM_HSMMgmtNic   Standard   True       Succeeded            myResourceGroup  ...

To see the details of a newly created network interface, use the az network nic show command, providing the resource group and name of the network interface:

az network nic show -g myresourcegroup -n myPaymentHSM_HSMHost1Nic

The output contains this line:

  "privateIPAllocationMethod": "Dynamic",

To create a payment HSM with dynamic hosts, use the New-AzDedicatedHsm cmdlet and the VNet ID from the previous step:

New-AzDedicatedHsm -Name "myPaymentHSM" -ResourceGroupName "myResourceGroup" -Location "East US" -Sku "payShield10K_LMK1_CPS60" -StampId "stamp1" -SubnetId "<subnet-id>"

The output of the payment HSM creation looks like this:

Name  Provisioning State SKU                     Location
----  ------------------ ---                     --------
myHSM Succeeded          payShield10K_LMK1_CPS60 East US

To see the newly created network interfaces, use the Get-AzNetworkInterface cmdlet, providing the resource group:

Get-AzNetworkInterface -ResourceGroupName myResourceGroup | Format-Table

In the output, host 1 and host 2 are listed, as well as the management interface:

ResourceGroupName Name                     Location ...
----------------- ----                     -------- ---
myResourceGroup   myPaymentHSM_HSMHost1Nic eastus   ...
myResourceGroup   myPaymentHSM_HSMHost2Nic eastus   ...
myResourceGroup   myPaymentHSM_HSMMgmtNic  eastus   ...

In the Azure portal, the "Private IP allocation method" is "Dynamic":

Create with static hosts

Azure CLI
Azure PowerShell

To create a payment HSM with static hosts, use the az dedicated-hsm create command. The following example creates a payment HSM named myPaymentHSM in the eastus region, myResourceGroup resource group, and specified subscription, virtual network, and subnet:

az dedicated-hsm create \
  --resource-group "myResourceGroup" \
  --name "myPaymentHSM" \
  --location "EastUS" \
  --subnet id="<subnet-id>" \
  --stamp-id "stamp1" \
  --sku "payShield10K_LMK1_CPS60" \
  --network-interfaces private-ip-address='("10.0.0.5", "10.0.0.6")

If you wish to also specify a static IP for the management host, you can add:

  --mgmt-network-interfaces private-ip-address="10.0.0.7" \
  --mgmt-network-subnet="<subnet-id>"

To see the newly created network interfaces, use the az network nic list command, providing the resource group:

az network nic list -g myResourceGroup -o table

In the output, host 1 and host 2 are listed, as well as the management interface:

...  Name                      NicType    Primary    ProvisioningState    ResourceGroup    ...
---  ------------------------  ---------  ---------  -------------------  ---------------  ---
...  myPaymentHSM_HSMHost1Nic  Standard   True       Succeeded            myResourceGroup  ...
...  myPaymentHSM_HSMHost2Nic  Standard   True       Succeeded            myResourceGroup  ...
...  myPaymentHSM_HSMMgmtNic   Standard   True       Succeeded            myResourceGroup  ...

To view the properties of a network interface, use the az network nic show command, providing the resource group and name of the network interface:

 az network nic show -g myresourcegroup -n myPaymentHSM_HSMHost1Nic

The output contains this line:

  "privateIPAllocationMethod": "Static",

To create a payment HSM with static hosts, use the New-AzDedicatedHsm cmdlet and the VNet ID from the previous step:

New-AzDedicatedHsm -Name "myPaymentHSM" -ResourceGroupName "myResourceGroup" -Location "East US" -Sku "payShield10K_LMK1_CPS60" -StampId "stamp1" -SubnetId "<subnet-id>" -NetworkInterface (@{PrivateIPAddress = '10.0.0.5'}, @{PrivateIPAddress = '10.0.0.6'})

If you wish to also specify a static IP for the management host, you can add:

-ManagementNetworkInterface @{PrivateIPAddress = '10.0.07'} -ManagementSubnetId "<subnetId>"

The output of the payment HSM creation looks like this:

Name  Provisioning State SKU                     Location
----  ------------------ ---                     --------
myHSM Succeeded          payShield10K_LMK1_CPS60 East US

To see the newly created network interfaces, use the Get-AzNetworkInterface cmdlet, providing the resource group:

Get-AzNetworkInterface -ResourceGroupName myResourceGroup | Format-Table

In the output, host 1 and host 2 are listed, as well as the management interface:

ResourceGroupName Name                     Location ...
----------------- ----                     -------- ---
myResourceGroup   myPaymentHSM_HSMHost1Nic eastus   ...
myResourceGroup   myPaymentHSM_HSMHost2Nic eastus   ...
myResourceGroup   myPaymentHSM_HSMMgmtNic  eastus   ...

The Azure portal shows the "Private IP allocation method" as "Dynamic":