Tutorial: Create a payment HSM
Azure Payment HSM Service is a "BareMetal" service delivered using Thales payShield 10K payment hardware security modules (HSM) to provide cryptographic key operations for real-time, critical payment transactions in the Azure cloud. This article describes how to create an Azure Payment HSM with the host and management port in same virtual network.
In this tutorial, you learn how to:
- Create a resource group
- Create a virtual network and subnet for your payment HSM
- Create a payment HSM
- Retrieve information about your payment HSM
Note
If you wish to reuse an existing VNet, verify that you have met all of the Prerequisites and then read How to reuse an existing virtual network.
Prerequisites
Important
Azure Payment HSM is a specialized service. To qualify for onboarding and use of Azure Payment HSM, customers must have an assigned Microsoft Account Manager, have a CSA, and meet the monetary requirement of five million ($5M) USD or greater in overall committed Azure revenue annually.
To inquire about the service, start the qualification process, and prepare the prerequisites before on-boarding, ask your Microsoft account manager and CSA to send a request via email.
You must register the "Microsoft.HardwareSecurityModules" and "Microsoft.Network" resource providers, as well as the Azure Payment HSM features. Steps for doing so are at Register the Azure Payment HSM resource provider and resource provider features.
To quickly ascertain if the resource providers and features are already registered, use the Azure CLI az provider show command. (You will find the output of this command more readable if you display it in table-format.)
az provider show --namespace "Microsoft.HardwareSecurityModules" -o table az provider show --namespace "Microsoft.Network" -o table az feature registration show -n "FastPathEnabled" --provider-namespace "Microsoft.Network" -o table az feature registration show -n "AzureDedicatedHsm" --provider-namespace "Microsoft.HardwareSecurityModules" -o table
You can continue with this quick start if all four of these commands return "Registered".
You must have an Azure subscription. You can create a free account if you don't have one.
Use the Bash environment in Azure Cloud Shell. For more information, see Quickstart for Bash in Azure Cloud Shell.
If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.
When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.
Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.
Create a resource group
A resource group is a logical container into which Azure resources are deployed and managed. Use the az group create command to create a resource group named myResourceGroup in the eastus location.
az group create --name "myResourceGroup" --location "EastUS"
Create a virtual network and subnet
Before creating a payment HSM, you must first create a virtual network and a subnet. To do so, use the Azure CLI az network vnet create command:
az network vnet create -g "myResourceGroup" -n "myVNet" --address-prefixes "10.0.0.0/16" --tags "fastpathenabled=True" --subnet-name "myPHSMSubnet" --subnet-prefix "10.0.0.0/24"
Afterward, use the Azure CLI az network vnet subnet update command to update the subnet and give it a delegation of "Microsoft.HardwareSecurityModules/dedicatedHSMs":
az network vnet subnet update -g "myResourceGroup" --vnet-name "myVNet" -n "myPHSMSubnet" --delegations "Microsoft.HardwareSecurityModules/dedicatedHSMs"
To verify that the VNet and subnet were created correctly, use the Azure CLI az network vnet subnet show command:
az network vnet subnet show -g "myResourceGroup" --vnet-name "myVNet" -n myPHSMSubnet
Make note of the subnet's ID, as you will need it for the next step. The ID of the subnet will end with the name of the subnet:
"id": "/subscriptions/<subscriptionID>/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVNet/subnets/myPHSMSubnet",
Create a payment HSM
To create a payment HSM, use the az dedicated-hsm create command. The following example creates a payment HSM named myPaymentHSM
in the eastus
region, myResourceGroup
resource group, and specified subscription, virtual network, and subnet:
az dedicated-hsm create \
--resource-group "myResourceGroup" \
--name "myPaymentHSM" \
--location "EastUS" \
--subnet id="<subnet-id>" \
--stamp-id "stamp1" \
--sku "payShield10K_LMK1_CPS60"
View your payment HSM
To see your payment HSM and its properties, use the Azure CLI az dedicated-hsm show command.
az dedicated-hsm show --resource-group "myResourceGroup" --name "myPaymentHSM"
To list all of your payment HSMs, use the az dedicated-hsm list command. (You will find the output of this command more readable if you display it in table-format.)
az dedicated-hsm list --resource-group "myResourceGroup" -o table
Next steps
Advance to the next article to learn how to access the payShield manager for your payment HSM
Additional information:
- Read an Overview of Payment HSM
- Find out how to get started with Azure Payment HSM
- See some common deployment scenarios
- Learn about Certification and compliance
- Read the frequently asked questions
Feedback
Submit and view feedback for