Azure Payment HSM solution design

This article identifies topologies and constraints for Azure Payment HSM.

Supported topologies

The following table describes the network topologies supported by each network features configuration of Azure Payment HSM.

Topology	Basic network features
Connectivity to a payment HSM in a local virtual network	Yes
Connectivity to a payment HSM in a peered virtual network (Same region)	Yes
Connectivity to a payment HSM in a peered virtual network (Cross region or global peering)	No
Connectivity to a payment HSM over ExpressRoute gateway	Yes
ExpressRoute (ER) FastPath	No
Connectivity from on-premises to a payment HSM in a spoke virtual network over ExpressRoute gateway and virtual network peering with gateway transit	Yes
Connectivity from on-premises to a payment HSM in a spoke virtual network over VPN gateway	Yes
Connectivity from on-premises to a payment HSM in a spoke virtual network over VPN gateway and virtual network peering with gateway transit	Yes
Connectivity over Active/Passive VPN gateways	Yes
Connectivity over Active/Active VPN gateways	No
Connectivity over Active/Active Zone Redundant gateways	No
Connectivity over Virtual WAN (VWAN)	No

Constraints

The following table describes what is supported for each network features configuration:

Features	Basic network features
Delegated subnet per virtual network	1
Network Security Groups on payment HSMs on Azure-delegated subnets	No
User-defined routes (UDRs) on payment HSMs on Azure-delegated subnets	No
Connectivity to private endpoints	No
Load balancers for payment HSMs on Azure traffic	No
Dual stack (IPv4 and IPv6) virtual network	IPv4 only supported

Next steps

• What is Azure Payment HSM?
• Azure Payment HSM deployment scenarios
• Azure Payment HSM traffic inspection
• Get started with Azure Payment HSM
• Create a payment HSM
• Frequently asked questions