Quickstart: Create an Azure Payment HSM with Azure PowerShell
Azure Payment HSM is a "BareMetal" service delivered using Thales payShield 10K payment hardware security modules (HSM) to provide cryptographic key operations for real-time, critical payment transactions in the Azure cloud. Azure Payment HSM is designed specifically to help a service provider and an individual financial institution accelerate their payment system's digital transformation strategy and adopt the public cloud. For more information, see Azure Payment HSM: Overview.
This quickstart describes how you can create an Azure Payment HSM using the Az.DedicatedHsm PowerShell module.
Prerequisites
Important
Azure Payment HSM is a specialized service. To qualify for onboarding and use of Azure Payment HSM, customers must have an assigned Microsoft Account Manager and have a Cloud Service Architect (CSA).
To inquire about the service, start the qualification process, and prepare the prerequisites before onboarding, ask your Microsoft account manager and CSA to send a request via email.
You must register the "Microsoft.HardwareSecurityModules" and "Microsoft.Network" resource providers, as well as the Azure Payment HSM features. Steps for doing so are at Register the Azure Payment HSM resource provider and resource provider features.
Warning
You must apply the "FastPathEnabled" feature flag to every subscription ID, and add the "fastpathenabled" tag to every virtual network. For more information, see Fastpathenabled.
To quickly ascertain if the resource providers and features are already registered, use the Azure PowerShell Get-AzProviderFeature cmdlet:
Get-AzProviderFeature -FeatureName "AzureDedicatedHsm" -ProviderNamespace Microsoft.HardwareSecurityModules
Get-AzProviderFeature -FeatureName "FastPathEnabled" -ProviderNamespace Microsoft.Network
You can continue with this quickstart if both commands return a "RegistrationState" of "Registered".
You must have an Azure subscription. You can create a free account if you don't have one.
If you have more than one Azure subscription, set the subscription to use for billing with the Azure PowerShell Set-AzContext cmdlet.
Set-AzContext -Subscription "<subscription-id>"
- If you choose to use Azure PowerShell locally:
  - Install the latest version of the Az PowerShell module.
  - Connect to your Azure account using the Connect-AzAccount cmdlet.
- If you choose to use Azure Cloud Shell:
  - See Overview of Azure Cloud Shell for more information.
You must install the Az.DedicatedHsm PowerShell module:
Install-Module -Name Az.DedicatedHsm
Create a resource group
A resource group is a logical container into which Azure resources are deployed and managed. Use the Azure PowerShell New-AzResourceGroup cmdlet to create a resource group named myResourceGroup in the eastus location.
New-AzResourceGroup -Name "myResourceGroup" -Location "EastUS"
Create a virtual network and subnet
Before creating a payment HSM, you must first create a virtual network and a subnet.
First, set some variables for use in the subsequent operations:
$VNetAddressPrefix = @("10.0.0.0/16")
$SubnetAddressPrefix = "10.0.0.0/24"
$tags = @{fastpathenabled="true"}
Use the Azure PowerShell New-AzDelegation cmdlet to create a service delegation to be added to your subnet, and save the output to the $myDelegation variable:
$myDelegation = New-AzDelegation -Name "myHSMDelegation" -ServiceName "Microsoft.HardwareSecurityModules/dedicatedHSMs"
Use the Azure PowerShell New-AzVirtualNetworkSubnetConfig cmdlet to create a virtual network subnet configuration, and save the output to the $myPHSMSubnetConfig variable:
$myPHSMSubnetConfig = New-AzVirtualNetworkSubnetConfig -Name "myPHSMSubnet" -AddressPrefix $SubnetAddressPrefix -Delegation $myDelegation
Note
The New-AzVirtualNetworkSubnetConfig cmdlet will generate a warning, which you can safely ignore.
To create an Azure Virtual Network, use the Azure PowerShell New-AzVirtualNetwork cmdlet:
New-AzVirtualNetwork -Name "myVNet" -ResourceGroupName "myResourceGroup" -Location "EastUS" -Tag $tags -AddressPrefix $VNetAddressPrefix -Subnet $myPHSMSubnetConfig
To verify that the virtual network was created correctly, use the Azure PowerShell Get-AzVirtualNetwork cmdlet:
Get-AzVirtualNetwork -Name "myVNet" -ResourceGroupName "myResourceGroup"
Make note of the subnet's Id value, as it is used in the next step. The Id is in the format:
"Id": "/subscriptions/<subscriptionID>/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVNet/subnets/myPHSMSubnet",
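The checks described so far (both features registered, the fastpathenabled tag on the virtual network, the subnet delegated to the HSM service) can be run as one pre-flight step that also captures the subnet Id. This is an added example, not part of the original quickstart; Get-PaymentHsmSubnetId is a hypothetical helper name, and the resource names are the ones used on this page.

```powershell
# Added example: pre-flight check before creating the payment HSM.
# Get-PaymentHsmSubnetId is a hypothetical helper, not an Az module cmdlet.
function Get-PaymentHsmSubnetId {
    param(
        [string]$ResourceGroupName = "myResourceGroup",
        [string]$VNetName          = "myVNet",
        [string]$SubnetName        = "myPHSMSubnet"
    )
    $ErrorActionPreference = "Stop"
    $hsmService = "Microsoft.HardwareSecurityModules/dedicatedHSMs"

    # 1. Both provider features must report RegistrationState "Registered".
    $features = @(
        @{ FeatureName = "AzureDedicatedHsm"; ProviderNamespace = "Microsoft.HardwareSecurityModules" },
        @{ FeatureName = "FastPathEnabled";   ProviderNamespace = "Microsoft.Network" }
    )
    foreach ($f in $features) {
        $state = (Get-AzProviderFeature @f).RegistrationState
        if ($state -ne "Registered") {
            throw "Feature $($f.ProviderNamespace)/$($f.FeatureName) is '$state', expected 'Registered'."
        }
    }

    # 2. The virtual network must carry the fastpathenabled tag.
    $vnet   = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroupName
    $tagKey = $vnet.Tag.Keys | Where-Object { $_ -ieq "fastpathenabled" } | Select-Object -First 1
    if (-not $tagKey -or $vnet.Tag[$tagKey] -ine "true") {
        throw "Virtual network '$VNetName' is missing the tag fastpathenabled=true."
    }

    # 3. The subnet must exist and be delegated to the dedicated HSM service.
    $subnet = $vnet.Subnets | Where-Object { $_.Name -eq $SubnetName }
    if (-not $subnet) {
        throw "Subnet '$SubnetName' was not found in virtual network '$VNetName'."
    }
    $delegation = $subnet.Delegations | Where-Object { $_.ServiceName -eq $hsmService }
    if (-not $delegation) {
        throw "Subnet '$SubnetName' is not delegated to $hsmService."
    }

    # All checks passed: return the subnet resource Id.
    return $subnet.Id
}

# Stops with a descriptive error if any prerequisite is not met.
$subnetId = Get-PaymentHsmSubnetId
```

The resulting $subnetId value can be passed to the -SubnetId parameter in the next step in place of a hand-copied Id.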
Create a payment HSM
To create a payment HSM, use the New-AzDedicatedHsm cmdlet and the subnet ID from the previous step:
New-AzDedicatedHsm -Name "myPaymentHSM" -ResourceGroupName "myResourceGroup" -Location "East US" -Sku "payShield10K_LMK1_CPS60" -StampId "stamp1" -SubnetId "<subnet-id>"
The output of payment HSM creation looks like this:
Name  Provisioning State SKU                     Location
----  ------------------ ---                     --------
myHSM Succeeded          payShield10K_LMK1_CPS60 East US
Get a payment HSM
To see your payment HSM and its properties, use the Azure PowerShell Get-AzDedicatedHsm cmdlet.
Get-AzDedicatedHsm -Name "myPaymentHSM" -ResourceGroupName "myResourceGroup"
To list all of your payment HSMs, use the Get-AzDedicatedHsm cmdlet with no parameters.
To get more information on your payment HSM, you can use the Get-AzResource cmdlet, specifying the resource group, and "Microsoft.HardwareSecurityModules/dedicatedHSMs" as the resource type:
Get-AzResource -ResourceGroupName "myResourceGroup" -ResourceType "Microsoft.HardwareSecurityModules/dedicatedHSMs"
Remove a payment HSM
To remove your payment HSM, use the Azure PowerShell Remove-AzDedicatedHsm cmdlet. The following example deletes the myPaymentHSM payment HSM from the myResourceGroup resource group:
Remove-AzDedicatedHsm -Name "myPaymentHSM" -ResourceGroupName "myResourceGroup"
Delete the resource group
Other quickstarts and tutorials in this collection build upon this quickstart. If you plan to continue on to work with other quickstarts and tutorials, you may want to leave these resources in place.
When no longer needed, you can use the Azure PowerShell Remove-AzResourceGroup cmdlet to remove the resource group and all related resources.
Remove-AzResourceGroup -Name "myResourceGroup"
Next steps
In this quickstart, you created a payment HSM, viewed and updated its properties, and deleted it. To learn more about Payment HSM and how to integrate it with your applications, continue on to these articles.
- Read an Overview of Payment HSM
- Find out how to get started with Azure Payment HSM
- See some common deployment scenarios
- Learn about Certification and compliance
- Read the frequently asked questions