The azure-native:hardwaresecuritymodules:DedicatedHsm resource, part of the Pulumi Azure Native provider, provisions dedicated HSM appliances in Azure VNets for hardware-backed cryptographic operations. This guide focuses on three capabilities: SafeNet Luna and PayShield HSM deployment, VNet integration with private IP addressing, and management network separation.
HSMs deploy into existing VNets and subnets. The examples reference hardcoded resource IDs that must be replaced with your own infrastructure. The examples are intentionally small. Combine them with your own VNet configuration and client application integration.
Deploy a SafeNet Luna HSM in a VNet subnet
Organizations requiring FIPS 140-2 Level 3 validated cryptographic operations deploy dedicated HSMs into their Azure virtual networks for hardware-backed key storage and cryptographic processing.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
// Placeholder identifiers: replace the all-zero subscription ID, the resource group,
// the VNet and the subnet with references to your own infrastructure.
const hsmSubnetId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/hsm-group/providers/Microsoft.Network/virtualNetworks/stamp01/subnets/stamp01";

// Sample address only: 1.0.0.1 is not RFC 1918 space. Use a free address from the
// target subnet's own range.
const hsmPrivateIp = "1.0.0.1";

// Places the HSM in the VNet: one interface with a fixed private IP in the subnet above.
const hsmNetworkProfile = {
    networkInterfaces: [{ privateIpAddress: hsmPrivateIp }],
    subnet: { resourceId: hsmSubnetId },
};

// SafeNet Luna Network HSM A790, the general-purpose SKU.
const dedicatedHsm = new azure_native.hardwaresecuritymodules.DedicatedHsm("dedicatedHsm", {
    name: "hsm1",
    resourceGroupName: "hsm-group",
    location: "westus",
    stampId: "stamp01",
    sku: {
        name: azure_native.hardwaresecuritymodules.SkuName.SafeNet_Luna_Network_HSM_A790,
    },
    networkProfile: hsmNetworkProfile,
    tags: {
        Dept: "hsm",
        Environment: "dogfood",
    },
});
import pulumi
import pulumi_azure_native as azure_native
# Placeholder identifiers: replace the all-zero subscription ID, the resource group,
# the VNet and the subnet with references to your own infrastructure.
hsm_subnet_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/hsm-group/providers/Microsoft.Network/virtualNetworks/stamp01/subnets/stamp01"

# Sample address only: 1.0.0.1 is not RFC 1918 space. Use a free address from the
# target subnet's own range.
hsm_private_ip = "1.0.0.1"

# SafeNet Luna Network HSM A790, the general-purpose SKU, placed in the subnet above.
dedicated_hsm = azure_native.hardwaresecuritymodules.DedicatedHsm(
    "dedicatedHsm",
    name="hsm1",
    resource_group_name="hsm-group",
    location="westus",
    stamp_id="stamp01",
    sku={
        "name": azure_native.hardwaresecuritymodules.SkuName.SAFE_NET_LUNA_NETWORK_HS_M_A790,
    },
    network_profile={
        "network_interfaces": [{"private_ip_address": hsm_private_ip}],
        "subnet": {"resource_id": hsm_subnet_id},
    },
    tags={
        "Dept": "hsm",
        "Environment": "dogfood",
    },
)
package main
import (
hardwaresecuritymodules "github.com/pulumi/pulumi-azure-native-sdk/hardwaresecuritymodules/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers one SafeNet Luna dedicated HSM with the Pulumi engine.
func main() {
	// Placeholder identifiers: replace the all-zero subscription ID, the resource
	// group, the VNet and the subnet with references to your own infrastructure.
	const subnetID = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/hsm-group/providers/Microsoft.Network/virtualNetworks/stamp01/subnets/stamp01"
	// Sample address only: 1.0.0.1 is not RFC 1918 space. Use a free address from
	// the target subnet's own range.
	const privateIP = "1.0.0.1"

	pulumi.Run(func(ctx *pulumi.Context) error {
		hsmArgs := &hardwaresecuritymodules.DedicatedHsmArgs{
			Name:              pulumi.String("hsm1"),
			ResourceGroupName: pulumi.String("hsm-group"),
			Location:          pulumi.String("westus"),
			StampId:           pulumi.String("stamp01"),
			Sku: &hardwaresecuritymodules.SkuArgs{
				Name: pulumi.String(hardwaresecuritymodules.SkuName_SafeNet_Luna_Network_HSM_A790),
			},
			// Places the HSM in the VNet: one interface with a fixed private IP.
			NetworkProfile: &hardwaresecuritymodules.NetworkProfileArgs{
				NetworkInterfaces: hardwaresecuritymodules.NetworkInterfaceArray{
					&hardwaresecuritymodules.NetworkInterfaceArgs{
						PrivateIpAddress: pulumi.String(privateIP),
					},
				},
				Subnet: &hardwaresecuritymodules.ApiEntityReferenceArgs{
					ResourceId: pulumi.String(subnetID),
				},
			},
			Tags: pulumi.StringMap{
				"Dept":        pulumi.String("hsm"),
				"Environment": pulumi.String("dogfood"),
			},
		}

		// The resource handle is not needed afterwards; only the error is propagated.
		_, err := hardwaresecuritymodules.NewDedicatedHsm(ctx, "dedicatedHsm", hsmArgs)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
    // Placeholder identifiers: replace the all-zero subscription ID, the resource group,
    // the VNet and the subnet with references to your own infrastructure.
    const string subnetId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/hsm-group/providers/Microsoft.Network/virtualNetworks/stamp01/subnets/stamp01";

    // Sample address only: 1.0.0.1 is not RFC 1918 space. Use a free address from the
    // target subnet's own range.
    const string privateIp = "1.0.0.1";

    // Places the HSM in the VNet: one interface with a fixed private IP in the subnet above.
    var networkProfile = new AzureNative.HardwareSecurityModules.Inputs.NetworkProfileArgs
    {
        NetworkInterfaces = new[]
        {
            new AzureNative.HardwareSecurityModules.Inputs.NetworkInterfaceArgs
            {
                PrivateIpAddress = privateIp,
            },
        },
        Subnet = new AzureNative.HardwareSecurityModules.Inputs.ApiEntityReferenceArgs
        {
            ResourceId = subnetId,
        },
    };

    // SafeNet Luna Network HSM A790, the general-purpose SKU.
    var dedicatedHsm = new AzureNative.HardwareSecurityModules.DedicatedHsm("dedicatedHsm", new()
    {
        Name = "hsm1",
        ResourceGroupName = "hsm-group",
        Location = "westus",
        StampId = "stamp01",
        Sku = new AzureNative.HardwareSecurityModules.Inputs.SkuArgs
        {
            Name = AzureNative.HardwareSecurityModules.SkuName.SafeNet_Luna_Network_HSM_A790,
        },
        NetworkProfile = networkProfile,
        Tags =
        {
            { "Dept", "hsm" },
            { "Environment", "dogfood" },
        },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.hardwaresecuritymodules.DedicatedHsm;
import com.pulumi.azurenative.hardwaresecuritymodules.DedicatedHsmArgs;
import com.pulumi.azurenative.hardwaresecuritymodules.inputs.NetworkProfileArgs;
import com.pulumi.azurenative.hardwaresecuritymodules.inputs.ApiEntityReferenceArgs;
import com.pulumi.azurenative.hardwaresecuritymodules.inputs.SkuArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
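/**
 * Pulumi program that declares one SafeNet Luna dedicated HSM inside an existing VNet subnet.
 */
public class App {
    // Placeholder identifiers: replace the all-zero subscription ID, the resource group,
    // the VNet and the subnet with references to your own infrastructure.
    private static final String SUBNET_ID =
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/hsm-group/providers/Microsoft.Network/virtualNetworks/stamp01/subnets/stamp01";

    // Sample address only: 1.0.0.1 is not RFC 1918 space. Use a free address from the
    // target subnet's own range.
    private static final String PRIVATE_IP = "1.0.0.1";

    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Registers the DedicatedHsm resource with the Pulumi engine.
     *
     * @param ctx the Pulumi context handed in by {@code Pulumi.run}; not read here
     */
    public static void stack(Context ctx) {
        var dedicatedHsm = new DedicatedHsm("dedicatedHsm", DedicatedHsmArgs.builder()
            .location("westus")
            .name("hsm1")
            .networkProfile(NetworkProfileArgs.builder()
                // Fully qualified because the listing's import block does not import
                // NetworkInterfaceArgs; the bare name would not compile.
                .networkInterfaces(com.pulumi.azurenative.hardwaresecuritymodules.inputs.NetworkInterfaceArgs.builder()
                    .privateIpAddress(PRIVATE_IP)
                    .build())
                .subnet(ApiEntityReferenceArgs.builder()
                    .resourceId(SUBNET_ID)
                    .build())
                .build())
            .resourceGroupName("hsm-group")
            .sku(SkuArgs.builder()
                .name("SafeNet Luna Network HSM A790")
                .build())
            .stampId("stamp01")
            .tags(Map.ofEntries(
                Map.entry("Dept", "hsm"),
                Map.entry("Environment", "dogfood")
            ))
            .build());
    }
}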
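resources:
  dedicatedHsm:
    type: azure-native:hardwaresecuritymodules:DedicatedHsm
    properties:
      location: westus
      name: hsm1
      networkProfile:
        networkInterfaces:
          # Sample address only: 1.0.0.1 is not RFC 1918 space. Use a free address
          # from the target subnet's own range.
          - privateIpAddress: 1.0.0.1
        subnet:
          # Placeholder: replace the all-zero subscription ID, resource group, VNet
          # and subnet with references to your own infrastructure.
          resourceId: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/hsm-group/providers/Microsoft.Network/virtualNetworks/stamp01/subnets/stamp01
      resourceGroupName: hsm-group
      sku:
        # General-purpose HSM model.
        name: SafeNet Luna Network HSM A790
      stampId: stamp01
      tags:
        Dept: hsm
        Environment: dogfood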
The sku property selects the HSM model; SafeNet Luna Network HSM A790 provides general-purpose cryptographic operations. The networkProfile places the HSM in your VNet by specifying a subnet resource ID and assigning a private IP address. The stampId identifies the Azure datacenter stamp where the physical HSM will be provisioned. You must replace the hardcoded subscription, resource group, VNet, and subnet IDs with your own infrastructure references; the 1.0.0.1 address is likewise a sample value and must be replaced with a free address from your subnet's range.
Deploy a PayShield HSM for payment processing
Payment processing workloads require PCI DSS-compliant HSMs that handle PIN translation, card verification, and key management.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
// Placeholder identifiers: replace the all-zero subscription ID, the resource group,
// the VNet and the subnet with references to your own infrastructure.
const hsmSubnetId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/hsm-group/providers/Microsoft.Network/virtualNetworks/stamp01/subnets/stamp01";

// Sample address only: 1.0.0.1 is not RFC 1918 space. Use a free address from the
// target subnet's own range.
const hsmPrivateIp = "1.0.0.1";

// Places the HSM in the VNet: one interface with a fixed private IP in the subnet above.
const hsmNetworkProfile = {
    networkInterfaces: [{ privateIpAddress: hsmPrivateIp }],
    subnet: { resourceId: hsmSubnetId },
};

// payShield 10K, the payment HSM SKU; only the sku differs from the SafeNet Luna example.
const dedicatedHsm = new azure_native.hardwaresecuritymodules.DedicatedHsm("dedicatedHsm", {
    name: "hsm1",
    resourceGroupName: "hsm-group",
    location: "westus",
    stampId: "stamp01",
    sku: {
        name: azure_native.hardwaresecuritymodules.SkuName.PayShield10K_LMK1_CPS60,
    },
    networkProfile: hsmNetworkProfile,
    tags: {
        Dept: "hsm",
        Environment: "dogfood",
    },
});
import pulumi
import pulumi_azure_native as azure_native
# Placeholder identifiers: replace the all-zero subscription ID, the resource group,
# the VNet and the subnet with references to your own infrastructure.
hsm_subnet_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/hsm-group/providers/Microsoft.Network/virtualNetworks/stamp01/subnets/stamp01"

# Sample address only: 1.0.0.1 is not RFC 1918 space. Use a free address from the
# target subnet's own range.
hsm_private_ip = "1.0.0.1"

# payShield 10K, the payment HSM SKU; only the sku differs from the SafeNet Luna example.
dedicated_hsm = azure_native.hardwaresecuritymodules.DedicatedHsm(
    "dedicatedHsm",
    name="hsm1",
    resource_group_name="hsm-group",
    location="westus",
    stamp_id="stamp01",
    sku={
        "name": azure_native.hardwaresecuritymodules.SkuName.PAY_SHIELD10_K_LMK1_CPS60,
    },
    network_profile={
        "network_interfaces": [{"private_ip_address": hsm_private_ip}],
        "subnet": {"resource_id": hsm_subnet_id},
    },
    tags={
        "Dept": "hsm",
        "Environment": "dogfood",
    },
)
package main
import (
hardwaresecuritymodules "github.com/pulumi/pulumi-azure-native-sdk/hardwaresecuritymodules/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers one payShield dedicated HSM with the Pulumi engine.
func main() {
	// Placeholder identifiers: replace the all-zero subscription ID, the resource
	// group, the VNet and the subnet with references to your own infrastructure.
	const subnetID = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/hsm-group/providers/Microsoft.Network/virtualNetworks/stamp01/subnets/stamp01"
	// Sample address only: 1.0.0.1 is not RFC 1918 space. Use a free address from
	// the target subnet's own range.
	const privateIP = "1.0.0.1"

	pulumi.Run(func(ctx *pulumi.Context) error {
		hsmArgs := &hardwaresecuritymodules.DedicatedHsmArgs{
			Name:              pulumi.String("hsm1"),
			ResourceGroupName: pulumi.String("hsm-group"),
			Location:          pulumi.String("westus"),
			StampId:           pulumi.String("stamp01"),
			// Payment HSM SKU; the rest matches the SafeNet Luna example.
			Sku: &hardwaresecuritymodules.SkuArgs{
				Name: pulumi.String(hardwaresecuritymodules.SkuName_PayShield10K_LMK1_CPS60),
			},
			NetworkProfile: &hardwaresecuritymodules.NetworkProfileArgs{
				NetworkInterfaces: hardwaresecuritymodules.NetworkInterfaceArray{
					&hardwaresecuritymodules.NetworkInterfaceArgs{
						PrivateIpAddress: pulumi.String(privateIP),
					},
				},
				Subnet: &hardwaresecuritymodules.ApiEntityReferenceArgs{
					ResourceId: pulumi.String(subnetID),
				},
			},
			Tags: pulumi.StringMap{
				"Dept":        pulumi.String("hsm"),
				"Environment": pulumi.String("dogfood"),
			},
		}

		// The resource handle is not needed afterwards; only the error is propagated.
		_, err := hardwaresecuritymodules.NewDedicatedHsm(ctx, "dedicatedHsm", hsmArgs)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
    // Placeholder identifiers: replace the all-zero subscription ID, the resource group,
    // the VNet and the subnet with references to your own infrastructure.
    const string subnetId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/hsm-group/providers/Microsoft.Network/virtualNetworks/stamp01/subnets/stamp01";

    // Sample address only: 1.0.0.1 is not RFC 1918 space. Use a free address from the
    // target subnet's own range.
    const string privateIp = "1.0.0.1";

    // Places the HSM in the VNet: one interface with a fixed private IP in the subnet above.
    var networkProfile = new AzureNative.HardwareSecurityModules.Inputs.NetworkProfileArgs
    {
        NetworkInterfaces = new[]
        {
            new AzureNative.HardwareSecurityModules.Inputs.NetworkInterfaceArgs
            {
                PrivateIpAddress = privateIp,
            },
        },
        Subnet = new AzureNative.HardwareSecurityModules.Inputs.ApiEntityReferenceArgs
        {
            ResourceId = subnetId,
        },
    };

    // payShield 10K, the payment HSM SKU; only the Sku differs from the SafeNet Luna example.
    var dedicatedHsm = new AzureNative.HardwareSecurityModules.DedicatedHsm("dedicatedHsm", new()
    {
        Name = "hsm1",
        ResourceGroupName = "hsm-group",
        Location = "westus",
        StampId = "stamp01",
        Sku = new AzureNative.HardwareSecurityModules.Inputs.SkuArgs
        {
            Name = AzureNative.HardwareSecurityModules.SkuName.PayShield10K_LMK1_CPS60,
        },
        NetworkProfile = networkProfile,
        Tags =
        {
            { "Dept", "hsm" },
            { "Environment", "dogfood" },
        },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.hardwaresecuritymodules.DedicatedHsm;
import com.pulumi.azurenative.hardwaresecuritymodules.DedicatedHsmArgs;
import com.pulumi.azurenative.hardwaresecuritymodules.inputs.NetworkProfileArgs;
import com.pulumi.azurenative.hardwaresecuritymodules.inputs.ApiEntityReferenceArgs;
import com.pulumi.azurenative.hardwaresecuritymodules.inputs.SkuArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
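/**
 * Pulumi program that declares one payShield dedicated HSM inside an existing VNet subnet.
 */
public class App {
    // Placeholder identifiers: replace the all-zero subscription ID, the resource group,
    // the VNet and the subnet with references to your own infrastructure.
    private static final String SUBNET_ID =
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/hsm-group/providers/Microsoft.Network/virtualNetworks/stamp01/subnets/stamp01";

    // Sample address only: 1.0.0.1 is not RFC 1918 space. Use a free address from the
    // target subnet's own range.
    private static final String PRIVATE_IP = "1.0.0.1";

    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Registers the DedicatedHsm resource with the Pulumi engine.
     *
     * @param ctx the Pulumi context handed in by {@code Pulumi.run}; not read here
     */
    public static void stack(Context ctx) {
        var dedicatedHsm = new DedicatedHsm("dedicatedHsm", DedicatedHsmArgs.builder()
            .location("westus")
            .name("hsm1")
            .networkProfile(NetworkProfileArgs.builder()
                // Fully qualified because the listing's import block does not import
                // NetworkInterfaceArgs; the bare name would not compile.
                .networkInterfaces(com.pulumi.azurenative.hardwaresecuritymodules.inputs.NetworkInterfaceArgs.builder()
                    .privateIpAddress(PRIVATE_IP)
                    .build())
                .subnet(ApiEntityReferenceArgs.builder()
                    .resourceId(SUBNET_ID)
                    .build())
                .build())
            .resourceGroupName("hsm-group")
            // Payment HSM SKU; the rest matches the SafeNet Luna example.
            .sku(SkuArgs.builder()
                .name("payShield10K_LMK1_CPS60")
                .build())
            .stampId("stamp01")
            .tags(Map.ofEntries(
                Map.entry("Dept", "hsm"),
                Map.entry("Environment", "dogfood")
            ))
            .build());
    }
}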
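resources:
  dedicatedHsm:
    type: azure-native:hardwaresecuritymodules:DedicatedHsm
    properties:
      location: westus
      name: hsm1
      networkProfile:
        networkInterfaces:
          # Sample address only: 1.0.0.1 is not RFC 1918 space. Use a free address
          # from the target subnet's own range.
          - privateIpAddress: 1.0.0.1
        subnet:
          # Placeholder: replace the all-zero subscription ID, resource group, VNet
          # and subnet with references to your own infrastructure.
          resourceId: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/hsm-group/providers/Microsoft.Network/virtualNetworks/stamp01/subnets/stamp01
      resourceGroupName: hsm-group
      sku:
        # Payment HSM model.
        name: payShield10K_LMK1_CPS60
      stampId: stamp01
      tags:
        Dept: hsm
        Environment: dogfood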
The PayShield10K_LMK1_CPS60 SKU provides specialized payment cryptography functions rather than general-purpose operations. The network configuration follows the same pattern as the SafeNet example, but the HSM firmware and capabilities differ to meet payment industry requirements.
Configure separate management and data plane networks
Production deployments often separate management traffic from cryptographic data plane traffic for security and operational isolation.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
// Placeholder identifiers: replace the all-zero subscription ID, the resource group,
// the VNet and the subnet with references to your own infrastructure.
// Both profiles below use this one subnet, so any subnet-scoped control covers both
// interfaces; give the management profile its own subnet if the rules must differ.
const hsmSubnetId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/hsm-group/providers/Microsoft.Network/virtualNetworks/stamp01/subnets/stamp01";

// Builds a network profile with a single interface at the given private IP.
// The 1.0.0.x addresses passed in are samples (not RFC 1918 space); use free
// addresses from the target subnet's own range.
const profileFor = (privateIpAddress: string) => ({
    networkInterfaces: [{ privateIpAddress }],
    subnet: { resourceId: hsmSubnetId },
});

const dedicatedHsm = new azure_native.hardwaresecuritymodules.DedicatedHsm("dedicatedHsm", {
    name: "hsm1",
    resourceGroupName: "hsm-group",
    location: "westus",
    stampId: "stamp01",
    sku: {
        name: azure_native.hardwaresecuritymodules.SkuName.PayShield10K_LMK1_CPS60,
    },
    // Interface for administrative access.
    managementNetworkProfile: profileFor("1.0.0.2"),
    // Interface for cryptographic (data plane) traffic.
    networkProfile: profileFor("1.0.0.1"),
    tags: {
        Dept: "hsm",
        Environment: "dogfood",
    },
});
import pulumi
import pulumi_azure_native as azure_native
# Placeholder identifiers: replace the all-zero subscription ID, the resource group,
# the VNet and the subnet with references to your own infrastructure.
# Both profiles below use this one subnet, so any subnet-scoped control covers both
# interfaces; give the management profile its own subnet if the rules must differ.
hsm_subnet_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/hsm-group/providers/Microsoft.Network/virtualNetworks/stamp01/subnets/stamp01"


def _profile_for(private_ip):
    """Build a network profile dict with one interface at ``private_ip``.

    The 1.0.0.x addresses passed in are samples (not RFC 1918 space); use free
    addresses from the target subnet's own range.
    """
    return {
        "network_interfaces": [{"private_ip_address": private_ip}],
        "subnet": {"resource_id": hsm_subnet_id},
    }


dedicated_hsm = azure_native.hardwaresecuritymodules.DedicatedHsm(
    "dedicatedHsm",
    name="hsm1",
    resource_group_name="hsm-group",
    location="westus",
    stamp_id="stamp01",
    sku={
        "name": azure_native.hardwaresecuritymodules.SkuName.PAY_SHIELD10_K_LMK1_CPS60,
    },
    # Interface for administrative access.
    management_network_profile=_profile_for("1.0.0.2"),
    # Interface for cryptographic (data plane) traffic.
    network_profile=_profile_for("1.0.0.1"),
    tags={
        "Dept": "hsm",
        "Environment": "dogfood",
    },
)
package main
import (
hardwaresecuritymodules "github.com/pulumi/pulumi-azure-native-sdk/hardwaresecuritymodules/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers one payShield dedicated HSM with separate management and
// data plane network profiles.
func main() {
	// Placeholder identifiers: replace the all-zero subscription ID, the resource
	// group, the VNet and the subnet with references to your own infrastructure.
	// Both profiles use this one subnet, so any subnet-scoped control covers both
	// interfaces; give the management profile its own subnet if the rules must differ.
	const subnetID = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/hsm-group/providers/Microsoft.Network/virtualNetworks/stamp01/subnets/stamp01"

	// profileFor builds a network profile with one interface at the given private IP.
	// The 1.0.0.x addresses passed in are samples (not RFC 1918 space); use free
	// addresses from the target subnet's own range.
	profileFor := func(privateIP string) *hardwaresecuritymodules.NetworkProfileArgs {
		return &hardwaresecuritymodules.NetworkProfileArgs{
			NetworkInterfaces: hardwaresecuritymodules.NetworkInterfaceArray{
				&hardwaresecuritymodules.NetworkInterfaceArgs{
					PrivateIpAddress: pulumi.String(privateIP),
				},
			},
			Subnet: &hardwaresecuritymodules.ApiEntityReferenceArgs{
				ResourceId: pulumi.String(subnetID),
			},
		}
	}

	pulumi.Run(func(ctx *pulumi.Context) error {
		hsmArgs := &hardwaresecuritymodules.DedicatedHsmArgs{
			Name:              pulumi.String("hsm1"),
			ResourceGroupName: pulumi.String("hsm-group"),
			Location:          pulumi.String("westus"),
			StampId:           pulumi.String("stamp01"),
			Sku: &hardwaresecuritymodules.SkuArgs{
				Name: pulumi.String(hardwaresecuritymodules.SkuName_PayShield10K_LMK1_CPS60),
			},
			// Interface for administrative access.
			ManagementNetworkProfile: profileFor("1.0.0.2"),
			// Interface for cryptographic (data plane) traffic.
			NetworkProfile: profileFor("1.0.0.1"),
			Tags: pulumi.StringMap{
				"Dept":        pulumi.String("hsm"),
				"Environment": pulumi.String("dogfood"),
			},
		}

		// The resource handle is not needed afterwards; only the error is propagated.
		_, err := hardwaresecuritymodules.NewDedicatedHsm(ctx, "dedicatedHsm", hsmArgs)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
    // Placeholder identifiers: replace the all-zero subscription ID, the resource group,
    // the VNet and the subnet with references to your own infrastructure.
    // Both profiles use this one subnet, so any subnet-scoped control covers both
    // interfaces; give the management profile its own subnet if the rules must differ.
    const string subnetId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/hsm-group/providers/Microsoft.Network/virtualNetworks/stamp01/subnets/stamp01";

    // Builds a network profile with one interface at the given private IP.
    // The 1.0.0.x addresses passed in are samples (not RFC 1918 space); use free
    // addresses from the target subnet's own range.
    AzureNative.HardwareSecurityModules.Inputs.NetworkProfileArgs ProfileFor(string privateIp) =>
        new AzureNative.HardwareSecurityModules.Inputs.NetworkProfileArgs
        {
            NetworkInterfaces = new[]
            {
                new AzureNative.HardwareSecurityModules.Inputs.NetworkInterfaceArgs
                {
                    PrivateIpAddress = privateIp,
                },
            },
            Subnet = new AzureNative.HardwareSecurityModules.Inputs.ApiEntityReferenceArgs
            {
                ResourceId = subnetId,
            },
        };

    var dedicatedHsm = new AzureNative.HardwareSecurityModules.DedicatedHsm("dedicatedHsm", new()
    {
        Name = "hsm1",
        ResourceGroupName = "hsm-group",
        Location = "westus",
        StampId = "stamp01",
        Sku = new AzureNative.HardwareSecurityModules.Inputs.SkuArgs
        {
            Name = AzureNative.HardwareSecurityModules.SkuName.PayShield10K_LMK1_CPS60,
        },
        // Interface for administrative access.
        ManagementNetworkProfile = ProfileFor("1.0.0.2"),
        // Interface for cryptographic (data plane) traffic.
        NetworkProfile = ProfileFor("1.0.0.1"),
        Tags =
        {
            { "Dept", "hsm" },
            { "Environment", "dogfood" },
        },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.hardwaresecuritymodules.DedicatedHsm;
import com.pulumi.azurenative.hardwaresecuritymodules.DedicatedHsmArgs;
import com.pulumi.azurenative.hardwaresecuritymodules.inputs.NetworkProfileArgs;
import com.pulumi.azurenative.hardwaresecuritymodules.inputs.ApiEntityReferenceArgs;
import com.pulumi.azurenative.hardwaresecuritymodules.inputs.SkuArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
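/**
 * Pulumi program that declares one payShield dedicated HSM with separate management and
 * data plane network profiles.
 */
public class App {
    // Placeholder identifiers: replace the all-zero subscription ID, the resource group,
    // the VNet and the subnet with references to your own infrastructure.
    // Both profiles use this one subnet, so any subnet-scoped control covers both
    // interfaces; give the management profile its own subnet if the rules must differ.
    private static final String SUBNET_ID =
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/hsm-group/providers/Microsoft.Network/virtualNetworks/stamp01/subnets/stamp01";

    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Registers the DedicatedHsm resource with the Pulumi engine.
     *
     * @param ctx the Pulumi context handed in by {@code Pulumi.run}; not read here
     */
    public static void stack(Context ctx) {
        var dedicatedHsm = new DedicatedHsm("dedicatedHsm", DedicatedHsmArgs.builder()
            .location("westus")
            // Interface for administrative access.
            .managementNetworkProfile(profileFor("1.0.0.2"))
            .name("hsm1")
            // Interface for cryptographic (data plane) traffic.
            .networkProfile(profileFor("1.0.0.1"))
            .resourceGroupName("hsm-group")
            .sku(SkuArgs.builder()
                .name("payShield10K_LMK1_CPS60")
                .build())
            .stampId("stamp01")
            .tags(Map.ofEntries(
                Map.entry("Dept", "hsm"),
                Map.entry("Environment", "dogfood")
            ))
            .build());
    }

    /**
     * Builds a network profile with one interface at the given private IP in {@code SUBNET_ID}.
     * The 1.0.0.x addresses passed in are samples (not RFC 1918 space); use free addresses
     * from the target subnet's own range.
     */
    private static NetworkProfileArgs profileFor(String privateIp) {
        return NetworkProfileArgs.builder()
            // Fully qualified because the listing's import block does not import
            // NetworkInterfaceArgs; the bare name would not compile.
            .networkInterfaces(com.pulumi.azurenative.hardwaresecuritymodules.inputs.NetworkInterfaceArgs.builder()
                .privateIpAddress(privateIp)
                .build())
            .subnet(ApiEntityReferenceArgs.builder()
                .resourceId(SUBNET_ID)
                .build())
            .build();
    }
}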
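resources:
  dedicatedHsm:
    type: azure-native:hardwaresecuritymodules:DedicatedHsm
    properties:
      location: westus
      # Interface for administrative access. It uses the same subnet as networkProfile
      # here, so any subnet-scoped control covers both interfaces; use a separate
      # subnet if management and data plane rules must differ.
      managementNetworkProfile:
        networkInterfaces:
          # Sample address only (not RFC 1918 space); use a free address from the
          # target subnet's own range.
          - privateIpAddress: 1.0.0.2
        subnet:
          # Placeholder: replace the all-zero subscription ID, resource group, VNet
          # and subnet with references to your own infrastructure.
          resourceId: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/hsm-group/providers/Microsoft.Network/virtualNetworks/stamp01/subnets/stamp01
      name: hsm1
      # Interface for cryptographic (data plane) traffic.
      networkProfile:
        networkInterfaces:
          # Sample address only (not RFC 1918 space); use a free address from the
          # target subnet's own range.
          - privateIpAddress: 1.0.0.1
        subnet:
          # Placeholder: replace with your own subnet resource ID.
          resourceId: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/hsm-group/providers/Microsoft.Network/virtualNetworks/stamp01/subnets/stamp01
      resourceGroupName: hsm-group
      sku:
        name: payShield10K_LMK1_CPS60
      stampId: stamp01
      tags:
        Dept: hsm
        Environment: dogfood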
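The managementNetworkProfile property creates a dedicated network interface for administrative access, distinct from the networkProfile used for cryptographic operations. Both profiles can reference the same subnet (as shown here) or different subnets depending on your network segmentation requirements. This separation allows you to apply different firewall rules and access controls to management versus data plane traffic. When both profiles share a subnet, as in this example, any control scoped to the subnet covers both interfaces, so place the management interface in its own subnet if the two kinds of traffic need different subnet-level rules.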
Beyond these examples
These snippets focus on specific HSM deployment features: SafeNet Luna and PayShield HSM SKUs, VNet integration with private IP addressing, and management network separation. They’re intentionally minimal rather than full cryptographic infrastructure deployments.
The examples reference pre-existing infrastructure: Azure VNets and subnets, resource groups, and subscriptions. They focus on HSM provisioning rather than creating the surrounding network infrastructure.
To keep things focused, common HSM patterns are omitted, including:
- Availability zone placement (zones property)
- High availability clustering across multiple HSMs
- Client application integration and SDK usage
- Backup and disaster recovery configuration
These omissions are intentional: the goal is to illustrate how each HSM feature is wired, not provide drop-in cryptographic modules. See the DedicatedHsm resource reference for all available configuration options.
Frequently Asked Questions
Configuration & Setup
SafeNet Luna Network HSM A790 for general-purpose HSMs and payShield10K_LMK1_CPS60 for payment HSMs.
networkProfile configures the primary network interfaces for the HSM, while managementNetworkProfile provides separate network interfaces for management access. Payment HSMs can use both profiles for network segregation.
Use stampId when the resource provider doesn’t support availability zones. Use zones to specify availability zones for high availability deployments.
Resource Lifecycle
The location, name, and resourceGroupName properties are immutable and cannot be changed after creation.
API Versions & Compatibility
pulumi package add azure-native hardwaresecuritymodules [ApiVersion]. Available versions include 2021-11-30 and 2025-03-31.