Azure Dedicated HSM
Azure Dedicated HSM provides FIPS 140-2 Level 3-validated hardware security modules for stringent cryptographic key management and encryption.
Category | Data Security & Encryption |
---|---|
Last page update | 16 days ago |
Pricing Details | Minimum of $5 million in annual committed Azure revenue required. |
Target Audience | Organizations requiring stringent cryptographic key management and compliance. |
Azure Dedicated HSM addresses the security and compliance requirements of organizations that need stringent cryptographic key management and encryption. The service provides FIPS 140-2 Level 3-validated hardware security modules (HSMs), specifically the Thales Luna Network HSM 7 (model A790), deployed directly into the customer's virtual network in Azure.
The technical architecture provisions these single-tenant HSM devices within the customer's private IP address space, so Microsoft has no access to the cryptographic functionality. Customers hold full administrative and cryptographic control, including monitoring, configuration, and software/firmware maintenance. Because the HSMs sit in the customer's virtual network, they are reachable from virtual machines or other compute resources in that network or in networks connected to it. For high availability, HSM devices can be provisioned in pairs and across different regions; Azure itself does not fail over between devices, so redundancy is configured by the customer on the client side using the vendor's HA grouping.
Key operational considerations center on the networking around the devices. The HSMs are reachable only over private addressing, so customers must create the virtual network (including a dedicated subnet for the HSMs), connect it to any other networks that need access, and configure VPN connections, either site-to-site or point-to-site, to carry traffic securely between on-premises IT resources and the HSMs in Azure. The customer owns and pays for this networking infrastructure, including virtual networks, VPN gateways, and associated resources, in addition to the HSM itself.
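The networking a deployment needs is easy to get wrong before any device exists: an HSM subnet that is not inside the VNet, a GatewaySubnet that collides with it, or an on-premises range that overlaps the VNet will break routing over the site-to-site VPN. The script below is an added example (not from this page, Microsoft, or Thales) that checks the address plan with pure-shell CIDR arithmetic and then emits the Azure CLI calls for the VNet, the delegated HSM subnet, and a site-to-site VPN. Resource names, CIDRs, the on-premises VPN address, and the shared key are placeholders; the HSM resource itself is provisioned separately through the onboarding process and is not shown. By default it only prints the commands (`DRY_RUN=1`); set `DRY_RUN=0` with a logged-in Azure CLI to execute them.

```shell
#!/usr/bin/env bash
# Added example: preflight the address plan for a Dedicated HSM virtual network,
# then emit the Azure CLI calls that build it. Names, CIDRs, the on-prem public
# IP and the shared key below are placeholders (assumptions), not from the page.
set -eu

RG="${RG:-hsm-rg}"
LOCATION="${LOCATION:-eastus}"
VNET="${VNET:-hsm-vnet}"
VNET_CIDR="${VNET_CIDR:-10.10.0.0/16}"
HSM_SUBNET_CIDR="${HSM_SUBNET_CIDR:-10.10.1.0/24}"       # HSM devices get private IPs here
COMPUTE_SUBNET_CIDR="${COMPUTE_SUBNET_CIDR:-10.10.2.0/24}" # VMs that use the HSM client
GW_SUBNET_CIDR="${GW_SUBNET_CIDR:-10.10.255.0/27}"       # Azure requires the name GatewaySubnet
ONPREM_CIDR="${ONPREM_CIDR:-192.168.0.0/16}"             # on-prem range reached over the S2S VPN
ONPREM_VPN_IP="${ONPREM_VPN_IP:-203.0.113.10}"           # placeholder (RFC 5737 documentation range)
SHARED_KEY="${SHARED_KEY:-replace-me-with-a-long-random-secret}"
DRY_RUN="${DRY_RUN:-1}"                                  # 1 = print commands, 0 = execute them

# --- CIDR arithmetic in plain shell (no ipcalc/python needed) ------------------
ip2int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
cidr_range() {                         # prints "first last" as integers
  ip=${1%/*}; bits=${1#*/}
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  first=$(( $(ip2int "$ip") & mask ))
  echo "$first $(( first | (~mask & 0xFFFFFFFF) ))"
}
cidr_overlap() {                       # exit 0 if the two ranges share any address
  set -- $(cidr_range "$1") $(cidr_range "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}
cidr_within() {                        # exit 0 if $1 lies entirely inside $2
  set -- $(cidr_range "$1") $(cidr_range "$2")
  [ "$1" -ge "$3" ] && [ "$2" -le "$4" ]
}

# preflight VNET HSM_SUBNET GW_SUBNET ONPREM: reject plans that cannot route.
preflight() {
  cidr_within "$2" "$1" || { echo "HSM subnet $2 is not inside VNet $1" >&2; return 1; }
  cidr_within "$3" "$1" || { echo "GatewaySubnet $3 is not inside VNet $1" >&2; return 1; }
  if cidr_overlap "$2" "$3"; then echo "HSM subnet $2 overlaps GatewaySubnet $3" >&2; return 1; fi
  if cidr_overlap "$1" "$4"; then echo "VNet $1 overlaps on-prem range $4; S2S routing would be ambiguous" >&2; return 1; fi
  return 0
}

# --- Azure CLI calls (printed in dry-run mode; run for real with DRY_RUN=0) ----
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

build_network() {
  run az group create -n "$RG" -l "$LOCATION"
  run az network vnet create -g "$RG" -n "$VNET" --address-prefixes "$VNET_CIDR" \
      --subnet-name compute --subnet-prefixes "$COMPUTE_SUBNET_CIDR"
  # The HSM subnet must be delegated to the Dedicated HSM resource provider.
  # Client traffic to the devices is Luna NTLS on TCP 1792; allow it in any NSG.
  run az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n hsm-subnet \
      --address-prefixes "$HSM_SUBNET_CIDR" \
      --delegations Microsoft.HardwareSecurityModules/dedicatedHSMs
  # Site-to-site VPN: gateway subnet, public IP, VPN gateway, on-prem peer, connection.
  run az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n GatewaySubnet \
      --address-prefixes "$GW_SUBNET_CIDR"
  run az network public-ip create -g "$RG" -n hsm-vpngw-ip --sku Standard --allocation-method Static
  run az network vnet-gateway create -g "$RG" -n hsm-vpngw --vnet "$VNET" \
      --public-ip-address hsm-vpngw-ip --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1
  run az network local-gateway create -g "$RG" -n onprem-lgw \
      --gateway-ip-address "$ONPREM_VPN_IP" --local-address-prefixes "$ONPREM_CIDR"
  run az network vpn-connection create -g "$RG" -n hsm-s2s \
      --vnet-gateway1 hsm-vpngw --local-gateway2 onprem-lgw --shared-key "$SHARED_KEY"
}

if preflight "$VNET_CIDR" "$HSM_SUBNET_CIDR" "$GW_SUBNET_CIDR" "$ONPREM_CIDR"; then
  build_network
else
  echo "address plan rejected; no commands emitted" >&2
  exit 1
fi
```

The preflight deliberately runs before any `az` call, because a VPN gateway takes tens of minutes to create and an overlapping on-premises prefix only shows up afterwards as traffic that never reaches the HSM subnet. In dry-run mode the shared key is printed as part of the command line, so keep the placeholder until you run it for real.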
From a technical standpoint, the HSMs expose the standard vendor cryptographic APIs and SDKs: PKCS#11, Java (JCA/JCE), Microsoft CAPI and CNG, and OpenSSL. The service is not integrated with other Azure or Microsoft cloud services, so applications must talk to the HSM directly through those client libraries, and because Microsoft is not involved in managing the devices, customers are responsible for monitoring their health and uptime.
In terms of limitations, the service is available only in a limited set of regions, and customers must meet a monetary requirement (a minimum of $5 million in annual committed Azure revenue) and have an assigned Microsoft Account Manager to qualify for onboarding. The service also does not support functionality modules (FMs) or ExpressRoute connections to on-premises resources.