Quickstart: Create an Azure Dedicated HSM by using the Azure CLI
This article describes how to create and manage an Azure Dedicated HSM by using the az dedicated-hsm Azure CLI extension.
Prerequisites
An Azure subscription. You can create a free account if you don't have one.
If you have more than one Azure subscription, set the subscription to use for billing with the Azure CLI az account set command.
az account set --subscription 00000000-0000-0000-0000-000000000000
Use the Bash environment in Azure Cloud Shell. For more information, see Quickstart for Bash in Azure Cloud Shell.
If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.
When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.
Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.
All requirements met for a dedicated HSM, including registration, approval, and a virtual network and virtual machine to use for provisioning. For more information about dedicated HSM requirements and prerequisites, see Tutorial: Deploying HSMs into an existing virtual network using the Azure CLI.
Create a resource group
An Azure resource group is a logical container for deploying and managing Azure resources as a group. If you don't already have a resource group for the dedicated HSM, create one by using the az group create command. The following example creates a resource group named myRG in the westus Azure region:
az group create --name myRG --location westus
Create a dedicated HSM
To create a dedicated HSM, use the az dedicated-hsm create command. The following example provisions a dedicated HSM named hsm1 in the westus region, myRG resource group, and specified subscription, virtual network, and subnet. The required parameters are name, location, and resource group.
az dedicated-hsm create \
--resource-group myRG \
--name "hsm1" \
--location "westus" \
--network-profile-network-interfaces private-ip-address="1.0.0.1" \
--subnet id="/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/hsm-group/providers/Microsoft.Network/virtualNetworks/MyHSM-vnet/subnets/MyHSM-vnet" \
--stamp-id "stamp1" \
--sku name="SafeNet Luna Network HSM A790" \
--tags resourceType="hsm" Environment="test" \
--zones "AZ1"
The deployment takes approximately 25 to 30 minutes to complete.
Get a dedicated HSM
To get a current dedicated HSM, run the az dedicated-hsm show command. The following example gets the hsm1 dedicated HSM in the myRG resource group.
az dedicated-hsm show --resource-group myRG --name hsm1
Update a dedicated HSM
Use the az dedicated-hsm update command to update a dedicated HSM. The following example updates the hsm1 dedicated HSM in the myRG resource group, and its tags:
az dedicated-hsm update --resource-group myRG --name hsm1 --tags resourceType="hsm" Environment="prod" Slice="A"
List dedicated HSMs
Run the az dedicated-hsm list command to get information about current dedicated HSMs. The following example lists the dedicated HSMs in the myRG resource group:
az dedicated-hsm list --resource-group myRG
Remove a dedicated HSM
To remove a dedicated HSM, use the az dedicated-hsm delete command. The following example deletes the hsm1 dedicated HSM from the myRG resource group:
az dedicated-hsm delete --resource-group myRG --name hsm1
Delete the resource group
If you no longer need the resource group you created for dedicated HSM, you can delete it by running the az group delete command. This command deletes the group and all resources in it, including any that are unrelated to dedicated HSM. The following example deletes the myRG resource group and everything in it:
az group delete --name myRG
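Because az group delete removes everything in the group, a pre-delete check can show what else is in it. The following is an added example, not part of the original article: the function names non_hsm_resources and safe_group_delete and the sample rows are constructed for illustration, and the Dedicated HSM resource type is assumed to be Microsoft.HardwareSecurityModules/dedicatedHSMs.

```shell
#!/usr/bin/env bash
# Added example: refuse to delete a resource group that still holds
# resources unrelated to Dedicated HSM.

# Assumption: ARM resource type string for Dedicated HSM.
HSM_TYPE="Microsoft.HardwareSecurityModules/dedicatedHSMs"

# Reads "name<TAB>type" rows on stdin and prints only the rows whose type
# is NOT a dedicated HSM. The type comparison is case-insensitive.
non_hsm_resources() {
  awk -F '\t' -v hsm="$HSM_TYPE" \
    'NF >= 2 && tolower($2) != tolower(hsm) { print $1 "\t" $2 }'
}

# Hypothetical wrapper around az group delete.
safe_group_delete() {
  local rg="$1" listing others
  # Stop if the listing itself fails, so an az error never looks like
  # "the group is empty".
  listing="$(az resource list --resource-group "$rg" \
               --query "[].[name, type]" --output tsv)" || return 1
  others="$(printf '%s\n' "$listing" | non_hsm_resources)"
  if [ -n "$others" ]; then
    printf 'Not deleting %s; it also contains:\n%s\n' "$rg" "$others" >&2
    return 1
  fi
  az group delete --name "$rg"
}

# Constructed sample of the TSV rows the az resource list call returns.
sample_tsv() {
  printf 'hsm1\tMicrosoft.HardwareSecurityModules/dedicatedHSMs\n'
  printf 'jumpbox-vm\tMicrosoft.Compute/virtualMachines\n'
  printf 'jumpbox-nic\tMicrosoft.Network/networkInterfaces\n'
}
```

Run safe_group_delete myRG in place of az group delete --name myRG; when it refuses, move or remove the listed resources first.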
Next steps
To learn more about Azure Dedicated HSM, see Azure Dedicated HSM.