Merge pull request #219847 from msmbaldwin/phsm-misc

Deployment scenarios and solution design

Author: Court72

articles/payment-hsm/deployment-scenarios.md

@@ -8,10 +8,9 @@ tags: azure-resource-manager
 ms.service: payment-hsm
 ms.workload: security
 ms.topic: article
-ms.date: 01/25/2022
+ms.date: 12/01/2022
 ms.author: mbaldwin
 
-
 ---
 # Deployment scenarios
 
@@ -20,11 +19,12 @@ Microsoft deploys payment hardware security modules (HSM) in stamps within a reg
 Thales doesn't provide PayShield SDK to customers, which supports HA over a cluster (a collection of HSMs initialized with same LMK). However, the customers usage scenario of the Thales PayShield devices is like a Stateless Server. Thus, no synchronization is required between HSMs during application runtime. Customers handle the HA using their custom client. One implementation would be to load balance between healthy HSMs connected to the application. Customers are responsible for implementing high availability by provisioning multiple devices, load balancing them, and using any kind of available backup mechanism to back up keys.
 
 > [!IMPORTANT]
-> - Virtual network peering does not support cross-region communication between payment HSM instances. A payment HSM instance in one region cannot communicate with a payment HSM instance in another region.  
-> - NSGs are not supported for payment HSM subnet.
+> - Ensure your Microsoft Cloud Solution Architect has reviewed your payment HSM deployment architecture design and readiness before production launch.
+> - Review the supported topologies and constraints listed in the [Solution design](solution-design.md).
+> - Network Security Groups and User Defined Routes are not not supported for payment HSM subnets.
+> - Virtual network peering does not support cross-region communication with payment HSM instances. A VM in one region cannot communicate with a payment HSM instance in another region without the use of ExpressRoute or a VPN gateway.
 > - Customers can allocate a maximum of two payment HSMs from each stamp in one region under same subscription.
 > - If customer does not have a High Availability setup in their production environment, the customer will not be able to receive S2 support from Microsoft side.
-> - Please ensure your Microsoft Cloud Solution Architect has reviewed your payment HSM deployment architecture design and readiness before production launch.
 
 ## High availability deployment
 
@@ -41,6 +41,7 @@ This scenario caters to regional-level failure. The usual strategy is to complet
 ## Next steps
 
 - Learn more about [Azure Payment HSM](overview.md)
+- See the Azure Payment HSM [Solution design](solution-design.md)
 - Find out how to [get started with Azure Payment HSM](getting-started.md)
 - Learn how to [Create a payment HSM](create-payment-hsm.md)
 - Read the [frequently asked questions](faq.yml)

articles/payment-hsm/solution-design.md

@@ -0,0 +1,58 @@
+---
+title: Solution design for Azure Payment HSM
+description: Learn about topologies and constraints for Azure Payment HSM
+services: payment-hsm
+author: msmbaldwin
+
+tags: azure-resource-manager
+ms.service: payment-hsm
+ms.workload: security
+ms.topic: article
+ms.date: 12/01/2022
+ms.author: mbaldwin
+
+---
+
+# Azure Payment HSM solution design
+
+This article identifies topologies and constraints for Azure Payment HSM.
+
+## Supported topologies
+
+The following table describes the network topologies supported by each network features configuration of Azure Payment HSM.
+
+|Topology |Basic network features |
+| :------------------- |:---------------:|
+|Connectivity to a payment HSM in a local VNet | Yes |
+|Connectivity to a payment HSM in a peered VNet (Same region) | Yes |
+|Connectivity to a payment HSM in a peered VNet (Cross region or global peering) | No |
+|Connectivity to a payment HSM over ExpressRoute gateway | Yes|
+|ExpressRoute (ER) FastPath | No |
+|Connectivity from on-premises to a payment HSM in a spoke VNet over ExpressRoute gateway and VNet peering with gateway transit | Yes |
+|Connectivity from on-premises to a payment HSM in a spoke VNet over VPN gateway | Yes |
+|Connectivity from on-premises to a payment HSM in a spoke VNet over VPN gateway and VNet peering with gateway transit | Yes |
+|Connectivity over Active/Passive VPN gateways | Yes |
+|Connectivity over Active/Active VPN gateways | No |
+|Connectivity over Active/Active Zone Redundant gateways | No |
+|Connectivity over Virtual WAN (VWAN) | No |
+
+## Constraints
+
+The following table describes what's supported for each network features configuration:
+
+|Features |Basic network features |
+| :------------------- | -------------------: |
+|Delegated subnet per VNet | 1 |
+|[Network Security Groups](../virtual-network/network-security-groups-overview.md) on payment HSMs on Azure-delegated subnets | No |
+|[User-defined routes (UDRs)](../virtual-network/virtual-networks-udr-overview.md#user-defined) on payment HSMs on Azure-delegated subnets | No |
+|Connectivity to [private endpoints](../private-link/private-endpoint-overview.md) | No |
+|Load balancers for payment HSMs on Azure traffic | No |
+|Dual stack (IPv4 and IPv6) virtual network | IPv4 only supported |
+
+## Next steps
+
+- Learn more about [Azure Payment HSM](overview.md)
+- See Azure Payment HSM [Deployment Scenarios](deployment-scenarios.md)
+- Find out how to [get started with Azure Payment HSM](getting-started.md)
+- Learn how to [Create a payment HSM](create-payment-hsm.md)
+- Read the [frequently asked questions](faq.yml)

articles/payment-hsm/toc.yml

@@ -55,6 +55,8 @@
   items:
   - name: High availability & disaster recovery
     href: deployment-scenarios.md
+  - name: Solution design
+    href: solution-design.md
 
 - name: Support
   items: