Merge pull request #232229 from msmbaldwin/phsm-misc

Updating fastpath info

Author: Stacyrch140

articles/payment-hsm/certification-compliance.md

@@ -8,17 +8,37 @@ tags: azure-resource-manager
 ms.service: payment-hsm
 ms.workload: security
 ms.topic: article
-ms.date: 01/25/2022
+ms.date: 03/25/2023
 ms.author: mbaldwin
 ---
 
 # Certification and compliance
 
-The Azure Payment HSM service is PCI PIN, PCI DSS, and PCI 3DS compliant.
+Azure maintains the largest compliance portfolio in the industry. For details, see [Microsoft Azure Compliance Offerings](https://azure.microsoft.com/resources/microsoft-azure-compliance-offerings/), Each offering description provides an up to-date-scope statement and links to useful downloadable resources.
 
-- [Azure - PCI PIN - 2022 Package](https://servicetrust.microsoft.com/ViewPage/MSComplianceGuideV3?command=Download&downloadType=Document&downloadId=52eb9daa-f254-4914-aec6-46d40287a106) – Microsoft Azure PCI PIN Attestation of Compliance (AOC) report for Azure Payment HSM.
-- [Azure - PCI DSS - 2022 Package](https://servicetrust.microsoft.com/ViewPage/MSComplianceGuideV3?command=Download&downloadType=Document&downloadId=b9cc20e0-38db-4953-aa58-9fb5cce26cc2&tab=7027ead0-3d6b-11e9-b9e1-290b1eb4cdeb&docTab=7027ead0-3d6b-11e9-b9e1-290b1eb4cdeb_PCI_DSS) – Contains the official PCI DSS certification reports and shared responsibility matrices. The PCI DSS AOC includes the full list of PCI DSS certified Azure offerings and regions. Customers can use Azure's PCI DSS AOC during their PCI DSS assessment.
-- [Azure - PCI 3DS - 2022 Package](https://servicetrust.microsoft.com/ViewPage/MSComplianceGuideV3?command=Download&downloadType=Document&downloadId=45ade37c-753c-4392-8321-adc49ecad12c&tab=7027ead0-3d6b-11e9-b9e1-290b1eb4cdeb&docTab=7027ead0-3d6b-11e9-b9e1-290b1eb4cdeb_PCI_DSS) – Contains the official PCI 3DS certification report, shared responsibility matrix, and whitepaper. The PCI 3DS AOC includes the full list of PCI 3DS certified Azure offerings and regions. Customers can use Azure’s PCI 3DS AOC during their PCI 3DS assessment.
+Azure payment HSM meets following compliance standards:
+
+- PCI DSS
+- PCI PIN
+- PCI 3DS
+- CSA STAR Certification
+- CSA STAR Attestation
+- ISO 20000-1:2018
+- ISO 22301:2019
+- ISO 27001:2013
+- ISO 27017:2015
+- ISO 27018:2019
+- ISO 27701:2019
+- ISO 9001:2015
+- SOC 1, 2, 3
+- Germany C5
+
+To download latest certification and attestation reports, please go to [Service Trust Portal Home Page (microsoft.com)](https://servicetrust.microsoft.com/ViewPage/HomePageVNext)
+
+For example, the latest PCI certification reports and shared responsibility matrices are:
+- [Azure PCI PIN V3.1](https://servicetrust.microsoft.com/DocumentPage/52eb9daa-f254-4914-aec6-46d40287a106) (2022-09-16)
+- [Azure PCI DSS V4.0](https://servicetrust.microsoft.com/DocumentPage/3be58cb9-de55-426b-9c3d-0ba90dd29572) (2023-03-07)
+- [Azure PCI 3DS V1.0](https://servicetrust.microsoft.com/DocumentPage/a9fe4984-3c73-4abf-bf88-a197c3821690) (2023-03-07)
 
 Thales payShield 10K HSMs are certified to FIPS 140-2 Level 3 and PCI HSM v3.
 

articles/payment-hsm/create-payment-hsm.md

@@ -34,6 +34,9 @@ In this tutorial, you learn how to:
 
 - You must register the "Microsoft.HardwareSecurityModules" and "Microsoft.Network" resource providers, as well as the Azure Payment HSM features. Steps for doing so are at [Register the Azure Payment HSM resource provider and resource provider features](register-payment-hsm-resource-providers.md).
 
+  > [!WARNING]
+  > You must apply the "FastPathEnabled" feature flag to **every** subscription ID, and add the "fastpathenabled" tag to **every** virtual network. For more details, see [Fastpathenabled](fastpathenabled.md).
+
   To quickly ascertain if the resource providers and features are already registered, use the Azure CLI [az provider show](/cli/azure/provider#az-provider-show) command. (You will find the output of this command more readable if you display it in table-format.)
 
   ```azurecli-interactive
@@ -55,6 +58,9 @@ In this tutorial, you learn how to:
 
 - You must register the "Microsoft.HardwareSecurityModules" and "Microsoft.Network" resource providers, as well as the Azure Payment HSM features. Steps for doing so are at [Register the Azure Payment HSM resource provider and resource provider features](register-payment-hsm-resource-providers.md).
 
+  > [!WARNING]
+  > You must apply the "FastPathEnabled" feature flag to **every** subscription ID, and add the "fastpathenabled" tag to **every** virtual network. For more details, see [Fastpathenabled](fastpathenabled.md).
+
   To quickly ascertain if the resource providers and features are already registered, use the Azure PowerShell [Get-AzProviderFeature](/powershell/module/az.resources/get-azproviderfeature) cmdlet:
 
 ```azurepowershell-interactive

articles/payment-hsm/deployment-scenarios.md

@@ -8,7 +8,7 @@ tags: azure-resource-manager
 ms.service: payment-hsm
 ms.workload: security
 ms.topic: article
-ms.date: 12/01/2022
+ms.date: 03/25/2023
 ms.author: mbaldwin
 
 ---

articles/payment-hsm/fastpathenabled.md

@@ -0,0 +1,52 @@
+---
+title: Azure Payment HSM "fastpathenabled" feature flag and tag
+description: The "fastpathenabled" feature flag and tag, as it relates to Azure Payment HSM and affiliated subscriptions and virtual networks
+services: payment-hsm
+author: msmbaldwin
+
+tags: azure-resource-manager
+ms.service: payment-hsm
+ms.workload: security
+ms.topic: article
+ms.date: 03/25/2023
+ms.author: mbaldwin
+
+---
+
+# Fastpathenabled
+
+Azure Payment HSM uses the term "Fastpathenabled" in two related but distinct ways:
+
+- "FastPathEnabled" is an Azure Feature Exposure Control (AFEC) flag. It must be applied to **every** subscription ID that wants to access to Azure Payment HSM.
+- "fastpathenabled" (always lowercased) is a virtual network tag. It must be added to the virtual network hosting the payment HSM's delegated subnet, as well as to **every** peered VNet requiring connectivity to the payment HSM.
+
+Adding the “FastPathEnabled” feature flag and enabling the “fastpathenabled” tag don't cause any downtime.
+
+### Subscriptions
+
+The "FastPathEnabled" feature flag must be added/registered to all subscriptions IDs that need access to Azure Payment HSM.  To apply the "FastPathEnabled" feature flag, see [Register the resource providers and features](register-payment-hsm-resource-providers.md).
+
+> [!IMPORTANT]
+> After registering the "FastPathEnabled" feature flag, you **must** contact the [Azure Payment HSM support team](support-guide.md#microsoft-support) team to have your registration approved. In your message to Microsoft support, include the subscription IDs of **every** subscription that needs access to Azure Payment HSM.
+
+### Virtual networks
+
+The "fastpathenabled" tag must be added to every virtual network connecting to the payment HSM's delegated subnet. In a Hub and Spoke topology, the "fastpathenabled" tag must be added to both the central Hub VNet and the peered Spoke VNet containing the payment HSM.
+
+The "fastpathenabled" tag isn't required on nondirectly peered VNets reaching the Payment HSM's VNet via a Central hub.
+
+> [!WARNING]
+> Adding the "fastpathenabled" tag through the Azure portal is insufficient—it must be done from the commandline. To do so, follow the steps outlined in [How to peer Azure Payment HSM virtual networks](peer-vnets.md?tabs=azure-cli).
+
+### Virtual Network NAT scenario
+
+For a Virtual Network NAT scenario, you must add the "fastpathenabled" tag with a value of `True` when creating the NAT gateway (not after the NAT gateway is created).
+
+## Next steps
+
+- Learn more about [Azure Payment HSM](overview.md)
+- [Register the resource providers and features](register-payment-hsm-resource-providers.md)
+- [How to peer Azure Payment HSM virtual networks](peer-vnets.md?tabs=azure-cli)
+- [Get started with Azure Payment HSM](getting-started.md)
+- [Create a payment HSM](create-payment-hsm.md)
+- Read the [frequently asked questions](faq.yml)

articles/payment-hsm/quickstart-cli.md

@@ -8,7 +8,7 @@ ms.author: mbaldwin
 ms.topic: quickstart
 ms.devlang: azurecli
 ms.custom: devx-track-azurecli
-ms.date: 09/12/2022
+ms.date: 03/25/2023
 ---
 
 # Quickstart: Create an Azure Payment HSM with the Azure CLI
@@ -21,7 +21,10 @@ This article describes how to create, update, and delete an Azure Payment HSM by
 
 - You must register the "Microsoft.HardwareSecurityModules" and "Microsoft.Network" resource providers, as well as the Azure Payment HSM features. Steps for doing so are at [Register the Azure Payment HSM resource provider and resource provider features](register-payment-hsm-resource-providers.md).
 
-  To quickly ascertain if the resource providers and features are already registered, use the Azure CLI [az provider show](/cli/azure/provider#az-provider-show) command. (You will find the output of this command more readable if you display it in table-format.)
+  > [!WARNING]
+  > You must apply the "FastPathEnabled" feature flag to **every** subscription ID, and add the "fastpathenabled" tag to **every** virtual network. For more information, see [Fastpathenabled](fastpathenabled.md).
+
+  To quickly ascertain if the resource providers and features are already registered, use the Azure CLI [az provider show](/cli/azure/provider#az-provider-show) command. (The output of this command is more readable if you display it in table-format.)
 
   ```azurecli-interactive
   az provider show --namespace "Microsoft.HardwareSecurityModules" -o table
@@ -69,7 +72,7 @@ To verify that the VNet and subnet were created correctly, use the Azure CLI [az
 az network vnet show -n "myVNet" -g "myResourceGroup"
 ```
 
-Make note of the value returned as "id", as you will need it for the next step.  The "id" will be in the format:
+Make note of the value returned as `id`, as it is used in the next step.  The `id` is in the format:
 
 ```json
 "id": "/subscriptions/<subscriptionID>/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVNet/subnets/myPHSMSubnet",
@@ -97,7 +100,7 @@ To see your payment HSM and its properties, use the Azure CLI [az dedicated-hsm
 az dedicated-hsm show --resource-group "myResourceGroup" --name "myPaymentHSM"
 ```
 
-To list all of your payment HSMs, use the [az dedicated-hsm list](/cli/azure/dedicated-hsm#az-dedicated-hsm-list) command. (You will find the output of this command more readable if you display it in table-format.)
+To list all of your payment HSMs, use the [az dedicated-hsm list](/cli/azure/dedicated-hsm#az-dedicated-hsm-list) command. (The output of this command is more readable if you display it in table-format.)
 
 ```azurecli-interactive
 az dedicated-hsm list --resource-group "myResourceGroup" -o table
@@ -117,7 +120,7 @@ az dedicated-hsm delete --name "myPaymentHSM" -g "myResourceGroup"
 
 ## Next steps
 
-In this quickstart, you created a payment HSM, viewed and updated its properties, and deleted it. To learn more about Payment HSM and how to integrate it with your applications, continue on to the articles below.
+In this quickstart, you created a payment HSM, viewed and updated its properties, and deleted it. To learn more about Payment HSM and how to integrate it with your applications, continue on to these articles.
 
 - Read an [Overview of Payment HSM](overview.md)
 - Find out how to [get started with Azure Payment HSM](getting-started.md)

articles/payment-hsm/quickstart-powershell.md

@@ -21,6 +21,9 @@ This article describes how you can create an Azure Payment HSM using the [Az.Ded
 
 - You must register the "Microsoft.HardwareSecurityModules" and "Microsoft.Network" resource providers, as well as the Azure Payment HSM features. Steps for doing so are at [Register the Azure Payment HSM resource provider and resource provider features](register-payment-hsm-resource-providers.md).
 
+  > [!WARNING]
+  > You must apply the "FastPathEnabled" feature flag to **every** subscription ID, and add the "fastpathenabled" tag to **every** virtual network. For more information, see [Fastpathenabled](fastpathenabled.md).
+
   To quickly ascertain if the resource providers and features are already registered, use the Azure PowerShell [Get-AzProviderFeature](/powershell/module/az.resources/get-azproviderfeature) cmdlet:
 
 ```azurepowershell-interactive
@@ -90,7 +93,7 @@ To verify that the VNet was created correctly, use the Azure PowerShell [Get-AzV
 Get-AzVirtualNetwork -Name "myVNet" -ResourceGroupName "myResourceGroup"
 ```
 
-Make note of the value returned as "Id", as you will need it for the next step.  The "Id" will be in the format:
+Make note of the value returned as `Id`, as it is used in the next step.  The `Id` is in the format:
 
 ```json
 "Id": "/subscriptions/<subscriptionID>/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVNet/subnets/myPHSMSubnet",
@@ -104,7 +107,7 @@ To create a payment HSM, use the [New-AzDedicatedHsm](/powershell/module/az.dedi
 New-AzDedicatedHsm -Name "myPaymentHSM" -ResourceGroupName "myResourceGroup" -Location "East US" -Sku "payShield10K_LMK1_CPS60" -StampId "stamp1" -SubnetId "<subnet-id>"
 ```
 
-The output of the payment HSM creation will look like this:
+The output of payment HSM creation looks like this:
 
 ```Output
 Name  Provisioning State SKU                     Location
@@ -142,7 +145,7 @@ Remove-AzDedicatedHsm -Name "myPaymentHSM" -ResourceGroupName "myResourceGroup"
 
 ## Next steps
 
-In this quickstart, you created a payment HSM, viewed and updated its properties, and deleted it. To learn more about Payment HSM and how to integrate it with your applications, continue on to the articles below.
+In this quickstart, you created a payment HSM, viewed and updated its properties, and deleted it. To learn more about Payment HSM and how to integrate it with your applications, continue on to these articles.
 
 - Read an [Overview of Payment HSM](overview.md)
 - Find out how to [get started with Azure Payment HSM](getting-started.md)

articles/payment-hsm/quickstart-template.md

@@ -28,6 +28,9 @@ This article describes how to create a payment HSM with the host and management
 
 - You must register the "Microsoft.HardwareSecurityModules" and "Microsoft.Network" resource providers, as well as the Azure Payment HSM features. Steps for doing so are at [Register the Azure Payment HSM resource provider and resource provider features](register-payment-hsm-resource-providers.md).
 
+  > [!WARNING]
+  > You must apply the "FastPathEnabled" feature flag to **every** subscription ID, and add the "fastpathenabled" tag to **every** virtual network. For more details, see [Fastpathenabled](fastpathenabled.md).
+
   To quickly ascertain if the resource providers and features are already registered, use the Azure CLI [az provider show](/cli/azure/provider#az-provider-show) command. (You will find the output of this command more readable if you display it in table-format.)
 
   ```azurecli-interactive

articles/payment-hsm/register-payment-hsm-resource-providers.md

@@ -6,7 +6,7 @@ author: msmbaldwin
 ms.service: payment-hsm
 ms.custom: devx-track-azurecli, devx-track-azurepowershell
 ms.topic: overview
-ms.date: 09/12/2022
+ms.date: 02/25/2023
 ms.author: mbaldwin
 ---
 # Register the Azure Payment HSM resource providers and resource provider features
@@ -25,7 +25,7 @@ az provider register --namespace "Microsoft.HardwareSecurityModules"
 az feature registration create --namespace "Microsoft.HardwareSecurityModules" --name "AzureDedicatedHsm" 
 ```
 
-You must also register the "Microsoft.Network" resource provider and the "FastPathEnabled" feature.
+You must also register the "Microsoft.Network" resource provider and the "FastPathEnabled" Azure Feature Exposure Control (AFEC) flag. For more information on the "FastPathEnabled" feature flag, see [Fathpathenabled](fastpathenabled.md).
 
 ```azurecli-interactive
 az provider register --namespace "Microsoft.Network"
@@ -34,7 +34,7 @@ az feature registration create --namespace "Microsoft.Network" --name "FastPathE
 ```
 
 > [!IMPORTANT]
-> After registering the "FastPathEnabled" feature, you **must** contact the [Azure Payment HSM support team](support-guide.md#microsoft-support) team to have your registration approved.  In your message to Microsoft support, include your subscription ID.
+> After registering the "FastPathEnabled" feature flag, you **must** contact the [Azure Payment HSM support team](support-guide.md#microsoft-support) team to have your registration approved.  In your message to Microsoft support, include your subscription ID.  If multiple subsciptions must connect with the payment HSM, you must include **all** the subscriopts IDs.
 
 You can verify that your registrations are complete with the Azure CLI [az provider show](/cli/azure/provider#az-provider-show) command. (You will find the output of this command more readable if you display it in table-format.)
 
@@ -58,7 +58,7 @@ Register-AzResourceProvider -ProviderNamespace Microsoft.HardwareSecurityModules
 Register-AzProviderFeature -FeatureName "AzureDedicatedHsm" -ProviderNamespace Microsoft.HardwareSecurityModules
 ```
 
-You must also register the "Microsoft.Network" resource provider and the "FastPathEnabled" feature.
+You must also register the "Microsoft.Network" resource provider and the "FastPathEnabled" Azure Feature Exposure Control (AFEC) flag. For more information on the "FastPathEnabled" feature flag, see [Fathpathenabled](fastpathenabled.md).
 
 ```azurepowershell-interactive
 Register-AzResourceProvider -ProviderNamespace Microsoft.Network
@@ -67,7 +67,7 @@ Register-AzProviderFeature -FeatureName "FastPathEnabled" -ProviderNamespace Mic
 ```
 
 > [!IMPORTANT]
-> After registering the "FastPathEnabled" feature, you **must** contact the [Azure Payment HSM support team](support-guide.md#microsoft-support) team to have your registration approved.  In your message to Microsoft support, include your subscription ID.
+> After registering the "FastPathEnabled" feature flag, you **must** contact the [Azure Payment HSM support team](support-guide.md#microsoft-support) team to have your registration approved.  In your message to Microsoft support, include the subscription IDs of **every** subscription you want to connect to the payment HSM.
 
 You can verify that your registrations are complete with the Azure PowerShell [Get-AzProviderFeature](/powershell/module/az.resources/get-azproviderfeature) cmdlet:
 

articles/payment-hsm/toc.yml

@@ -57,6 +57,8 @@
     href: deployment-scenarios.md
   - name: Solution design
     href: solution-design.md
+  - name: Fastpathenabled
+    href: fastpathenabled.md
 
 - name: Support
   items: