Merge pull request #233658 from msmbaldwin/phsm-misc

New PHSM traffic inspection article

Author: JamesJBarnett

articles/payment-hsm/deployment-scenarios.md

@@ -40,8 +40,9 @@ This scenario caters to regional-level failure. The usual strategy is to complet
 
 ## Next steps
 
-- Learn more about [Azure Payment HSM](overview.md)
-- See the Azure Payment HSM [Solution design](solution-design.md)
-- Find out how to [get started with Azure Payment HSM](getting-started.md)
-- Learn how to [Create a payment HSM](create-payment-hsm.md)
-- Read the [frequently asked questions](faq.yml)
+- [What is Azure Payment HSM?](overview.md)
+- [Azure Payment HSM solution design](solution-design.md)
+- [Azure Payment HSM traffic inspection](inspect-traffic.md)
+- [Get started with Azure Payment HSM](getting-started.md)
+- [Create a payment HSM](create-payment-hsm.md)
+- [Frequently asked questions](faq.yml)

articles/payment-hsm/fastpathenabled.md

@@ -2,14 +2,12 @@
 title: Azure Payment HSM "fastpathenabled" feature flag and tag
 description: The "fastpathenabled" feature flag and tag, as it relates to Azure Payment HSM and affiliated subscriptions and virtual networks
 services: payment-hsm
-author: msmbaldwin
-
-tags: azure-resource-manager
+author: cynthiatreger
 ms.service: payment-hsm
 ms.workload: security
 ms.topic: article
 ms.date: 03/25/2023
-ms.author: mbaldwin
+ms.author: ctreger
 
 ---
 

articles/payment-hsm/inspect-traffic.md

@@ -0,0 +1,107 @@
+---
+title: Azure Payment HSM traffic inspection
+description: Guiance on how to bypass the UDR restriction and inspect traffic destined to an Azure Payment HSM.
+services: payment-hsm
+ms.service: payment-hsm
+author: dawlysd
+ms.author: dasantiago
+ms.topic: quickstart
+ms.date: 04/06/2023
+---
+
+# Azure Payment HSM traffic inspection
+
+Azure Payment Hardware Security Module (Payment HSM or PHSM) is a [bare-metal service](overview.md) providing cryptographic key operations for real-time and critical payment transactions in the Azure cloud. For more information, see [What is Azure Payment HSM?](overview.md).
+
+When Payment HSM is deployed, it comes with a host network interface and a management network interface. There are several deployment scenarios:
+
+1. [With host and management ports in same VNet](create-payment-hsm.md?tabs=azure-cli)
+2. [With host and management ports in different VNets](create-different-vnet.md?tabs=azure-cli)
+3. [With host and management port with IP addresses in different VNets](create-different-ip-addresses.md?tabs=azure-cli)
+
+In all of the above scenarios, Payment HSM is a VNet-injected service in a delegated subnet: `hsmSubnet` and `managementHsmSubnet` must be delegated to `Microsoft.HardwareSecurityModules/dedicatedHSMs` service.
+
+> [!IMPORTANT]
+> The `FastPathEnabled` feature must be [registered and approved](register-payment-hsm-resource-providers.md?tabs=azure-cli#register-the-resource-providers-and-features) on all subscriptions that need access to Payment HSM. You must also enable the `fastpathenabled` tag on the VNet hosting the Payment HSM delegated subnet and on every peered VNet requiring [connectivity to the Payment HSM devices](peer-vnets.md?tabs=azure-cli).
+> 
+> For the `fastpathenabled` VNet tag to be valid, the `FastPathEnabled` feature must be enabled on the subscription where that VNet is deployed. Both steps must be completed to enable resources to connect to the Payment HSM devices. For more information, see [FastPathEnabled](fastpathenabled.md).
+
+PHSM isn't compatible with vWAN topologies or cross region VNet peering, as listed in the [topology supported](solution-design.md#supported-topologies). Payment HSM comes with some policy [restrictions](solution-design.md#constraints) on these subnets: **Network Security Groups (NSGs) and User-Defined Routes (UDRs) are currently not supported**.
+
+It's possible to bypass the current UDR restriction and inspect traffic destined to a Payment HSM. This article presents two ways: a firewall with source network address translation (SNAT), and a firewall with reverse proxy.
+
+## Firewall with source network address translation (SNAT)
+
+This design is inspired by the [Dedicated HSM solution architecture](../dedicated-hsm/networking.md#solution-architecture).
+
+The firewall **SNATs the client IP address** before forwarding traffic to the PHSM NIC, guaranteeing that the return traffic will automatically be directed back to the Firewall. Either an Azure Firewall or a third party FW NVA can be used in this design.
+
+:::image type="content" source="./media/firewall-snat-architecture-diagram.png" alt-text="Architecture diagram of the firewall with SNAT" lightbox="./media/firewall-snat-architecture-diagram.png":::
+
+Route tables required:
+- On-premises to PHSM: a Route Table containing a UDR for the Payment HSM VNet range and pointing to the central hub Firewall is applied to the GatewaySubnet.
+- Spoke VNet(s) to PHSM: a Route Table containing the usual default route pointing to the central hub Firewall is applied to the Spoke VNet(s) subnets. 
+
+Results:
+- UDRs not being supported on the PHSM subnet is addressed by the Firewall doing SNAT on the client IP: when forwarding traffic to PHSM, the return traffic will automatically be directed back to the Firewall.
+- Filtering rules that cannot be enforced using NSGs on the PHSM subnet can be configured on the Firewall.
+- Both Spoke traffic and on-premises traffic to the PHSM environment are secured.
+
+## Firewall with reverse proxy
+
+This design is a good option when performing SNAT on a Firewall that has not been approved by network security teams, requiring instead to keep the source and destination IPs unchanged for traffic crossing the Firewall.
+
+This architecture uses a reverse proxy, deployed in a dedicated subnet in the PHSM VNet directly or in a peered VNet. Instead of sending traffic to the PHSM devices, the destination is set to the reverse proxy IP, located in a subnet that does not have the restrictions of the PHSM delegated subnet: both NSGs and UDRs can be configured, and combined with a Firewall in the central hub.
+
+:::image type="content" source="./media/firewall-reverse-proxy-architecture-diagram.png" alt-text="Architecture diagram of the firewall with reverse proxy" lightbox="./media/firewall-reverse-proxy-architecture-diagram.png":::
+
+This solution requires a reverse proxy, such as:
+
+- F5 (Azure Marketplace; VM-based)
+- NGINXaaS (Azure Marketplace; PaaS fully managed)
+- Reverse proxy Server using NGINX (VM-based)
+- Reverse proxy Server using HAProxy (VM-based)
+
+Example of reverse proxy Server using NGINX (VM-based) configuration:
+
+```conf
+# Nginx.conf  
+stream { 
+    server { 
+        listen 1500; 
+        proxy_pass 10.221.8.4:1500; 
+    } 
+
+    upstream phsm { 
+        server 10.221.8.5:443; 
+    } 
+
+    server { 
+        listen 443; 
+        proxy_pass phsm; 
+        proxy_next_upstream on; 
+    } 
+} 
+```
+
+Route tables required:
+- On-premises to PHSM: a Route Table containing a UDR for the Payment HSM VNet range and pointing to the central hub Firewall is applied to the GatewaySubnet.
+- Spoke VNet(s) to PHSM: a Route Table containing the usual default route pointing to the central hub Firewall is applied to the Spoke VNet(s) subnets. 
+
+> [!IMPORTANT]
+> Gateway Route propagation must be disabled on the reverse proxy subnet, so that a 0/0 UDR is enough to force the return traffic via the firewall.
+
+Results:
+- UDRs not being supported on the PHSM subnet can be configured on the reverse proxy subnet.
+- The reverse proxy SNATs the client IP: when forwarding traffic to PHSM, the return traffic will automatically be directed back to the reverse proxy.
+- Filtering rules that cannot be enforced using NSGs on the PHSM subnet can be configured on the Firewall and/or on NSGs applied to the reverse proxy subnet.
+- Both Spoke traffic and on-premises traffic to the PHSM environment are secured.
+
+## Next steps
+
+- [What is Azure Payment HSM?](overview.md)
+- [Azure Payment HSM solution design](solution-design.md)
+- [Azure Payment HSM deployment scenarios](deployment-scenarios.md)
+- [Get started with Azure Payment HSM](getting-started.md)
+- [Create a payment HSM](create-payment-hsm.md)
+- [Frequently asked questions](faq.yml)

articles/payment-hsm/media/firewall-reverse-proxy-architecture-diagram.png

@@ -19,6 +19,10 @@ Azure Payment HSM is a "BareMetal" service delivered using [Thales payShield 10K
 
 Payment HSMs are provisioned and connected directly to users' virtual network, and HSMs are under users' sole administration control. HSMs can be easily provisioned as a pair of devices and configured for high availability. Users of the service utilize [Thales payShield Manager](https://cpl.thalesgroup.com/encryption/hardware-security-modules/payment-hsms/payshield-manager) for secure remote access to the HSMs as part of their Azure-based subscription. Multiple subscription options are available to satisfy a broad range of performance and multiple application requirements that can be upgraded quickly in line with end-user business growth. Azure payment HSM service offers highest performance level 2500 CPS.
 
+Payment HSM devices are a variation of [Dedicated HSM](../dedicated-hsm/index.yml) devices, with more advanced cryptographic modules and features; for example, a payment HSM never decrypts the PIN value in transit.
+
+The Azure Payment HSM solution uses hardware from [Thales](https://cpl.thalesgroup.com/encryption/hardware-security-modules/payment-hsms/payshield-10k) as a vendor. Customers have [full control and exclusive access](overview.md#customer-managed-hsm-in-azure) to the Payment HSM.
+
 > [!IMPORTANT]
 > Azure Payment HSM a highly specialized service. We highly recommend that you review the [Azure Payment HSM pricing page](https://azure.microsoft.com/services/payment-hsm/) and [Getting started with Azure Payment HSM](getting-started.md#support).
 
@@ -114,7 +118,7 @@ Azure Payment HSM supports the following SKUs:
 |---|---|
 | 3DS | 3D Secure |
 | ATM | Automated Teller Machine |
-| EMV | Europay Mastercard Visa |
+| EMV | Euro Mastercard Visa |
 | FIPS | Federal Information Processing Standards |
 | HCE | Host Card Emulation |
 | HSM | Hardware Security Module |

articles/payment-hsm/media/firewall-snat-architecture-diagram.png

@@ -51,8 +51,9 @@ The following table describes what's supported for each network features configu
 
 ## Next steps
 
-- Learn more about [Azure Payment HSM](overview.md)
-- See Azure Payment HSM [Deployment Scenarios](deployment-scenarios.md)
-- Find out how to [get started with Azure Payment HSM](getting-started.md)
-- Learn how to [Create a payment HSM](create-payment-hsm.md)
-- Read the [frequently asked questions](faq.yml)
+- [What is Azure Payment HSM?](overview.md)
+- [Azure Payment HSM deployment scenarios](deployment-scenarios.md)
+- [Azure Payment HSM traffic inspection](inspect-traffic.md)
+- [Get started with Azure Payment HSM](getting-started.md)
+- [Create a payment HSM](create-payment-hsm.md)
+- [Frequently asked questions](faq.yml)

articles/payment-hsm/overview.md

@@ -59,6 +59,8 @@
     href: solution-design.md
   - name: Fastpathenabled
     href: fastpathenabled.md
+  - name: Azure Payment HSM traffic inspection
+    href: inspect-traffic.md
 
 - name: Support
   items: