Tutorial: Deploying HSMs into an existing virtual network using CLI

Azure Dedicated HSM provides a physical device for sole customer use, with complete administrative control and full management responsibility. The use of physical devices creates the need for Microsoft to control device allocation to ensure capacity is managed effectively. As a result, within an Azure subscription, the Dedicated HSM service will not normally be visible for resource provisioning. Any Azure customer requiring access to the Dedicated HSM service must first contact their Microsoft account executive to request registration for the Dedicated HSM service. Only once this process completes successfully will provisioning be possible.

This tutorial shows a typical provisioning process where:

  • A customer has a virtual network already
  • They have a virtual machine
  • They need to add HSM resources into that existing environment.

A typical, high availability, multi-region deployment architecture may look as follows:


This tutorial focuses on a pair of HSMs and the required ExpressRoute Gateway (see Subnet 1 above) being integrated into an existing virtual network (see VNET 1 above). All other resources are standard Azure resources. The same integration process can be used for HSMs in subnet 4 on VNET 3 above.


Azure Dedicated HSM is not currently available in the Azure portal. All interaction with the service will be via the command line or using PowerShell. This tutorial will use the command-line (CLI) interface in the Azure Cloud Shell. If you are new to the Azure CLI, follow the getting started instructions here: Azure CLI 2.0 Get Started.


  • You completed the Azure Dedicated HSM registration process
  • You have been approved for use of the service. If not, contact your Microsoft account representative for details.
  • You created a Resource Group for these resources and the new ones deployed in this tutorial will join that group.
  • You already created the necessary virtual network, subnet, and virtual machines as per the diagram above and now want to integrate 2 HSMs into that deployment.

All instructions below assume that you have already navigated to the Azure portal and you have opened the Cloud Shell (select ">_" towards the top right of the portal).

Provisioning a Dedicated HSM

Provisioning HSMs and integrating them into an existing virtual network via ExpressRoute Gateway will be validated using ssh. This validation helps ensure reachability and basic availability of the HSM device for any further configuration activities. The following commands will use an Azure Resource Manager template to create the HSM resources and associated networking resources.

Validating Feature Registration

As mentioned above, any provisioning activity requires that the Dedicated HSM service is registered for your subscription. To validate that, run the following commands in the Azure portal cloud shell.

az feature show \
   --namespace Microsoft.HardwareSecurityModules \
   --name AzureDedicatedHSM

The following command verifies the networking features required for the Dedicated HSM service.

az feature show \
   --namespace Microsoft.Network \
   --name AllowBaremetalServers

Both commands should return a status of "Registered" (as shown below). If the commands don't return "Registered", you need to register for this service; contact your Microsoft account representative.


Creating HSM resources

An HSM is provisioned into a customer's virtual network, so a virtual network and subnet are required. A dependency for the HSM to enable communication between the virtual network and the physical device is an ExpressRoute Gateway, and finally a virtual machine is required to access the HSM device using the Gemalto client software. These resources have been collected into a template file, with a corresponding parameter file, for ease of use. The files are available by contacting Microsoft directly at HSMrequest@Microsoft.com.

Once you have the files, you must edit the parameter file to insert your preferred names for resources. Edit the lines with "value": "".

  • namingInfix: Prefix for names of HSM resources
  • ExistingVirtualNetworkName: Name of the virtual network used for the HSMs
  • DedicatedHsmResourceName1: Name of HSM resource in datacenter stamp 1
  • DedicatedHsmResourceName2: Name of HSM resource in datacenter stamp 2
  • hsmSubnetRange: Subnet IP Address range for HSMs
  • ERSubnetRange: Subnet IP Address range for VNET gateway

An example of these changes is as follows:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
  "contentVersion": "",
  "parameters": {
    "namingInfix": {
      "value": "MyHSM"
    },
    "ExistingVirtualNetworkName": {
      "value": "MyHSM-vnet"
    },
    "DedicatedHsmResourceName1": {
      "value": "HSM1"
    },
    "DedicatedHsmResourceName2": {
      "value": "HSM2"
    },
    "hsmSubnetRange": {
      "value": ""
    },
    "ERSubnetRange": {
      "value": ""
    }
  }
}
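Because the deployment takes a long time and fails late on a bad parameter, it is worth checking the edited parameter file first. The following is an added example, not part of the Microsoft template or tooling: it checks that all six parameters are filled in and that the two subnet ranges are valid, non-overlapping CIDR blocks. The function names, the optional `vnet_cidr` argument and the sample address ranges are assumptions made for this example.

```python
import ipaddress
import json

# The six parameters the tutorial says to fill in; the last two are CIDR ranges.
REQUIRED = ("namingInfix", "ExistingVirtualNetworkName",
            "DedicatedHsmResourceName1", "DedicatedHsmResourceName2",
            "hsmSubnetRange", "ERSubnetRange")
RANGES = REQUIRED[4:]


def check_params(text, vnet_cidr=None):
    """Return a list of problems in a parameter file; an empty list means OK.

    vnet_cidr (optional, an assumption of this example) is the address space
    of the existing virtual network; both subnets must fit inside it.
    """
    params = json.loads(text).get("parameters", {})
    problems, nets = [], {}
    for name in REQUIRED:
        value = params.get(name, {}).get("value", "")
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{name}: value is missing or empty")
        elif name in RANGES:
            try:
                # strict=True rejects ranges with host bits set, e.g. 10.20.1.5/24
                nets[name] = ipaddress.ip_network(value.strip(), strict=True)
            except ValueError as exc:
                problems.append(f"{name}: not a valid CIDR range ({exc})")
    if len(nets) == 2 and nets[RANGES[0]].overlaps(nets[RANGES[1]]):
        problems.append("hsmSubnetRange and ERSubnetRange overlap")
    if vnet_cidr:
        vnet = ipaddress.ip_network(vnet_cidr)
        for name, net in nets.items():
            if net.version != vnet.version or not net.subnet_of(vnet):
                problems.append(f"{name}: {net} is outside VNet {vnet}")
    return problems


def sample(hsm_range, er_range):
    """Constructed parameter file in the tutorial's shape (sample values only)."""
    values = ("MyHSM", "MyHSM-vnet", "HSM1", "HSM2", hsm_range, er_range)
    return json.dumps({"parameters": {
        name: {"value": value} for name, value in zip(REQUIRED, values)}})


if __name__ == "__main__":
    for ranges in (("", ""), ("10.20.1.0/24", "10.20.1.128/26"),
                   ("10.20.1.0/24", "10.20.255.0/26")):
        print(ranges, "->", check_params(sample(*ranges), "10.20.0.0/16") or "OK")
```
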

The associated Azure Resource Manager template file will create 6 resources with this information:

  • A subnet for the HSMs in the specified VNET
  • A subnet for the virtual network gateway
  • A virtual network gateway that connects the VNET to the HSM devices
  • A public IP address for the gateway
  • An HSM in stamp 1
  • An HSM in stamp 2

Once parameter values are set, the files need to be uploaded to the Azure portal cloud shell file share for use. In the Azure portal, click the ">_" cloud shell symbol at the top right; this makes the bottom portion of the screen a command environment. The options for this are BASH and PowerShell, and you should select BASH if it is not already set.

The command shell has an upload/download option on the toolbar, and you should select this to upload the template and parameter files to your file share:


Once the files are uploaded, you are ready to create resources. Prior to creating new HSM resources, there are some prerequisite resources you should ensure are in place. You must have a virtual network with subnet ranges for compute, HSMs, and gateway. The following commands serve as an example of what would create such a virtual network.

# <...> values are placeholders: substitute your own subnet address ranges.
az network vnet create \
  --name myHSM-vnet \
  --resource-group myRG \
  --subnet-name compute
az network vnet subnet create \
  --vnet-name myHSM-vnet \
  --resource-group myRG \
  --name hsmsubnet \
  --address-prefixes <hsm-subnet-range> \
  --delegations Microsoft.HardwareSecurityModules/dedicatedHSMs
az network vnet subnet create \
  --vnet-name myHSM-vnet \
  --resource-group myRG \
  --name GatewaySubnet \
  --address-prefixes <gateway-subnet-range>


The most important configuration to note for the virtual network is that the subnet for the HSM device must have delegations set to "Microsoft.HardwareSecurityModules/dedicatedHSMs". The HSM provisioning will not work without this option being set.
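The two feature registrations and the subnet delegation are all hard requirements, so they can be checked together before the deployment is started. The following is an added example, not part of the Microsoft tooling: it reads the JSON printed by `az feature show` and `az network vnet subnet show` and lists anything that would block provisioning. The function names and the sample outputs are constructed for this example.

```python
import json

# Feature names and the delegation value are the ones this tutorial uses.
FEATURES = ("Microsoft.HardwareSecurityModules/AzureDedicatedHSM",
            "Microsoft.Network/AllowBaremetalServers")
HSM_DELEGATION = "Microsoft.HardwareSecurityModules/dedicatedHSMs"


def preflight(feature_outputs, hsm_subnet_output):
    """Return reasons not to start the deployment; an empty list means go.

    feature_outputs: JSON texts captured from `az feature show`.
    hsm_subnet_output: JSON text from `az network vnet subnet show`.
    """
    problems, states = [], {}
    for text in feature_outputs:
        doc = json.loads(text)
        states[doc.get("name", "")] = doc.get("properties", {}).get("state")
    for feature_name in FEATURES:
        # A missing output is reported as state None.
        if states.get(feature_name) != "Registered":
            problems.append(f"{feature_name}: state is {states.get(feature_name)!r}")
    hsm_subnet = json.loads(hsm_subnet_output)
    # "delegations" may be absent, null or empty on an undelegated subnet.
    services = [d.get("serviceName", "") for d in hsm_subnet.get("delegations") or []]
    if HSM_DELEGATION.lower() not in (s.lower() for s in services):
        problems.append(
            f"subnet {hsm_subnet.get('name')!r} is not delegated to {HSM_DELEGATION}")
    return problems


def feature(name, state):
    """Constructed `az feature show` output, trimmed to the fields read here."""
    return json.dumps({"name": name, "properties": {"state": state}})


def subnet(name, services):
    """Constructed `az network vnet subnet show` output, trimmed likewise."""
    return json.dumps({"name": name,
                       "delegations": [{"serviceName": s} for s in services]})


if __name__ == "__main__":
    bad = preflight([feature(FEATURES[0], "Registered"),
                     feature(FEATURES[1], "Pending")], subnet("hsmsubnet", []))
    print("\n".join(bad))
```
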

Once all prerequisites are in place, run the following command to use the Azure Resource Manager template, ensuring you have updated values with your unique names (at least the resource group name):

az group deployment create \
   --resource-group myRG  \
   --template-file ./Deploy-2HSM-toVNET-Template.json \
   --parameters ./Deploy-2HSM-toVNET-Params.json \
   --name HSMdeploy

This deployment should take approximately 25 to 30 minutes to complete, with the bulk of that time being the HSM devices.


When the deployment completes successfully, "provisioningState": "Succeeded" will be displayed. You can connect to your existing virtual machine and use SSH to ensure availability of the HSM device.

Verifying the Deployment

To verify the devices have been provisioned and see device attributes, run the following command set. Ensure the resource group is set appropriately and the resource name is exactly as you have in the parameter file.

subid=$(az account show --query id --output tsv)
az resource show \
   --ids /subscriptions/$subid/resourceGroups/myRG/providers/Microsoft.HardwareSecurityModules/dedicatedHSMs/HSM1
az resource show \
   --ids /subscriptions/$subid/resourceGroups/myRG/providers/Microsoft.HardwareSecurityModules/dedicatedHSMs/HSM2


You will also now be able to see the resources using the Azure resource explorer. Once in the explorer, expand "subscriptions" on the left, expand your specific subscription for Dedicated HSM, expand "resource groups", expand the resource group you used, and finally select the "resources" item.

Testing the Deployment

Testing the deployment is a case of connecting to a virtual machine that can access the HSM(s) and then connecting directly to the HSM device. These actions will confirm the HSM is reachable. The ssh tool is used to connect to the virtual machine. The command will be similar to the following but with the administrator name and DNS name you specified in the parameters.

ssh adminuser@hsmlinuxvm.westus.cloudapp.azure.com

The IP address of the VM could also be used in place of the DNS name in the above command. If the command is successful, it will prompt for a password and you should enter that. Once logged on to the virtual machine, you can sign in to the HSM using the private IP address found in the portal for the network interface resource associated with the HSM.



Notice the "Show hidden types" checkbox, which when selected will display HSM resources.

In the screenshot above, clicking the "HSM1_HSMnic" or "HSM2_HSMnic" would show the appropriate private IP address. Otherwise, the az resource show command used above is a way to identify the right IP address.

When you have the correct IP address, run the following command, substituting that address:

ssh tenantadmin@

If successful, you will be prompted for a password. The default password is PASSWORD, and the HSM will first ask you to change your password. Set a strong password and use whatever mechanism your organization prefers to store the password and prevent loss.


If you lose this password, the HSM will have to be reset and that means losing your keys.

When you are connected to the HSM using ssh, run the following command to ensure the HSM is operational.

hsm show

The output should look as shown in the image below:


At this point, you have allocated all resources for a highly available, two HSM deployment and validated access and operational state. Any further configuration or testing involves more work with the HSM device itself. For this, you should follow the instructions in the Gemalto Luna Network HSM 7 Administration Guide chapter 7 to initialize the HSM and create partitions. All documentation and software are available directly from Gemalto for download once you are registered in the Gemalto Customer Support Portal and have a Customer ID. Download Client Software version 7.2 to get all required components.

Delete or clean up resources

If you have finished with just the HSM device, then it can be deleted as a resource and returned to the free pool. The obvious concern when doing this is any sensitive customer data that is on the device. To remove sensitive customer data, the device should be factory reset using the Gemalto client. Refer to the Gemalto administrators guide for the SafeNet Network Luna 7 device and consider the following commands in order.

  1. hsm factoryReset -f
  2. sysconf config factoryReset -f -service all
  3. network interface delete -device eth0
  4. network interface delete -device eth1
  5. network interface delete -device eth2
  6. network interface delete -device eth3
  7. my file clear -f
  8. my public-key clear -f
  9. syslog rotate


If you have an issue with any Gemalto device configuration, you should contact Gemalto customer support.

If you have finished with resources in this resource group, then you can remove them all with the following command:

az group deployment delete \
   --resource-group myRG \
   --name HSMdeploy

Next steps

After completing the steps in the tutorial, Dedicated HSM resources are provisioned and you have a virtual network with the necessary HSMs and further network components to enable communication with the HSM. You are now in a position to complement this deployment with more resources as required by your preferred deployment architecture. For more information on helping plan your deployment, see the Concepts documents. A design with two HSMs in a primary region addressing availability at the rack level, and two HSMs in a secondary region addressing regional availability, is recommended. The template file used in this tutorial can easily be used as a basis for a two HSM deployment but needs to have its parameters modified to meet your requirements.