CloudHSM operates in cluster mode and requires dual-zone deployment. When you purchase HSM instances, you configure the cluster settings at the same time — the cluster is created automatically after the purchase completes.
Prerequisites
Before you begin, ensure that you have:
A virtual private cloud (VPC) with at least one vSwitch configured. See Create a VPC with an IPv4 CIDR block.
A dedicated Elastic Compute Service (ECS) instance in the VPC on which to install the HSM management tool. Do not use a production (business) server for this role. HSM instances can be accessed only from ECS instances within the same VPC. Operating system requirements differ by region:
Chinese mainland: the ECS instance must run Windows.
Outside the Chinese mainland: the ECS instance must run Linux.
Purchase GVSM (SM) or GVSM (NIST FIPS) instances
Log on to the HSM Management Console. In the top navigation bar, select the destination region.
On the VSMs page, click Create HSM.
On the CloudHSM purchase page, configure the following parameters, then click Buy Now and complete the payment.
Required parameters
Region: The region where the HSM instance is deployed. The HSM instance must be in the same region as your ECS instance and VPC. For available regions, see Supported regions and zones.
Device model: The hardware model of the HSM instance. Models differ in performance. For details, see Performance of virtual HSM instances.
Deployment mode: Dual-zone deployment requires at least two HSMs in different zones for cross-zone disaster recovery. Only zones within the same region can communicate over the network. The CloudHSM and ECS instances can be in different zones.
Cluster name: 1 to 24 characters. The first character must be an English letter, Chinese character, or digit. The name can also contain underscores (_) and hyphens (-).
VPC ID: The VPC that the HSM instance belongs to.
vSwitch: Select 2 to 4 vSwitches, each in a different zone.
Network type: VPC only.
Quantity: The number of HSM instances to purchase. Default: 2.
Duration: The subscription period. To avoid service interruptions from expiration, select Auto-renewal Recommended. Auto-renewal is monthly: Alibaba Cloud deducts the fee 9 calendar days before expiration at the current market price. You can disable auto-renewal at any time.
Configurable parameters
Add to whitelist (recommended: Yes)
Yes: Adds the VPC CIDR block to the cluster whitelist, so every IP address in the VPC can access the HSM cluster. To restrict access to specific IP addresses, modify the whitelist after the cluster is created. See Use an HSM instance cluster.
No: No whitelist is applied, so all IP addresses can access the HSM cluster.
Automatic certificate generation (recommended: Yes)
Yes: Certificates are generated automatically and can be viewed on the Instance Details page.
No: Generate and configure certificates manually. See (Optional) Step 2: Generate certificates and configure mutual TLS and Step 3: Import cluster certificates.
Data backup and restoration (no recommendation)
Supports HSM backup and restoration. Backup images are retained for 90 days after the HSM is released, then deleted automatically. Cross-region image replication is available for enhanced disaster recovery.
Image quota (no recommendation)
The maximum number of backup images per HSM instance. Images are created automatically at 00:00 (UTC+8) daily after the HSM is initialized. When the quota is reached, the oldest image is deleted automatically.
After the purchase completes, view the HSM instance on the VSMs page. The HSM cluster is ready in approximately 5 minutes.
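The purchase page rejects some of these mistakes only after you have filled everything in, and the whitelist choice is easy to get wrong. The following preflight script is an added example, not Alibaba Cloud code: it encodes the constraints stated above (cluster-name rule, 2 to 4 vSwitches in distinct zones, vSwitch CIDRs inside the VPC, ECS host in the same region and VPC, at least two HSMs, whitelist enabled) and computes the tightened whitelist you would apply after creation, restricting access to the management ECS host instead of the whole VPC CIDR. All field names, IDs, zone IDs and CIDRs are hypothetical, and the regex reads "Chinese character" as the CJK Unified Ideographs block, which is an assumption.

```python
"""Preflight check for CloudHSM cluster purchase parameters (added example).

Not Alibaba Cloud code. Field names, IDs, zones and CIDRs are hypothetical.
"""
import ipaddress
import re
from dataclasses import dataclass

# Naming rule from the purchase page: 1-24 characters, first character an
# English letter, Chinese character or digit; underscores and hyphens allowed
# afterwards. Assumption: "Chinese character" = CJK Unified Ideographs block.
CLUSTER_NAME_RE = re.compile(
    r"^[A-Za-z0-9\u4e00-\u9fff][A-Za-z0-9\u4e00-\u9fff_-]{0,23}$"
)


@dataclass
class VSwitch:
    vswitch_id: str
    zone_id: str
    cidr: str


@dataclass
class PurchasePlan:
    """What you are about to enter on the purchase page (hypothetical fields)."""
    region_id: str
    cluster_name: str
    vpc_id: str
    vpc_cidr: str
    vswitches: list
    quantity: int = 2
    add_to_whitelist: bool = True
    # The ECS host that will run the HSM management tool.
    ecs_region_id: str = ""
    ecs_vpc_id: str = ""
    ecs_private_ip: str = ""


def validate_plan(plan: PurchasePlan) -> list:
    """Return the list of violated constraints; empty means the plan is consistent."""
    problems = []
    if not CLUSTER_NAME_RE.match(plan.cluster_name):
        problems.append(f"cluster name {plan.cluster_name!r} violates the naming rule")
    if not 2 <= len(plan.vswitches) <= 4:
        problems.append(f"{len(plan.vswitches)} vSwitches selected; need 2 to 4")
    zones = [v.zone_id for v in plan.vswitches]
    if len(set(zones)) != len(zones):
        problems.append(f"vSwitches must be in different zones, got {zones}")
    vpc = ipaddress.ip_network(plan.vpc_cidr)
    for v in plan.vswitches:
        if not ipaddress.ip_network(v.cidr).subnet_of(vpc):
            problems.append(f"{v.vswitch_id} CIDR {v.cidr} is outside VPC {plan.vpc_cidr}")
    if plan.quantity < 2:
        problems.append("dual-zone deployment needs at least two HSM instances")
    if plan.ecs_region_id != plan.region_id:
        problems.append("ECS management instance is not in the HSM region")
    if plan.ecs_vpc_id != plan.vpc_id:
        problems.append("ECS management instance is not in the HSM VPC and cannot reach the cluster")
    if ipaddress.ip_address(plan.ecs_private_ip) not in vpc:
        problems.append(f"ECS private IP {plan.ecs_private_ip} is not in VPC {plan.vpc_cidr}")
    if not plan.add_to_whitelist:
        problems.append("Add to whitelist = No leaves the cluster open to all IP addresses; select Yes")
    return problems


def tightened_whitelist(vpc_cidr: str, hosts) -> list:
    """Whitelist to apply after the cluster is created: the given hosts as /32
    entries instead of the whole VPC CIDR. Hosts outside the VPC are rejected,
    because only same-VPC ECS instances can reach the cluster anyway."""
    vpc = ipaddress.ip_network(vpc_cidr)
    entries = set()
    for h in hosts:
        addr = ipaddress.ip_address(h)
        if addr not in vpc:
            raise ValueError(f"{h} is not inside VPC CIDR {vpc_cidr}")
        entries.add(f"{addr}/32")
    return sorted(entries)


def example_plan() -> PurchasePlan:
    """Constructed sample input; every identifier and address is made up."""
    return PurchasePlan(
        region_id="cn-hangzhou",
        cluster_name="hsm-prod-01",
        vpc_id="vpc-example",
        vpc_cidr="10.0.0.0/16",
        vswitches=[
            VSwitch("vsw-a", "cn-hangzhou-h", "10.0.1.0/24"),
            VSwitch("vsw-b", "cn-hangzhou-i", "10.0.2.0/24"),
        ],
        ecs_region_id="cn-hangzhou",
        ecs_vpc_id="vpc-example",
        ecs_private_ip="10.0.1.10",
    )


if __name__ == "__main__":
    plan = example_plan()
    for p in validate_plan(plan):
        print("PROBLEM:", p)
    print("whitelist after creation:", tightened_whitelist(plan.vpc_cidr, [plan.ecs_private_ip]))
```

Run it with the values you intend to enter before clicking Buy Now; an empty problem list means the parameters are mutually consistent with the constraints on this page, and the printed /32 list is what to put in the cluster whitelist once the cluster exists (see Use an HSM instance cluster).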
(Optional) Obtain the UKEY for the HSM — Chinese mainland only.
Note: HSM instances outside the Chinese mainland do not require UKEY configuration.
UKEY behavior depends on whether you register a UKEY administrator:
KMS hardware key management users (do not register a UKEY administrator): CloudHSM rotates the certificate automatically before it expires. No manual action is required. Registering a UKEY administrator prevents automatic rotation and disrupts hardware-protected key usage.
Other users, UKEY administrator registered: Automatic certificate rotation is not supported. Before the certificate expires, generate a new certificate and update it on both the client SDK and the server-side HSM.
Other users, no UKEY administrator registered: CloudHSM generates a new certificate automatically before expiration. Download and update the client certificate from the console; CloudHSM uploads the server certificate to the HSM automatically.
What's next
To purchase and configure an HSM cluster associated with a KMS hardware key management instance, see Configure an HSM cluster for a KMS hardware key management instance.