Merge pull request #184994 from zxue/master

Update export to storage accounts behind firewalls docs

Author: ShannonLeavitt

articles/healthcare-apis/azure-api-for-fhir/media/move/move-review.png

@@ -0,0 +1,58 @@
+---
+title: Move FHIR service to another subscription or resource group
+description: This article describes how to move Azure an API for FHIR service instance  
+author: zxue
+ms.service: healthcare-apis
+ms.subservice: fhir
+ms.topic: conceptual
+ms.date: 01/14/2022
+ms.author: zxue
+---
+
+# Move FHIR service to another subscription or resource group
+
+In this article, you'll learn how to move an Azure API for FHIR service instance to another subscription or another resource group.  
+
+
+Moving to a different region is not supported, though the option may be available from the list. See more information on [Move operation support for resources](../../azure-resource-manager/management/move-support-resources.md).
+
+> [!Note] 
+> Moving an instance of Azure API for FHIR between subscriptions or resource groups is supported, as long as Private Link is NOT enabled and no IoMT connectors are created.
+
+## Move to another subscription
+
+You can move an Azure API for FHIR service instance to another subscription from the portal. However, the runtime and data for the service are not moved. On average the **move** operation takes approximately 15 minutes or so, and the actual time may vary.
+
+The **move** operation takes a few simple steps.
+
+1. Select a FHIR service instance 
+
+Select the FHIR service from the source subscription and then the target subscription.
+
+  :::image type="content" source="media/move/move-source-target.png" alt-text="Screenshot of Move to another subscription with source and target." lightbox="media/move/move-source-target.png":::
+
+2. Validate the move operation
+
+This step validates whether the selected resource can be moved. It takes a few minutes and returns a status from **Pending validation** to **Succeeded** or **Failed**. If the validation failed, you can view the error details, fix the error, and restart the **move** operation.
+
+  :::image type="content" source="media/move/move-validation.png" alt-text="Screenshot of Move to another subscription with validation." lightbox="media/move/move-validation.png":::
+
+3. Review and confirm the move operation
+ 
+After reviewing the move operation summary, select the confirmation checkbox at the bottom of the screen and press the Move button to complete the operation.
+
+  :::image type="content" source="media/move/move-review.png" alt-text="Screenshot of Move to another subscription with confirmation." lightbox="media/move/move-review.png":::
+
+Optionally, you can check the activity log in the source subscription and target subscription.
+
+## Move to another resource group
+
+The process works similarly to **Move to another subscription**, except the selected FHIR service will be moved to a  different resource group in the same subscription.
+
+## Next steps
+
+In this article, you've learned how to move the FHIR service. For more information about the FHIR service, see
+
+>[!div class="nextstepaction"]
+>[Supported FHIR Features](fhir-features-supported.md)
+

articles/healthcare-apis/azure-api-for-fhir/media/move/move-source-target.png

@@ -152,6 +152,8 @@ items:
     href: get-healthcare-apis-access-token-cli.md
   - name: Troubleshoot failures in Azure IoT Connector for FHIR (preview)
     href: iot-troubleshoot-guide.md
+  - name: Move FHIR service
+    href: move-fhir-service.md
 - name: Concepts
   expanded: true
   items:

articles/healthcare-apis/azure-api-for-fhir/media/move/move-validation.png

@@ -5,7 +5,8 @@ author: ranvijaykumar
 ms.service: healthcare-apis
 ms.subservice: fhir
 ms.topic: reference
-ms.date: 12/16/2021
+ms.custom: references_regions
+ms.date: 01/14/2022
 ms.author: cavoeg
 ---
 
@@ -56,9 +57,104 @@ After you've completed this final step, you're ready to export the data using $e
 > [!Note]
 > Only storage accounts in the same subscription as that for FHIR service are allowed to be registered as the destination for $export operations.
 
+## Use Azure storage accounts behind firewalls
+
+FHIR service supports a secure export operation. Choose one of the two options below:
+
+* Allowing FHIR service as a Microsoft Trusted Service to access the Azure storage account.
+
+* Allowing specific IP addresses associated with FHIR service to access the Azure storage account. 
+This option provides two different configurations depending on whether the storage account is in the same location as, or is in a different location from that of the FHIR service.
+
+### Allowing FHIR service as a Microsoft Trusted Service
+
+Select a storage account from the Azure portal, and then select the **Networking** blade. Select **Selected networks** under the **Firewalls and virtual networks** tab.
+
+  :::image type="content" source="media/export-data/storage-networking-1.png" alt-text="Screenshot of Azure Storage Networking Settings." lightbox="media/export-data/storage-networking-1.png":::
+  
+Select **Microsoft.HealthcareApis/workspaces** from the **Resource type** dropdown list and your workspace from the **Instance name** dropdown list.
+
+Under the **Exceptions** section, select the box **Allow trusted Microsoft services to access this storage account** and save the setting. 
+
+:::image type="content" source="media/export-data/exceptions.png" alt-text="Allow trusted Microsoft services to access this storage account.":::
+
+Next, specify the FHIR service instance in the selected workspace instance for the storage account using the PowerShell command. 
+
+```
+$subscription="xxx"
+$tenantId = "xxx"
+$resourceGroupName = "xxx"
+$storageaccountName = "xxx"
+$workspacename="xxx"
+$fhirname="xxx"
+$resourceId = "/subscriptions/$subscription/resourceGroups/$resourcegroup/providers/Microsoft.HealthcareApis/workspaces/$workspacename/fhirservices/$fhirname"
+
+Add-AzStorageAccountNetworkRule -ResourceGroupName $resourceGroupName -Name $storageaccountName -TenantId $tenantId -ResourceId $resourceId
+```
+
+You can see that the networking setting for the storage account shows **two selected** in the **Instance name** dropdown list. One is linked to the workspace instance and the second is linked to the FHIR service instance.
+
+  :::image type="content" source="media/export-data/storage-networking-2.png" alt-text="Screenshot of Azure Storage Networking Settings with resource type and instance names." lightbox="media/export-data/storage-networking-2.png":::
+
+Note that you'll need to install "Add-AzStorageAccountNetworkRule" using an administrator account. For more information, see [Configure Azure Storage firewalls and virtual networks](../../storage/common/storage-network-security.md)
+
+`
+Install-Module Az.Storage -Repository PsGallery -AllowClobber -Force 
+` 
+
+You're now ready to export FHIR data to the storage account securely. Note that the storage account is on selected networks and is not publicly accessible. To access the files, you can either enable and use private endpoints for the storage account, or enable all networks for the storage account to access the data there if possible.
+
+> [!IMPORTANT]
+> The user interface will be updated later to allow you to select the Resource type for FHIR service and a specific service instance.
+
+### Allowing specific IP addresses for the Azure storage account in a different region
+
+Select **Networking** of the Azure storage account from the
+portal. 
+   
+Select **Selected networks**. Under the Firewall section, specify the IP address in the **Address range** box. Add IP ranges to
+allow access from the internet or your on-premises networks. You can
+find the IP address in the table below for the Azure region where the
+FHIR service is provisioned.
+
+|**Azure Region**         |**Public IP Address** |
+|:----------------------|:-------------------|
+| Australia East       | 20.53.44.80       |
+| Canada Central       | 20.48.192.84      |
+| Central US           | 52.182.208.31     |
+| East US              | 20.62.128.148     |
+| East US 2            | 20.49.102.228     |
+| East US 2 EUAP       | 20.39.26.254      |
+| Germany North        | 51.116.51.33      |
+| Germany West Central | 51.116.146.216    |
+| Japan East           | 20.191.160.26     |
+| Korea Central        | 20.41.69.51       |
+| North Central US     | 20.49.114.188     |
+| North Europe         | 52.146.131.52     |
+| South Africa North   | 102.133.220.197   |
+| South Central US     | 13.73.254.220     |
+| Southeast Asia       | 23.98.108.42      |
+| Switzerland North    | 51.107.60.95      |
+| UK South             | 51.104.30.170     |
+| UK West              | 51.137.164.94     |
+| West Central US      | 52.150.156.44     |
+| West Europe          | 20.61.98.66       |
+| West US 2            | 40.64.135.77      |
+
+> [!NOTE]
+> The above steps are similar to the configuration steps described in the document How to convert data to FHIR (Preview). For more information, see [Host and use templates](./convert-data.md#host-and-use-templates)
+
+### Allowing specific IP addresses for the Azure storage account in the same region
+
+The configuration process is the same as above except a specific IP
+address range in Classless Inter-Domain Routing (CIDR) format is used instead, 100.64.0.0/10. The reason why the IP address range, which includes 100.64.0.0 – 100.127.255.255, must be specified is because the actual IP address used by the service varies, but will be within the range, for each $export request.
+
+> [!Note] 
+> It is possible that a private IP address within the range of 10.0.2.0/24 may be used instead. In that case, the $export operation will not succeed. You can retry the $export request, but there is no guarantee that an IP address within the range of 100.64.0.0/10 will be used next time. That's the known networking behavior by design. The alternative is to configure the storage account in a different region.
+
 ## Next steps
 
-In this article, you learned about the three steps in configuring export settings that allows you to export data out of FHIR service account to a storage account. For more information about the Bulk Export feature that allows data to be exported from the FHIR service, see 
+In this article, you learned about the three steps in configuring export settings that allow you to export data out of FHIR service account to a storage account. For more information about the Bulk Export feature that allows data to be exported from the FHIR service, see 
 
 >[!div class="nextstepaction"]
->[How to export FHIR data](export-data.md)
+>[How to export FHIR data](export-data.md)

articles/healthcare-apis/azure-api-for-fhir/move-fhir-service.md

@@ -6,7 +6,7 @@ author: ranvijaykumar
 ms.service: healthcare-apis
 ms.subservice: fhir
 ms.topic: overview
-ms.date: 12/10/2021
+ms.date: 01/14/2022
 ms.author: ranku
 ---
 
@@ -198,7 +198,7 @@ In the table below, you'll find the IP address for the Azure region where the FH
 
 
 > [!NOTE]
-> The above steps are similar to the configuration steps described in the document How to export FHIR data. For more information, see [Secure Export to Azure Storage](./export-data.md#secure-export-to-azure-storage)
+> The above steps are similar to the configuration steps described in the document How to configure FHIR export settings. For more information, see [Configure export settings](./configure-export-data.md)
 
 For a private network access (i.e. private link), you can also disable the public network access of ACR.
 * Select Networking blade of the Azure storage account from the portal.

articles/healthcare-apis/azure-api-for-fhir/toc.yml

@@ -44,6 +44,7 @@ Currently we support $export for ADLS Gen2 enabled storage accounts, with the fo
 - User cannot take advantage of [hierarchical namespaces](../../storage/blobs/data-lake-storage-namespace.md), yet there isn't a way to target export to a specific subdirectory within the container. We only provide the ability to target a specific container (where we create a new folder for each export).
 - Once an export is complete, we never export anything to that folder again, since subsequent exports to the same container will be inside a newly created folder.
 
+To export data to storage accounts behind the firewalls, see [Configure settings for export](configure-export-data.md).
 
 ## Settings and parameters
 
@@ -65,78 +66,6 @@ The FHIR service supports the following query parameters. All of these parameter
 
 > [!Note]
 > Only storage accounts in the same subscription as that for FHIR service are allowed to be registered as the destination for $export operations.
-
-## Secure Export to Azure Storage
-
-FHIR service supports a secure export operation. Choose one of the two options below:
-
-* Allowing FHIR service as a Microsoft Trusted Service to access the Azure storage account.
- 
-* Allowing specific IP addresses associated with FHIR service to access the Azure storage account. 
-This option provides two different configurations depending on whether the storage account is in the same location as, or is in a different location from that of the FHIR service.
-
-### Allowing FHIR service as a Microsoft Trusted Service
-
-Select a storage account from the Azure portal, and then select the **Networking** blade. Select **Selected networks** under the **Firewalls and virtual networks** tab.
-
-> [!IMPORTANT]
-> Ensure that you’ve granted access permission to the storage account for FHIR service using its managed identity. For more details, see [Configure export setting and set up the storage account](./configure-export-data.md).
-
-  :::image type="content" source="media/export-data/storage-networking.png" alt-text="Azure Storage Networking Settings." lightbox="media/export-data/storage-networking.png":::
-
-Under the **Exceptions** section, select the box **Allow trusted Microsoft services to access this storage account** and save the setting. 
-
-:::image type="content" source="media/export-data/exceptions.png" alt-text="Allow trusted Microsoft services to access this storage account.":::
-
-You're now ready to export FHIR data to the storage account securely. Note that the storage account is on selected networks and is not publicly accessible. To access the files, you can either enable and use private endpoints for the storage account, or enable all networks for the storage account for a short period of time.
-
-> [!IMPORTANT]
-> The user interface will be updated later to allow you to select the Resource type for FHIR service and a specific service instance.
-
-### Allowing specific IP addresses for the Azure storage account in a different region
-
-Select **Networking** of the Azure storage account from the
-portal. 
-   
-Select **Selected networks**. Under the Firewall section, specify the IP address in the **Address range** box. Add IP ranges to
-allow access from the internet or your on-premises networks. You can
-find the IP address in the table below for the Azure region where the
-FHIR service service is provisioned.
-
-|**Azure Region**         |**Public IP Address** |
-|:----------------------|:-------------------|
-| Australia East       | 20.53.44.80       |
-| Canada Central       | 20.48.192.84      |
-| Central US           | 52.182.208.31     |
-| East US              | 20.62.128.148     |
-| East US 2            | 20.49.102.228     |
-| East US 2 EUAP       | 20.39.26.254      |
-| Germany North        | 51.116.51.33      |
-| Germany West Central | 51.116.146.216    |
-| Japan East           | 20.191.160.26     |
-| Korea Central        | 20.41.69.51       |
-| North Central US     | 20.49.114.188     |
-| North Europe         | 52.146.131.52     |
-| South Africa North   | 102.133.220.197   |
-| South Central US     | 13.73.254.220     |
-| Southeast Asia       | 23.98.108.42      |
-| Switzerland North    | 51.107.60.95      |
-| UK South             | 51.104.30.170     |
-| UK West              | 51.137.164.94     |
-| West Central US      | 52.150.156.44     |
-| West Europe          | 20.61.98.66       |
-| West US 2            | 40.64.135.77      |
-
-> [!NOTE]
-> The above steps are similar to the configuration steps described in the document How to convert data to FHIR (Preview). For more information, see [Host and use templates](./convert-data.md#host-and-use-templates)
-
-### Allowing specific IP addresses for the Azure storage account in the same region
-
-The configuration process is the same as above except a specific IP
-address range in CIDR format is used instead, 100.64.0.0/10. The reason why the IP address range, which includes 100.64.0.0 – 100.127.255.255, must be specified is because the actual IP address used by the service varies, but will be within the range, for each $export request.
-
-> [!Note] 
-> It is possible that a private IP address within the range of 10.0.2.0/24 may be used instead. In that case, the $export operation will not succeed. You can retry the $export request, but there is no guarantee that an IP address within the range of 100.64.0.0/10 will be used next time. That's the known networking behavior by design. The alternative is to configure the storage account in a different region.
     
 ## Next steps
 
@@ -146,4 +75,4 @@ In this article, you've learned how to export FHIR resources using the $export c
 >[Export de-identified data](de-identified-export.md)
 
 >[!div class="nextstepaction"]
->[Export to Synapse](move-to-synapse.md)
+>[Export to Synapse](move-to-synapse.md)