You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/healthcare-apis/fhir/configure-import-data.md
+96-14Lines changed: 96 additions & 14 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -15,11 +15,11 @@ The FHIR service supports $import operation that allows you to import data into
15
15
16
16
The three steps below are used in configuring import settings in the FHIR service:
17
17
18
-
- Enable managed identity for the FHIR service.
19
-
- Create an Azure storage account or use an existing storage account, and then grant permissions to the FHIR service to access it.
20
-
- Set the import configuration in the FHIR service.
18
+
* Step 1: Enable managed identity for the FHIR service.
19
+
* Step 2: Create an Azure storage account or use an existing storage account, and then grant permissions to the FHIR service to access it.
20
+
* Step 3: Set the import configuration in the FHIR service.
21
21
22
-
## Enable managed identity on the FHIR service
22
+
## Step 1: Enable managed identity on the FHIR service
23
23
24
24
The first step in configuring the FHIR service for import is to enable system wide managed identity on the service, which will be used to grant the service to access the storage account. For more information about managed identities in Azure, see [About managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md).
25
25
@@ -28,7 +28,7 @@ In this step, browse to your FHIR service in the Azure portal, and select the **
## Assign permissions to the FHIR service to access the storage account
31
+
## Step 2: Assign permissions to the FHIR service to access the storage account
32
32
33
33
Browse to the **Access Control (IAM)** in the storage account, and then select **Add role assignment**. If the add role assignment option is grayed out, you'll need to ask your Azure Administrator to assign you permission to perform this task.
34
34
@@ -40,7 +40,7 @@ Add the role [Storage Blob Data Contributor](../../role-based-access-control/bui
40
40
41
41
Now you're ready to select the storage account in the FHIR service as a default storage account for import.
42
42
43
-
## Set import configuration of the FHIR service
43
+
## Step 3: Set import configuration of the FHIR service
44
44
45
45
The final step is to set the import configuration of the FHIR service, which contains specify storage account, enable import and enable initial import mode.
46
46
@@ -69,21 +69,103 @@ You can also use the **Deploy to Azure** button below to open custom Resource Ma
69
69
70
70
[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.healthcareapis%2Ffhir-import%2Fazuredeploy.json)
71
71
72
+
## Securing the FHIR service $import operation
73
+
For securely importing FHIR data into the FHIR service from an ADLS Gen2 account, there are two options:
74
+
75
+
* Option 1: Enabling FHIR service as a Microsoft Trusted Service.
76
+
77
+
* Option 2: Allowing specific IP addresses associated with the FHIR service to access the storage account.
78
+
This option permits two different configurations depending on whether or not the storage account is in the same Azure region as the FHIR service.
79
+
80
+
### Option 1: Enabling FHIR service as a Microsoft Trusted Service.
81
+
82
+
Go to your ADLS Gen2 account in the Azure portal and select the **Networking** blade. Select **Enabled from selected virtual networks and IP addresses** under the **Firewalls and virtual networks** tab.
83
+
84
+
[](media/export-data/storage-networking-1.png#lightbox)
85
+
86
+
Select **Microsoft.HealthcareApis/workspaces** from the **Resource type** dropdown list and then select your workspace from the **Instance name** dropdown list.
87
+
88
+
Under the **Exceptions** section, select the box **Allow Azure services on the trusted services list to access this storage account**. Make sure to click **Save** to retain the settings.
89
+
90
+
[](media/export-data/exceptions.png#lightbox)
91
+
92
+
Next, run the following PowerShell command to install the `Az.Storage` PowerShell module in your local environment. This will allow you to configure your Azure storage account(s) using PowerShell.
Now, use the PowerShell command below to set the selected FHIR service instance as a trusted resource for the storage account. Make sure that all listed parameters are defined in your PowerShell environment.
99
+
100
+
Note that you'll need to run the `Add-AzStorageAccountNetworkRule` command as an administrator in your local environment. For more information, see [Configure Azure Storage firewalls and virtual networks](../../storage/common/storage-network-security.md).
After running this command, in the **Firewall** section under **Resource instances** you will see **2 selected** in the **Instance name** dropdown list. These are the names of the workspace instance and FHIR service instance that you just registered as Microsoft Trusted Resources.
115
+
116
+
[](media/export-data/storage-networking-2.png#lightbox)
117
+
118
+
You're now ready to securely import FHIR data from the storage account. Note that the storage account is on selected networks and isn't publicly accessible. To securely access the files, you can enable [private endpoints](../../storage/common/storage-private-endpoints.md) for the storage account.
119
+
120
+
### Option 2: Allowing specific IP addresses to access the Azure storage account
121
+
#### Option 2.1 : Access storage account provisioned in different Azure region than FHIR service
122
+
123
+
In the Azure portal, go to the ADLS Gen2 account and select the **Networking** blade.
124
+
125
+
Select **Enabled from selected virtual networks and IP addresses**. Under the Firewall section, specify the IP address in the **Address range** box. Add IP ranges to allow access from the internet or your on-premises networks. You can find the IP address in the table below for the Azure region where the FHIR service is provisioned.
126
+
127
+
|**Azure Region**|**Public IP Address**|
128
+
|:----------------------|:-------------------|
129
+
| Australia East | 20.53.44.80 |
130
+
| Canada Central | 20.48.192.84 |
131
+
| Central US | 52.182.208.31 |
132
+
| East US | 20.62.128.148 |
133
+
| East US 2 | 20.49.102.228 |
134
+
| East US 2 EUAP | 20.39.26.254 |
135
+
| Germany North | 51.116.51.33 |
136
+
| Germany West Central | 51.116.146.216 |
137
+
| Japan East | 20.191.160.26 |
138
+
| Korea Central | 20.41.69.51 |
139
+
| North Central US | 20.49.114.188 |
140
+
| North Europe | 52.146.131.52 |
141
+
| South Africa North | 102.133.220.197 |
142
+
| South Central US | 13.73.254.220 |
143
+
| Southeast Asia | 23.98.108.42 |
144
+
| Switzerland North | 51.107.60.95 |
145
+
| UK South | 51.104.30.170 |
146
+
| UK West | 51.137.164.94 |
147
+
| West Central US | 52.150.156.44 |
148
+
| West Europe | 20.61.98.66 |
149
+
| West US 2 | 40.64.135.77 |
150
+
151
+
> [!NOTE]
152
+
> The above steps are similar to the configuration steps described in the document **Converting your data to FHIR**. For more information, see [Configure the ACR firewall](./convert-data.md#step-6-optional-configure-the-azure-container-registry-firewall-for-secure-access).
153
+
154
+
#### Option 2.2 : Access storage account provisioned in same Azure region as FHIR service
155
+
156
+
The configuration process for IP addresses in the same region is just like above except a specific IP address range in Classless Inter-Domain Routing (CIDR) format is used instead (i.e., 100.64.0.0/10). The reason why the IP address range (100.64.0.0 – 100.127.255.255) must be specified is because an IP address for the FHIR service will be allocated each time an `$import` request is made.
157
+
158
+
> [!Note]
159
+
> It is possible that a private IP address within the range of 10.0.2.0/24 may be used, but there is no guarantee that the `$import` operation will succeed in such a case. You can retry if the `$import` request fails, but until an IP address within the range of 100.64.0.0/10 is used, the request will not succeed. This network behavior for IP address ranges is by design. The alternative is to configure the storage account in a different region.
160
+
72
161
73
162
## Next steps
74
163
75
-
In this article, you've learned the FHIR service supports $import operation and how it allows you to import data into FHIR service account from a storage account. You also learned about the three steps used in configuring import settings in the FHIR service. For more information about converting data to FHIR, exporting settings to set up a storage account, and moving data to Azure Synapse, see
164
+
In this article, you've learned the FHIR service supports $import operation and learned on the steps used in configuring import settings. For more information on using $import in the FHIR service, see
76
165
77
166
>[!div class="nextstepaction"]
78
167
>[Use $import](import-data.md)
79
168
80
-
>[!div class="nextstepaction"]
81
-
>[Converting your data to FHIR](convert-data.md)
82
169
83
-
>[!div class="nextstepaction"]
84
-
>[Configure export settings and set up a storage account](configure-export-data.md)
85
-
86
-
>[!div class="nextstepaction"]
87
-
>[Copy data from FHIR service to Azure Synapse Analytics](copy-to-synapse.md)
88
170
89
171
FHIR® is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.
0 commit comments