
Configure export settings and set up a storage account

The FHIR® service supports the $export operation specified by HL7 for exporting FHIR data from a FHIR server. In the FHIR service implementation, when you call the $export endpoint, the FHIR service exports data into a preconfigured Azure storage account. The storage account must be a Blob or Azure Data Lake Storage Gen2 (ADLS Gen2) account.

This article describes how to configure export settings for the FHIR service and how to give the FHIR service permission to access your storage account. If your FHIR service is outside the network boundary of your storage account, you can configure access either by allowing the FHIR service as a Microsoft trusted service or by allowing specific IP addresses to access the storage account. For more information, see Secure the FHIR service $export operation.

Prerequisites

Step 1: Enable managed identity for the FHIR service

The first step in configuring your environment for FHIR data export is to enable a system-assigned managed identity for the FHIR service. The FHIR service uses this managed identity to authenticate and access the ADLS Gen2 account during an $export operation. For more information about managed identities in Azure, see About managed identities for Azure resources.

  1. In the Azure portal, browse to your FHIR service.

  2. On the left menu, select Identity.

  3. In the System assigned tab, set the Status option to On, and then select Save.

    Screenshot showing the enabled managed identity for the FHIR service.

  4. When the Yes and No buttons display, select Yes to enable the managed identity for the FHIR service. After you enable the system identity, you see an Object (principal) ID value for your FHIR service.

    Screenshot showing the enabled managed identity for the FHIR service with the Object (principal) ID displayed.

Step 2: Give permission in the storage account for FHIR service access

  1. Go to your storage account in the Azure portal.

  2. In your storage account, select Access control (IAM).

  3. Select Add > Add role assignment. If Add role assignment is grayed out, ask your Azure administrator for help with this step.

    Screenshot that shows Access control (IAM) page with Add role assignment menu open.

  4. On the Role tab, select the Storage Blob Data Contributor role.

    Screenshot showing user interface of Add role assignment page.

  5. On the Members tab, select Managed identity, and then select Select members.

  6. Select your Azure subscription.

  7. Select System-assigned managed identity, and then select the managed identity that you previously enabled for your FHIR service.

  8. On the Review + assign tab, select Review + assign to assign the Storage Blob Data Contributor role to your FHIR service.

For more information about assigning roles in the Azure portal, see Azure built-in roles.

Now you're ready to configure the FHIR service by setting the ADLS Gen2 account as the default storage account for export.
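The two steps above can also be done from Az PowerShell. The following is an added example, not part of the original article or of the FHIR service's own tooling: it reads the Object (principal) ID of the system-assigned identity that Step 1 enabled and grants it Storage Blob Data Contributor scoped to the single export storage account, not to the resource group or subscription. It assumes the Az.Accounts, Az.Resources and Az.Storage modules are installed, that Connect-AzAccount has been run with rights to create role assignments, and that every "xxx" value is replaced with your own.

```powershell
# Added example: assign Storage Blob Data Contributor to the FHIR service's
# system-assigned managed identity, scoped to the export storage account only.
# All "xxx" values are placeholders that must be replaced.
$subscription       = "xxx"
$resourceGroupName  = "xxx"
$storageAccountName = "xxx"
$workspaceName      = "xxx"
$fhirName           = "xxx"

$fhirResourceId = "/subscriptions/$subscription/resourceGroups/$resourceGroupName/providers/Microsoft.HealthcareApis/workspaces/$workspaceName/fhirservices/$fhirName"
$storageScope   = "/subscriptions/$subscription/resourceGroups/$resourceGroupName/providers/Microsoft.Storage/storageAccounts/$storageAccountName"

# Step 1 must already be complete: read the Object (principal) ID of the
# system-assigned identity from the FHIR service resource.
$principalId = (Get-AzResource -ResourceId $fhirResourceId).Identity.PrincipalId
if (-not $principalId) {
    throw "FHIR service '$fhirName' has no system-assigned managed identity; enable it first (Step 1)."
}

# Idempotent: only create the assignment if it is not already present at this scope.
$roleName = "Storage Blob Data Contributor"
$existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $roleName -Scope $storageScope -ErrorAction SilentlyContinue
if ($existing) {
    Write-Output "'$roleName' is already assigned to '$fhirName' on '$storageAccountName'."
} else {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $roleName -Scope $storageScope | Out-Null
    Write-Output "Assigned '$roleName' to '$fhirName' at scope $storageScope."
}
```

Scoping the assignment to the storage account resource (rather than the resource group) keeps the FHIR service's identity from being able to write to other storage accounts that happen to share the group.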

Step 3: Specify the storage account for FHIR service export

Specify the storage account that the FHIR service uses when exporting data.

Note

In the storage account, if you don't assign the Storage Blob Data Contributor role to the FHIR service, the $export operation fails.

  1. Go to your FHIR service settings.

  2. Select Export.

  3. Select the name of the storage account from the list. If you need to search for your storage account, use the Name, Resource group, or Region filters.

    Screenshot showing user interface of FHIR Export Storage list.

Note

You can only register storage accounts in the same subscription as the FHIR service as the destination for $export operations.

Secure the FHIR service $export operation

To securely export data from the FHIR service outside the network boundary of your storage account, use one of the following options:

  • Allow the FHIR service to access the storage account as a Microsoft trusted service.
  • Allow specific IP addresses associated with the FHIR service to access the storage account. This option permits two different configurations depending on whether the storage account is in the same Azure region as the FHIR service.

Allow the FHIR service as a Microsoft trusted service

To enable the FHIR workspace as a trusted Microsoft service, follow these steps:

  1. In the Azure portal, go to your storage account.

  2. On the left menu, select Security + Networking > Networking.

  3. On the Public access tab, under Public network access, select Manage.

    Screenshot of Azure Storage networking settings.

  4. Select Enable from selected networks.

  5. In the Resource type dropdown list, select Microsoft.HealthcareApis/workspaces. In the Instance name dropdown list, select your workspace.

  6. In the Exceptions section, select the Allow trusted Microsoft services to access this storage account checkbox.

    Screenshot that shows the option to allow trusted Microsoft services to access this storage account.

  7. Select Save to retain the settings.

To enable the FHIR service as a trusted Microsoft service, use the following PowerShell commands:

  1. Run the following PowerShell command to install the Az.Storage PowerShell module in your local environment. Use this module to configure your Azure storage accounts by using PowerShell.

    Install-Module Az.Storage -Repository PsGallery -AllowClobber -Force

  2. Use the following PowerShell command to set the selected FHIR service instance as a trusted resource for the storage account. Make sure that all listed parameters are defined in your PowerShell environment.

    You need to run the Add-AzStorageAccountNetworkRule command as an administrator in your local environment. For more information, see Configure Azure Storage firewalls and virtual networks.

    # Replace every "xxx" with your own values.
    $subscription       = "xxx"   # subscription ID that contains both the storage account and the FHIR service
    $tenantId           = "xxx"   # Microsoft Entra tenant ID of that subscription
    $resourceGroupName  = "xxx"   # resource group of the storage account
    $storageaccountName = "xxx"   # storage account that receives the $export output
    $workspacename      = "xxx"   # Azure Health Data Services workspace name
    $fhirname           = "xxx"   # FHIR service name inside that workspace

    # Full ARM resource ID of the FHIR service; this is what the storage firewall stores as a resource access rule.
    $resourceId = "/subscriptions/$subscription/resourceGroups/$resourceGroupName/providers/Microsoft.HealthcareApis/workspaces/$workspacename/fhirservices/$fhirname"

    # Register the FHIR service as a trusted resource instance on the storage account.
    Add-AzStorageAccountNetworkRule -ResourceGroupName $resourceGroupName -Name $storageaccountName -TenantId $tenantId -ResourceId $resourceId

  3. To verify that the FHIR service is added as a trusted Microsoft service for the storage account, go to the storage account in the Azure portal, and select JSON view. Verify that the FHIR service is listed in the properties.networkAcls.resourceAccessRules.
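The same verification can be scripted instead of read from the portal's JSON view. The following is an added example, not part of the original article: it pulls the storage account's network rule set, checks that a resource access rule for this FHIR service's tenant and resource ID is present, and also flags a DefaultAction of Allow, because a resource access rule restricts nothing unless the firewall is actually denying other traffic. It assumes the variables defined in the previous step ($resourceGroupName, $storageaccountName, $tenantId, $resourceId) are still set and that Connect-AzAccount has been run.

```powershell
# Added example: confirm the FHIR service appears in
# properties.networkAcls.resourceAccessRules and that the firewall is enforcing.
# Assumes $resourceGroupName, $storageaccountName, $tenantId and $resourceId
# are already defined as in the step above.
$ruleSet = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroupName -Name $storageaccountName

# -eq on strings is case-insensitive in PowerShell, which matters because ARM
# resource IDs are frequently returned with different casing than they were entered.
$match = $ruleSet.ResourceAccessRules | Where-Object {
    $_.ResourceId -eq $resourceId -and $_.TenantId -eq $tenantId
}

if ($match) {
    Write-Output "OK: FHIR service '$resourceId' is listed in networkAcls.resourceAccessRules."
} else {
    # Backtick escapes the $ so "$export" is not expanded as a variable.
    Write-Warning "FHIR service is NOT listed in networkAcls.resourceAccessRules; `$export to this account will be blocked."
}

# A resource access rule only narrows access when the default is Deny.
if ($ruleSet.DefaultAction -ne "Deny") {
    Write-Warning "DefaultAction is '$($ruleSet.DefaultAction)'; set it to Deny so only listed networks and resource instances can reach the account."
}

# Report any broad IP allow rules that may have been left behind from testing.
foreach ($ip in $ruleSet.IpRules) {
    Write-Output ("IP rule present: {0} ({1})" -f $ip.IPAddressOrRange, $ip.Action)
}
```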

You're now ready to securely export FHIR data to the storage account.

The storage account is on selected networks and isn't publicly accessible. To securely access the files, you can enable private endpoints for the storage account.

Allow specific IP addresses to access the Azure storage account from other Azure regions

  1. In the Azure portal, go to the storage account.
  2. On the left menu, select Security + Networking > Networking.
  3. On the Public access tab under Public network access, select Manage.
  4. Select Enabled from selected networks.
  5. Enter the IP addresses in the IPv4 Addresses section.

Screenshot of the page for allowing selected public IP addresses.

The following table lists the public IP addresses for the FHIR service in different Azure regions. You can use these IP addresses to allow access to the storage account from the FHIR service in other regions.

    Azure region            Public IP address
    ----------------------  -----------------
    Australia East          20.53.44.80
    Canada Central          20.48.192.84
    Central US              52.182.208.31
    East US                 20.62.128.148
    East US 2               20.49.102.228
    East US 2 EUAP          20.39.26.254
    Germany North           51.116.51.33
    Germany West Central    51.116.146.216
    Japan East              20.191.160.26
    Korea Central           20.41.69.51
    North Central US        20.49.114.188
    North Europe            52.146.131.52
    South Africa North      102.133.220.197
    South Central US        13.73.254.220
    Southeast Asia          23.98.108.42
    Switzerland North       51.107.60.95
    UK South                51.104.30.170
    UK West                 51.137.164.94
    West Central US         52.150.156.44
    West Europe             20.61.98.66
    West US 2               40.64.135.77

Allow specific IP addresses to access the Azure storage account in the same region

The configuration process for IP addresses in the same region is just like the previous procedure, except that you specify an IP address range in Classless Inter-Domain Routing (CIDR) format rather than a single address (for example, 100.64.0.0/10). You must allow the whole range (100.64.0.0 to 100.127.255.255) because the FHIR service allocates a new IP address from it each time you make an operation request.

Note

You can use a private IP address within the range of 10.0.2.0/24, but there's no guarantee that the operation succeeds. If the operation request fails, you can retry. However, the request doesn't succeed until you use an IP address within the range of 100.64.0.0/10.

This network behavior for IP address ranges is by design. The alternative is to configure the storage account in a different region.
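Both IP-based options above reduce to one storage firewall rule whose value depends on whether the storage account shares the FHIR service's region. The following is an added example, not part of the original article: it carries the region table and the same-region CIDR range from this section, compares the storage account's location with the FHIR service's region to pick the right rule, sets the default action to Deny, and adds the rule only if it is not already present. It assumes the Az.Storage module is installed, Connect-AzAccount has been run, and the "xxx" placeholders and $fhirServiceRegion are replaced with your own values.

```powershell
# Added example: add the storage firewall IP rule that $export needs, chosen by
# whether the storage account is in the same region as the FHIR service.
# "xxx" values are placeholders to replace.
$resourceGroupName  = "xxx"
$storageAccountName = "xxx"
$fhirServiceRegion  = "East US"   # region of the FHIR service, spelled as in the table above

# Public IP addresses per region, copied from the table in this section.
$fhirPublicIps = @{
    "Australia East"       = "20.53.44.80"
    "Canada Central"       = "20.48.192.84"
    "Central US"           = "52.182.208.31"
    "East US"              = "20.62.128.148"
    "East US 2"            = "20.49.102.228"
    "East US 2 EUAP"       = "20.39.26.254"
    "Germany North"        = "51.116.51.33"
    "Germany West Central" = "51.116.146.216"
    "Japan East"           = "20.191.160.26"
    "Korea Central"        = "20.41.69.51"
    "North Central US"     = "20.49.114.188"
    "North Europe"         = "52.146.131.52"
    "South Africa North"   = "102.133.220.197"
    "South Central US"     = "13.73.254.220"
    "Southeast Asia"       = "23.98.108.42"
    "Switzerland North"    = "51.107.60.95"
    "UK South"             = "51.104.30.170"
    "UK West"              = "51.137.164.94"
    "West Central US"      = "52.150.156.44"
    "West Europe"          = "20.61.98.66"
    "West US 2"            = "40.64.135.77"
}
# Same-region requests come from a rotating address in this range, so the whole
# CIDR block is required instead of a single IP.
$sameRegionRange = "100.64.0.0/10"

$account = Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName
# $account.Location is the short form (for example "eastus"); normalise the display name to compare.
$sameRegion = $account.Location -eq ($fhirServiceRegion -replace '\s', '')

$ipRule = if ($sameRegion) { $sameRegionRange } else { $fhirPublicIps[$fhirServiceRegion] }
if (-not $ipRule) {
    throw "No public IP address is listed for region '$fhirServiceRegion'; check the table in this section."
}

# Deny everything by default, then allow only the one source the FHIR service uses.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroupName -Name $storageAccountName -DefaultAction Deny | Out-Null

$current = (Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroupName -Name $storageAccountName).IpRules.IPAddressOrRange
if ($current -contains $ipRule) {
    Write-Output "Rule for $ipRule is already present on '$storageAccountName'."
} else {
    Add-AzStorageAccountNetworkRule -ResourceGroupName $resourceGroupName -Name $storageAccountName -IPAddressOrRange $ipRule | Out-Null
    Write-Output "Allowed $ipRule on '$storageAccountName' (same region: $sameRegion)."
}
```

Because 100.64.0.0/10 is a large range, the same-region rule admits far more sources than a single regional address does; pairing it with the Storage Blob Data Contributor assignment from Step 2 (so only the FHIR service's identity can actually write) is what keeps the export path least-privileged.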

Next steps

Note

FHIR® is a registered trademark of HL7 and is used with the permission of HL7.