Manage network access security in Azure Health Data Services

Azure Health Data Services provides multiple options for securing network access to its features and for managing outbound connections made by the FHIR®, DICOM®, or MedTech services.

Private Link

Private Link is a network isolation technique that allows access to Azure services, including Azure Health Data Services. Private Link allows data to flow over private Microsoft networks instead of the public internet. By using Private Link, you can allow access only to specified virtual networks, and lock down access to provisioned services. For more information, see Configure Private Link.

Microsoft Trusted Services

Although most interactions with Azure Health Data Services are inbound requests, there are a few features of the services that need to make outbound connections to other resources. To control access from outbound connections, we recommend that you use the Microsoft Trusted Service connections in the network settings of the target resource. Each outbound feature can have slightly different setup steps and intended target resources.

Here's a list of features that can make outbound connections from Azure Health Data Services:

FHIR service

• Export: Allow FHIR service export as a Microsoft Trusted Service
• Import: Allow FHIR service import as a Microsoft Trusted Service
• Convert: Allow trusted services access to Azure Container Registry
• Events: Allow trusted services access to Azure Event Hubs
• Customer-managed keys: Allow trusted services access to Azure Key Vault

DICOM service

• Import, export, and analytical support: Allow trusted services access to Azure Storage accounts
• Events: Allow trusted services access to Azure Event Hubs
• Customer-managed keys: Allow trusted services access to Azure Key Vault

MedTech service

• Events: Allow trusted services access to Azure Event Hubs

De-identification service (preview)

• De-identify documents in Azure Storage: Allow trusted services access to Azure Storage accounts

Service tags

Service tags are sets of IP addresses that correspond to an Azure Service, for example Azure Health Data Services. You can use tags to control access on several Azure networking offerings such as Network Security Groups, Azure Firewall, and more.

Azure Health Data Services offers a service tag AzureHealthcareAPIs that you can use to control access to and from the services. However, there are a few caveats that come with using service tags for network isolation, and we don't recommend relying on them. Instead, use the approaches described in this article for more granular controls. Service tags are shared across all users of a service, and all provisioned instances. Tags provide no isolation between customers within Azure Health Data Services, between separate instances of the workspaces, nor between the different service offerings.

If you use service tags, keep in mind that they're a convenient way of keeping track of sets of IP addresses. However, tags aren't a substitute for proper network security measures.

Note

FHIR® is a registered trademark of HL7 and is used with the permission of HL7.

DICOM® is the registered trademark of the National Electrical Manufacturers Association for its Standards publications relating to digital communications of medical information.