This article walks you through the steps to configure settings on the FHIR® service for `import` operations. To configure settings, you need to:
- Enable a managed identity on the FHIR service.
- Create an Azure storage account or use an existing storage account, and grant permissions for the FHIR service to access it.
- Set the import configuration of the FHIR service.
- Use one of the options to securely import FHIR data into the FHIR service from an Azure Data Lake Storage Gen2 account.
Step 1: Enable a managed identity on the FHIR service
The first step is to enable a system-wide managed identity on the service. This identity is used to grant FHIR service access to the storage account. For more information about managed identities in Azure, see the article about managed identities for Azure resources.
To enable a managed identity on the FHIR service:
- In the Azure portal, browse to your FHIR service.
- On the left menu, select Identity.
- Set the Status option to On, and then select Save.
- Select Yes.
After you enable the managed identity, a system-assigned GUID value appears.
Step 2: Assign permissions to the FHIR service
Use the following steps to assign permissions to access the storage account.
In the storage account, browse to Access Control (IAM).
Select Add role assignment. If the option for adding a role assignment is unavailable, ask your Azure administrator to assign you permission to perform this step.
For more information about assigning roles in the Azure portal, see Azure built-in roles.
Add the Storage Blob Data Contributor role to the FHIR service.
Select Save.
Now you're ready to select the storage account for import.
Step 3: Set the import configuration of the FHIR service
Note:
If you haven't assigned storage access permissions to the FHIR service, the `import` operation will fail.
For this step, you need to get the request URL and JSON body.
- In the Azure portal, browse to your FHIR service.
- Select Overview.
- Select JSON View.
- Select the API version as 2022-06-01 or later.
The JSON view is in READ mode, so to specify the Azure storage account you need to use the REST API to update the FHIR service.
The following steps walk you through setting configurations for initial and incremental import modes. Choose the right import mode for your use case.
Set the import configuration for initial import mode
Make the following changes to JSON.
- In `importConfiguration`, set `enabled` to `true`.
- Update `integrationDataStore` with the target storage account name.
- In `importConfiguration`, set `initialImportMode` to `true`.
- Delete the `provisioningState` line.
You're now ready to perform initial-mode import by using `import`.
Set the import configuration for incremental import mode
Make the following changes to JSON.
- In `importConfiguration`, set `enabled` to `true`.
- Update `integrationDataStore` with the target storage account name.
- In `importConfiguration`, set `initialImportMode` to `false`.
- Delete the `provisioningState` line.
You're now ready to perform incremental-mode import by using `import`.
You can also use the Deploy to Azure button to open a custom Azure Resource Manager template that updates the configuration for `import`.
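The JSON edits from step 3 applied through the REST API, as an added example that is not part of the original article. It assumes the Az PowerShell module with a signed-in session, that `integrationDataStore` sits under `properties.importConfiguration` in the resource JSON, and uses placeholder values and variable names chosen here.

```powershell
# Added example. All "xxx" values are placeholders; sign in with Connect-AzAccount first.
$subscription       = "xxx"
$resourceGroupName  = "xxx"
$workspacename      = "xxx"
$fhirname           = "xxx"
$storageaccountName = "xxx"
$initialImportMode  = $false        # $true = initial mode, $false = incremental mode
$apiVersion         = "2022-06-01"  # 2022-06-01 or later

$path = "/subscriptions/$subscription/resourceGroups/$resourceGroupName" +
        "/providers/Microsoft.HealthcareApis/workspaces/$workspacename" +
        "/fhirservices/${fhirname}?api-version=$apiVersion"

# Read the current definition: the same JSON that JSON View shows.
$get = Invoke-AzRestMethod -Path $path -Method GET
if ($get.StatusCode -ne 200) { throw "GET failed ($($get.StatusCode)): $($get.Content)" }
$fhir = $get.Content | ConvertFrom-Json

# Import relies on the managed identity from step 1; stop if it is missing.
if ("$($fhir.identity.type)" -notmatch 'SystemAssigned') {
    throw "No system-assigned managed identity on '$fhirname'. Complete step 1 first."
}

# Apply the import settings (assumed layout: properties.importConfiguration).
$import = [pscustomobject]@{
    enabled              = $true
    initialImportMode    = $initialImportMode
    integrationDataStore = $storageaccountName
}
$fhir.properties | Add-Member -NotePropertyName importConfiguration `
    -NotePropertyValue $import -Force

# Delete the provisioningState line before sending the body back.
$fhir.properties.PSObject.Properties.Remove('provisioningState')

$put = Invoke-AzRestMethod -Path $path -Method PUT -Payload ($fhir | ConvertTo-Json -Depth 20)
if ($put.StatusCode -notin 200, 201, 202) {
    throw "PUT failed ($($put.StatusCode)): $($put.Content)"
}

# Show what the service accepted so the mode and storage account can be reviewed.
($put.Content | ConvertFrom-Json).properties.importConfiguration
```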
Step 4: Secure the FHIR service's import operation
To securely import FHIR data into the FHIR service from an Azure Data Lake Storage Gen2 account, you have three options:
- Enable the FHIR service as a trusted Microsoft service.
- Allow specific IP addresses associated with the FHIR service to access the storage account from other Azure regions.
- Allow specific IP addresses associated with the FHIR service to access the storage account in the same region as the FHIR service.
Enable the FHIR service as a trusted Microsoft service
In the Azure portal, go to your Data Lake Storage Gen2 account.
On the left menu, select Networking.
On the Firewalls and virtual networks tab, select Enabled from selected virtual networks and IP addresses.
In the Resource type dropdown list, select Microsoft.HealthcareApis/workspaces. In the Instance name dropdown list, select your workspace.
In the Exceptions section, select the Allow trusted Microsoft services to access this storage account checkbox.
Select Save to retain the settings.
Run the following PowerShell command to install the `Az.Storage` PowerShell module in your local environment. You can use this module to configure your Azure storage accounts by using PowerShell.

```powershell
Install-Module Az.Storage -Repository PsGallery -AllowClobber -Force
```
Use the following PowerShell command to set the selected FHIR service instance as a trusted resource for the storage account. Make sure that all listed parameters are defined in your PowerShell environment.
You need to run the `Add-AzStorageAccountNetworkRule` command as an administrator in your local environment. For more information, see Configure Azure Storage firewalls and virtual networks.

```powershell
# Replace each "xxx" placeholder with your own value.
$subscription="xxx"
$tenantId = "xxx"
$resourceGroupName = "xxx"
$storageaccountName = "xxx"
$workspacename="xxx"
$fhirname="xxx"
$resourceId = "/subscriptions/$subscription/resourceGroups/$resourceGroupName/providers/Microsoft.HealthcareApis/workspaces/$workspacename/fhirservices/$fhirname"

# Register the FHIR service as a trusted resource instance on the storage account.
Add-AzStorageAccountNetworkRule -ResourceGroupName $resourceGroupName -Name $storageaccountName -TenantId $tenantId -ResourceId $resourceId
```
Confirm that under Resource instances, 2 selected appears in the Instance name dropdown list. The two selected instances are the name of the workspace instance and the name of the FHIR service instance that you registered as trusted Microsoft resources.
You're now ready to securely import FHIR data from the storage account. The storage account is on selected networks and isn't publicly accessible. To securely access the files, you can use private endpoints for the storage account.
Allow specific IP addresses to access the Azure storage account from other Azure regions
In the Azure portal, go to the Azure Data Lake Storage Gen2 account.
On the left menu, select Networking.
Select Enabled from selected virtual networks and IP addresses.
In the Firewall section, in the Address range box, specify the IP address. Add IP ranges to allow access from the internet or your on-premises networks. You can find the IP address in the following table for the Azure region where the FHIR service is provisioned.
| Azure region | Public IP address |
| --- | --- |
| Australia East | 20.53.44.80 |
| Canada Central | 20.48.192.84 |
| Central US | 52.182.208.31 |
| East US | 20.62.128.148 |
| East US 2 | 20.49.102.228 |
| East US 2 EUAP | 20.39.26.254 |
| Germany North | 51.116.51.33 |
| Germany West Central | 51.116.146.216 |
| Japan East | 20.191.160.26 |
| Korea Central | 20.41.69.51 |
| North Central US | 20.49.114.188 |
| North Europe | 52.146.131.52 |
| South Africa North | 102.133.220.197 |
| South Central US | 13.73.254.220 |
| Southeast Asia | 23.98.108.42 |
| Switzerland North | 51.107.60.95 |
| UK South | 51.104.30.170 |
| UK West | 51.137.164.94 |
| West Central US | 52.150.156.44 |
| West Europe | 20.61.98.66 |
| West US 2 | 40.64.135.77 |
Allow specific IP addresses to access the Azure storage account in the same region
The configuration process for IP addresses in the same region is just like the previous procedure, except that you use a specific IP address range in Classless Inter-Domain Routing (CIDR) format instead (that is, 100.64.0.0/10). You must specify the IP address range (100.64.0.0 to 100.127.255.255) because an IP address for the FHIR service is allocated each time you make an operation request.
Note:
It's possible to use a private IP address within the range of 10.0.2.0/24, but there's no guarantee that the operation will succeed in such a case. You can retry if the operation request fails, but until you use an IP address within the range of 100.64.0.0/10, the request won't succeed.
This network behavior for IP address ranges is by design. The alternative is to configure the storage account in a different region.
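A read-only check of the storage account after steps 2 and 4, as an added example that is not part of the original article. It reports whether public access is denied by default, whether the trusted-service exception and resource instances are present, which IP rules were not expected, and whether the Storage Blob Data Contributor role is granted at the storage account or inherited from a wider scope. `$principalId` and `$expectedIpRules` are names introduced here, and all `xxx` values are placeholders.

```powershell
# Added example. "xxx" values are placeholders; nothing here changes the account.
$subscription       = "xxx"
$resourceGroupName  = "xxx"
$storageaccountName = "xxx"
$workspacename      = "xxx"
$fhirname           = "xxx"
$principalId        = "xxx"   # GUID shown on the FHIR service's Identity page (step 1)
$expectedIpRules    = @()     # IP rules you added on purpose, for example "100.64.0.0/10"

$workspaceId = "/subscriptions/$subscription/resourceGroups/$resourceGroupName" +
               "/providers/Microsoft.HealthcareApis/workspaces/$workspacename"
$fhirId      = "$workspaceId/fhirservices/$fhirname"

$account = Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageaccountName
$rules   = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroupName `
               -Name $storageaccountName

# Flatten the rule lists; Where-Object drops the $null produced by an empty list.
$trusted = @($rules.ResourceAccessRules.ResourceId | Where-Object { $_ })
$ipRules = @($rules.IpRules.IPAddressOrRange | Where-Object { $_ })

# Role assignments effective at the storage account for the managed identity.
$roles = @(Get-AzRoleAssignment -ObjectId $principalId -Scope $account.Id |
    Where-Object { $_.RoleDefinitionName -eq 'Storage Blob Data Contributor' })

[pscustomobject]@{
    # "Enabled from selected virtual networks and IP addresses" maps to Deny.
    DefaultActionIsDeny     = "$($rules.DefaultAction)" -eq 'Deny'
    # "Allow trusted Microsoft services to access this storage account".
    TrustedServicesBypass   = "$($rules.Bypass)" -match 'AzureServices'
    # The two resource instances the portal shows as "2 selected".
    WorkspaceInstanceListed = $trusted -contains $workspaceId
    FhirInstanceListed      = $trusted -contains $fhirId
    # Firewall entries that are not in the list you expected.
    UnexpectedIpRules       = @($ipRules | Where-Object { $_ -notin $expectedIpRules })
    # Step 2: the role exists, and where it was granted.
    RoleAssigned            = $roles.Count -gt 0
    RoleScopes              = @($roles | ForEach-Object { $_.Scope })
    RoleFromBroaderScope    = [bool]($roles | Where-Object { $_.Scope -ne $account.Id })
}
```

An `UnexpectedIpRules` entry or `RoleFromBroaderScope = True` is a prompt to review the firewall list or to reassign the role at the storage account scope.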
Next steps
In this article, you learned how the FHIR service supports the `import` operation, and how you can import data into the FHIR service from a storage account. You also learned about the steps for configuring import settings in the FHIR service. For more information about converting data to FHIR, exporting settings to set up a storage account, and moving data to Azure Synapse Analytics, see:
Note:
FHIR® is a registered trademark of HL7 and is used with the permission of HL7.