Infrastructure | Updated July 3, 2026
ANF Deployment Standards
Terraform-based Azure NetApp Files deployment standards for OHEMR Epic healthcare infrastructure.
Overview
All Azure NetApp Files supporting Epic healthcare systems are deployed through Infrastructure as Code (IaC) using Terraform. This standardized approach ensures consistent security controls, backup strategies, and compliance requirements across all healthcare environments.
Benefits
- Epic Certification Compliance: Maintains Epic-required infrastructure standards
- HIPAA Audit Readiness: Consistent security controls and logging
- Clinical Uptime: Standardized backup and disaster recovery
- Operational Efficiency: Automated deployment with validation gates
Terraform Configuration Structure
Required Configuration Blocks
All VM deployments must include the following standardized blocks:
| Block | Purpose | Healthcare Requirement |
|---|---|---|
| tags | Standard resource tagging | HIPAA audit trail and cost tracking |
| rgs | Resource group configuration | Environment isolation and access control |
| vnet | Virtual network assignment | Network segmentation for PHI protection |
| backup | Recovery services vault | Clinical data protection and DR |
| deployments | ANF grouping and configuration | Epic application tier organization |
Epic-Specific Deployment Patterns
Epic Production Environment
Epic Production ANF deployment:

```json
{
  "netapp": {
    "accounts": {
      "epic-anf-prod": {
        "existing": false,
        "location": "East US",
        "rg": "epic-anf-rg",
        "aes_encryption_enabled": true,
        "dns_servers": [
          "0.0.0.0"
        ],
        "tags": {
          "SolutionName": "epic-app",
          "epic-app": "hyperspace",
          "epic-stamp": "production",
          "Component": "Epic VDA",
          "DataClassification": "PHI"
        },
        "domain": "ms.ds.uhc.com",
        "ldap_over_tls_enabled": false,
        "ldap_signing_enabled": true,
        "local_nfs_users_with_ldap_allowed": false,
        "kerberos_ad_name": "epic.ms.ds.uhc.com",
        "kerberos_kdc_ip": "0.0.0.0",
        "organizational_unit": "",
        "server_root_ca_certificate": "",
        "site_name": "epic-EastUS",
        "smb_server_name": "epic-pro"
      }
    }
  }
}
```
Epic Infrastructure Services
Policies, pools and volumes in ANF:

```json
{
  "netapp": {
    "accounts": {
      "epic-anf-prod": {
        "existing": false,
        "location": "East US",
        "rg": "epic-anf-rg",
        "aes_encryption_enabled": true,
        "dns_servers": [
          "0.0.0.0"
        ],
        "tags": {
          "SolutionName": "epic-app",
          "epic-app": "hyperspace",
          "epic-stamp": "production",
          "Component": "Epic VDA",
          "DataClassification": "PHI"
        },
        "domain": "ms.ds.uhc.com",
        "ldap_over_tls_enabled": false,
        "ldap_signing_enabled": true,
        "local_nfs_users_with_ldap_allowed": false,
        "kerberos_ad_name": "epic.ms.ds.uhc.com",
        "kerberos_kdc_ip": "0.0.0.0",
        "organizational_unit": "",
        "server_root_ca_certificate": "",
        "site_name": "epic-EastUS",
        "smb_server_name": "epic-pro"
      }
    },
    "policies": {
      "Snapshot_test": {
        "existing": false,
        "account": "epic-anf-prod",
        "location": "West US3",
        "rg": "epic-anf-rg",
        "daily_schedule": {
          "snapshots_to_keep": 1,
          "hour": 5,
          "minute": 10
        },
        "weekly_schedule": {
          "snapshots_to_keep": 1,
          "days_of_week": [
            "Sunday",
            "Friday"
          ],
          "hour": 0,
          "minute": 0
        }
      }
    },
    "pools": {
      "standard_pool_test": {
        "existing": false,
        "account": "epic-anf-prod",
        "location": "West US3",
        "rg": "rg-testsandbox-001",
        "size": 4,
        "service_level": "Standard",
        "tags": {
          "AppName": "Launchpad",
          "TechOwner": ".",
          "AccountOwner": ".",
          "PatchSchedule": "."
        }
      }
    },
    "volumes": {
      "test-volume": {
        "account": "epic-anf-prod",
        "pool": "robo_fw_test",
        "sid": "anf",
        "rg": "rg-testsandbox-001",
        "subnet": "epic-prod-subnet",
        "policy_name": "Snapshot_test",
        "volume_path": "smbtestshare",
        "number": 1,
        "zones": "1",
        "snapshot_directory_visible": true,
        "storage_quota_in_gb": 100,
        "protocols": [
          "CIFS"
        ],
        "service_level": "Standard"
      }
    }
  }
}
```
Standard Configuration Requirements
1. Resource Tagging Standards
Global Tags (required on all resources):
```hcl
tags = {
  # Standard organizational tags
  aide-id               = "AIDE_0085665"
  item-assignment-group = "EPIC NATIONAL INSTANCE – SPT"
  Division              = "Optum Health"
  Product               = "Epic EMR"
  environment           = "prd"
  GL_Code               = "44770-01530-USASS800-169950"
  service-tier          = "p1"
  platform-managed      = "true"

  # Compliance and security
  DataClassification = "PHI"
  DR                 = "Yes"

  # Deployment tracking
  workspace-id      = "ohemr-epic-pro-001"
  working-directory = "westepicpro/netappwestus3"
  source-code-repo  = "https://github.com/optum-tech-compute/ohemr-epic-pro-001"
}
```

See the Tagging Strategy for EoA Servers page for the complete list.
2. Network Configuration
Virtual Network Requirements:
```hcl
vnet = {
  name                = "vnet-epic-prod-westus3"
  resource_group_name = "rg-epic-network-prod-westus3"

  # Epic network segmentation
  subnets = {
    epic-app-subnet = {
      address_prefixes = ["10.1.1.0/24"]
      nsg_name         = "nsg-epic-app-prod"
    }
    epic-data-subnet = {
      address_prefixes = ["10.1.2.0/24"]
      nsg_name         = "nsg-epic-data-prod"
    }
  }
}
```
Validation Requirements
Terraform Validation Commands
```bash
# Initialize and validate Terraform configuration
terraform init
terraform validate

# Plan deployment with target resource verification
terraform plan -target="module.anf_deployment"

# Apply with Epic-specific validation
terraform apply -var="validate_epic_compliance=true"
```
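`terraform validate` does not cross-check the names inside the `netapp` map unless the module declares validation rules for them. The pre-plan check below is an added example, not part of the OHEMR repository. It flags placeholder addresses, a policy or pool whose location differs from its account's, and volumes that reference undefined accounts, pools or policies. `check_netapp` and `is_placeholder` are hypothetical names, and `SAMPLE` is constructed from the "Policies, pools and volumes" example on this page.

```python
import ipaddress

# Constructed sample: the page's policies/pools/volumes map, trimmed to the
# fields the checks read.
SAMPLE = {
    "accounts": {"epic-anf-prod": {"location": "East US",
                                   "dns_servers": ["0.0.0.0"],
                                   "kerberos_kdc_ip": "0.0.0.0"}},
    "policies": {"Snapshot_test": {"account": "epic-anf-prod", "location": "West US3"}},
    "pools": {"standard_pool_test": {"account": "epic-anf-prod", "location": "West US3"}},
    "volumes": {"test-volume": {"account": "epic-anf-prod",
                                "pool": "robo_fw_test",
                                "policy_name": "Snapshot_test"}},
}

def is_placeholder(addr):
    """True for 0.0.0.0 / :: and for values that are not IP addresses."""
    try:
        return ipaddress.ip_address(addr).is_unspecified
    except ValueError:
        return True

def check_netapp(netapp):
    """Return sorted findings for one netapp map (hypothetical helper)."""
    accounts = netapp.get("accounts", {})
    policies = netapp.get("policies", {})
    pools = netapp.get("pools", {})
    out = []
    for name, acct in accounts.items():
        for field in ("dns_servers", "kerberos_kdc_ip"):
            value = acct.get(field, [])
            for addr in value if isinstance(value, list) else [value]:
                if is_placeholder(addr):
                    out.append(f"account {name}: {field} is placeholder {addr!r}")
    # Policies and pools are created under an account; flag region drift.
    for kind, items in (("policy", policies), ("pool", pools)):
        for name, item in items.items():
            parent = accounts.get(item.get("account"), {})
            if item.get("location") != parent.get("location"):
                out.append(f"{kind} {name}: location {item.get('location')!r} "
                           f"differs from account {item.get('account')!r}")
    # Every volume must name an account, pool and policy defined in the map.
    for name, vol in netapp.get("volumes", {}).items():
        for key, table in (("account", accounts), ("pool", pools),
                           ("policy_name", policies)):
            if vol.get(key) not in table:
                out.append(f"volume {name}: {key} {vol.get(key)!r} not defined")
    return sorted(out)
```

Load the variables file with `json.load`, pass its `netapp` value to `check_netapp`, and fail the pipeline stage when the returned list is not empty.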