Infrastructure | Updated July 3, 2026

ANF Deployment Standards

Terraform-based Azure NetApp Files deployment standards for OHEMR Epic healthcare infrastructure.


🎯 Overview

All Azure NetApp Files supporting Epic healthcare systems are deployed through Infrastructure as Code (IaC) using Terraform. This standardized approach ensures consistent security controls, backup strategies, and compliance requirements across all healthcare environments.

Benefits

  • Epic Certification Compliance: Maintains Epic-required infrastructure standards
  • HIPAA Audit Readiness: Consistent security controls and logging
  • Clinical Uptime: Standardized backup and disaster recovery
  • Operational Efficiency: Automated deployment with validation gates

📋 Terraform Configuration Structure

Required Configuration Blocks

All VM deployments must include the following standardized blocks:

Block       | Purpose                        | Healthcare Requirement
tags        | Standard resource tagging      | HIPAA audit trail and cost tracking
rgs         | Resource group configuration   | Environment isolation and access control
vnet        | Virtual network assignment     | Network segmentation for PHI protection
backup      | Recovery services vault        | Clinical data protection and DR
deployments | ANF grouping and configuration | Epic application tier organization

๐Ÿฅ Epic-Specific Deployment Patterns

Epic Production Environment

# Epic Production ANF Deployment
"netapp": {
  "accounts": {
    "epic-anf-prod": {
      "existing": false,
      "location": "East US",
      "rg": "epic-anf-rg",
      "aes_encryption_enabled": true,
      "dns_servers": [
        "0.0.0.0"
      ],
      "tags": {
        "SolutionName": "epic-app",
        "epic-app": "hyperspace",
        "epic-stamp": "production",
        "Component": "Epic VDA",
        "DataClassification": "PHI"
      },
      "domain": "ms.ds.uhc.com",
      "ldap_over_tls_enabled": false,
      "ldap_signing_enabled": true,
      "local_nfs_users_with_ldap_allowed": false,
      "kerberos_ad_name": "epic.ms.ds.uhc.com",
      "kerberos_kdc_ip": "0.0.0.0",
      "organizational_unit": "",
      "server_root_ca_certificate": "",
      "site_name": "epic-EastUS",
      "smb_server_name": "epic-pro"
    }
  }
}

Epic Infrastructure Services

# Policies, pools and volumes in ANF
"netapp": {
  "accounts": {
    "epic-anf-prod": {
      "existing": false,
      "location": "East US",
      "rg": "epic-anf-rg",
      "aes_encryption_enabled": true,
      "dns_servers": [
        "0.0.0.0"
      ],
      "tags": {
        "SolutionName": "epic-app",
        "epic-app": "hyperspace",
        "epic-stamp": "production",
        "Component": "Epic VDA",
        "DataClassification": "PHI"
      },
      "domain": "ms.ds.uhc.com",
      "ldap_over_tls_enabled": false,
      "ldap_signing_enabled": true,
      "local_nfs_users_with_ldap_allowed": false,
      "kerberos_ad_name": "epic.ms.ds.uhc.com",
      "kerberos_kdc_ip": "0.0.0.0",
      "organizational_unit": "",
      "server_root_ca_certificate": "",
      "site_name": "epic-EastUS",
      "smb_server_name": "epic-pro"
    }
  },
  "policies": {
    "Snapshot_test": {
      "existing": false,
      "account": "epic-anf-prod",
      "location": "West US3",
      "rg": "epic-anf-rg",
      "daily_schedule": {
        "snapshots_to_keep": 1,
        "hour": 5,
        "minute": 10
      },
      "weekly_schedule": {
        "snapshots_to_keep": 1,
        "days_of_week": [
          "Sunday",
          "Friday"
        ],
        "hour": 0,
        "minute": 0
      }
    }
  },
  "pools": {
    "standard_pool_test": {
      "existing": false,
      "account": "epic-anf-prod",
      "location": "West US3",
      "rg": "rg-testsandbox-001",
      "size": 4,
      "service_level": "Standard",
      "tags": {
        "AppName": "Launchpad",
        "TechOwner": ".",
        "AccountOwner": ".",
        "PatchSchedule": "."
      }
    }
  },
  "volumes": {
    "test-volume": {
      "account": "epic-anf-prod",
      "pool": "robo_fw_test",
      "sid": "anf",
      "rg": "rg-testsandbox-001",
      "subnet": "epic-prod-subnet",
      "policy_name": "Snapshot_test",
      "volume_path": "smbtestshare",
      "number": 1,
      "zones": "1",
      "snapshot_directory_visible": true,
      "storage_quota_in_gb": 100,
      "protocols": [
        "CIFS"
      ],
      "service_level": "Standard"
    }
  }
}

🔧 Standard Configuration Requirements

1. Resource Tagging Standards

Global Tags (required on all resources):

tags = {
  # Standard organizational tags
  aide-id               = "AIDE_0085665"
  item-assignment-group = "EPIC NATIONAL INSTANCE – SPT"
  Division              = "Optum Health"
  Product               = "Epic EMR"
  environment           = "prd"
  GL_Code               = "44770-01530-USASS800-169950"
  service-tier          = "p1"
  platform-managed      = "true"

  # Compliance and security
  DataClassification    = "PHI"
  DR                    = "Yes"

  # Deployment tracking
  workspace-id          = "ohemr-epic-pro-001"
  working-directory     = "westepicpro/netappwestus3"
  source-code-repo      = "https://github.com/optum-tech-compute/ohemr-epic-pro-001"
}

See the Tagging Strategy for EoA Servers page for the complete list.

2. Network Configuration

Virtual Network Requirements:

vnet = {
  name                = "vnet-epic-prod-westus3"
  resource_group_name = "rg-epic-network-prod-westus3"

  # Epic network segmentation
  subnets = {
    epic-app-subnet = {
      address_prefixes = ["10.1.1.0/24"]
      nsg_name = "nsg-epic-app-prod"
    }
    epic-data-subnet = {
      address_prefixes = ["10.1.2.0/24"]
      nsg_name = "nsg-epic-data-prod"
    }
  }
}

๐Ÿ” Validation Requirements

Terraform Validation Commands

# Initialize and validate Terraform configuration
terraform init
terraform validate

# Plan deployment with target resource verification
terraform plan -target="module.anf_deployment"

# Apply with Epic-specific validation
terraform apply -var="validate_epic_compliance=true"
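
A pre-plan check that could run ahead of the commands above, as an added example rather than OHEMR project code: it loads a "netapp" block and reports references between volumes, pools, policies and accounts that do not resolve. The function name, the embedded sample (constructed, modelled on the block on this page) and two of the rules are assumptions: 0.0.0.0 is treated as an unreplaced placeholder, and pools and policies are expected in the same region as their account.

```python
import json

# Constructed sample, modelled on the "netapp" block shown on this page (trimmed).
SAMPLE = json.loads("""
{
  "accounts": {"epic-anf-prod": {"location": "East US", "dns_servers": ["0.0.0.0"],
                                  "kerberos_kdc_ip": "0.0.0.0"}},
  "policies": {"Snapshot_test": {"account": "epic-anf-prod", "location": "West US3"}},
  "pools": {"standard_pool_test": {"account": "epic-anf-prod", "location": "West US3"}},
  "volumes": {"test-volume": {"account": "epic-anf-prod", "pool": "robo_fw_test",
                               "policy_name": "Snapshot_test"}}
}
""")

PLACEHOLDER_IP = "0.0.0.0"  # assumption: a redaction placeholder, never a real endpoint


def validate_netapp(cfg):
    """Return a sorted list of findings for one parsed "netapp" block."""
    findings = []
    accounts = cfg.get("accounts", {})
    policies = cfg.get("policies", {})
    pools = cfg.get("pools", {})

    for name, acct in accounts.items():
        ips = list(acct.get("dns_servers", [])) + [acct.get("kerberos_kdc_ip")]
        if PLACEHOLDER_IP in ips:
            findings.append(f"account {name}: placeholder address {PLACEHOLDER_IP} not replaced")

    # Assumption: policies and pools must name a declared account and share its location.
    for kind, items in (("policy", policies), ("pool", pools)):
        for name, item in items.items():
            parent = accounts.get(item.get("account"))
            if parent is None:
                findings.append(f"{kind} {name}: unknown account {item.get('account')}")
            elif item.get("location") != parent.get("location"):
                findings.append(f"{kind} {name}: location {item.get('location')} "
                                f"differs from account location {parent.get('location')}")

    # Every volume must resolve to a declared account, pool and snapshot policy.
    for name, vol in cfg.get("volumes", {}).items():
        for key, table in (("account", accounts), ("pool", pools), ("policy_name", policies)):
            if vol.get(key) not in table:
                findings.append(f"volume {name}: {key} {vol.get(key)!r} is not declared")
    return sorted(findings)


if __name__ == "__main__":
    for finding in validate_netapp(SAMPLE):
        print("FAIL", finding)
```

Any non-empty result should fail the pipeline stage before terraform plan runs.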