Updated July 3, 2026

Epic Storage Operations - SOP

Tags: operations, sop, infrastructure, storage, azure-storage, blob-storage, private-endpoint, sql, epic, compliance

Standard Operating Procedure (SOP)

Epic Storage


1. Purpose

This SOP outlines deployment, operational, and compliance procedures for the Epic storage account.


2. Scope

Applies to cloud engineering, operations, database, and audit teams supporting Epic shared infrastructure production SQL workloads.


Example Code Structure Explanation

3. Storage Account Configuration

a. Storage Account: epicsto01

Property                    Value
Shared Access Key Enabled   true
Private Endpoints           Yes
PE Subnet                   ohemr-snet-west_epic_pe-shared-wus3-001
Private Service Connection  mpsql_st-pro-cus-001
Subresources                ["blob"]
Private DNS Zones           privatelink.blob.core.windows.net (see ID below)

Private DNS Zone ID Example: /subscriptions/1234-1234-1234/resourceGroups/ohemr-rg-core_network-pro-wus3-001/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net


b. Blob Subresource Details

  • Blob Subresource: The "blob" subresource refers to Azure Blob Storage, which is used for storing unstructured data such as documents, backups, logs, and database files. In this deployment, the private endpoint specifically exposes only blob storage functionality, ensuring secure access to blobs from within your VNet.

  • Operational Need: SQL VMs commonly use blob storage for backup, archival, or integration with other services. Restricting the endpoint to "blob" enhances security and limits exposure to only necessary storage features.


c. Need for Private DNS Zone

  • Why Private DNS Zone is Needed: When a private endpoint is created for a storage account, the account's public FQDN (such as <storageaccountname>.blob.core.windows.net) becomes a CNAME to <storageaccountname>.privatelink.blob.core.windows.net. The private DNS zone (privatelink.blob.core.windows.net) linked to the VNet holds the A record for that name, pointing at the endpoint's private IP, so applications and VMs keep the same FQDN they would use for public access but are routed privately.

  • Operational Impact:

    • Ensures storage traffic remains on the Azure backbone, never traversing the public internet.
    • Simplifies application configuration; no need to change connection strings or endpoints.
    • Supports compliance by restricting access to authorized and internal resources only.

d. Operational Guidance

  • Shared Access Key: Ensure secure management and periodic rotation of shared access keys. Audit key usage and restrict via policies where possible.
  • Private Endpoints: Validate connectivity from VM subnet to storage account via private endpoint for all blob operations. Confirm the private DNS zone is associated with the VNet to ensure name resolution to private IP.
  • Security: Disable public network access for the storage account; use only private endpoints for access. Limit access policies to least privilege.
  • Monitoring: Enable diagnostic logging for storage account access and configuration changes.
  • Compliance: Ensure all storage objects are tagged according to standards above.
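As an added check that is not part of this SOP or any project tooling, the script below evaluates a deployment block shaped like the JSON fragment at the end of this page against the rules in sections 3a to 3d (private endpoint present, subnet set, blob-only subresource, privatelink DNS zone linked, shared key flagged for rotation). The embedded sample is a constructed copy of that fragment with a placeholder subscription ID.

```python
"""Added policy check for an Epic storage deployment block; key names follow
the page's JSON fragment, the embedded sample is a constructed copy."""
import json
import re

ZONE = "privatelink.blob.core.windows.net"
ZONE_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.Network/privateDnsZones/([^/]+)$"
)

def check_storage(deployment: dict) -> list[str]:
    """Return one finding per deviation from SOP section 3 (3a-3d).
    An empty list means every storage account in the block conforms."""
    findings = []
    for name, acct in deployment.get("storage", {}).items():
        # 3d: shared key is permitted but must be rotated and audited
        if acct.get("shared_access_key_enabled"):
            findings.append(f"{name}: shared access key enabled; rotate and audit key usage (3d)")
        pes = acct.get("private_endpoints") or {}
        if not pes:
            findings.append(f"{name}: no private endpoint defined (3a)")
        for pe_name, pe in pes.items():
            if not pe.get("pe_subnet"):
                findings.append(f"{name}/{pe_name}: pe_subnet missing (3a)")
            # 3b: expose the blob subresource only
            if pe.get("subresource_names") != ["blob"]:
                findings.append(f"{name}/{pe_name}: subresources must be exactly [\"blob\"] (3b)")
            # 3c: without the privatelink zone the FQDN resolves to the public IP
            zones = pe.get("private_dns_zones") or []
            if not zones:
                findings.append(f"{name}/{pe_name}: no private DNS zone linked (3c)")
            for zone in zones:
                match = ZONE_ID_RE.match(zone.get("id", ""))
                if not match or match.group(1) != ZONE:
                    findings.append(f"{name}/{pe_name}: DNS zone must be {ZONE} (3c)")
    return findings

# Constructed copy of the page's fragment; subscription ID is a placeholder.
SAMPLE = json.loads("""{"deployment": {"storage": {"stepicmpsqlsharedwus01": {
  "shared_access_key_enabled": true,
  "private_endpoints": {"ohemr-pe-mpsql_ct_st-pro-cus-001": {
    "pe_subnet": "ohemr-snet-west_epic_pe-shared-wus3-001",
    "psc_name": "mpsql_st-pro-cus-001",
    "subresource_names": ["blob"],
    "private_dns_zones": [{"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ohemr-rg-core_network-pro-wus3-001/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net"}]
  }}}}}}""")
```

Run against the page's configuration the only finding is the shared-key rotation reminder; adding a second subresource or linking a non-privatelink zone produces one finding each.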

5. Storage Deployment Steps

  1. Provision storage account with shared access key enabled and configure private endpoint in designated subnet.
  2. Associate private DNS zone for blob access name resolution.
  3. Test SQL connectivity and storage access from VM.
  4. Apply and validate tags on all resources.
  5. Enable monitoring and alerting for VM and storage account usage/events.

6. Audit & Review

  • Quarterly review of VM and storage account configuration, access, and compliance.
  • Annual update of SOP and documentation.

7. Contacts

Role           Contact
Tech Owner     [add contact]
Account Owner  [add contact]
Operations     [add contact]

{
  "deployment": {
    "storage": {
      "stepicmpsqlsharedwus01": {
        "shared_access_key_enabled": true,
        "private_endpoints": {
          "ohemr-pe-mpsql_ct_st-pro-cus-001": {
            "pe_subnet": "ohemr-snet-west_epic_pe-shared-wus3-001",
            "psc_name": "mpsql_st-pro-cus-001",
            "subresource_names": ["blob"],
            "private_dns_zones": [
              {
                "id": "/subscriptions/6ad81c44-89ef-46b7-b8c8-a9ae34e3fe13/resourceGroups/ohemr-rg-core_network-pro-wus3-001/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net"
              }
            ]
          }
        }
      }
    }
  }
}