Architecture overview
This document provides an architectural overview of the Schoolyear AVD solution. It assumes you are familiar with the goal and end-user perspective of the solution. If not, please refer to the Product Introduction page first.
Schoolyear AVD, a feature of Safe Exam Workspace (SEW), integrates with your Azure infrastructure to provide a secure virtual desktop environment specifically designed for exams and assessments.
Desktop environment
Section titled “Desktop environment”In Safe Exam Workspace, teachers can configure the websites and files students are allowed to access during their exam. The goal of Schoolyear AVD is to allow them to add desktop applications as well.
When desktop use is enabled for an exam, Schoolyear AVD will deploy a virtual desktop in your Azure infrastructure for each student. Students get access to this secured desktop for the duration of the exam, after which Schoolyear AVD will delete it again. Within the desktop environment, students can access the software that your IT team installed in addition to the websites and files the teacher configured for that exam.
The desktop environment is locked down by default but can be fully customized by your IT team. You can install your own software on it and configure it to meet your requirements. Your IT team can configure multiple desktop environments from which teachers can choose when configuring an exam.
Because Schoolyear AVD creates a new VM for each student, there is a limit to how many concurrent exam sessions can be held. This limit is caused by the capacity limit of your Azure infrastructure (also known as quotas). To prevent exceeding this capacity, Schoolyear AVD enforces this limit when exams are scheduled.
Resource Orchestration
Section titled “Resource Orchestration”Schoolyear AVD will deploy a new resource group in your Azure Subscription for each exam. Within that resource group, Schoolyear AVD will deploy all the resources necessary to host a virtual desktop for each student.
Schoolyear AVD will start deploying the necessary resources ahead of the scheduled exam start time automatically. The lead time for this deployment is configurable.
At the end of an exam, Schoolyear AVD will delete the resource group and all the resources in it. This means that Schoolyear AVD has negligible ongoing costs in Azure (see Base infrastructure).
If any of these deployments or deletions fail, your IT team is notified by email so they can respond appropriately.
AVD add-on
Section titled “AVD add-on”The Schoolyear AVD integration is highly customizable through the Azure Virtual Desktop add-on in the Schoolyear Admin dashboard.
Your IT team has full control over the desktop environments that teachers can select for their exams
and how/when they are deployed in your Azure infrastructure.
Azure Virtual Desktop
Section titled “Azure Virtual Desktop”Schoolyear AVD uses the Azure Virtual Desktop (AVD) service of Azure to host the virtual desktops. For each exam, a new Host pool, Workspace and Application Group is deployed. For each student, a dedicated session host is deployed. This is a virtual machine connected to AVD on which the student has access during their exam.
avdcli
Section titled “avdcli”The golden image from which the session hosts are deployed can be fully customized by you.
Schoolyear AVD includes a specialized avdcli tool which can be used to secure and customize these images.
Because students get a fresh, locked-down, and internet-limited machine for each exam,
we recommend against using your existing image provisioning tools,
as they are not specialized for this high-security context.
The avdcli tool leverages the Azure VM Image Builder service to automate image creation.
It systematically applies a lockdown script that removes unnecessary applications from Windows, secures the firewall, and installs the Schoolyear VDI Browser.
After this, it applies any installation or customization scripts you may want to apply to the machine,
before sysprepping it.
VDI Browser
Section titled “VDI Browser”The Schoolyear VDI Browser is a software application that is installed in the virtual desktop environment.
This browser fully integrates with Safe Exam Workspace such that the websites and files are automatically configured for each exam.
IT no longer has to configure the whitelist of websites manually, as this is done automatically through the assessment platform integrations of Safe Exam Workspace. Furthermore, teachers can configure the files available during the exam themselves, without the help of IT or a shared network drive.
Trusted Proxy
Section titled “Trusted Proxy”The core security component of Schoolyear AVD is the Trusted Proxy.
This proxy operates between the students’ endpoint devices and the AVD Host Pool they are interacting with.
This Trusted Proxy authenticates the incoming connections to make sure they are coming from locked-down endpoint devices.
This ensures students are only able to access their exam through the Safe Exam Workspace client and not from other, insecure, devices.
The Trusted Proxy is deployed for each exam and is hosted in your Azure infrastructure. This way, you are not dependent on the availability of Schoolyear’s services for the routing of this traffic.
Network security
Section titled “Network security”Students have full, but unprivileged, access to their dedicated virtual desktop environment. By default, this desktop environment imposes no restrictions on the applications students can start or files they can edit other than not having Administrator rights.
The security of the desktop environment is enforced by the network restrictions applied to it. By default, the desktop environment has no internet access other than the exceptions mentioned below. This is by design, as everything the student should have access to must be preinstalled on the desktop environment.
Outgoing network exceptions:
- AVD traffic: communication to the Azure Virtual Desktop Host Pool to make the remote desktop connection possible.
- Application traffic: connections required by the software on the machine. E.g., license activation servers.
- VDI Browser: the browser that integrates with Safe Exam Workspace to enforce a strict website and file whitelist.
Network architecture
Section titled “Network architecture”During the implementation of Schoolyear AVD, you will deploy a new Azure Virtual Network. This network is isolated from your existing Azure network, except for any license server peering you may need to implement.
All the outgoing traffic from this network goes through a single NAT Gateway. This allows you to use the public IP address of this NAT for whitelisting purposes (e.g., MFA exceptions).