Base infrastructure architecture
This page provides an overview of the base infrastructure. The base infrastructure is the set of Azure resources that remain in place between exams.
They are deployed when you install the Azure Virtual Desktop add-on and are reused by exam deployments and image-building jobs.
Overview
architecture-beta
group tenant(azure:tenant-properties)[Your Azure tenant]
service appRegistration(azure:app-registrations)[App registration] in tenant
group subscription(azure:subscriptions)[Dedicated subscription] in tenant
group baseRg(azure:resource-groups)[Base resource group] in subscription
service baseResources(azure:all-resources)[resources] in baseRg
group imageRg(azure:resource-groups)[Image building resource group] in subscription
service imageResources(azure:all-resources)[resources] in imageRg
group networkRg(azure:resource-groups)[Exam network resource group] in subscription
service networkResources(azure:all-resources)[resources] in networkRg
This overview shows the Schoolyear AVD app registration in Entra, the dedicated Azure subscription, and the three resource groups. The diagrams below then show the resources in each resource group in more detail.
Resource groups
Base installation resource group
architecture-beta
service keyVault(azure:key-vaults)[Wildcard certificate Key Vault]
service publicDnsZone(azure:dns-zones)[Public DNS zone]
- The public DNS zone hosts the AVD subdomain delegated during installation. It routes the students to the correct exam.
- The Key Vault stores the wildcard certificate used during exams.
Image building resource group
architecture-beta
service storageAccount(azure:storage-accounts)[Storage account]
service managedIdentity(azure:managed-identities)[Managed identity]
service computeGallery(azure:azure-compute-galleries)[Azure Compute Gallery]
service imageDefinitions(azure:images)[Image definitions]
service imageVersions(azure:vm-image-version)[Image versions]
service imageTemplates(azure:image-templates)[Image templates]
computeGallery:R -- L:imageDefinitions
imageDefinitions:R -- L:imageVersions
This resource group supports image creation with the avdcli and Azure Image Builder.
- The storage account stores image building scripts and metadata.
- The managed identity is used by automation during image builds.
- The Azure Compute Gallery stores the image definitions and image versions used for the student session hosts.
- Image templates are the instruction manuals for the Azure Image Builder. Each template is specific to one image version. They also store the build logs after a build.
Exam network resource group
architecture-beta
service natGateway(azure:nat)[NAT gateway]
service publicIp(azure:public-ip-addresses)[Public IP address]
service privateDnsZone(azure:dns-zones)[Private DNS zone]
group vnet(azure:virtual-networks)[Virtual exam network]
service sessionHostSubnet(azure:subnet)[Session hosts subnet] in vnet
service servicesSubnet(azure:subnet)[Services subnet] in vnet
service avdEndpointsSubnet(azure:subnet)[AVD endpoints subnet] in vnet
publicIp:L -- R:natGateway
sessionHostSubnet:R -- L:natGateway
servicesSubnet:R -- L:natGateway
avdEndpointsSubnet:R -- L:natGateway
privateDnsZone:R -- L:avdEndpointsSubnet
This resource group contains the persistent virtual network used by exam deployments.
- The NAT gateway provides predictable outbound traffic through the attached public IP address.
- The virtual network contains the subnets used for session hosts, services, and AVD private endpoints.
- The private DNS zone lets session hosts reach the AVD host pool connection and workspace feed privately.