Exam network architecture

This page provides a simplified overview of the network architecture during an exam. Most components are provisioned before the exam and removed afterwards.

This diagram shows the route a student connection takes during an exam to access a virtual machine.

```mermaid
%%{init: {
  "flowchart": {
    "subGraphTitleMargin": {
      "top": 0,
      "bottom": 0
    }
}}}%%

flowchart TB
    classDef routeBlue fill:#dbeafe,stroke:#2563eb,color:#111827
    classDef routeGreen fill:#dcfce7,stroke:#16a34a,color:#111827

    A["Student endpoint"]

    subgraph ExamNetwork[" "]
        NetworkLabel["Azure exam network"]
        B["Load balancer of exam"]
        C["A trusted proxy server of exam"]
        D["NAT gateway"]
        F["Host pool"]
        G["Virtual machine"]

        NetworkLabel ~~~ B
    end

    E["AVD web client"]


    A -->|"variable public entry IP"| B -->|"routes traffic to"| C
    C --> |"Route 1"| D -->|"from static public IP"| E
    C --> |"Route 2"| F --> G

    style NetworkLabel fill:transparent,stroke:transparent,font-weight:bold

    class D,E routeBlue
    class F,G routeGreen

    linkStyle 3,4 stroke:#2563eb,stroke-width:3px
    linkStyle 5,6 stroke:#16a34a,stroke-width:3px
```

  • Route 1: The connection from the student endpoint, through the Trusted Proxy, to the AVD web client. This loads the AVD client and starts the session.
  • Route 2: The connection from the student endpoint, through the Trusted Proxy, to the host pool and assigned virtual machine. This carries the actual exam desktop session.

The Host Pool is configured to accept private access connections only. The Trusted Proxy accepts connections only from the Schoolyear Browser or from Chromebooks running Schoolyear. Together, these controls ensure that only students taking an exam can reach the virtual machines.

This diagram shows the outbound paths for traffic that originates on the virtual machine. It shows only the outbound routes that are useful to the student; all other routes are blocked by the firewall.

```mermaid
%%{init: {
  "flowchart": {
    "subGraphTitleMargin": {
      "top": 0,
      "bottom": 0
    }
}}}%%

flowchart TB
    classDef routeBlue fill:#dbeafe,stroke:#2563eb,color:#111827
    classDef routeAmber fill:#fef3c7,stroke:#d97706,color:#111827
    classDef routeGreen fill:#dcfce7,stroke:#16a34a,color:#111827
    classDef routeNeutral fill:#f3f4f6,stroke:#6b7280,color:#111827

    subgraph VirtualMachine["Virtual machine"]
        direction TB

        Browser["Schoolyear VDI Browser"]
        OtherApps["OS / Other applications"]
        FW["Windows Firewall"]

        Browser -->|"Outbound 1"| FW
        OtherApps -->|"Outbound 2"| FW
        OtherApps -->|"Outbound 3"| FW
    end

    LoadBalancer["Load balancer"]
    ProxyServer["Session host proxy server"]
    NatGateway["NAT Gateway"]
    StaticIp[" "]

    FW -->|"Outbound 1"| NatGateway
    FW -->|"Outbound 2"| LoadBalancer
    LoadBalancer -->|"routes traffic to"| ProxyServer
    ProxyServer --> NatGateway
    FW -->|"Outbound 3"| NatGateway
    NatGateway -->|"Static IP"| StaticIp

    style StaticIp fill:transparent,stroke:transparent

    class Browser routeBlue
    class OtherApps routeNeutral
    class LoadBalancer,ProxyServer,NatGateway routeGreen

    linkStyle 0 stroke:#2563eb,stroke-width:3px
    linkStyle 1 stroke:#16a34a,stroke-width:3px
    linkStyle 2 stroke:#d97706,stroke-width:3px
    linkStyle 3 stroke:#2563eb,stroke-width:3px
    linkStyle 4 stroke:#16a34a,stroke-width:3px
    linkStyle 5 stroke:#16a34a,stroke-width:3px
    linkStyle 6 stroke:#16a34a,stroke-width:3px
    linkStyle 7 stroke:#d97706,stroke-width:3px
    linkStyle 8 stroke:#6b7280,stroke-width:3px
```

  • Outbound 1: The Schoolyear VDI Browser uses the exam whitelist configured in the Schoolyear Dashboard. Teachers or the exam organization commonly use it to add the websites students may access during the exam. It is configured per exam and is independent of the exam image.
  • Outbound 2: Public HTTP(S) traffic from installed applications can use the Session Host Proxy and its domain whitelist. This is used when installed software needs HTTP(S) access to specific public domains, for example to download software packages or help center articles.
  • Outbound 3: Direct TCP/UDP traffic must pass through a custom firewall rule scoped to a specific IP address and port. This is used for non-HTTP(S) application traffic to a fixed destination, such as a license server.

Outbound 2 and Outbound 3 are configured in the exam image. For the implementation steps, see Configure network requirements.
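As an added illustration of the Outbound 3 pattern (this is example code, not Schoolyear's documented configuration steps, which live on the Configure network requirements page), the PowerShell below creates one outbound rule scoped to a single remote address and port and then audits the image for any enabled outbound Allow rule that is not scoped that tightly. The license server address, port and rule name are placeholders; the script assumes the image's profiles already default to blocking outbound traffic, as the page describes.

```powershell
# Added example, not part of the Schoolyear documentation.
# Placeholders: replace with the real license server and a rule name of your own.
param(
    [string]$LicenseServerIp   = '203.0.113.10',   # placeholder (TEST-NET-3 range)
    [int]   $LicenseServerPort = 27000,            # placeholder
    [string]$Protocol          = 'TCP',            # Outbound 3 covers TCP or UDP
    [string]$RuleName          = 'Exam - License server (Outbound 3)'
)

# Check, do not change, the default outbound action: the page states that all
# routes other than Outbound 1-3 are disabled, so every profile should read Block.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction | Format-Table -AutoSize

# Outbound 3: direct traffic to one fixed destination and one port, nothing broader.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Outbound -Action Allow -Profile Any `
        -Protocol $Protocol -RemoteAddress $LicenseServerIp -RemotePort $LicenseServerPort | Out-Null
}

# Audit: every enabled outbound Allow rule whose remote address or remote port is
# left at "Any" widens egress beyond the three routes and should be reviewed.
function Get-UnscopedOutboundAllowRules {
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        $anyAddr = ($addr.RemoteAddress -contains 'Any')
        $anyPort = ($port.RemotePort -contains 'Any')
        if ($anyAddr -or $anyPort) {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Protocol      = $port.Protocol
                RemoteAddress = ($addr.RemoteAddress -join ',')
                RemotePort    = ($port.RemotePort -join ',')
            }
        }
    }
}

# The newly created rule is scoped to one IP and one port, so it does not appear here.
Get-UnscopedOutboundAllowRules | Format-Table -AutoSize
```

Run it in an elevated session while building the exam image; the rules that Outbound 1 and Outbound 2 rely on will show up in the audit output because they target the NAT gateway and load balancer rather than a single remote port, which is expected and should be the complete list.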