Overview
This chapter describes how networking is set up in the default deployment template of Schoolyear AVD. This template is open-source and can be adjusted any way you like; this chapter only describes how the default template handles networking.
We recommend not deviating too much from the network setup of the default deployment template, as the security of the Schoolyear AVD solution depends on the network being configured correctly.
Each exam gets its own isolated VNET. This simplifies the firewall configuration tremendously. Therefore, we strongly discourage the sharing of VNETs between multiple exams.
Security goals
The default network and firewall configuration of Schoolyear AVD serves the following goals:
- Regulate access to the sessionhosts: make sure students can only access their session through the Schoolyear Safe Exam Workspace.
- Filter outgoing traffic: only allow the specific internet connections required by the software used during the exam.
- Whitelist exam content: allow students to access the configured websites and files for one specific exam.
We make a distinction between outgoing traffic required by software and outgoing traffic required to fetch exam content, as the exam content may be dynamically configured for each exam.
When making changes to the default deployment template, make sure you still meet these goals.
Components and responsibilities
The following network components are included in the default deployment template and have the following responsibilities:
- Schoolyear Trusted Proxy: enforces the use of Schoolyear Safe Exam Workspace when accessing the sessionhosts.
- Schoolyear Sessionhost proxy: filters the HTTP(S) traffic coming from the sessionhosts.
- Azure NAT Gateway: provides an outgoing internet connection to the VNET.
- Windows Firewall: enforces the use of the sessionhost proxy for outgoing internet connections.
- Schoolyear VDI Browser: the browser installed on the sessionhosts that only shows content that is allowed during the exam. This browser is trusted, so it is allowed to bypass the Windows Firewall and the Sessionhost proxy.
These components are described in further detail in this chapter.
VNET configuration
The VNET that is deployed for each exam has the following configuration by default:
| Network | CIDR | Note |
|---|---|---|
| VNET range | 10.0.0.0/19 | |
| Sessionhost subnet | 10.0.0.0/20 | Room for 4094 sessionhosts |
| Services subnet | 10.0.16.0/20 | Used for Private Links and proxy servers |
Because the VNET range is the same for each exam, these exam VNETs cannot be peered with another network.
The number of sessionhosts is limited to 4094. That means the number of students in one exam is limited to this number unless you expand the range of the sessionhost subnet.
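The address plan above can be checked before a template is changed. The following script is an added example, not part of the Schoolyear template: it takes the default CIDRs from the table, verifies that both subnets sit inside the VNET range without overlapping, derives the sessionhost capacity, and shows why two VNETs with the same range cannot be peered. The function names and the "widened subnet" mistake in the final check are constructed for illustration.

```python
import ipaddress

# Default address plan from the table above (values as stated on this page).
VNET_RANGE = "10.0.0.0/19"
SUBNETS = {
    "sessionhost": "10.0.0.0/20",
    "services": "10.0.16.0/20",
}


def usable_hosts(cidr: str) -> int:
    """Host addresses in a subnet, excluding the network and broadcast addresses."""
    return ipaddress.ip_network(cidr).num_addresses - 2


def validate_layout(vnet: str, subnets: dict[str, str]) -> list[str]:
    """Return a list of problems with the address plan; an empty list means it is consistent."""
    problems = []
    vnet_net = ipaddress.ip_network(vnet)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    # Every subnet must be carved out of the VNET range.
    for name, net in nets.items():
        if not net.subnet_of(vnet_net):
            problems.append(f"{name} subnet {net} is not inside VNET range {vnet_net}")
    # Subnets inside one VNET must not overlap each other.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnets {a} ({nets[a]}) and {b} ({nets[b]}) overlap")
    return problems


def can_peer(vnet_a: str, vnet_b: str) -> bool:
    """Azure VNET peering requires the two address spaces not to overlap."""
    return not ipaddress.ip_network(vnet_a).overlaps(ipaddress.ip_network(vnet_b))


def max_students(subnets: dict[str, str]) -> int:
    """One sessionhost per student, so capacity is bounded by the sessionhost subnet."""
    return usable_hosts(subnets["sessionhost"])


if __name__ == "__main__":
    print(validate_layout(VNET_RANGE, SUBNETS))  # []
    print(max_students(SUBNETS))                  # 4094
    # Two exam VNETs using the same default range cannot be peered.
    print(can_peer(VNET_RANGE, VNET_RANGE))       # False
    # Constructed mistake: widening the sessionhost subnet to the whole /19
    # without moving the services subnet makes the two overlap.
    print(validate_layout(VNET_RANGE, {"sessionhost": "10.0.0.0/19", "services": "10.0.16.0/20"}))
```

Azure additionally reserves five addresses in every subnet, so the number of VMs that can actually be placed in the sessionhost subnet is slightly below the host count computed here.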