
Base Resource Group

We begin by deploying a resource group with a set of permanent resources. These resources do not get created or deleted for each exam. Instead, they are shared between exam deployments.

1. Create the Resource Group

Create a new Resource Group named schoolyear-base. You can do this through the Azure portal. Deploy the Resource Group in the region you plan on using for this Schoolyear AVD implementation.

The resources you deploy in the following steps should all be created in this Resource Group.

2. Create a DNS zone

This guide, like many Microsoft provided guides, assumes syproxy.contoso.com is the domain you are going to use for this Schoolyear AVD implementation.

Create a new Public DNS Zone named syproxy.contoso.com.

If the DNS zone of the parent domain (contoso.com) is also hosted in Azure, Azure can automatically set up your nameservers. Make sure you check This zone is a child of an existing zone already hosted in Azure DNS in the DNS Zone creation wizard.

If the parent DNS zone is hosted elsewhere, you must set up the nameservers manually:

  1. Navigate to your newly created DNS Zone.

  2. Note down the 4 name servers (e.g. ns*-**.azure-dns.com).

  3. Navigate to the parent’s DNS zone. This may be managed in a tool completely disconnected from your Azure tenant.

  4. Create a new NS record named syproxy.contoso.com and put in the 4 name servers you noted down in a previous step.

To validate that the DNS zone is deployed correctly, you can use this publicly available tool (or a similar one) to check whether the SOA record that Azure creates automatically is reachable through public DNS resolution.

  1. Go to https://toolbox.googleapps.com/apps/dig/#SOA/

  2. Enter your subdomain syproxy.contoso.com

  3. Check if the returned SOA record matches the SOA displayed in the Azure Portal (DNS zone > DNS Management > Recordsets).

HTTPS wildcard certificate

You will need to request a wildcard certificate for *.syproxy.contoso.com and store it in a KeyVault. Your organisation may have specific rules and policies for requesting a certificate, so your steps may vary.

In this guide we explain how to request the certificate from Let’s Encrypt, one of the most widely used (and free) Certificate Authorities on the internet.

Regardless of how you obtain the certificate, it must be stored in a KeyVault, which we will create first.

Creating the KeyVault

Create a new KeyVault named sykeyvault through the Azure Portal. Use the same region as you used for the Resource Group.

  • Pricing tier: Standard
  • Permission model: Azure role-based access control
  • Enable public access: Yes
  • Allow access from: All networks

By default, even users with an Owner role on a Subscription do not have full access to a KeyVault. Grant yourself the Key Vault Administrator role on the Resource Group. Granting the role on the KeyVault itself does not work.

Using Let’s Encrypt

  1. Install the certbot CLI tool on your machine. See https://certbot.eff.org/instructions for the most up-to-date installation instructions.

  2. Install the openssl CLI tool on your machine. You can use brew or choco for this, or use your preferred method.

    brew install openssl

  3. Open a terminal in a temporary directory you can easily delete at the end.

  4. Start the request process. Make sure you fill in your own domain (including the *.) and email.

    certbot \
    -d "*.syproxy.contoso.com" \
    --manual \
    --preferred-challenges dns \
    certonly \
    --agree-tos \
    --email "you@example.com" \
    --config-dir ./config \
    --work-dir ./work \
    --logs-dir ./logs
  5. Certbot will instruct you to create a TXT DNS entry in your newly created DNS zone. Follow these instructions. Once you complete the instructions and the certificate is issued, Certbot will show you the path in which the certificate is stored. Note down this path, as you need it in the following step.

  6. Run the following command to pack the certificate, private key and chain files created by Certbot into a single certificate file that can be imported into the KeyVault. Replace path with the path Certbot gave you in the previous step. This command will ask you for a password. You can generate a temporary password using your preferred method; you will only need it in the following step.

    openssl pkcs12 -export \
    -out cert.pfx \
    -in path/cert.pem \
    -inkey path/privkey.pem \
    -certfile path/chain.pem
  7. Navigate to the KeyVault you created earlier. Go to “Certificates” and click “Generate/Import”. Upload the cert.pfx you created using openssl and the password from the previous step. Name the certificate proxycertificate.

  8. Delete the temporary directory you created in step 3.
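Before uploading cert.pfx in step 7, it is worth confirming that the file actually contains a wildcard certificate for *.syproxy.contoso.com with a matching private key, rather than discovering a mismatch after the KeyVault import. The script below is an added example, not part of the Schoolyear guide: it runs the same openssl pkcs12 packing command as step 6 and then checks the result. It assumes openssl 1.1.1 or newer is on PATH; the self-signed certificate, the directory names and the passwords are constructed stand-ins for the Let's Encrypt files.

```shell
#!/bin/sh
# Added example, not from the Schoolyear guide: rebuild cert.pfx the way the
# guide does and sanity-check it before the KeyVault upload. Assumes openssl
# 1.1.1+ on PATH; the self-signed material and passwords are constructed.
set -eu

# Constructed stand-in for Certbot's cert.pem/privkey.pem/chain.pem:
# a self-signed wildcard certificate (the chain is the cert itself here).
make_test_material() {   # $1 = directory, $2 = wildcard name
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
    cp "$1/cert.pem" "$1/chain.pem"
}

# The guide's packing command; the password is passed on the command line
# instead of the interactive prompt so it can be scripted.
pack_pfx() {             # $1 = directory with the three PEM files, $2 = password
    openssl pkcs12 -export -out "$1/cert.pfx" -in "$1/cert.pem" \
        -inkey "$1/privkey.pem" -certfile "$1/chain.pem" -passout "pass:$2"
}

# Returns 0 only if: the PFX opens with the password, the leaf certificate
# carries the expected wildcard SAN, it has not expired, and the private
# key inside matches the leaf certificate's public key.
verify_pfx() {           # $1 = pfx file, $2 = password, $3 = expected wildcard name
    leaf=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null) || return 1
    key=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null) || return 1
    printf '%s\n' "$leaf" | openssl x509 -noout -text | grep -qF -- "DNS:$3" || return 1
    printf '%s\n' "$leaf" | openssl x509 -noout -checkend 0 >/dev/null || return 1
    cert_pub=$(printf '%s\n' "$leaf" | openssl x509 -noout -pubkey | openssl sha256)
    key_pub=$(printf '%s\n' "$key" | openssl pkey -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Demo run with constructed material; a real run would point pack_pfx at the
# directory Certbot printed in step 5 and use the password chosen in step 6.
demo_dir=$(mktemp -d)
make_test_material "$demo_dir" '*.syproxy.contoso.com'
pack_pfx "$demo_dir" 'temporary-demo-password'
verify_pfx "$demo_dir/cert.pfx" 'temporary-demo-password' '*.syproxy.contoso.com' \
    && echo "cert.pfx verified: wildcard SAN present, key matches, not expired"
rm -rf "$demo_dir"
```

The same verify_pfx check also catches a wrong password or a PFX built from the certificate of a different subdomain, both of which would otherwise only surface as an import error or a failing TLS handshake later.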