Prior to deploying the Custom Image Build solution, you need to ensure you have met the following prerequisites:
- It is recommended (not mandatory) to have already deployed an Azure Landing Zone (ALZ) architecture from an available template reference implementation. See [Deploying Enterprise-Scale Architecture in your own environment](https://github.com/Azure/
- If using an existing virtual network, the deployment fails if private endpoint or Private Link service network policies are enabled on the subnet. See the following articles on disabling them: Disable private endpoint network policy and Disable network policies for Private Link.
- The virtual network subnet used for deployment needs access to the following URLs:
- Access to the AVD shared services Azure subscription with owner permissions.
- The Microsoft.VirtualMachineImages resource provider must be registered in the subscription to be used for deployment.
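The following pre-flight script is an added example (not part of the accelerator) that checks the prerequisites above from Az PowerShell: Owner rights on the shared services subscription, registration of the Microsoft.VirtualMachineImages resource provider, and, for an existing virtual network, that both network policies are disabled on the build subnet. Subscription ID, virtual network, resource group and subnet names are placeholders you supply; the Az.Accounts, Az.Resources and Az.Network modules are assumed to be installed.

```powershell
# Added pre-flight check for the Custom Image Build prerequisites (example, not accelerator code).
param(
    [Parameter(Mandatory)] [string] $SharedServicesSubId,   # placeholder: AVD shared services subscription
    [string] $VnetResourceGroup,                            # brownfield only: existing VNet resource group
    [string] $VnetName,                                     # brownfield only: existing VNet name
    [string] $SubnetName,                                   # brownfield only: subnet used by the build VM
    [switch] $Fix                                           # apply changes instead of only reporting
)

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $SharedServicesSubId | Out-Null

# 1. Owner permissions on the shared services subscription (user accounts only; SPNs return nothing here)
$me    = (Get-AzContext).Account.Id
$owner = Get-AzRoleAssignment -SignInName $me -Scope "/subscriptions/$SharedServicesSubId" `
            -ExpandPrincipalGroups -ErrorAction SilentlyContinue |
         Where-Object { $_.RoleDefinitionName -eq 'Owner' }
if (-not $owner) { Write-Warning "$me does not hold Owner on subscription $SharedServicesSubId" }

# 2. Microsoft.VirtualMachineImages resource provider must be registered
$state = (Get-AzResourceProvider -ProviderNamespace Microsoft.VirtualMachineImages |
          Select-Object -First 1).RegistrationState
if ($state -ne 'Registered') {
    if ($Fix) {
        Register-AzResourceProvider -ProviderNamespace Microsoft.VirtualMachineImages | Out-Null
        Write-Host 'Registration requested; it can take a few minutes to reach Registered.'
    } else {
        Write-Warning "Microsoft.VirtualMachineImages is '$state' (expected Registered); rerun with -Fix"
    }
}

# 3. Brownfield only: private endpoint and Private Link service network policies must be disabled
if ($VnetName) {
    $vnet   = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $VnetResourceGroup
    $subnet = $vnet.Subnets | Where-Object { $_.Name -eq $SubnetName }
    if (-not $subnet) { throw "Subnet '$SubnetName' not found in VNet '$VnetName'" }
    $needsFix = ($subnet.PrivateEndpointNetworkPolicies -ne 'Disabled') -or
                ($subnet.PrivateLinkServiceNetworkPolicies -ne 'Disabled')
    if ($needsFix -and $Fix) {
        $subnet.PrivateEndpointNetworkPolicies    = 'Disabled'
        $subnet.PrivateLinkServiceNetworkPolicies = 'Disabled'
        $vnet | Set-AzVirtualNetwork | Out-Null          # persists the subnet change
    } elseif ($needsFix) {
        Write-Warning "Subnet '$SubnetName' still has network policies enabled (PE: $($subnet.PrivateEndpointNetworkPolicies), PLS: $($subnet.PrivateLinkServiceNetworkPolicies)); rerun with -Fix"
    }
}
```

Run it once without -Fix to see what would change, then with -Fix to apply the provider registration and subnet policy changes before starting the deployment.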
This section covers the high-level steps for planning a Custom Image Build deployment and the decisions that need to be made. The deployment uses the Microsoft-provided Bicep/PowerShell/Azure CLI templates from this repository together with customer-provided configuration files that contain the environment-specific information.
This solution supports deployment into greenfield scenarios (no AVD Azure infrastructure components exist) or brownfield scenarios (some AVD Azure infrastructure components exist).
In the Greenfield scenario, no Azure infrastructure components exist prior to deployment. The automation framework will create the Custom Image Build solution in the desired Azure region. When a build is executed on the image template, all the required resources will be deployed to support the deployment and communication of the build VM. If you have security requirements that do not allow the deployment of public IP addresses, use the Brownfield deployment option instead.
In the Brownfield scenario, the automation framework will deploy the solution using an existing virtual network. Other existing resources may exist as well, like a log analytics workspace. For customers that cannot deploy public IP addresses, when an existing virtual network is specified, AIB relies on the Private Link service to download "customizers" to your build VM. This allows tighter security controls to be enforced in your environment without breaking the build process.
The templates and scripts need to be executed from an execution environment. Here are the available options:

| Deployment Type | Link |
|---|---|
| Azure portal UI | |
| Command line (Bicep/ARM) | |
| Terraform | |
The Custom Image Build creates a new image from the Azure Marketplace in an Azure Compute Gallery, optimized, patched and ready to be used. This deployment is optional, and you can customize it to extend functionality, for example by adding scripts to further customize your images.
It is preferable to have a new subscription, adhering to the Azure Landing Zone guidance. However, the solution can also be deployed to an existing subscription. See Resource Organization for further information.
This diagram is an example of the Azure resources and organization created with this reference implementation. The following input values were used in this example:

- Custom image deployment:
  - deploymentLocation: East US 2
  - sharedServicesSubId: ID for Subscription name: Subscription AVD Shared Services
  - customNaming: false
The accelerator has built-in resource naming automation based on the Microsoft Cloud Adoption Framework (CAF) best practices for naming conventions, the recommended abbreviations for Azure resource types and suggested tags.
To learn more about the resource naming used in this accelerator, take a look at the Naming Standard and Tagging page.
- Custom image deployment to build an updated image for your AVD session hosts.