
Contents

Cloud architecture models Microsoft Cloud Networking for Enterprise Architects Evolving your network for cloud connectivity Common elements of Microsoft cloud connectivity ExpressRoute for Microsoft cloud connectivity Designing networking for Microsoft SaaS Designing networking for Microsoft Azure PaaS Designing networking for Microsoft Azure IaaS Microsoft Hybrid Cloud for Enterprise Architects Hybrid cloud overview Architecture of Microsoft hybrid cloud scenarios Hybrid cloud scenarios for Microsoft SaaS (Office 365) Hybrid cloud scenarios for Azure PaaS Hybrid cloud scenarios for Azure IaaS Subscriptions, licenses, accounts, and tenants for Microsoft’s cloud offerings Architectural models for SharePoint, Exchange, Skype for Business, and Lync Plan for Office 365 Subscriptions, licenses, and tenants Plan for directory synchronization Plan for network devices that connect to Office 365 services Plan for third-party SSL certificates for Office 365 Understanding Office 365 identity and Azure Active Directory Choose between MDM and Intune Network and migration planning for Office 365 Network connectivity to Office 365 Deployment advisors for Office 365 services Integrated Apps and Azure AD for Office 365 administrators Office 365 integration Azure integration with Office 365

Azure ExpressRoute for Office 365 How modern authentication works for Office 2013 and Office 2016 client apps Office 365 inter-tenant collaboration Office 365 client support Conditional access Mobile application management Modern authentication Hybrid options Hybrid Modern Authentication and prereqs for Skype for Business Server and Exchange Server How to configure Exchange Server on-premises to use Hybrid Modern Authentication How to configure Skype for Business on-premises to use Hybrid Modern Authentication Removing or disabling Hybrid Modern Authentication from Skype for Business and Exchange Upgrade your Office Office 2010 Office 2010 desktop Exchange 2010 SharePoint 2010 Lync Server 2010 Project Server 2010 Office 2007 Office 2007 desktop Exchange 2007 SharePoint 2007 Office Communications Server PerformancePoint Server 2007 Project Server 2007 Test Office 365 Base Configuration dev/test environment Office 365 dev/test environment

Directory synchronization Multi-factor authentication Federated identity Cloud App Security Advanced Threat Protection Advanced eDiscovery Sensitive file protection Data classification and labeling Office 365 and Dynamics 365 Exchange Online integration The One Microsoft Cloud dev/test environment Simulated cross-premises virtual network in Azure Deploy Office 365 FastTrack Deploy Office 365 Enterprise for your organization Deployment planning checklist for Office 365 Security best practices for Office 365 Set up your network Office 365 networking connectivity overview Office 365 Network Connectivity Principles Network planning and performance tuning for Office 365 Network connectivity to Office 365 Office 365 Networking Partner Program Office 365 IP Addresses and URLs Managing Office 365 endpoints Worldwide endpoints U.S. Government DoD endpoints U.S. Government GCC High endpoints Office 365 operated by 21Vianet endpoints Office 365 Germany endpoints Network requests in Office for Mac Office 365 IP Address and URL Web service

Additional endpoints not included in the Web service Content delivery networks IPv6 support in Office 365 services NAT support with Office 365 Working with ExpressRoute for Office 365 Azure ExpressRoute for Office 365 Implementing ExpressRoute for Office 365 Network planning with ExpressRoute for Office 365 Routing with ExpressRoute for Office 365 Set up your subscription Prepare to provision users through directory synchronization to Office 365 Prepare directory attributes for synchronization with Office 365 by using the IdFix tool Install and run the IdFix tool IdFix excluded and supported objects and attributes IdFix transaction log Set up directory synchronization for Office 365 Protect your Office 365 global administrator accounts Activate Rights Management in the Office 365 admin center Domains Configuring release options in Office 365 Configure Office 365 Enterprise services and applications Migrate data to Office 365 Exchange Online SharePoint Online Skype for Business Microsoft Teams Yammer Configure device management with Intune Deploy applications Deploy Office 365 ProPlus Deploy the Skype for Business client Deploy and manage mobile apps

Train your users Multi-geo OneDrive for Business Multi-Geo Plan for OneDrive for Business Multi-Geo Administering a multi-geo environment Add or remove a geo administrator Delete a geo location User experience in a multi-geo environment Configure OneDrive for Business Multi-Geo Configure preferred data location Configure Search for OneDrive for Business Multi-Geo Move a OneDrive library to a different geo-location Multi-Geo capabilities in Exchange Online Move to a new Office 365 datacenter geo How to request your data move During and after your data move Data move general FAQ Hybrid solutions Use Azure Active Directory for SharePoint Server 2016 authentication Deploy Office 365 Directory Synchronization in Microsoft Azure Connect an on-premises network to a Microsoft Azure virtual network Deploy high availability federated authentication for Office 365 in Azure High availability federated authentication Phase 1: Configure Azure High availability federated authentication Phase 2: Configure domain controllers High availability federated authentication Phase 3: Configure AD FS servers High availability federated authentication Phase 4: Configure web application proxies High availability federated authentication Phase 5: Configure federated authentication for Office 365 Manage Office 365 Service health Monitor connectivity Support options

Management tools Tools to manage Office 365 accounts Add several users at the same time to Office 365 - Admin Help Recover deleted items in a user mailbox - Admin Help Manage workloads Exchange Online SharePoint Online Skype for Business Microsoft Teams Yammer Tune Office 365 performance Office 365 performance tuning using baselines and performance history Tune Exchange Online performance Tune SharePoint Online performance Introduction to performance tuning for SharePoint Online Diagnosing performance issues with SharePoint Online Tune Skype for Business Online performance Tune Project Online performance Performance troubleshooting plan for Office 365 Managing ExpressRoute for Office 365 connectivity Directory synchronization View directory synchronization status in Office 365 Identify directory synchronization errors in Office 365 Fixing problems with directory synchronization for Office 365 Turn off directory synchronization for Office 365 Manage devices Choose between MDM and Intune Manage device access settings Client connectivity Office 365 PowerShell Security & Compliance Office 365 for Business

Microsoft cloud IT architecture resources

3/11/2019 • 8 minutes to read

Summary: Learn core cloud architecture concepts for Microsoft identity, security, networking, and hybrid. Review prescriptive recommendations for protecting files, identities, and devices when using Microsoft's cloud. Learn how to deploy a modern and secure desktop with Windows 10 and Office ProPlus.

These architecture tools and posters give you information about Microsoft cloud services, including Office 365, Windows 10, Azure Active Directory, Microsoft Intune, Microsoft Dynamics 365, and hybrid on-premises and cloud solutions. IT decision makers and architects can use these resources to determine the ideal solutions for their workloads and to make decisions about core infrastructure components such as identity and security.

Microsoft cloud for enterprise architects series
Microsoft cloud identity for enterprise architects
Microsoft cloud security for enterprise architects
Microsoft cloud networking for enterprise architects
Microsoft hybrid cloud for enterprise architects
Common attacks and Microsoft capabilities that protect your organization

Microsoft 365 enterprise solution series
Identity and device protection for Office 365
File protection solutions in Office 365
Office 365 Information Protection for GDPR
Microsoft Security Guidance for Political Campaigns, Nonprofits, and Other Agile Organizations

Microsoft Telephony Solutions

Deploy a modern and secure desktop with Microsoft

Let us know what you think! Send us email at cloudadopt@microsoft.com.

Microsoft cloud for enterprise architects series

These cloud architecture posters give you information about Microsoft cloud services, including Office 365, Azure Active Directory, Microsoft Intune, Microsoft Dynamics CRM Online, and hybrid on-premises and cloud solutions. IT decision makers and architects can use these resources to determine the ideal solutions for their workloads and to make decisions about core infrastructure components such as identity and security.

Microsoft cloud identity for enterprise architects

What IT architects need to know about designing identity for organizations using Microsoft cloud services and platforms.

ITEM: PDF | Visio | More languages

DESCRIPTION: This model contains:
Introduction to identity with Microsoft's cloud
Azure AD IDaaS capabilities
Integrating on-premises Active Directory Domain Services accounts with Microsoft Azure Active Directory
Putting directory components in Azure
Domain services options for workloads in Azure IaaS

Microsoft cloud security for enterprise architects

What IT architects need to know about security in Microsoft cloud services and platforms.

ITEM: PDF | Visio | More languages

DESCRIPTION: This model contains:
Microsoft's role in providing secure services and platforms
Customer responsibilities to mitigate security risks
Top security certifications
Security offerings provided by Microsoft consulting services

Microsoft cloud networking for enterprise architects

What IT architects need to know about networking for Microsoft cloud services and platforms.

ITEM: PDF | Visio | Article | More languages

DESCRIPTION: This model contains the following pages:

Evolving your network for cloud connectivity: Cloud migration changes the volume and nature of traffic flows within and outside a corporate network. It also affects approaches to mitigating security risk.

Common elements of Microsoft cloud connectivity: Integrating your networking with the Microsoft cloud provides optimal access to a broad range of services.

ExpressRoute for Microsoft cloud connectivity: ExpressRoute provides a private, dedicated, high-throughput network connection to Microsoft's cloud.

Designing networking for Microsoft SaaS (Office 365, Microsoft Intune, and Dynamics CRM Online): Optimizing your network for Microsoft SaaS services requires careful analysis of your Internet edge, your client devices, and typical IT operations.

Designing networking for Azure PaaS: Optimizing networking for Azure PaaS apps requires adequate Internet bandwidth and can require the distribution of network traffic across multiple sites or apps.

Designing networking for Azure IaaS: Step through the design process to create an optimal Azure virtual network (VNet) for hosting server-based IT workloads, including subnets, address spaces, routing, DNS, load balancing, and connectivity to your on-premises network, other VNets, and the Internet.

Take Optimize Your Network for Microsoft Cloud Offerings, a new Microsoft Virtual Academy course based on this architecture poster.

Microsoft hybrid cloud for enterprise architects

What IT architects need to know about hybrid cloud for Microsoft services and platforms.

ITEM: PDF | Visio | Article | More languages

DESCRIPTION: This model contains the following pages:

Hybrid cloud overview: Microsoft's cloud offerings (SaaS, Azure PaaS, and Azure IaaS) and their common elements.

Architecture of Microsoft hybrid cloud scenarios: An architectural diagram of hybrid cloud for Microsoft's cloud offerings, showing the common layers of on-premises infrastructure, networking, and identity.

Hybrid cloud scenarios for Microsoft SaaS (Office 365): The SaaS hybrid scenario architecture and descriptions of key hybrid configurations for Skype for Business, SharePoint Server, and Exchange Server.

Hybrid cloud scenarios for Azure PaaS: The Azure PaaS hybrid scenario architecture, the description of an Azure PaaS hybrid application with an example, and the description of SQL Server 2016 Stretch Database.

Hybrid cloud scenarios for Azure IaaS: The Azure IaaS hybrid scenario architecture and the description of a line of business (LOB) application hosted in Azure IaaS.

Common attacks and Microsoft capabilities that protect your organization

Learn about the most common cyber attacks and how Microsoft can help your organization at every stage of an attack.

ITEM: PDF | Visio

DESCRIPTION: This poster illustrates the path of common attacks and describes which capabilities help stop attackers at each stage of an attack.

Microsoft 365 enterprise solution series

The Microsoft 365 enterprise solution series provides guidance for implementing Microsoft 365 capabilities, especially where capabilities cross technologies.

Identity and device protection for Office 365

Recommended capabilities for protecting identities and devices that access Office 365, other SaaS services, and on-premises applications published with Azure AD Application Proxy.

ITEM: PDF | Visio | More languages

DESCRIPTION: It's important to use consistent levels of protection across your data, identities, and devices. This document shows you which capabilities are comparable, with more information on capabilities to protect identities and devices.

File protection solutions in Office 365

Recommended capabilities for protecting files in Office 365 based on three different sensitivity levels.

ITEM: PDF | Visio

DESCRIPTION: It's important to use consistent levels of protection across your data, identities, and devices. This document shows you which capabilities are comparable, with more information on capabilities to protect files in Office 365.

Office 365 Information Protection for GDPR

Prescriptive recommendations for discovering, classifying, protecting, and monitoring personal data. This solution uses General Data Protection Regulation (GDPR) as an example, but you can apply the same process to achieve compliance with many other regulations.

ITEM: PDF | Visio

DESCRIPTION: To see this content in article

Microsoft Security Guidance for Political Campaigns, Nonprofits, and Other Agile Organizations

This guidance describes how to implement a secure cloud environment. The solution guidance can be used by any organization. It includes extra help for agile organizations with BYOD access and guest accounts. You can use this guidance as a starting point for designing your own environment.

ITEM: Microsoft Security Guidance for Political Campaigns (PDF | Visio)

DESCRIPTION: This guidance uses a political campaign organization as an example. Use this guidance as a starting point for any environment.

ITEM: Microsoft Security Guidance for Nonprofits (PDF | Visio)

DESCRIPTION: This guide is slightly revised for nonprofit organizations. For example, it references Office 365 Nonprofit plans. The technical guidance is the same as the political campaign solution guide.

Microsoft Telephony Solutions

Microsoft supports several options as you begin your journey to Teams in the Microsoft cloud. This poster helps you decide which Microsoft telephony solution (Phone System in the cloud or Enterprise Voice on-premises) is right for users in your organization, and how your organization can connect to the Public Switched Telephone Network (PSTN).

ITEM: PDF | Visio

DESCRIPTION: For more information, see the article for this poster: Microsoft Telephony Solutions.

Deploy a modern and secure desktop with Microsoft

What IT architects need to know about deploying and managing updates for Office 365 ProPlus on Windows.

ITEM: PDF | Visio

DESCRIPTION: This model contains:
Deploying Windows 10 and Office ProPlus from the Microsoft cloud
Deploying Windows 10 and Office ProPlus with System Center Configuration Manager
Managing updates for Windows 10 and Office ProPlus from the Microsoft cloud
Managing updates for Windows 10 and Office ProPlus with System Center Configuration Manager
Out-of-the-box and additional protection capabilities of Windows 10

See Also

Architectural models for SharePoint, Exchange, Skype for Business, and Lync
Cloud adoption Test Lab Guides (TLGs)
Security solutions
Hybrid solutions

Microsoft Cloud Networking for Enterprise Architects

3/13/2019 • 2 minutes to read

Summary: Design your networking for Microsoft cloud services and platforms.

This article links you to a set of articles that describe what IT architects need to know about designing networking for organizations using Microsoft cloud services and platforms. You can also view this information as a 12-page poster and print it in tabloid format (also known as ledger, 11 x 17, or A3).

PDF | Visio

You can also see all of the models in the Microsoft Cloud IT architecture resources.

See the following sections:

Evolving your network for cloud connectivity: Cloud migration changes the volume and nature of traffic flows within and outside a corporate network. It also affects approaches to mitigating security risk.

Common elements of Microsoft cloud connectivity: Integrating your networking with the Microsoft cloud provides optimal access to a broad range of services.

ExpressRoute for Microsoft cloud connectivity: ExpressRoute provides a private, dedicated, high-throughput network connection to Microsoft's cloud.

Designing networking for Microsoft SaaS: Optimizing your network for Microsoft SaaS services requires the configuration of internal and edge devices to route the different categories of traffic to Microsoft SaaS services.

Designing networking for Microsoft Azure PaaS: Optimizing networking for Azure PaaS apps requires adequate Internet bandwidth and can require the distribution of network traffic across multiple sites or apps.

Designing networking for Microsoft Azure IaaS: Step through the design process to create an optimal Azure virtual network (VNet) for hosting server-based IT workloads, including subnets, address spaces, routing, DNS, load balancing, and connectivity to your on-premises network, other VNets, and the Internet.

NOTE: These articles reflect the December 2018 release of the Microsoft Cloud Networking for Enterprise Architects poster.

See also

Microsoft Cloud IT architecture resources

Evolving your network for cloud connectivity

11/28/2018 • 3 minutes to read

Summary: Understand how cloud adoption requires a new approach to network infrastructure investments.

Cloud migration changes the volume and nature of traffic flows within and outside a corporate network. It also affects approaches to mitigating security risk.

Before the cloud

Most networking infrastructure investments were spent on ensuring available, reliable, and performant connectivity to on-premises datacenters. For many organizations, Internet connectivity was not critical for internal business operations. Network boundaries were primary defenses against security breaches.

After the cloud

With new and migrated productivity and IT workloads running in the cloud, infrastructure investments shift from on-premises datacenters to Internet connectivity, which is now critical for internal business operations. Federated connectivity shifts security strategy to protecting identities and data as they flow through the network and points of connectivity to Microsoft cloud services.

Network infrastructure investments begin with connectivity. Additional investments depend on the category of cloud service.

Software as a Service (SaaS)

Microsoft SaaS services include Office 365, Microsoft Intune, and Microsoft Dynamics 365. Successful adoption of SaaS services by users depends on highly available and performant connectivity to the Internet, or directly to Microsoft cloud services.

Network architecture focuses on reliable, redundant connectivity and ample bandwidth. Ongoing investments include performance monitoring and tuning.

Azure Platform as a Service (PaaS)

In addition to the investments for Microsoft SaaS services, multi-site or geographically distributed PaaS applications might require architecting Azure Traffic Manager to distribute client traffic. Ongoing investments include performance and traffic distribution monitoring and failover testing.

Azure Infrastructure as a Service (IaaS)

In addition to the investments for Microsoft SaaS and PaaS services, running IT workloads in IaaS requires the design and configuration of Azure virtual networks that host virtual machines, secure connectivity to applications running on them, routing, IP addressing, DNS, and load balancing. Ongoing investments include performance and security monitoring and troubleshooting.

Microsoft 365 is a combination of Office 365, Enterprise Management + Security (EMS), and Windows 10. Microsoft 365 combines multiple SaaS and Azure services for a complete, intelligent solution that empowers everyone to be creative and work together securely.

Areas of networking investment for success in the cloud

Enterprise organizations benefit from taking a methodical approach to optimizing network throughput across their intranet and to the Internet. Your organization might also benefit from an ExpressRoute connection.

Optimize intranet connectivity to your edge network

Over the years, many organizations have optimized intranet connectivity and performance to applications running in on-premises datacenters. With productivity and IT workloads running in the Microsoft cloud, additional investment must ensure high connectivity availability and that traffic performance between your edge network and your intranet users is optimal.

Optimize throughput at your edge network

As more of your day-to-day productivity traffic travels to the cloud, you should closely examine the set of systems at your edge network to ensure that they are current, provide high availability, and have sufficient capacity to meet peak loads.

For a high SLA to Azure, Office 365, and Dynamics 365, use ExpressRoute

Although you can use your current Internet connection from your edge network, traffic to and from Microsoft cloud services must share the pipe with other intranet traffic going to the Internet. Additionally, your traffic to Microsoft cloud services is subject to Internet traffic congestion.

For a high SLA and the best performance, use ExpressRoute, a dedicated WAN connection between your network and Azure, Office 365, Dynamics 365, or all three.

ExpressRoute can leverage your existing network provider for a dedicated connection. Resources connected by ExpressRoute appear as if they are on your WAN, even for geographically-distributed organizations.

For more information, see ExpressRoute for Microsoft cloud connectivity.

Scope of network investments

The scope of network investments depends on the category of cloud service. Investing across Microsoft's cloud maximizes the investments of networking teams. For example, investments for IaaS services apply to all investment areas.

Investment area | SaaS | PaaS | IaaS
Architect reliable, redundant Internet connectivity with ample bandwidth | Applies | Applies | Applies
Monitor and tune Internet throughput for performance | Applies | Applies | Applies
Troubleshoot Internet connectivity and throughput issues | Applies | Applies | Applies
Design Azure Traffic Manager to load balance traffic to different endpoints | | Applies | Applies
Architect reliable, redundant, and performant connectivity to Azure virtual networks | | | Applies
Design secure connectivity to Azure virtual machines | | | Applies
Design and implement routing between on-premises locations and virtual networks | | | Applies
Architect and implement load balancing for internal and Internet-facing IT workloads | | | Applies
Troubleshoot virtual machine connectivity and throughput issues | | | Applies

Next step

Common elements of Microsoft cloud connectivity

See also

Microsoft Cloud Networking for Enterprise Architects
Microsoft Cloud IT architecture resources

Common elements of Microsoft cloud connectivity

11/28/2018 • 2 minutes to read

Summary: Understand the common elements of networking infrastructure and how to prepare your network.

Integrating your networking with the Microsoft cloud provides optimal access to a broad range of services.

Steps to prepare your network for Microsoft cloud services

For your on-premises network:

1. Analyze your client computers and optimize for network hardware, software drivers, protocol settings, and Internet browsers.

2. Analyze your on-premises network for traffic latency and optimal routing to the Internet edge device.

3. Analyze the capacity and performance of your Internet edge device and optimize for higher levels of traffic.

For your Internet connection:

1. Analyze the latency between your Internet edge device (such as your external firewall) and the regional locations of the Microsoft cloud service to which you are connecting.

2. Analyze the capacity and utilization of your current Internet connection and add capacity if needed. Alternately, add an ExpressRoute connection.

Microsoft cloud connectivity options

Use your existing Internet pipe or an ExpressRoute connection to Office 365, Azure, and Dynamics 365.

Figure 1: Options for Microsoft cloud connectivity


Figure 1 shows how an on-premises network can be connected to Microsoft cloud offerings using their existing Internet pipe or ExpressRoute. The Internet pipe represents a DMZ and can have the following components:

Internal firewall: A barrier between your trusted network and an untrusted one. Performs traffic filtering (based on rules) and monitoring.

External workload: Web sites or other workloads made available to external users on the Internet.

Proxy server: Services requests for web content on behalf of intranet users. A reverse proxy permits unsolicited inbound requests.

External firewall: Allows outbound traffic and specified inbound traffic. Can perform address translation, packet inspection, SSL Break and Inspect, or data loss prevention.

WAN connection to ISP: A carrier-based connection to an ISP, who peers with the Internet for connectivity and routing.

Areas of networking common to all Microsoft cloud services

You need to consider these areas of networking when adopting any of Microsoft's cloud services.

Intranet performance: Performance to Internet-based resources will suffer if your intranet, including client computers, is not optimized.

Edge devices: Devices at the edge of your network are egress points and can include Network Address Translators (NATs), proxy servers (including reverse proxies), firewalls, intrusion detection devices, or a combination.

Internet connection: Your WAN connection to your ISP and the Internet should have enough capacity to handle peak loads. You can also use an ExpressRoute connection.

Internet DNS: A, AAAA, CNAME, MX, PTR and other records to locate Microsoft cloud or your services hosted in the cloud. For example, you might need a CNAME record for your app hosted in Azure PaaS.

Next step

ExpressRoute for Microsoft cloud connectivity

See also

Microsoft Cloud Networking for Enterprise Architects

Microsoft Cloud IT architecture resources

ExpressRoute for Microsoft cloud connectivity

3/13/2019 • 11 minutes to read

Summary: Understand how ExpressRoute can help you with faster and more reliable connections to Microsoft's cloud services and platforms.

ExpressRoute provides a private, dedicated, high-throughput network connection to Microsoft's cloud.

ExpressRoute to the Microsoft cloud

Here is the networking path to the Microsoft cloud without an ExpressRoute connection.

Figure 1: The networking path without ExpressRoute


Figure 1 shows the typical path between an on-premises network and the Microsoft cloud. The on-premises network edge connects to the Internet through a WAN link to an ISP. The traffic then travels across the Internet to the edge of the Microsoft cloud. Cloud offerings within the Microsoft cloud include Office 365, Microsoft Azure, Microsoft Intune, and Dynamics 365. Users of an organization can be located on the on-premises network or on the Internet.

Without an ExpressRoute connection, the only part of the traffic path to the Microsoft cloud that you can control (and have a relationship with the service provider) is the link between your on-premises network edge and your ISP.

The path between your ISP and the Microsoft cloud edge is a best-effort delivery system on the Internet subject to outages, traffic congestion, and monitoring by malicious users.

Users on the Internet, such as roaming or remote users, send their traffic to the Microsoft cloud over the Internet.

Here are the networking paths to the Microsoft cloud with an ExpressRoute connection.

Figure 2: The networking paths with ExpressRoute


Figure 2 shows two networking paths. Traffic to Microsoft Intune travels the same path as normal Internet traffic. Traffic to Office 365, Microsoft Azure, and Dynamics 365 travels across the ExpressRoute connection, a dedicated path between the edge of the on-premises network and the edge of the Microsoft cloud.

With an ExpressRoute connection, you now have control, through a relationship with your service provider, over the entire traffic path from your edge to the Microsoft cloud edge. This connection can offer predictable performance and a 99.95% uptime SLA.

You can now count on predictable throughput and latency, based on your service provider's connection, to Office 365, Azure, and Dynamics 365 services. ExpressRoute connections to Microsoft Intune are not supported at this time.

Traffic sent over the ExpressRoute connection is no longer subject to Internet outages, traffic congestion, and monitoring.

Users on the Internet, such as roaming or remote users, still send their traffic to the Microsoft cloud over the Internet. One exception is traffic to an intranet line of business application hosted in Azure IaaS, which is sent over the ExpressRoute connection via a remote access connection to the on-premises network.

Even with an ExpressRoute connection, some traffic is still sent over the Internet, such as DNS queries, certificate revocation list checking, and content delivery network (CDN) requests.

See these additional resources for more information:

Advantages of ExpressRoute for Azure

Here are some advantages of using ExpressRoute for Azure-based cloud services:

Predictable performance: With a dedicated path to the edge of the Microsoft cloud, your performance is not subject to Internet provider outages and spikes in Internet traffic. You can determine and hold your providers accountable to a throughput and latency SLA to the Microsoft cloud.

Data privacy for your traffic: Traffic sent over your dedicated ExpressRoute connection is not subject to Internet monitoring or packet capture and analysis by malicious users. It is as secure as using Multiprotocol Label Switching (MPLS)-based WAN links.

High throughput connections: With wide support for ExpressRoute connections by exchange providers and network service providers, you can obtain up to a 10 Gbps link to the Microsoft cloud.

Lower cost for some configurations: Although ExpressRoute connections are an additional cost, in some cases a single ExpressRoute connection can cost less than increasing your Internet capacity at multiple locations of your organization to provide adequate throughput to Microsoft cloud services.

An ExpressRoute connection is not a guarantee of higher performance in every configuration. It is possible to have lower performance over a low-bandwidth ExpressRoute connection than a high-bandwidth Internet connection that is only a few hops away from a regional Microsoft datacenter.

For the latest recommendations for using ExpressRoute with Office 365, see ExpressRoute for Office 365.

ExpressRoute connectivity models

Table 1 shows the three primary connectivity models for ExpressRoute connections.

Co-located at a cloud exchange: If your datacenter is co-located in a facility with a cloud exchange, you can order a virtual cross-connection to the Microsoft cloud through the co-location provider's Ethernet exchange.

Point-to-point Ethernet: If your datacenter is located on your premises, you can use a point-to-point Ethernet link to connect to the Microsoft cloud.

Any-to-any (IP VPN) connection: If you are already using an IP VPN (MPLS) provider to connect the sites of your organization, an ExpressRoute connection to the Microsoft cloud acts like another location on your private WAN.

Table 1: ExpressRoute connectivity models

ExpressRoute peering relationships to Microsoft cloud services

A single ExpressRoute connection supports up to two different Border Gateway Protocol (BGP) peering relationships to different parts of the Microsoft cloud. BGP uses peering relationships to establish trust and exchange routing information.

Figure 3: The two different BGP relationships in a single ExpressRoute connection


Figure 3 shows an ExpressRoute connection from an on-premises network. The ExpressRoute connection has two logical peering relationships. A Microsoft peering relationship goes to Microsoft SaaS services, including Office 365, Dynamics 365, and Azure PaaS services. A private peering relationship goes to Azure IaaS and to a virtual network gateway that hosts virtual machines.

The Microsoft peering BGP relationship:

Is from a router in your DMZ to the public addresses of Office 365, Dynamics 365, and Azure services.

Supports bidirectional-initiated communication.

The private peering BGP relationship:

Is from a router on the edge of your organization network to the private IP addresses assigned to your Azure VNets.

Supports bidirectional-initiated communication.

Is an extension of your organization network to the Microsoft cloud, complete with internally-consistent addressing and routing.

NOTE The public peering BGP relationship described in previous versions of this article has been deprecated.

Example of application deployment and traffic flow with ExpressRoute

How traffic travels across ExpressRoute connections and within the Microsoft cloud is a function of the routes at the hops of the path between the source and the destination and application behavior. Here is an example of an application running on an Azure virtual machine that accesses an on-premises SharePoint farm over a site-to-site VPN connection.

Figure 4: An application on an Azure virtual machine accessing an on-premises SharePoint farm


Figure 4 shows an on-premises SharePoint farm, a site-to-site VPN connection between the on-premises network and a virtual network in Azure IaaS, an application server running as an Azure IaaS virtual machine, and the traffic flow between the application server and the SharePoint farm.

The application locates the IP address of the SharePoint farm using the on-premises DNS and all traffic goes over the site-to-site VPN connection.

This organization migrated their on-premises SharePoint farm to SharePoint Online in Office 365 and deployed an ExpressRoute connection.

Figure 5: Moving the on-premises SharePoint farm to SharePoint Online


Figure 5 shows the addition of an ExpressRoute connection with peering relationships to Microsoft SaaS and Office 365 and to Azure IaaS containing the application server on a virtual network. The SharePoint on-premises farm has been migrated to Office 365.

With the Microsoft and private peering relationships:

From the Azure virtual network gateway, on-premises locations are available across the ExpressRoute connection.

From the Office 365 subscription, public IP addresses of edge devices, such as proxy servers, are available across the ExpressRoute connection.

From the on-premises network edge, the private IP addresses of the Azure VNet and the public IP addresses of Office 365 are available across the ExpressRoute connection.

When the application accesses the URLs of SharePoint Online, it forwards its traffic across the ExpressRoute connection to a proxy server in the edge.

When the proxy server locates the IP address of SharePoint Online, it forwards the traffic back over the ExpressRoute connection. Response traffic travels the reverse path.


Figure 6 shows how the traffic between the application server and SharePoint Online in Office 365 flows over the private peering relationship from the application server to the on-premises network edge, and then from the edge over the Microsoft peering relationship to Office 365.

The result is hairpinning, a consequence of the routing and the application behavior: the application's traffic crosses the ExpressRoute connection twice, once over private peering to reach the proxy and once over Microsoft peering to reach Office 365.
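The hairpin in Figures 5 and 6 follows from the longest-prefix route lookup at each hop plus the application's use of an on-premises proxy. The following Python script is an added example, not code from the original page or from Microsoft, that simulates those lookups with the standard ipaddress module. All hop names, addresses and prefixes are constructed for the example (10.0.0.0/16 for on-premises, 10.1.0.0/16 for the VNet, and the documentation range 203.0.113.0/24 standing in for Office 365). It also toggles the default-route advertisement described later under "ExpressRoute options" ("Internet traffic for VMs"), to show that non-proxied VM traffic hairpins only when the default route is advertised, while proxied traffic hairpins regardless.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addresses for this example (not Microsoft's real ranges).
APP_SERVER = "10.1.1.10"              # VM in the Azure VNet 10.1.0.0/16
PROXY = "10.0.0.5"                    # proxy server at the on-premises edge, 10.0.0.0/16
SHAREPOINT_ONLINE = "203.0.113.40"    # placeholder for a SharePoint Online public address
OFFICE_365_PREFIX = "203.0.113.0/24"  # placeholder for Office 365 prefixes learned over Microsoft peering

# Human-readable name of the link between two routing hops.
LINK_NAMES = {
    ("app-server", "onprem-edge"): "ExpressRoute private peering",
    ("onprem-edge", "app-server"): "ExpressRoute private peering",
    ("onprem-edge", "office-365"): "ExpressRoute Microsoft peering",
    ("onprem-edge", "internet"): "Internet",
    ("app-server", "azure-internet"): "Azure Internet egress",
}


def build_tables(default_route_advertised):
    """Route table per hop: list of (prefix, next hop). 'deliver' means on-link."""
    vnet_default = "onprem-edge" if default_route_advertised else "azure-internet"
    return {
        "app-server": [
            ("10.1.0.0/16", "deliver"),        # local VNet
            ("10.0.0.0/16", "onprem-edge"),    # on-premises prefix learned over private peering
            ("0.0.0.0/0", vnet_default),       # default route: on-premises only if advertised
        ],
        "onprem-edge": [
            ("10.0.0.0/16", "deliver"),        # on-premises network
            ("10.1.0.0/16", "app-server"),     # VNet prefix learned over private peering
            (OFFICE_365_PREFIX, "office-365"),  # Office 365 prefix learned over Microsoft peering
            ("0.0.0.0/0", "internet"),
        ],
        "office-365": [(OFFICE_365_PREFIX, "deliver")],
        "internet": [("0.0.0.0/0", "deliver")],
        "azure-internet": [("0.0.0.0/0", "deliver")],
    }


def lookup(tables, hop, dst):
    """Longest-prefix match in one hop's route table; returns the next-hop label."""
    addr = ip_address(dst)
    best = None
    for prefix, next_hop in tables[hop]:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise LookupError(f"no route from {hop} to {dst}")
    return best[1]


def trace(tables, start, dst):
    """Follow next hops from start until a hop delivers; returns the links crossed."""
    path, hop = [], start
    while True:
        next_hop = lookup(tables, hop, dst)
        if next_hop == "deliver":
            return path
        path.append(LINK_NAMES[(hop, next_hop)])
        hop = next_hop


def sharepoint_path(use_proxy, default_route_advertised):
    """Links the application server's SharePoint Online traffic crosses."""
    tables = build_tables(default_route_advertised)
    if use_proxy:
        # Application behaviour: the app sends the request to the on-premises proxy ...
        path = trace(tables, "app-server", PROXY)
        # ... and the proxy forwards it from the edge once it resolves SharePoint Online.
        return path + trace(tables, "onprem-edge", SHAREPOINT_ONLINE)
    return trace(tables, "app-server", SHAREPOINT_ONLINE)


if __name__ == "__main__":
    for proxy, default in [(True, True), (True, False), (False, True), (False, False)]:
        print(f"proxy={proxy} default_route={default}: {sharepoint_path(proxy, default)}")
```

Running the script prints the links crossed for the four combinations; the only case that leaves Azure directly is an application that does not use the proxy in a VNet to which no default route is advertised.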

ExpressRoute and Microsoft's cloud network

ExpressRoute connections are available in two different versions: ExpressRoute and ExpressRoute Premium.

ExpressRoute

How traffic travels between your organization network and a Microsoft datacenter is a combination of:

Your locations.

Microsoft cloud peering locations (the physical locations to connect to the Microsoft edge).

Microsoft datacenter locations.

Microsoft datacenter and cloud peering locations are all connected to the Microsoft cloud network.

When you create an ExpressRoute connection to a Microsoft cloud peering location, you are connected to the Microsoft cloud network and all the Microsoft datacenter locations in the same continent. The traffic between the cloud peering location and the destination Microsoft datacenter is carried over the Microsoft cloud network.

This can result in non-optimal delivery to local Microsoft datacenters for the any-to-any connectivity model.

Figure 7: Example of a geographically-distributed organization that uses a single ExpressRoute connection


Figure 7 shows an organization with two locations, Location 1 in the northwest of the United States and Location 2 in the northeast. They are connected by an any-to-any WAN provider. This organization also has an ExpressRoute connection to a Microsoft peering location on the west coast. Traffic from Location 2 in the northeast destined for an east coast datacenter must travel all the way across the organization's WAN to the west coast, to the Microsoft peering location, and then back across the country over the Microsoft cloud network to the east coast datacenter.

For optimal delivery, use multiple ExpressRoute connections to regional Microsoft cloud peering locations.

Figure 8: The use of multiple ExpressRoute connections for optimal delivery to regional datacenters


Figure 8 shows the same organization with two ExpressRoute connections, one for each location, to regionally local Microsoft peering locations. In this configuration, traffic from Location 2 in the northeast destined for an east coast datacenter goes directly to an east coast peering location, to the Microsoft cloud network, and then to the east coast datacenter.

Multiple ExpressRoute connections can provide:

Better performance to regionally local Microsoft datacenter locations.

Higher availability to the Microsoft cloud when a local ExpressRoute connection becomes unavailable.

This works well for organizations in the same continent. However, traffic to Microsoft datacenters outside the organization's continent travels over the Internet.

For intercontinental traffic over the Microsoft cloud network, you must use ExpressRoute Premium connections.

ExpressRoute Premium

For organizations that are globally distributed across continents, you can use ExpressRoute Premium.

With ExpressRoute Premium, you can reach any Microsoft datacenter on any continent from any Microsoft peering location on any continent. The traffic between continents is carried over the Microsoft cloud network.

With multiple ExpressRoute Premium connections, you can have:

Better performance to continentally local Microsoft datacenters.

Higher availability to the global Microsoft cloud when a local ExpressRoute connection becomes unavailable.

ExpressRoute Premium is required for Office 365-based ExpressRoute connections.

Figure 9: The world-wide Microsoft cloud network


Figure 9 shows a logical diagram of the worldwide Microsoft cloud network, with networks that span the continents and regions of the world and their interconnections. With a portion of the Microsoft cloud network in each continent, a global enterprise creates ExpressRoute Premium connections from its regional hub offices to local Microsoft peering locations.

For a regional office, appropriate Office 365 traffic to:

Continental Office 365 datacenters travels over the Microsoft cloud network within the continent.

Office 365 datacenters in another continent travels over the intercontinental Microsoft cloud network.

For more information, see:

ExpressRoute options

You can also incorporate the following options into your ExpressRoute deployment:

Security at your edge: To provide advanced security for the traffic sent and received over the ExpressRoute connection, such as traffic inspection or intrusion/malware detection, place your security appliances in the traffic path within your DMZ or at the border of your intranet.

Internet traffic for VMs: To prevent Azure VMs from initiating traffic directly with Internet locations, advertise the default route to Microsoft. Traffic to the Internet is routed across the ExpressRoute connection and through your on-premises proxy servers. Traffic from Azure VMs to Azure PaaS services or Office 365 is routed back across the ExpressRoute connection.

WAN optimizers: You can deploy WAN optimizers on both sides of a private peering connection for a cross-premises Azure virtual network (VNet). Inside the Azure VNet, use a WAN optimizer network appliance from the Azure marketplace and user-defined routing to route the traffic through the appliance.

Quality of service: Use Differentiated Services Code Point (DSCP) values in the IPv4 header of your traffic to mark it for voice, video/interactive, or best-effort delivery. This is especially important for the Microsoft peering relationship and Skype for Business Online traffic.
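DSCP occupies the upper six bits of the IPv4 Differentiated Services (formerly TOS) byte, with the two low bits reserved for ECN. The following Python example, added here and not taken from the page or from Microsoft, builds a minimal IPv4 header marked for a traffic class and reads the marking back the way an edge device or a capture tool would. The code points themselves are standard (EF = 46, AF41 = 34, default = 0); which traffic class gets which value is this example's assumption and must be aligned with your own QoS policy. The sample addresses are constructed.

```python
import struct
from ipaddress import IPv4Address

# Assumed marking policy. The code points are standard (EF per RFC 3246, AF41 per RFC 2597);
# the assignment of traffic classes to them is this example's assumption, not a page value.
DSCP_BY_CLASS = {
    "voice": 46,        # EF
    "video": 34,        # AF41
    "best-effort": 0,   # default forwarding
}


def tos_byte(dscp, ecn=0):
    """Pack a 6-bit DSCP and a 2-bit ECN value into the IPv4 DS (TOS) field."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("DSCP must be 0-63 and ECN 0-3")
    return (dscp << 2) | ecn


def header_checksum(header):
    """Standard one's-complement IPv4 header checksum (header length must be even)."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, traffic_class, protocol=17):
    """Build a 20-byte IPv4 header (no options) marked for traffic_class."""
    dscp = DSCP_BY_CLASS[traffic_class]
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5,            # version 4, IHL 5 words
        tos_byte(dscp),          # DS field: DSCP << 2 | ECN (ECN = 0, Not-ECT)
        20 + payload_len,        # total length
        0,                       # identification
        0,                       # flags / fragment offset
        64,                      # TTL
        protocol,                # 17 = UDP, the usual transport for voice and video media
        0,                       # checksum placeholder, filled in below
        IPv4Address(src).packed,
        IPv4Address(dst).packed,
    )
    checksum = header_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:]


def parse_dscp(packet):
    """Return (dscp, ecn) from the DS field of a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return packet[1] >> 2, packet[1] & 0x3


def classify(packet):
    """Name the traffic class an edge device would infer from the packet's DSCP."""
    dscp, _ = parse_dscp(packet)
    for name, value in DSCP_BY_CLASS.items():
        if value == dscp:
            return name
    return "other"


if __name__ == "__main__":
    # Constructed sample: a voice packet from an on-premises phone to a placeholder cloud address.
    pkt = build_ipv4_header("10.0.0.20", "203.0.113.50", 160, "voice")
    print(pkt.hex(), parse_dscp(pkt), classify(pkt))
```

The checksum is recomputed after the DS field is set, which matters because any device that rewrites DSCP at the edge must also update the header checksum; a capture that shows packets arriving with DSCP 0 at the Microsoft peering router is the usual sign that an intermediate device stripped the marking.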

See these additional resources for more information:

Next step

Designing networking for Microsoft SaaS

See also

Microsoft Cloud Networking for Enterprise Architects

Microsoft Cloud IT architecture resources

Designing networking for Microsoft SaaS

11/28/2018 • 2 minutes to read

Summary: Understand how to optimize your network for access to Microsoft's SaaS services, including Office 365, Microsoft Intune, and Dynamics 365.

Optimizing your network for Microsoft SaaS services requires the configuration of internal and edge devices to route the different categories of traffic to Microsoft SaaS services.

Steps to prepare your network for Microsoft SaaS services

Follow these steps to optimize your network for Microsoft SaaS services:

1. Go through the Steps to prepare your network for Microsoft cloud services section in Common elements of Microsoft cloud connectivity.

2. Add an Internet connection to each of your offices.

3. Ensure that the ISPs for all Internet connections use a DNS server with a local IP address.

4. Examine your network hairpins, intermediate destinations such as cloud-based security services, and eliminate them if possible.

5. Configure your edge devices to bypass processing for the Optimize and Allow categories of Microsoft SaaS traffic.

Optimizing traffic to Microsoft’s SaaS services

There are three categories of Microsoft SaaS traffic:

Optimize: Required for connectivity to every Microsoft SaaS service and represent over 75% of Microsoft SaaS bandwidth, connections, and volume of data.

Allow: Required for connectivity to specific Microsoft SaaS services and features but are not as sensitive to network performance and latency as those in the Optimize category.

Default: Represent Microsoft SaaS services and dependencies that do not require any optimization. You can treat Default category traffic like normal Internet traffic.

Figure 1: Recommended configuration for Microsoft SaaS traffic for all offices


Figure 1 shows the recommended configuration of all offices, including branch offices and regional or central ones, in which:

Default category and general Internet traffic is routed to offices that have proxy servers and other edge devices to provide protection against Internet-based security risks.

Optimize and Allow category traffic is forwarded directly to the edge of the Microsoft network front end nearest to the office containing the connecting user, bypassing proxy servers and other edge devices.

Software-defined wide area network (SD-WAN) devices in branch offices separate traffic so that:

Default category and general Internet traffic goes to a central or regional office over the WAN backbone.

Optimize and Allow category traffic goes to the ISP providing the local Internet connection.
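The category split above is applied on clients and edge devices as a bypass list: Optimize and Allow destinations go direct, everything else goes through the proxy. The following Python example is added here and is not code from the page or from Microsoft; it classifies hostnames against a category list, emits a PAC file body that encodes the bypass, and extracts the IP prefixes an edge device should pass untouched. The endpoint list, hostnames (under example.test) and proxy name are constructed for the example; the real endpoint categories are published by Microsoft and change over time, so a production version must be fed from that published list rather than a static copy.

```python
import fnmatch

# Constructed sample endpoint data for this example only; the real endpoint list and its
# category membership are published by Microsoft and change over time.
SAMPLE_ENDPOINTS = [
    {"category": "Optimize", "urls": ["outlook.example.test", "*.sharepoint.example.test"],
     "ips": ["198.51.100.0/24"]},
    {"category": "Allow", "urls": ["*.auth.example.test"], "ips": ["203.0.113.0/25"]},
    {"category": "Default", "urls": ["*.cdn.example.test"], "ips": []},
]
BYPASS_CATEGORIES = {"Optimize", "Allow"}      # sent direct, bypassing proxies and inspection
DEFAULT_PROXY = "proxy.corp.example.test:8080"  # hypothetical on-premises proxy


def category_for_host(host, endpoints=SAMPLE_ENDPOINTS):
    """Category of the most specific matching URL pattern, or None if the host is not listed."""
    host = host.lower().rstrip(".")
    best = None
    for entry in endpoints:
        for pattern in entry["urls"]:
            if fnmatch.fnmatchcase(host, pattern.lower()):
                if best is None or len(pattern) > len(best[0]):
                    best = (pattern, entry["category"])
    return best[1] if best else None


def proxy_decision(host, endpoints=SAMPLE_ENDPOINTS, proxy=DEFAULT_PROXY):
    """PAC-style verdict for one host: DIRECT for Optimize/Allow, the proxy for everything else."""
    if category_for_host(host, endpoints) in BYPASS_CATEGORIES:
        return "DIRECT"
    return f"PROXY {proxy}"


def generate_pac(endpoints=SAMPLE_ENDPOINTS, proxy=DEFAULT_PROXY):
    """Emit a PAC file body that sends Optimize/Allow hosts direct and all else to the proxy."""
    lines = ["function FindProxyForURL(url, host) {", "    host = host.toLowerCase();"]
    for entry in endpoints:
        if entry["category"] in BYPASS_CATEGORIES:
            for pattern in entry["urls"]:
                lines.append(f'    if (shExpMatch(host, "{pattern.lower()}")) return "DIRECT";')
    lines.append(f'    return "PROXY {proxy}";')
    lines.append("}")
    return "\n".join(lines)


def bypass_prefixes(endpoints=SAMPLE_ENDPOINTS):
    """IP prefixes edge devices should pass without SSL inspection or other processing."""
    return sorted(ip for e in endpoints if e["category"] in BYPASS_CATEGORIES for ip in e["ips"])


if __name__ == "__main__":
    for host in ["team.sharepoint.example.test", "login.auth.example.test",
                 "static.cdn.example.test", "www.example.org"]:
        print(f"{host:32} {category_for_host(host) or 'unlisted':10} {proxy_decision(host)}")
    print(generate_pac())
    print(bypass_prefixes())
```

Default-category hosts deliberately do not appear in the PAC output: they fall through to the proxy like any other Internet destination, which is the behaviour the recommended configuration calls for.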

For more information, see:

Next step

Designing networking for Microsoft Azure PaaS

See also

Microsoft Cloud Networking for Enterprise Architects

Microsoft Cloud IT architecture resources

Designing networking for Microsoft Azure PaaS

11/28/2018 • 2 minutes to read

Summary: Understand how to optimize your network for access to Microsoft Azure PaaS.

Optimizing networking for Azure PaaS apps requires adequate Internet bandwidth and can require the distribution of network traffic across multiple sites or apps.

Planning steps for hosting organization PaaS applications in Azure

1. Go through the Steps to prepare your network for Microsoft cloud services section in Common elements of Microsoft cloud connectivity.

2. Optimize your Internet bandwidth using steps 2 - 4 of the Steps to prepare your network for Microsoft SaaS services section in Designing networking for Microsoft SaaS.

3. Determine whether you need an ExpressRoute connection to Azure.

4. For web-based workloads, determine whether you need the Azure Application Gateway.

5. For distribution of traffic to different endpoints in different data centers, determine whether you need Azure Traffic Manager.

Internet bandwidth for organization PaaS applications

Organization applications hosted in Azure PaaS require Internet bandwidth for intranet users. There are two options:

Option 1: Use your existing pipe, optimized for Internet traffic with the capacity to handle peak loads. See Designing networking for Microsoft SaaS for Internet edge, client usage, and IT operations considerations.

Option 2: For high-bandwidth or low latency needs, use an ExpressRoute connection to Azure.

Figure 1: Connection options for connecting the Azure PaaS services


Figure 1 shows an on-premises network connecting to Azure PaaS services over an Internet pipe or ExpressRoute.

Azure Application Gateway

Application-level routing and load balancing services that let you build a scalable and highly-available web front end in Azure for web apps, cloud services, and virtual machines.

Figure 2: Azure Application Gateway


Figure 2 shows the Azure Application Gateway and how user requests from the Internet can be routed to Azure web apps, cloud services, or virtual machines.

Application Gateway currently supports layer 7 application delivery for the following:

HTTP load balancing

Cookie-based session affinity

SSL offload

For more information, see Application Gateway.

Azure Traffic Manager

Distribution of traffic to different endpoints, which can include cloud services or Azure web apps located in different data centers or external endpoints.

Traffic Manager uses the following routing methods:

Failover: The endpoints are in the same or different Azure datacenters and you want to use a primary endpoint for all traffic, but provide backups in case the primary or the backup endpoints are unavailable.

Round robin: You want to distribute load across a set of endpoints in the same datacenter or across different datacenters.

Performance: You have endpoints in different geographic locations and you want requesting clients to use the "closest" endpoint in terms of the lowest latency.

Here is an example for three geographically-distributed web apps.

Figure 3: Azure Traffic Manager


Figure 3 shows the basic process that Traffic Manager uses to route requests to three different Azure web apps in United States, Europe, and Asia. In the example:

2. The user initiates traffic with the regional web app in Europe.

For more information, see Traffic Manager.
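Traffic Manager is a DNS-level service: each routing method is a rule for which healthy endpoint's address to return for a query. The following Python example, added here and not code from the page or from Azure, models the three methods above over the same three-region layout as Figure 3, including the health check that removes a failed endpoint from every method's candidate set. The endpoint names, priorities and latency figures are constructed for the example.

```python
# Constructed sample endpoints: three regional web apps with the latency (ms) that a client
# in each region would see. Names, priorities and numbers are invented for this example.
ENDPOINTS = [
    {"name": "webapp-us", "priority": 1, "healthy": True,
     "latency_ms": {"United States": 20, "Europe": 90, "Asia": 150}},
    {"name": "webapp-eu", "priority": 2, "healthy": True,
     "latency_ms": {"United States": 90, "Europe": 15, "Asia": 120}},
    {"name": "webapp-asia", "priority": 3, "healthy": True,
     "latency_ms": {"United States": 150, "Europe": 120, "Asia": 25}},
]


def healthy(endpoints):
    """Endpoints whose health probe is passing; a failed endpoint is never returned."""
    return [e for e in endpoints if e["healthy"]]


def failover(endpoints):
    """Healthy endpoint with the lowest priority number; backups take over only when it fails."""
    candidates = sorted(healthy(endpoints), key=lambda e: e["priority"])
    return candidates[0]["name"] if candidates else None


def round_robin(endpoints, query_index):
    """Rotate through healthy endpoints; query_index counts DNS queries answered so far."""
    candidates = healthy(endpoints)
    return candidates[query_index % len(candidates)]["name"] if candidates else None


def performance(endpoints, client_region):
    """Healthy endpoint with the lowest latency from the querying client's region."""
    candidates = healthy(endpoints)
    if not candidates:
        return None
    return min(candidates, key=lambda e: e["latency_ms"][client_region])["name"]


def resolve(method, endpoints, client_region=None, query_index=0):
    """Answer one DNS query the way the chosen routing method would."""
    if method == "failover":
        return failover(endpoints)
    if method == "round robin":
        return round_robin(endpoints, query_index)
    if method == "performance":
        return performance(endpoints, client_region)
    raise ValueError(f"unknown routing method: {method}")


def with_health(endpoints, name, is_healthy):
    """Copy of the endpoint list with one endpoint's probe result changed."""
    return [dict(e, healthy=is_healthy) if e["name"] == name else dict(e) for e in endpoints]


if __name__ == "__main__":
    print(resolve("performance", ENDPOINTS, client_region="Europe"))
    degraded = with_health(ENDPOINTS, "webapp-eu", False)
    print(resolve("performance", degraded, client_region="Europe"))
    print([resolve("round robin", ENDPOINTS, query_index=i) for i in range(4)])
    print(resolve("failover", with_health(ENDPOINTS, "webapp-us", False)))
```

The performance case with webapp-eu marked unhealthy is the one worth checking in a design review: a European client is steered to the next-lowest-latency healthy endpoint rather than getting no answer, so capacity planning for the remaining regions must cover that spill-over.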

Next step

Designing networking for Microsoft Azure IaaS

See also

Microsoft Cloud Networking for Enterprise Architects

Microsoft Cloud IT architecture resources

Designing networking for Microsoft Azure IaaS

11/28/2018 • 14 minutes to read

Summary: Understand how to design optimized networking for workloads in Microsoft Azure IaaS.

Optimizing networking for IT workloads hosted in Azure IaaS requires an understanding of Azure virtual networks (VNets), address spaces, routing, DNS, and load balancing.

Planning steps for any VNet

Follow these steps for any type of VNet.

Step 1: Prepare your intranet for Microsoft cloud services

Go through the Steps to prepare your network for Microsoft cloud services section in Common elements of Microsoft cloud connectivity.

Step 2: Optimize your Internet bandwidth

Optimize your Internet bandwidth using steps 2 - 4 of the Steps to prepare your network for Microsoft SaaS services section in Designing networking for Microsoft SaaS.

Step 3: Determine the type of VNet (cloud-only or cross-premises)

A cloud-only VNet has no connection to an on-premises network. Here is an example.

Figure 1: A cloud-only VNet


Figure 1 shows a set of virtual machines in a cloud-only VNet.

A cross-premises VNet has a site-to-site (S2S) VPN or ExpressRoute connection to an on-premises network through an Azure gateway. Here is an example.

Figure 2: A cross-premises VNet

Figure 2 shows a set of virtual machines in a cross-premises VNet, which is connected to an on-premises network.

See the additional Planning steps for a cross-premises VNet section in this article.

Step 4: Determine the address space of the VNet

Table 1 shows the address spaces for the different types of VNets.

TYPE OF VNET                    VIRTUAL NETWORK ADDRESS SPACE
Cloud-only                      Arbitrary private address space
Interconnected cloud-only       Arbitrary private, but not overlapping with other connected VNets
Cross-premises                  Private, but not overlapping with on-premises
Interconnected cross-premises   Private, but not overlapping with on-premises and other connected VNets

Table 1: Types of VNets and their corresponding address space

Virtual machines are assigned an address configuration from the address space of the subnet by DHCP:

Address/subnet mask
Default gateway
DNS server IP addresses

You can also reserve a static IP address.

Virtual machines can also be assigned a public IP address, either individually or from the containing cloud service (for classic deployment machines only).

Step 5: Determine the subnets within the VNet and the address spaces assigned to each

There are two types of subnets in a VNet, a gateway subnet and a virtual machine-hosting subnet.

Figure 3: The two types of subnets in Azure

Figure 3 shows a VNet containing a gateway subnet that has an Azure gateway and a set of virtual machine-hosting subnets containing virtual machines.

The Azure gateway subnet is needed by Azure to host the two virtual machines of your Azure gateway. Specify an address space with at least a 29-bit prefix length (example: 192.168.15.248/29). A 28-bit or smaller prefix length is recommended, especially if you are planning to use ExpressRoute.

A best practice for determining the address space of the Azure gateway subnet is:

1. Decide on the size of the gateway subnet.

2. In the variable bits in the address space of the VNet, set the bits used for the gateway subnet to 0 and set the remaining bits to 1.

3. Convert to decimal and express as an address space with the prefix length set to the size of the gateway subnet.

With this method, the address space for the gateway subnet is always at the farthest end of the VNet address space.

Here is an example of defining the address prefix for the gateway subnet: The address space of the VNet is 10.119.0.0/16. The organization will initially use a site-to-site VPN connection, but will eventually get ExpressRoute. Table 2 shows the steps and results of determining the gateway subnet address prefix in network prefix notation (also known as CIDR).

Here are the steps and example of determining the gateway subnet address prefix:

1. Decide on the size of the gateway subnet. For our example, we chose /28.

2. Set the bits in the variable portion of the VNet address space (b) to 0 for the gateway subnet bits (G), otherwise 1 (V). For our example, we are using the 10.119.0.0/16 address space for the VNet.

10.119. bbbbbbbb . bbbbbbbb
10.119. VVVVVVVV . VVVVGGGG
10.119. 11111111 . 11110000

3. Convert the result from step 2 to decimal and express as an address space. For our example, 10.119. 11111111 . 11110000 is 10.119.255.240, and with the prefix length from step 1 (28 in our example), the resulting gateway subnet address prefix is 10.119.255.240/28.

Virtual machine-hosting subnets are where you place Azure virtual machines, which you can do according to typical on-premises guidelines, such as a common role or tier of an application or for subnet isolation.

Azure uses the first 3 addresses on each subnet. Therefore, the number of possible addresses on an Azure subnet is 2^n - 5, where n is the number of host bits. Table 3 shows the range of virtual machines required, the number of host bits needed, and the corresponding subnet size.

VIRTUAL MACHINES REQUIRED   HOST BITS   SUBNET SIZE
1-3                         3           /29
4-11                        4           /28
12-27                       5           /27
28-59                       6           /26
60-123                      7           /25

Table 3: Virtual machine requirements and their subnet sizes

For more information, see Plan and design Azure Virtual Networks.
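The gateway subnet calculation of Step 5 and the subnet sizing of Table 3, carried out in code as an added example; this is not code from the original article or from any Azure tool. It uses only the Python standard library ipaddress module, the function names are my own, and the 5 reserved addresses per subnet (network, broadcast and the 3 addresses Azure uses) follow the 2^n - 5 rule stated above:

```python
import ipaddress

# Added example, not code from the original article: the two Step 5
# calculations, placing the gateway subnet at the far end of the VNet and
# sizing a VM-hosting subnet from the VM count (Table 3).

# Network and broadcast addresses plus the 3 addresses Azure uses on every subnet.
AZURE_RESERVED_PER_SUBNET = 5


def gateway_subnet(vnet_cidr: str, gateway_prefix_len: int) -> ipaddress.IPv4Network:
    """Gateway subnet prefix using the article's three steps.

    Keep the fixed VNet bits, set the variable bits to 1 except the gateway
    host bits, which become 0, then express the result with the gateway
    prefix length.  The subnet therefore always sits at the far end of the VNet.
    """
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    if not vnet.prefixlen < gateway_prefix_len <= 29:
        raise ValueError("gateway prefix must be longer than the VNet prefix and at most /29")
    variable_bits = int(vnet.hostmask)                        # the 'b' bits
    gateway_host_bits = (1 << (32 - gateway_prefix_len)) - 1  # the 'G' bits
    address = int(vnet.network_address) | (variable_bits & ~gateway_host_bits)
    return ipaddress.IPv4Network((address, gateway_prefix_len))


def bit_pattern(vnet_cidr: str, gateway_prefix_len: int) -> str:
    """Render the V/G layout from the article, e.g. '10.119.VVVVVVVV.VVVVGGGG'.

    Only VNet prefixes on an octet boundary (/8, /16, /24) are rendered, so
    that the fixed octets can be shown in decimal as the article does.
    """
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    if vnet.prefixlen % 8:
        raise ValueError("bit_pattern expects a VNet prefix on an octet boundary")
    fixed_octets = vnet.prefixlen // 8
    pattern = str(vnet.network_address).split(".")[:fixed_octets]
    for octet in range(fixed_octets, 4):
        bits = range(octet * 8, octet * 8 + 8)
        pattern.append("".join("G" if bit >= gateway_prefix_len else "V" for bit in bits))
    return ".".join(pattern)


def bit_values(vnet_cidr: str, gateway_prefix_len: int) -> str:
    """Step 2 result as binary: V bits become 1 and G bits become 0."""
    return bit_pattern(vnet_cidr, gateway_prefix_len).replace("V", "1").replace("G", "0")


def usable_addresses(prefix_len: int) -> int:
    """Addresses available to VMs on an Azure subnet: 2^n - 5 for n host bits."""
    return 2 ** (32 - prefix_len) - AZURE_RESERVED_PER_SUBNET


def subnet_size_for(vm_count: int) -> int:
    """Smallest Azure subnet (largest prefix length) that holds vm_count VMs."""
    if vm_count < 1:
        raise ValueError("vm_count must be at least 1")
    for prefix_len in range(29, 0, -1):      # /29 is the smallest Azure subnet
        if usable_addresses(prefix_len) >= vm_count:
            return prefix_len
    raise ValueError("vm_count does not fit in a single subnet")


if __name__ == "__main__":
    # The article's worked example: VNet 10.119.0.0/16 with a /28 gateway subnet.
    print(bit_pattern("10.119.0.0/16", 28))     # 10.119.VVVVVVVV.VVVVGGGG
    print(bit_values("10.119.0.0/16", 28))      # 10.119.11111111.11110000
    print(gateway_subnet("10.119.0.0/16", 28))  # 10.119.255.240/28
    for vms in (3, 4, 12, 28, 60, 123):
        size = subnet_size_for(vms)
        print(f"{vms:>3} VMs -> /{size} ({usable_addresses(size)} usable addresses)")
```

Running the script reproduces the 10.119.255.240/28 result of the worked example and the five rows of Table 3; subnet_size_for returns the boundary values of the table (for example 11 VMs still fit a /28, 12 need a /27).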

Step 6: Determine the DNS server configuration and the addresses of the DNS servers to assign to VMs in the VNet

Azure assigns virtual machines the addresses of DNS servers by DHCP. DNS servers can be:

Supplied by Azure: Provides local name registration and local and Internet name resolution
Provided by you: Provides local or intranet name registration and either intranet or Internet name resolution

Table 4 shows the different configurations of DNS servers for each type of VNet.

TYPE OF VNET     DNS SERVER
Cloud-only       Azure-supplied for local and Internet name resolution
                 Azure virtual machine for local and Internet name resolution (DNS forwarding)
Cross-premises   On-premises for local and intranet name resolution
                 Azure virtual machine for local and intranet name resolution (DNS replication and forwarding)

Table 4: DNS server options for the two different types of VNets

For more information, see Name Resolution for VMs and Role Instances.

Step 7: Determine the load balancing configuration (Internet-facing or internal)

In some cases, you want to distribute incoming traffic to a set of servers that have the same role. Azure IaaS has a built-in facility to do this for Internet-facing and internal traffic loads.

Azure Internet-facing load balancing randomly distributes unsolicited incoming traffic from the Internet to the members of a load-balanced set.

Figure 4: An external load balancer in Azure

Figure 4 shows an external load balancer in Azure that distributes incoming traffic on an inbound NAT rule or endpoint to a set of virtual machines in a load-balanced set.

Azure internal load balancing randomly distributes unsolicited incoming traffic from other Azure VMs or from intranet computers to the members of a load-balanced set.

Figure 5: An internal load balancer in Azure

Figure 5 shows an internal load balancer in Azure that distributes incoming traffic on an inbound NAT rule or endpoint to a set of virtual machines in a load-balanced set.

For more information, see Azure Load Balancer.

Step 8: Determine the use of virtual appliances and user-defined routes

If you need to forward traffic to virtual appliances in your VNet, you may need to add one or more user-defined routes to a subnet.

Figure 6: Virtual appliances and user-defined routes in Azure

Figure 6 shows a cross-premises VNet and a user-defined route assigned to a virtual machine-hosting subnet that points to a virtual appliance.

For more information, see User Defined Routes and IP Forwarding.

Step 9: Determine how computers from the Internet will connect to virtual machines

There are multiple ways to provide Internet access to the virtual machines on a VNet, which includes access from your organization network through your proxy server or other edge device.

Table 5 lists the methods for filtering or inspecting unsolicited incoming traffic.

METHOD                                                               DEPLOYMENT MODEL
1. Endpoints and ACLs configured on cloud services                   Classic
2. Network security groups                                           Resource Manager and classic
3. Internet-facing load balancer with inbound NAT rules              Resource Manager
4. Network security appliances in the Azure Marketplace (not shown)  Resource Manager and classic

Table 5: Methods of connecting to virtual machines and their corresponding Azure deployment models

Figure 7: Connecting to Azure virtual machines over the Internet

Figure 7 shows an Internet-connected computer connecting to a virtual machine in a cloud service using an endpoint, a virtual machine on a subnet using a network security group, and a virtual machine on a subnet using an external load balancer and inbound NAT rules.

Additional security is provided by:

Remote Desktop and SSH connections, which are authenticated and encrypted.
Remote PowerShell sessions, which are authenticated and encrypted.
IPsec transport mode, which you can use for end-to-end encryption.
Azure DDOS protection, which helps prevent external and internal attacks.

For more information, see Microsoft Cloud Security for Enterprise Architects.

Step 10: For multiple VNets, determine the VNet-to-VNet connection topology

VNets can be connected to each other using topologies similar to those used for connecting the sites of an organization.

A daisy chain configuration connects the VNets in a series.

Figure 8: A daisy-chained configuration for VNets

Figure 8 shows five VNets connected in series using a daisy-chained configuration.

A spoke and hub configuration connects multiple VNets to a set of central VNets, which are themselves connected to each other.

Figure 9: A spoke and hub configuration for VNets

Figure 9 shows six VNets: two are hubs that are connected to each other, and each hub is also connected to two spoke VNets.

A full mesh configuration connects every VNet to each other.

Figure 10: A full mesh configuration for VNets

Figure 10 shows four VNets that are all connected to each other, using a total of six VNet-to-VNet connections.

Planning steps for a cross-premises VNet

Follow these steps for a cross-premises VNet.

TIP: To create a simulated cross-premises dev/test environment, see Simulated cross-premises virtual network in Azure.

Step 1: Determine the cross-premises connection to the VNet (S2S VPN or ExpressRoute)

Table 6 lists the different types of connections.

TYPE OF CONNECTION                       PURPOSE
Site-to-Site (S2S) VPN                   Connect 1-10 sites (including other VNets) to a single VNet.
ExpressRoute                             A private, secure link to Azure via an Internet Exchange Provider (IXP) or a Network Service Provider (NSP).
Point-to-Site (P2S) VPN                  Connects a single computer to a VNet.
VNet peering or VNet-to-VNet (V2V) VPN   Connects a VNet to another VNet.

Table 6: The types of connections for cross-premises VNets

For more information on the maximum number of connections, see Networking Limits.

For more information about VPN devices, see VPN devices for site-to-site virtual network connections.

For more information about VNet peering, see VNet peering.

Figure 11: The four ways to connect to a cross-premises VNet

Figure 11 shows a VNet with the four types of connections: a P2S connection from a computer, an S2S VPN connection from an on-premises network, an ExpressRoute connection from an on-premises network, and a VNet-to-VNet connection from another VNet.

You can connect to VMs in a VNet in the following ways:

Administration of VNet VMs from your on-premises network or the Internet
IT workload access from your on-premises network
Extension of your network through additional VNets

Security for connections is provided by the following:

P2S uses the Secure Socket Tunneling Protocol (SSTP)
S2S and VNet-to-VNet VPN connections use IPsec tunnel mode with AES256
ExpressRoute is a private WAN connection

For more information, see Microsoft Cloud Security for Enterprise Architects.

Step 2: Determine the on-premises VPN device or router

Your on-premises VPN device or router acts as:

An IPsec peer, terminating the S2S VPN connection from the Azure gateway.
The BGP peer and termination point for the private peering ExpressRoute connection.

Figure 12: The on-premises VPN router or device

Figure 12 shows a cross-premises VNet connected to an on-premises VPN router or device.

For more information, see About VPN gateway.

Step 3: Add routes to your intranet to make the address space of the VNet reachable

Routing to VNets from on-premises consists of the following:

1. A route for the VNet address space that points toward your VPN device.

2. A route for the VNet address space on your VPN device that points across the S2S VPN or ExpressRoute connection.

Figure 13: The on-premises routes needed to make a VNet reachable

Figure 13 shows the routing information needed by the on-premises routers and the VPN router or device that represents the address space of the VNet.

Step 4: For ExpressRoute, plan for the new connection with your provider

You can create an ExpressRoute connection with private peering between your on-premises network and the Microsoft cloud in three different ways:

Co-located at a cloud exchange
Point-to-point Ethernet connections
Any-to-any (IP VPN) networks

Figure 14: Using ExpressRoute to connect to a cross-premises VNet

Figure 14 shows a cross-premises VNet and an ExpressRoute connection from an on-premises router to Microsoft Azure.

For more information, see ExpressRoute for Microsoft cloud connectivity.

Step 5: Determine the Local Network address space for the Azure gateway

For the routing to on-premises or other VNets from a VNet, Azure forwards traffic across an Azure gateway that matches the Local Network address space assigned to the gateway.

Figure 15: The Local Network address space for a cross-premises VNet

Figure 15 shows a cross-premises VNet and the Local Network address space on the Azure gateway, which represents the reachable address space on the on-premises network.

You can define the Local Network address space in these ways:

Option 1: The list of prefixes for the address space currently needed or in use (updates might be needed when you add new subnets).
Option 2: Your entire on-premises address space (updates only needed when you add new address space).

Because the Azure gateway does not allow summarized routes, you must define the Local Network address space for option 2 so that it does not include the VNet address space.

Figure 16: The address space hole created by the VNet address space

Figure 16 shows a representation of an address space, with the root space and the VNet address space.

Here is an example of defining the prefixes for the Local Network address space around the address space "hole" created by the VNet:

An organization uses portions of the private address space (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) across their on-premises network. They chose option 2 and 10.100.100.0/24 as their VNet address space.

Table 7 shows the steps and resulting prefixes that define the Local Network address space for this example.

STEP / RESULTS

1. List the prefixes that are not the root space for the VNet address space.
   172.16.0.0/12 and 192.168.0.0/16

2. List the non-overlapping prefixes for variable octets up to but not including the last used octet in the VNet address space.
   10.0.0.0/16, 10.1.0.0/16…10.99.0.0/16, 10.101.0.0/16…10.254.0.0/16, 10.255.0.0/16 (255 prefixes, skipping 10.100.0.0/16)

3. List the non-overlapping prefixes within the last used octet of the VNet address space.
   10.100.0.0/24, 10.100.1.0/24…10.100.99.0/24, 10.100.101.0/24…10.100.254.0/24, 10.100.255.0/24 (255 prefixes, skipping 10.100.100.0/24)

Table 7: Example Local Network address space
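The three steps of Table 7 carried out in code, as an added example that is not part of the original article or of any Azure tool. The function names are my own, the method is restricted to root and VNet prefixes on octet boundaries (which is all the table's octet-by-octet walk covers), and the check at the end confirms that the 512 prefixes cover every private address except the VNet exactly once by comparing them with the minimal exclusion set that Python's ipaddress module computes:

```python
import ipaddress
from typing import Iterable, List

# Added example, not code from the original article: build the Local Network
# address space prefixes around the "hole" left by the VNet, following the
# three steps of Table 7 literally, then check the result against the
# minimal prefix set that ipaddress computes.

PRIVATE_ROOTS = tuple(
    ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


def local_network_prefixes(
    vnet_cidr: str, roots: Iterable[ipaddress.IPv4Network] = PRIVATE_ROOTS
) -> List[ipaddress.IPv4Network]:
    """Option 2 Local Network address space that excludes the VNet prefix.

    The octet-walking method of Table 7 applies when the root space and the
    VNet prefix both end on an octet boundary (/8, /16, /24).
    """
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    roots = list(roots)
    containing = [r for r in roots if vnet.subnet_of(r)]
    if len(containing) != 1:
        raise ValueError("the VNet must lie inside exactly one root prefix")
    root = containing[0]
    if root.prefixlen % 8 or vnet.prefixlen % 8:
        raise ValueError("root and VNet prefixes must end on an octet boundary")

    # Step 1: root spaces that do not contain the VNet are used whole.
    prefixes = [r for r in roots if r != root]

    vnet_octets = vnet.network_address.packed   # e.g. b'\x0a\x64\x64\x00'
    first_variable = root.prefixlen // 8        # first octet the root leaves free
    last_used = vnet.prefixlen // 8 - 1         # last octet fixed by the VNet prefix

    # Steps 2 and 3: for each octet from the first variable one through the last
    # used one, list every value except the VNet's own, keeping the preceding
    # octets and zeroing the following ones.  The octets before the last give
    # the /16-style prefixes of step 2, the last octet the /24-style prefixes of step 3.
    for octet_index in range(first_variable, last_used + 1):
        new_prefix_len = (octet_index + 1) * 8
        for value in range(256):
            if value == vnet_octets[octet_index]:
                continue   # skip the prefix that would contain the VNet
            octets = list(vnet_octets[:octet_index]) + [value] + [0] * (3 - octet_index)
            address = int.from_bytes(bytes(octets), "big")
            prefixes.append(ipaddress.IPv4Network((address, new_prefix_len)))
    return prefixes


def excludes_vnet_without_gaps(
    vnet_cidr: str,
    prefixes: Iterable[ipaddress.IPv4Network],
    roots: Iterable[ipaddress.IPv4Network] = PRIVATE_ROOTS,
) -> bool:
    """True when the prefixes cover every root address except the VNet, exactly once.

    Collapsing the prefixes must give the same minimal set as removing the
    VNet from its root with address_exclude and adding the other roots whole,
    and the address counts must match so that no prefix is listed twice.
    """
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    prefixes = list(prefixes)
    if any(p.overlaps(vnet) for p in prefixes):
        return False
    expected = []
    for root in roots:
        expected.extend(root.address_exclude(vnet) if vnet.subnet_of(root) else [root])
    if sum(p.num_addresses for p in prefixes) != sum(e.num_addresses for e in expected):
        return False
    return list(ipaddress.collapse_addresses(prefixes)) == list(ipaddress.collapse_addresses(expected))


if __name__ == "__main__":
    # The article's example: VNet 10.100.100.0/24 carved out of the private roots.
    result = local_network_prefixes("10.100.100.0/24")
    print(len(result), "prefixes")                                 # 512 prefixes
    print(result[0], result[1])             # 172.16.0.0/12 192.168.0.0/16
    print(result[2], "...", result[256])    # 10.0.0.0/16 ... 10.255.0.0/16
    print(result[257], "...", result[-1])   # 10.100.0.0/24 ... 10.100.255.0/24
    print(excludes_vnet_without_gaps("10.100.100.0/24", result))   # True
```

The list is long because the article's method deliberately stays at the octet granularity of the table rather than summarizing; the check shows that this longer list and the minimal exclusion set describe the same addresses, so either can be loaded into the gateway's Local Network address space as long as neither includes the VNet prefix itself.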

Step 6: Configure on-premises DNS servers for DNS replication with DNS servers hosted in Azure

To ensure that on-premises computers can resolve the names of Azure-based servers and Azure-based servers can resolve the names of on-premises computers, configure:

The DNS servers in your VNet to forward to on-premises DNS servers
DNS replication of the appropriate zones between DNS servers on-premises and in the VNet

Figure 17: DNS replication and forwarding for a DNS server in a cross-premises VNet

Figure 17 shows a cross-premises VNet with DNS servers in the on-premises network and on a subnet in the VNet. DNS replication and forwarding has been configured between the two DNS servers.

Step 7: Determine the use of forced tunneling

The default system route for Azure subnets points to the Internet. To ensure that all traffic from virtual machines travels across the cross-premises connection, create a routing table with the default route that uses the Azure gateway as its next-hop address. You then associate the route table with the subnet. This is known as forced tunneling. For more information, see Configure forced tunneling.

Figure 18: User-defined routes and forced tunneling for a cross-premises VNet

Figure 18 shows a cross-premises VNet with a user-defined route for a subnet pointing to the Azure gateway.

SharePoint Server 2016 farm in Azure

An example of an intranet IT workload hosted in Azure IaaS is a highly-available, multi-tier SharePoint Server 2016 farm.

Figure 19: A highly-available intranet SharePoint Server 2016 farm in Azure IaaS

Figure 19 shows the nine servers of a SharePoint Server 2016 farm deployed in a cross-premises VNet that uses internal load balancers for the front-end and data tiers. For more information, including step-by-step design and deployment instructions, see SharePoint Server 2016 in Microsoft Azure.

For additional examples of IT workloads deployed on virtual machines in a cross-premises Azure virtual network, see Hybrid cloud scenarios for Azure IaaS.

See also

Microsoft Cloud Networking for Enterprise Architects

Microsoft Cloud IT architecture resources

Microsoft Hybrid Cloud for Enterprise Architects

11/30/2018 • 2 minutes to read

Summary: What IT architects need to know about hybrid scenarios using Microsoft cloud services and platforms.

This article links you to a set of articles that describe what IT architects need to know about hybrid architecture and configurations with Microsoft cloud services and platforms. You can also view this article as a 7-page poster and print it in tabloid format (also known as ledger, 11 x 17, or A3).

PDF | Visio

You can also see all of the models in the Microsoft Cloud IT architecture resources.

See the following sections:

Hybrid cloud overview
Microsoft's cloud offerings (SaaS, Azure PaaS, and Azure IaaS) and their common elements.

Architecture of Microsoft hybrid cloud scenarios
An architectural diagram of hybrid cloud for Microsoft's cloud offerings, showing the common layers of on-premises infrastructure, networking, and identity.

Hybrid cloud scenarios for Microsoft SaaS (Office 365)
The SaaS hybrid scenario architecture and descriptions of key hybrid configurations for Skype for Business, SharePoint Server, and Exchange Server.

Hybrid cloud scenarios for Azure PaaS
The Azure PaaS hybrid scenario architecture, the description of an Azure PaaS hybrid application with an example, and the description of SQL Server 2016 Stretch Database.

Hybrid cloud scenarios for Azure IaaS
The Azure IaaS hybrid scenario architecture and the description of a line of business (LOB) application hosted in Azure IaaS.

Microsoft Cloud IT architecture resources

Hybrid cloud overview

1/16/2019 • 3 minutes to read

Summary: Understand the definition and elements of Microsoft hybrid cloud.

Hybrid cloud uses compute or storage resources on your on-premises network and in the cloud. You can use hybrid cloud as a path to migrate your business and its IT needs to the cloud or integrate cloud platforms and services with your existing on-premises infrastructure as part of your overall IT strategy.

Microsoft hybrid cloud

Microsoft hybrid cloud is a set of business scenarios that combine a Microsoft cloud platform with an on-premises component, such as:

Getting search results from content both in an on-premises SharePoint farm and in SharePoint Online in Office 365.
A mobile app running in Azure that queries an on-premises data store.
An intranet IT workload running on Azure virtual machines.

Figure 1: Components of the Microsoft hybrid cloud

Figure 1 shows the components of the Microsoft hybrid cloud, from an on-premises network to the set of Office 365, Azure Platform as a Service (PaaS), and Azure Infrastructure as a Service (IaaS) services available across the Internet or an ExpressRoute connection.

Because Microsoft has the most complete cloud solution in the marketplace—including Software as a Service (SaaS), PaaS, and IaaS—you can:

Leverage your existing on-premises investments as you migrate workloads and applications to the cloud.
Incorporate hybrid cloud scenarios into your long-term IT plans, for example, when regulations or policies do not permit moving specific data or workloads to the cloud.
Create additional hybrid scenarios that include multiple Microsoft cloud services and platforms.

Scenarios for hybrid cloud with Microsoft cloud services vary with the platform.

SaaS

Microsoft SaaS services include Office 365, Microsoft Intune, and Microsoft Dynamics 365. Hybrid cloud scenarios with Microsoft SaaS combine these services with on-premises services or applications. For example, Exchange Online running in Office 365 can be integrated with Skype for Business 2019 that is deployed on-premises.

Azure PaaS

Microsoft Azure PaaS services allow you to create cloud-based applications. Hybrid cloud scenarios with Azure PaaS services combine an Azure PaaS app with on-premises resources or applications. For example, an Azure PaaS app could securely query an on-premises data store for information needed to display to mobile app users.

Azure IaaS

Azure IaaS services allow you to build and run server-based IT workloads in the cloud, rather than in your on-premises datacenter. Hybrid cloud scenarios with Azure IaaS services typically consist of an IT workload that runs on virtual machines that is transparently connected to your on-premises network. Your on-premises users will not notice the difference.

Elements of hybrid cloud

You must account for the following elements when planning and implementing hybrid cloud scenarios with Microsoft cloud platforms and services.

Networking

Networking for hybrid cloud scenarios includes the connectivity to Microsoft cloud platforms and services and enough bandwidth to be performant under peak loads. For more information, see Microsoft Cloud Networking for Enterprise Architects.

Identity

Identity for SaaS and Azure PaaS hybrid scenarios can include Azure AD as a common identity provider, which can be synchronized with your on-premises Windows Server AD, or federated with Windows Server AD or other identity providers. You can also extend your on-premises Identity infrastructure to Azure IaaS. For more information, see Microsoft Cloud Identity for Enterprise Architects.

Security

Security for hybrid cloud scenarios includes protection and management for your identities, data protection, administrative privilege management, threat awareness, and the implementation of governance and security policies. For more information, see Microsoft Cloud Security for Enterprise Architects.

Management

Management for hybrid cloud scenarios includes the ability to maintain settings, data, accounts, policies, and permissions and to monitor the ongoing health of the elements of the scenario and its performance. You can also use the same tool set, such as Systems Management Server, for managing virtual machines in Azure IaaS.

See Also

Microsoft Hybrid Cloud for Enterprise Architects

Microsoft Cloud IT architecture resources

Architecture of Microsoft hybrid cloud scenarios

11/30/2018 • 2 minutes to read

Summary: Understand the architecture of Microsoft's hybrid cloud offerings.

Use an architectural approach to plan and implement hybrid cloud scenarios with Microsoft cloud services and platforms.

Figure 1: The Microsoft hybrid cloud stack

Figure 1 shows the Microsoft hybrid cloud stack and its layers, which include on-premises, network, identity, apps and scenarios, and the category of cloud service (Microsoft SaaS, Azure PaaS, and Azure IaaS).

The Apps and scenarios layer has the specific hybrid cloud scenarios that are detailed in the additional articles of this model. The Identity, Network, and On-premises layers can be common to the categories of cloud service (SaaS, PaaS, or IaaS).

On-premises

On-premises infrastructure for hybrid scenarios can include servers for SharePoint, Exchange, Skype for Business, and line of business applications. It can also include data stores (databases, lists, files). Without ExpressRoute connections, access to the on-premises data stores must be allowed through a reverse proxy or by making the server or data accessible on your DMZ or extranet.

Network

There are two choices for connectivity to Microsoft cloud platforms and services: your existing Internet pipe and ExpressRoute. Use an ExpressRoute connection if predictable performance is important. You can use one ExpressRoute connection to connect directly to Microsoft SaaS services (Office 365 and Dynamics 365), Azure PaaS services, and Azure IaaS services.

Identity

For cloud identity infrastructure, there are two ways to go, depending on the Microsoft cloud platform. For SaaS and Azure PaaS, integrate your on-premises identity infrastructure with Azure AD or federate with your on-premises identity infrastructure or third-party identity providers. For VMs running in Azure, you can extend your on-premises identity infrastructure, such as Windows Server AD, to the virtual networks (VNets) where your VMs reside.

Hybrid cloud scenarios for the three-phase cloud adoption process

Many enterprises, including Microsoft itself, use a three-phase approach to adopting the cloud. Hybrid cloud scenarios can play a role in each phase.

1. Move productivity workloads to SaaS

For productivity workloads that currently are or must stay on-premises, hybrid scenarios allow them to be integrated with their cloud counterparts.

2. Develop new and modern applications in Azure PaaS

Azure PaaS hybrid applications can securely leverage on-premises server or storage resources.

3. Move existing applications to Azure IaaS

For lift-and-shift and build-in-the-cloud scenarios, server-based applications running on Azure VMs provide easy provisioning and scaling.

See Also

Microsoft Hybrid Cloud for Enterprise Architects

Microsoft Cloud IT architecture resources

Hybrid cloud scenarios for Microsoft SaaS (Office 365)

11/30/2018 • 4 minutes to read

Summary: Understand the hybrid architecture and scenarios for Microsoft's SaaS-based cloud offerings (Office 365).

Combine on-premises deployments of Exchange, SharePoint, or Skype for Business with their counterparts in Office 365 as part of a cloud migration or long-term integration strategy.

Microsoft SaaS hybrid scenario architecture

Figure 1 shows the architecture of Microsoft SaaS-based hybrid scenarios for Office 365.

Figure 1: Microsoft SaaS-based hybrid scenarios for Office 365


For each layer of the architecture:


Apps and scenarios

There are a variety of SaaS-based hybrid scenarios, aligning around Office Server products and their Office 365 counterparts:

- Exchange Server combined with Exchange Online (Exchange Server hybrid)
- Skype for Business Server combined with Skype for Business Online and the new Cloud PBX and Cloud Connector Edition scenarios
- SharePoint Server 2019, SharePoint Server 2016, or SharePoint Server 2013 combined with SharePoint Online (multiple scenarios)

There is also Exchange Online with Skype for Business Server on-premises, a cross-product hybrid scenario.

Identity

Can include directory synchronization with your on-premises Windows Server AD. Alternately, you can configure Azure AD to federate with a third-party identity provider.

Network

Consists of either your existing Internet pipe or an ExpressRoute connection with Microsoft peering for Office 365 or Dynamics 365.

On-premises

Can consist of existing servers for Exchange, SharePoint, and Skype for Business, which should be updated to their latest versions. You can then combine them with their Office 365 counterparts for hybrid scenarios.

To set up your own Office 365 dev/test environment, see Office 365 Test Lab Guides.

Skype for Business Hybrid

Skype for Business Hybrid lets you combine an existing on-premises deployment with Skype for Business Online. Some users are homed on-premises and some users are homed online, but the users share the same Session Initiation Protocol (SIP) domain, such as contoso.com. You can use this hybrid configuration to migrate from on- premises to Office 365 over time, on your schedule. Skype for Business can also be integrated with Exchange Online.

Figure 2: The Skype for Business hybrid configuration


Figure 2 shows the Skype for Business hybrid configuration, consisting of an on-premises Skype for Business front end pool and edge server communicating with Skype for Business Online in Office 365.

Cloud PBX with Skype for Business Server

Cloud PBX with Skype for Business Server lets you transition an existing Skype for Business Server on-premises deployment to a topology with on-premises Public Switched Telephone Network (PSTN) connectivity.

Figure 3: Cloud PBX with Skype for Business Server


Figure 3 shows the Cloud PBX with Skype for Business Server configuration, consisting of an on-premises existing PBX or Telco gateway, a Skype for Business Server, and the PSTN connected to the Microsoft Cloud PBX in Office 365, which includes Skype for Business Online.

Users in the organization who are homed in the cloud can receive private branch exchange (PBX) services from the Microsoft cloud that include signaling and voicemail, but PSTN connectivity (dial tone) is provided through Enterprise Voice from your on-premises Skype for Business Server deployment.

This is a great example of a hybrid configuration that lets you gradually migrate to a cloud-based service. You can retain your users' voice capabilities as you begin to move them to Skype for Business Online. You can move your users at your own pace, knowing that their voice features will continue no matter where they are homed.

If you do not already have an existing Lync Server or Skype for Business Server deployment, you can use Skype for Business Cloud Connector Edition, a set of packaged virtual machines (VMs) that implement on-premises PSTN connectivity with Cloud PBX.

SharePoint Hybrid

SharePoint hybrid combines SharePoint Online in Office 365 with your on-premises SharePoint farm for a best of both worlds, connected experience.

Figure 4: The SharePoint hybrid configuration


Figure 4 shows the SharePoint hybrid configuration, consisting of an on-premises SharePoint farm communicating with SharePoint Online in Office 365.

SharePoint hybrid scenarios:

It is easy to enable hybrid scenarios using the wizards that automate hybrid configuration, available from the SharePoint Online admin center in Office 365.

Allows users to view and use Office 365 video and Delve apps and experiences within the pages of their on- premises SharePoint farm.

All of these SharePoint hybrid scenarios, except the Extensible hybrid app launcher, are available for both SharePoint 2016 and SharePoint 2013 users.

Exchange Server 2016 Hybrid

With Exchange Server 2016 Hybrid, you can realize the benefits of Exchange Online in Office 365 for online users while on-premises users continue to use existing Exchange Server infrastructure.

Figure 5: The Exchange 2016 hybrid configuration


Figure 5 shows the Exchange 2016 hybrid configuration, consisting of on-premises Exchange mailbox servers communicating with Exchange Online Protection and mailboxes in Office 365.

Some users have an on-premises email server and some users use Exchange Online, but all users share the same e-mail address space.

This hybrid configuration:

- Leverages your existing Exchange Server infrastructure while you migrate to Exchange Online over time, on your schedule.
- Allows you to support remote sites without investing in branch office infrastructure.
- Allows you to route incoming Internet email through Exchange Online Protection in Office 365.
- Serves the needs of multinational organizations with subsidiaries that require data to reside on-premises.

You can also integrate this hybrid configuration with other Microsoft Office 365 applications, including Skype for Business Online and SharePoint Online.

For more information, see Exchange Server Hybrid Deployments.

See Also

Microsoft Hybrid Cloud for Enterprise Architects

Microsoft Cloud IT architecture resources

Hybrid cloud scenarios for Azure PaaS

11/30/2018 • 2 minutes to read

Summary: Understand the hybrid architecture and scenarios for Microsoft's Platform as a Service (PaaS)-based cloud offerings in Azure.

Combine on-premises data or computing resources with new or converted applications running in Azure PaaS, which can take advantage of cloud performance, reliability, and scale and provide better support for mobile users.

Azure PaaS hybrid scenario architecture

Figure 1 shows the architecture of Microsoft PaaS-based hybrid scenarios in Azure.

Figure 1: Microsoft PaaS-based hybrid scenarios in Azure


For each layer of the architecture:

Apps and scenarios

A hybrid PaaS application runs in Azure and uses on-premises compute or storage resources.

Identity

Consists of either directory synchronization or federation with a third-party identity provider.

Network

Consists of either your existing Internet pipe or an ExpressRoute connection with public peering to Azure PaaS. You must include a way for the Azure PaaS application to access the on-premises compute or storage resource.

On-premises

Consists of identity and security infrastructure and existing line of business (LOB) applications or database servers, which an Azure PaaS application can securely access.

Azure PaaS hybrid application

Figure 2 shows the configuration of a hybrid application running in Azure.

Figure 2: Azure PaaS-based hybrid application


In Figure 2, an on-premises network hosts storage or apps on servers and a DMZ containing a proxy server. It is connected to Azure PaaS services either over the Internet or with an ExpressRoute connection.

An organization can make its compute or storage resources available to the Azure PaaS hybrid application by:

- Hosting the resource on servers in the DMZ.
- Hosting a reverse proxy server in the DMZ, which allows authenticated, inbound, HTTPS-based requests to the resource that is located on-premises.

The Azure app can use credentials from:

- Azure AD, which can be synchronized with your on-premises identity provider, such as Windows Server AD.
- A third-party identity provider.

Example Azure PaaS hybrid application

Figure 3 shows an example hybrid application running in Azure.

Figure 3: An example Azure PaaS-based hybrid application


In Figure 3, an on-premises network hosts an LOB app. Azure PaaS hosts a custom mobile app. A smartphone on the Internet accesses the custom mobile app in Azure, which sends data requests to the on-premises LOB app.

This example Azure PaaS hybrid application is a custom mobile app that provides up-to-date contact information on employees. The end-to-end hybrid scenario consists of:

- A smartphone app that requires validated, on-premises credentials to run.
- A custom mobile app running in Azure PaaS, which requests information about specific employees based on queries from a user's smartphone app.
- A reverse proxy server in the DMZ that validates the custom mobile app and forwards the request.
- An LOB application server farm that services the contact request, subject to the permissions of the user's account.

Because the on-premises identity provider has been synchronized with Azure AD, both the custom mobile app and the LOB app can validate the requesting user's account name.
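The validation step described above, as an added example (not code from this page or from Microsoft): a minimal token-checking reverse proxy placed in front of the LOB tier. It assumes the custom mobile app presents a bearer token that carries the user's account name in a upn claim. To run offline, the demo signs tokens with HS256 and a constructed shared secret; Azure AD actually issues RS256-signed tokens that must be verified against the tenant's published signing keys. The issuer, audience, secret, contact data and permission table are all constructed.

```python
"""Token-checking reverse proxy in front of an on-premises LOB app (added example)."""
import base64
import binascii
import hashlib
import hmac
import json
import time

# Assumptions (not from the page): HS256 with a shared secret stands in for
# Azure AD's RS256 signing keys so the example runs with no network access.
DEMO_SECRET = b"constructed-demo-secret-do-not-use"
EXPECTED_ISSUER = "https://sts.windows.net/contoso-tenant-id/"   # constructed
EXPECTED_AUDIENCE = "api://contoso-contacts-proxy"                # constructed


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def demo_token(upn, ttl_seconds, now, aud=EXPECTED_AUDIENCE):
    """Mint an HS256 JWT for the demo; stands in for what Azure AD would issue."""
    claims = {"iss": EXPECTED_ISSUER, "aud": aud, "upn": upn, "exp": now + ttl_seconds}
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_token(token, now=None):
    """Verify algorithm, signature, issuer, audience and expiry; return the claims."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        raise PermissionError("malformed token")
    if header.get("alg") != "HS256":        # never let the token choose the algorithm
        raise PermissionError("unexpected alg")
    expected = hmac.new(DEMO_SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise PermissionError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise PermissionError("wrong audience")
    if now >= claims.get("exp", 0):
        raise PermissionError("token expired")
    if "upn" not in claims:
        raise PermissionError("no user identity in token")
    return claims


# Constructed on-premises LOB data: contact cards and who may read whose card.
LOB_CONTACTS = {"alice@contoso.com": "+33 1 00 00 00 01", "bob@contoso.com": "+33 1 00 00 00 02"}
LOB_CAN_READ = {"alice@contoso.com": {"alice@contoso.com", "bob@contoso.com"},
                "bob@contoso.com": {"bob@contoso.com"}}


def lob_lookup(requesting_upn, target_upn):
    """The LOB app enforces its own permissions on the synchronized account name."""
    if target_upn not in LOB_CAN_READ.get(requesting_upn, set()):
        return 403, "forbidden"
    return 200, LOB_CONTACTS[target_upn]


def proxy_handle(headers, target_upn, now=None):
    """Reverse proxy: nothing reaches the on-premises tier without a valid token."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = validate_token(auth[len("Bearer "):], now)
    except PermissionError as err:
        return 401, str(err)
    # Forward only the verified identity, never the raw token, to the LOB tier.
    return lob_lookup(claims["upn"], target_upn)


def run_demo(now=1_700_000_000):
    """Exercise the proxy with constructed tokens and return the outcomes."""
    alice = demo_token("alice@contoso.com", 600, now)
    bob = demo_token("bob@contoso.com", 600, now)
    a, b = alice.split("."), bob.split(".")
    forged = ".".join([a[0], b[1], a[2]])     # Bob's claims under Alice's signature
    return {
        "alice_reads_bob": proxy_handle({"Authorization": "Bearer " + alice}, "bob@contoso.com", now),
        "bob_reads_alice": proxy_handle({"Authorization": "Bearer " + bob}, "alice@contoso.com", now),
        "expired": proxy_handle({"Authorization": "Bearer " + demo_token("alice@contoso.com", -1, now)},
                                "bob@contoso.com", now),
        "forged": proxy_handle({"Authorization": "Bearer " + forged}, "alice@contoso.com", now),
        "no_token": proxy_handle({}, "bob@contoso.com", now),
    }
```

The proxy checks algorithm, signature, issuer, audience and expiry before it forwards anything, and hands the LOB tier only the verified account name; the LOB application still applies its own permissions, which is why Bob's valid token is rejected when he asks for Alice's card.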

See Also

Microsoft Hybrid Cloud for Enterprise Architects

Microsoft Cloud IT architecture resources

Hybrid cloud scenarios for Azure IaaS

12/5/2018 • 5 minutes to read

Summary: Understand the hybrid architecture and scenarios for Microsoft's Infrastructure as a Service (IaaS)-based cloud offerings in Azure.

Extend your on-premises computing and identity infrastructure into the cloud by hosting IT workloads running in cross-premises Azure virtual networks (VNets).

Azure IaaS hybrid scenario architecture

Figure 1 shows the architecture of Microsoft IaaS-based hybrid scenarios in Azure.

Figure 1: Microsoft IaaS-based hybrid scenarios in Azure


For each layer of the architecture:

Apps and scenarios

An IT workload is typically a multi-tier, highly-available application composed of Azure virtual machines (VMs).

Identity

Add identity servers, such as Windows Server AD domain controllers, to the set of servers running in Azure VNets for local authentication.

Network

Use either a site-to-site VPN connection over the Internet or an ExpressRoute connection with private peering to Azure IaaS.

On-premises

Contains identity servers that are synchronized with the identity servers running in Azure. Can also contain resources that VMs running in Azure can access, such as storage and systems management infrastructure.

Directory synchronization server for Office 365

Running your directory synchronization server from an Azure VNet, as shown in Figure 2, is an example of extending your computing and identity infrastructure to the cloud.

Figure 2: Directory synchronization server for Office 365 in Azure IaaS


In Figure 2, an on-premises network hosts a Windows Server AD infrastructure, with a proxy server and a router at its edge. The router connects to an Azure gateway at the edge of an Azure VNet with a site-to-site VPN or ExpressRoute connection. Inside the VNet, a directory synchronization server runs Azure AD Connect.

A directory synchronization server for Office 365 synchronizes the list of accounts in Windows Server AD with the Azure AD tenant of an Office 365 subscription.

A directory synchronization server is a Windows-based server that runs Azure AD Connect. For faster provisioning or to reduce the number of on-premises servers in your organization, deploy your directory synchronization server in a virtual network (VNet) in Azure IaaS.

The directory synchronization server polls Windows Server AD for changes and then synchronizes them with the Office 365 subscription.

For more information, see Deploy Office 365 Directory Synchronization in Microsoft Azure.

Line of business (LOB) application

Figure 3 shows the configuration of a server-based LOB application running in Azure IaaS.

Figure 3: LOB application in Azure IaaS


In Figure 3, an on-premises network hosts an identity infrastructure and users. It is connected to an Azure IaaS gateway with a site-to-site VPN or ExpressRoute connection. Azure IaaS hosts a virtual network containing the servers of the LOB application.

You can create LOB applications running on Azure VMs, which reside on subnets of an Azure VNet in an Azure datacenter (also known as a location).

Because you are essentially extending your on-premises infrastructure to Azure, you must assign unique private address space to your VNets and update your on-premises routing tables to ensure reachability to each VNet.
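As an added example of the address-plan check this step implies (not code from the page): using Python's standard ipaddress module, the function below verifies that every VNet address space is private, that each subnet lies inside its VNet, and that no two address spaces (on-premises or VNet) overlap, then lists the static routes the on-premises router needs toward the gateway. The address plan and the gateway next hop are constructed.

```python
"""Check a cross-premises address plan for private, non-overlapping space (added example)."""
from ipaddress import ip_network

# Constructed address plan, not from the page: on-premises ranges plus one
# address space per Azure VNet, each carved into per-tier subnets.
ON_PREMISES = ["10.0.0.0/16", "192.168.10.0/24"]
VNETS = {
    "vnet-lob": {"space": "10.1.0.0/16",
                 "subnets": {"web": "10.1.1.0/24", "app": "10.1.2.0/24", "sql": "10.1.3.0/24"}},
    "vnet-spfarm": {"space": "10.2.0.0/16",
                    "subnets": {"web": "10.2.1.0/24", "app": "10.2.2.0/24",
                                "sql": "10.2.3.0/24", "dc": "10.2.4.0/24"}},
}


def plan_problems(on_premises, vnets):
    """Return a list of problems; an empty list means the plan is usable."""
    problems = []
    spaces = [("on-premises", ip_network(p)) for p in on_premises]
    for name, vnet in vnets.items():
        space = ip_network(vnet["space"])
        if not space.is_private:
            problems.append(f"{name}: {space} is not private address space")
        for sub_name, prefix in vnet["subnets"].items():
            if not ip_network(prefix).subnet_of(space):
                problems.append(f"{name}/{sub_name}: {prefix} is outside {space}")
        spaces.append((name, space))
    # Every pair of address spaces must be disjoint; once the VNets are connected,
    # a route for one overlapping space would hide the other.
    for i, (name_a, a) in enumerate(spaces):
        for name_b, b in spaces[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{name_a} {a} overlaps {name_b} {b}")
    return problems


def on_premises_routes(vnets, gateway_next_hop):
    """Static routes for the on-premises router: one per VNet space via the VPN/ExpressRoute gateway."""
    return sorted((vnet["space"], gateway_next_hop) for vnet in vnets.values())
```

Run plan_problems against the real on-premises ranges before creating the VNets; fixing an overlap after VMs have addresses means renumbering a tier.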

Once connected, these VMs can be managed with remote desktop connections or with your systems management software, just like your on-premises servers.

By configuring publicly exposed ports, these VMs can also be accessed from the Internet by mobile or remote users.

For a proof-of-concept configuration, see Simulated cross-premises virtual network in Azure.

Attributes of LOB applications hosted on Azure VMs are the following:

Multiple tiers

Typical LOB applications use a tiered approach. Sets of servers provide identity, database processing, application and logic processing, and front-end web servers for employee or customer access.

High availability

Typical LOB applications provide high availability by using multiple servers in each tier. Azure IaaS provides a 99.95% uptime SLA for VMs deployed in Azure availability sets (two or more instances per set).

Load distribution

To distribute the load of network traffic among multiple servers in a tier, you can use an Internet-facing or internal Azure load balancer. Or, you can use a dedicated load balancer appliance available from the Azure marketplace.

Security

To protect servers from unsolicited incoming traffic from the Internet, you can use Azure network security groups. You can define allowed or denied traffic for a subnet or the network interface of an individual virtual machine.
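As an added illustration (not Microsoft's code) of how network security group rules are applied: the simulation below orders rules by priority, applies the first match, and falls through to Azure's default inbound rules. The VirtualNetwork, Internet and AzureLoadBalancer service tags are modelled with constructed prefixes, and the subnet plan and rule names are assumptions. It also shows a caveat worth checking in any design: the default AllowVnetInBound rule admits every host in the connected address space, so limiting a SQL subnet to the web tier needs an explicit deny rule with a lower priority number than 65000.

```python
"""Simulate Azure NSG inbound rule evaluation (added example, not Microsoft's code)."""
from ipaddress import ip_address, ip_network

# Constructed address plan, not from the page. The VirtualNetwork tag covers the
# VNet space plus connected on-premises space; modelled here as two prefixes.
VIRTUAL_NETWORK = [ip_network("10.1.0.0/16"), ip_network("10.0.0.0/16")]
WEB_SUBNET = "10.1.1.0/24"
AZURE_LB_PROBE = ip_address("168.63.129.16")   # source of Azure load balancer health probes


def rule(name, priority, access, src, dst_port, proto="Tcp"):
    """An NSG rule reduced to the fields that decide an inbound flow."""
    return {"name": name, "priority": priority, "access": access,
            "src": src, "dst_port": dst_port, "proto": proto}


# Azure's built-in inbound rules; custom rules must use priorities below 65000.
DEFAULT_INBOUND = [
    rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*", "*"),
    rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*", "*"),
    rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def _source_matches(src, src_ip):
    addr = ip_address(src_ip)
    in_vnet = any(addr in net for net in VIRTUAL_NETWORK)
    if src == "*":
        return True
    if src == "VirtualNetwork":
        return in_vnet
    if src == "Internet":              # address space outside the VirtualNetwork tag
        return not in_vnet
    if src == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE
    return addr in ip_network(src)     # explicit CIDR


def _port_matches(rule_port, dst_port):
    if rule_port == "*":
        return True
    text = str(rule_port)
    if "-" in text:
        low, high = (int(x) for x in text.split("-"))
        return low <= dst_port <= high
    return int(text) == dst_port


def evaluate_inbound(custom_rules, src_ip, dst_port, proto="Tcp"):
    """Lowest priority number wins; the first matching rule decides the flow."""
    for r in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if r["proto"] != "*" and r["proto"] != proto:
            continue
        if _source_matches(r["src"], src_ip) and _port_matches(r["dst_port"], dst_port):
            return r["access"], r["name"]
    return "Deny", "DenyAllInBound"    # not reached: the default deny matches everything


# Front-end subnet: only HTTPS from the Internet; RDP from on-premises still
# arrives through AllowVnetInBound because on-premises space is part of the tag.
WEB_NSG = [rule("AllowHttpsFromInternet", 100, "Allow", "Internet", 443)]

# SQL subnet, first attempt: allow 1433 from the web tier. Every other host in the
# VNet (or on-premises) still gets in through the default AllowVnetInBound rule.
SQL_NSG_LOOSE = [rule("AllowSqlFromWeb", 100, "Allow", WEB_SUBNET, 1433)]

# SQL subnet, hardened: an explicit VirtualNetwork deny ahead of the default rules.
SQL_NSG_HARDENED = SQL_NSG_LOOSE + [rule("DenyVnetInBound", 4000, "Deny", "VirtualNetwork", "*", "*")]
```

The hardened rule set keeps the load balancer health probes working because the probe source is matched by the AzureLoadBalancer tag, not by VirtualNetwork; check that before adding a blanket deny to a subnet that sits behind an internal load balancer.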

SharePoint Server 2016 farm in Azure

An example of a multi-tier, highly-available LOB application in Azure is a SharePoint Server 2016 farm, as shown in Figure 4.

Figure 4: A high-availability SharePoint Server 2016 farm in Azure IaaS


In Figure 4, an on-premises network hosts an identity infrastructure and users. It is connected to an Azure IaaS gateway with a site-to-site VPN or ExpressRoute connection. The Azure VNet contains the servers of the SharePoint Server 2016 farm, which includes separate tiers for the front-end servers, the application servers, the SQL Server cluster, and the domain controllers.

This configuration has the following attributes of LOB applications in Azure:

Tiers

Servers running different roles within the farm create the tiers and each tier has its own subnet.

High availability

Achieved by using more than one server in each tier and placing all the servers of a tier in the same availability set.

Load distribution

Internal Azure load balancers distribute the incoming client web traffic to the front-end servers (WEB1 and WEB2) and to the listener IP address of the SQL Server cluster (SQL1, SQL2, and MN1).

Security

Network security groups for each subnet let you configure the allowed inbound and outbound traffic.

Follow this path for successful adoption:

1. Evaluate and experiment

See SharePoint Server 2016 in Microsoft Azure to understand the benefits of running SharePoint Server 2016 in Azure.

See Intranet SharePoint Server 2016 in Azure dev/test environment to build a simulated dev/test environment.

2. Design

See Designing a SharePoint Server 2016 farm in Azure to step through a process to determine the set of Azure IaaS networking, compute, and storage elements to host your farm and their settings.

3. Deploy

See Deploying SharePoint Server 2016 with SQL Server AlwaysOn Availability Groups in Azure to step through the end-to-end configuration of the high-availability farm in five phases.

Federated identity for Office 365 in Azure

Another example of a multi-tier, highly-available LOB application in Azure is federated identity for Office 365.

Figure 5: A high-availability federated identity infrastructure for Office 365 in Azure IaaS


In Figure 5, an on-premises network hosts an identity infrastructure and users. It is connected to an Azure IaaS gateway with a site-to-site VPN or ExpressRoute connection. The Azure VNet contains web proxy servers, Active Directory Federation Services (AD FS) servers, and Windows Server Active Directory (AD) domain controllers.

This configuration has the following attributes of LOB applications in Azure:

Tiers: There are tiers for web proxy servers, AD FS servers, and Windows Server AD domain controllers.

Load distribution: An external Azure load balancer distributes the incoming client authentication requests to the web proxies, and an internal Azure load balancer distributes authentication requests to the AD FS servers.

Follow this path for successful adoption:

1. Evaluate and experiment

See Federated identity for your Office 365 dev/test environment to build a simulated dev/test environment for federated authentication with Office 365.

2. Deploy

See Deploy high availability federated authentication for Office 365 in Azure to step through the end-to-end configuration of the high availability AD FS infrastructure in five phases.

See Also

Microsoft Hybrid Cloud for Enterprise Architects

Microsoft Cloud IT architecture resources

Subscriptions, licenses, accounts, and tenants for Microsoft's cloud offerings

3/13/2019 • 6 minutes to read

Summary: Understand the relationships of organizations, subscriptions, licenses, user accounts, and tenants across Microsoft's cloud offerings.

Microsoft provides a hierarchy of organizations, subscriptions, licenses, and user accounts for consistent use of identities and billing across its cloud offerings:

- Microsoft Office 365: see business plans and pricing for more information.
- Microsoft Azure: see Azure pricing for more information.
- Microsoft Intune and Enterprise Mobility + Security (EMS): see Intune pricing for more information.
- Microsoft Dynamics 365: see Dynamics 365 pricing for more information.

Elements of the hierarchy

Here are the elements of the hierarchy:

Organization: An organization represents a business entity that is using Microsoft cloud offerings, typically identified by one or more public Domain Name System (DNS) domain names, such as contoso.com. The organization is a container for subscriptions.

Subscriptions: A subscription is an agreement with Microsoft to use one or more Microsoft cloud platforms or services, for which charges accrue based on either a per-user license fee or on cloud-based resource consumption. Microsoft's Software as a Service (SaaS)-based cloud offerings (Office 365, Intune/EMS, and Dynamics 365) charge per-user license fees. Microsoft's Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) cloud offerings (Azure) charge based on cloud resource consumption.

You can also use a trial subscription, but it expires after a specific amount of time or a specific amount of consumption charges. You can convert a trial subscription to a paid subscription.

Organizations can have multiple subscriptions for Microsoft's cloud offerings. Figure 1 shows an example.

Figure 1: Example of multiple subscriptions for an organization

Figure 1 shows a single organization that has multiple Office 365 subscriptions, an Intune subscription, a Dynamics 365 subscription, and multiple Azure subscriptions.

Licenses: For Microsoft's SaaS cloud offerings, a license allows a specific user account to use the services of the cloud offering. You are charged a fixed monthly fee as part of your subscription. Administrators assign licenses to individual user accounts in the subscription. For the example in Figure 2, the Contoso Corporation has an Office 365 Enterprise E5 subscription with 100 licenses, which allows up to 100 individual user accounts to use Enterprise E5 features and services.

Figure 2: Licenses within the SaaS-based subscriptions for an organization


For Azure PaaS-based cloud services, software licenses are built into the service pricing.

For Azure IaaS-based virtual machines, additional licenses to use the software or application installed on a virtual machine image might be required. Some virtual machine images have licensed versions of software installed and the cost is included in the per-minute rate for the server. Examples are the virtual machine images for SQL Server 2014 and SQL Server 2016.

Some virtual machine images have trial versions of applications installed and need additional software application licenses for use beyond the trial period. For example, the SharePoint Server 2016 Trial virtual machine image includes a trial version of SharePoint Server 2016 pre-installed. To continue using SharePoint Server 2016 after the trial expiration date, you must purchase a SharePoint Server 2016 license and client licenses from Microsoft. These charges are separate from the Azure subscription, and the per-minute rate to run the virtual machine still applies.

User accounts: User accounts for all of Microsoft's cloud offerings are stored in an Azure Active Directory (AD) tenant, which contains user accounts and groups. An Azure AD tenant can be synchronized with your existing Windows Server AD accounts using Azure AD Connect, a Windows server-based service. This is known as directory synchronization (DirSync).

Figure 3 shows an example of multiple subscriptions of an organization using a common Azure AD tenant that contains the organization's accounts.

Figure 3: Multiple subscriptions of an organization that use the same Azure AD tenant


Tenants: For SaaS cloud offerings, the tenant is the regional location that houses the servers providing cloud services. For example, the Contoso Corporation chose the European region to host its Office 365, EMS, and Dynamics 365 tenants for the 15,000 workers in their Paris headquarters.

Azure PaaS services and virtual machine-based workloads hosted in Azure IaaS can have tenancy in any Azure datacenter across the world. You specify the Azure datacenter, known as the location, when you create the Azure PaaS app or service or element of an IaaS workload.

An Azure AD tenant is a specific instance of Azure AD containing accounts and groups. Paid or trial subscriptions of Office 365, Dynamics 365, or Intune/EMS include a free Azure AD tenant. This Azure AD tenant does not include other Azure services and is not the same as an Azure trial or paid subscription.

Summary of the hierarchy

Here is a quick recap:

- An organization can have multiple subscriptions
- A subscription can have multiple licenses
- Licenses can be assigned to individual user accounts
- User accounts are stored in an Azure AD tenant

Here is an example of the relationship of organizations, subscriptions, licenses, and user accounts:

- An organization identified by its public domain name.
- An Office 365 Enterprise E3 subscription with user licenses.
- An Office 365 Enterprise E5 subscription with user licenses.
- An EMS subscription with user licenses.
- A Dynamics 365 subscription with user licenses.
- Multiple Azure subscriptions.
- The organization's user accounts in a common Azure AD tenant.

Multiple Microsoft cloud offering subscriptions can use the same Azure AD tenant that acts as a common identity provider. A central Azure AD tenant that contains the synchronized accounts of your on-premises Windows Server AD provides cloud-based Identity as a Service (IDaaS) for your organization. This is shown in Figure 4.

Figure 4: Synchronized on-premises accounts and IDaaS for an organization


Figure 4 shows how a common Azure AD tenant is used by Microsoft's SaaS cloud offerings, Azure PaaS apps, and virtual machines in Azure IaaS that use Azure AD Domain Services. Azure AD Connect synchronizes the on-premises Windows Server AD forest with the Azure AD tenant.

Combining subscriptions for multiple Microsoft cloud offerings

The following table describes how you can combine multiple Microsoft cloud offerings based on already having a subscription for one type of cloud offering (the labels going down the first column) and adding a subscription for a different cloud offering (going across the columns).

 

OFFICE 365

AZURE

INTUNE/EMS

DYNAMICS 365

Office 365

NA

You add an Azure subscription to your organization from the Azure portal.

You add an Intune/EMS subscription to your organization from the Microsoft 365 admin center.

You add a Dynamics

 

365

subscription to

your organization from the Microsoft

 

365

admin center.

Azure

You add an Office 365 subscription to your organization.

NA

You add an Intune/EMS subscription to your organization.

You add a Dynamics

365

subscription to

your organization.

Intune/EMS

You add an Office 365 subscription to your organization.

You add an Azure subscription to your organization from the Azure portal.

NA

You add a Dynamics

365

subscription to

your organization.

Dynamics 365

You add an Office 365 subscription to your organization.

You add an Azure subscription to your organization from the Azure portal.

You add an Intune/EMS subscription to your organization.

NA

An easy way to add subscriptions to your organization for Microsoft SaaS-based services is through the Office 365 Admin center:

1. Sign in to the Microsoft 365 admin center (https://admin.microsoft.com) with your global administrator account.

2. From the left navigation of the Admin center home page, click Billing, and then Purchase services.

3. On the Purchase services page, purchase your new subscriptions.

The Office 365 Admin center assigns the organization and Azure AD tenant of your Office 365 subscription to the new subscriptions for SaaS-based cloud offerings.

To add an Azure subscription with the same organization and Azure AD tenant as your Office 365 subscription:

1. Sign in to the Azure portal (https://portal.azure.com) with your Office 365 global administrator account.

2. In the left navigation, click Subscriptions, and then click Add.

3. On the Add subscription page, select an offer and complete the payment information and agreement.

If you purchased Azure and Office 365 subscriptions separately and want to access the Office 365 Azure AD tenant from your Azure subscription, see the instructions in Associate an Office 365 tenant with an Azure subscription.
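The tenant relationship described above (one Azure AD tenant acting as the identity provider for your Office 365, EMS, Dynamics 365 and Azure subscriptions) can be verified from PowerShell. The following script is an added example, not part of this article or of Microsoft's documentation; it assumes the Az and AzureAD modules are installed, that you sign in with a global administrator account, and that the expected tenant ID you pass in is a placeholder you replace with your own tenant's GUID.

```powershell
# Added example (not from the article): check that every Azure subscription the
# signed-in account can see is bound to the same Azure AD tenant as your Office 365
# subscription, then summarise the per-user license SKUs that live in that tenant.
# Assumes the Az and AzureAD PowerShell modules are installed.

param(
    # Placeholder: the Azure AD tenant ID (GUID) that holds your Office 365 user accounts.
    # Leave empty to use the tenant of the Azure AD session you sign in to below.
    [string]$ExpectedTenantId = ''
)

# Sign in to Azure AD, the common identity provider for the SaaS subscriptions.
Connect-AzureAD | Out-Null
$tenant = Get-AzureADTenantDetail
if (-not $ExpectedTenantId) { $ExpectedTenantId = $tenant.ObjectId }
Write-Host "Azure AD tenant: $($tenant.DisplayName) ($ExpectedTenantId)"

# Sign in to Azure Resource Manager and enumerate subscriptions across all tenants
# the account can reach; each subscription carries the TenantId it trusts for identity.
Connect-AzAccount | Out-Null
$subscriptions = Get-AzSubscription

$matching = $subscriptions | Where-Object { $_.TenantId -eq $ExpectedTenantId }
$foreign  = $subscriptions | Where-Object { $_.TenantId -ne $ExpectedTenantId }

Write-Host "`nAzure subscriptions using the expected tenant:"
$matching | Select-Object Name, Id, State | Format-Table -AutoSize

if ($foreign) {
    # A subscription bound to another tenant authenticates against a different set of
    # accounts, so the Office 365 tenant's users, admin roles and conditional access
    # policies do not govern it. These are the ones to associate with the Office 365
    # tenant (see the link in the preceding paragraph) or to account for explicitly.
    Write-Warning "Subscriptions bound to a different Azure AD tenant:"
    $foreign | Select-Object Name, Id, TenantId | Format-Table -AutoSize
}

# Per-user license SKUs (Office 365, EMS, Dynamics 365) are held by the tenant,
# not by any Azure subscription; compare purchased units with assigned ones.
Write-Host "`nLicense SKUs in tenant ${ExpectedTenantId}:"
Get-AzureADSubscribedSku |
    Select-Object SkuPartNumber,
                  @{ Name = 'Enabled';  Expression = { $_.PrepaidUnits.Enabled } },
                  @{ Name = 'Consumed'; Expression = { $_.ConsumedUnits } } |
    Format-Table -AutoSize
```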

See Also

Microsoft Cloud IT architecture resources

Cloud adoption Test Lab Guides (TLGs)

Architectural models for SharePoint, Exchange, Skype for Business, and Lync

Architectural models for SharePoint, Exchange, Skype for Business, and Lync

11/1/2018 • 7 minutes to read

Summary: Get the IT posters that describe the architectural models, deployment, and platform options for SharePoint, Exchange, Skype for Business, and Lync.

These IT posters describe the architectural models and deployment options for SharePoint, Exchange, Skype for Business, and Lync, and they provide design information for deploying SharePoint in Microsoft Azure.

With Office 365, you can provide the collaboration and communication services your users are familiar with as a cloud-based service. With a few exceptions, the user experience remains the same whether you are maintaining an on-premises deployment or using Office 365. This unified user experience makes it less straightforward to decide where to place each workload and raises questions such as:

- How do you determine which platform option to choose for your individual workloads?

- Does it make sense to keep any service on-premises?

- What is a scenario where a hybrid deployment is appropriate?

- How does Microsoft Azure fit in the picture?

- What are the supported configurations for Office Server workloads in Azure?

TIP: Most of the posters on this page are available in multiple languages, including Chinese, English, French, German, Italian, Japanese, Korean, Portuguese, Russian, and Spanish. To download a poster in one of these languages, click the More languages link for that poster.

Let us know what you think! Send us email at cloudadopt@microsoft.com.

This page links you to the following posters:

Architectural models posters

You can use these resources to determine your ideal platform and configuration for SharePoint 2016 and Skype for Business 2015.

- Microsoft SharePoint 2016 Architectural Models

- Multi-Geo Capabilities in OneDrive and SharePoint Online in Office 365

- SharePoint Server 2016 Databases

- Microsoft Skype for Business 2015 Architectural Models

Platform options posters

You can use these resources to determine your ideal platform and configuration for SharePoint 2013, Exchange 2013, and Lync 2013.

- SharePoint 2013 Platform Options

- Exchange 2013 Platform Options

- Lync 2013 Platform Options

SharePoint Server 2013 in Azure solutions posters

You can use these IT posters to determine the design and configuration for SharePoint Server 2013 workloads in Azure infrastructure services.

- Internet sites in Microsoft Azure using SharePoint Server 2013

- Design sample: Internet sites in Microsoft Azure for SharePoint 2013

- SharePoint Disaster Recovery to Microsoft Azure

Architectural models posters

These new IT posters for SharePoint 2016 and Skype for Business 2015 provide a way to compare the various deployment methods in an easy-to-print format. Each poster provides a list of all the configurations or platform options available and gives you the following information for each option:

- Overview: A brief summary of the platform, including a conceptual diagram.

- Best for: Common scenarios that are ideally suited for the particular platform.

- License requirements: The licenses you need for deployment.

- Architecture tasks: The decisions you need to make as an architect.

- IT Pro tasks or responsibilities: The daily responsibilities that your IT staff needs to plan for.

Microsoft SharePoint 2016 Architectural Models

ITEM: PDF | Visio | More languages

DESCRIPTION: This IT poster describes the SharePoint Online, Microsoft Azure, and SharePoint on-premises configurations that business decision makers and solutions architects need to know about.

- SharePoint Online (SaaS) - Consume SharePoint through a Software as a Service (SaaS) subscription model.

- SharePoint Hybrid - Move your SharePoint sites and apps to the cloud at your own pace.

- SharePoint in Azure (IaaS) - You extend your on-premises environment into Microsoft Azure and deploy SharePoint 2016 Servers there. (This is recommended for High Availability/Disaster Recovery and dev/test environments.)

- SharePoint On-premises - You plan, deploy, maintain and customize your SharePoint environment in a datacenter that you maintain.

Multi-Geo Capabilities in OneDrive and SharePoint Online in Office 365

ITEM: PDF | Visio

DESCRIPTION: This poster is a one-page overview of Multi-Geo Capabilities in OneDrive and SharePoint Online in Office 365. This model includes:

- Benefits

- Steps for deployment

- An example configuration

For more information about Multi-Geo Capabilities in OneDrive and SharePoint Online in Office 365, click here.

SharePoint Server 2016 Databases

ITEM: PDF | Visio | More languages

DESCRIPTION: This IT poster is a quick reference guide for SharePoint Server 2016 databases. Each database has the following details:

- Size

- Scaling guidance

- I/O patterns

- Requirements

The first page has the SharePoint system databases and the service applications that have multiple databases. The second page shows all of the service applications that have single databases.

For more information about the SharePoint Server 2016 databases, see Database types and descriptions in SharePoint Server 2016.

Microsoft Skype for Business 2015 Architectural Models

ITEM: PDF | Visio | More languages

DESCRIPTION: This poster describes the Skype for Business Online, on-premises, hybrid, cloud PBX, and integration with Exchange and SharePoint configurations that business decision makers and solutions architects need to know about.

It is intended for the IT Pro audience to raise awareness of the different fundamental architectural models through which Skype for Business Online and Skype for Business on-premises can be consumed.

Start with whichever configuration best suits your organization's needs and future plans. Consider and use others as needed. For example, you might want to consider integration with Exchange and SharePoint or a solution that takes advantage of Microsoft's Cloud PBX offering.

Platform options posters

These IT posters for SharePoint 2013, Exchange 2013, and Lync 2013 provide a way to compare the various deployment methods at a single glance in a large poster format. Each poster provides a list of all the configurations or platform options available and gives you the following information for each option:

- Overview: A brief summary of the platform, including a conceptual diagram.

- Best for: Common scenarios that are ideally suited for the particular platform.

- License requirements: The licenses you need for deployment.

- Architecture tasks: The decisions you need to make as an architect.

- IT Pro tasks or responsibilities: The daily responsibilities that your IT staff needs to plan for.

SharePoint 2013 Platform Options

ITEM: PDF | Visio | More languages

DESCRIPTION: For business decision makers (BDMs) and architects, this model shows the platform options for SharePoint 2013, SharePoint in Office 365, on-premises hybrid with Office 365, Azure, and on-premises only deployments. It includes an overview of each architecture, recommendations, license requirements, and lists of architect and IT Pro tasks for each platform. Several SharePoint solutions on Azure are highlighted.

Exchange 2013 Platform Options

ITEM: PDF | Visio | More languages

DESCRIPTION: For BDMs and architects, this model describes the available platform options for Exchange 2013. Customers can choose from Exchange Online with Office 365, Hybrid Exchange, Exchange Server on-premises and Hosted Exchange. The poster includes details of each architectural option, including the most ideal scenarios for each, the license requirements and IT Pro responsibilities.

Lync 2013 Platform Options

ITEM: PDF | Visio | More languages

DESCRIPTION: For BDMs and architects, this model describes the available platform options for Lync 2013. Customers can choose from Lync Online with Office 365, Hybrid Lync, Lync Server on-premises and Hosted Lync. The IT poster includes details of each architectural option, including the most ideal scenarios for each, the license requirements and IT Pro responsibilities.

SharePoint in Azure solutions posters

These IT posters show Azure-based solutions using SharePoint Server 2013 in a large poster format.

Internet sites in Microsoft Azure using SharePoint Server 2013

ITEM: PDF | Visio | More languages

DESCRIPTION: This poster outlines key design activities and recommended architecture choices for Internet-facing sites in Azure. For an accessible text version of this poster, see Accessible diagram - Internet sites in Microsoft Azure for SharePoint 2013.

For more information, see the following articles:

Design sample: Internet sites in Microsoft Azure for SharePoint 2013

ITEM: PDF | Visio | More languages

DESCRIPTION: Use this design sample as a starting point for your own architecture for an Internet-facing site in Azure using SharePoint Server 2013. For an accessible text version of this poster, see Accessible diagram - Design sample: Internet sites in Microsoft Azure for SharePoint 2013.

For more information, see the following articles:

SharePoint Disaster Recovery to Microsoft Azure

ITEM: PDF | Visio | More languages

DESCRIPTION: This IT poster shows architecture principles for a disaster recovery environment in Azure. For an accessible text version of this poster, see Accessible diagram - SharePoint Disaster Recovery to Microsoft Azure.

For more information, see the following articles:

See Also

Cloud adoption and hybrid solutions

Microsoft Cloud IT architecture resources

Cloud adoption Test Lab Guides (TLGs)

Hybrid solutions

Get your organization ready for Office 365 Enterprise

2/19/2019 • 2 minutes to read

What do you need to do to get ready for Office 365?

Most organizations don't need to do anything to prepare for Office 365. It's an application on the web and people are able to use it as soon as they have an account. Other organizations have more locations, security practices, or other requirements that create the need for more planning. For enterprise-level organizations, follow the checklist items below to get started with Office 365.

If you want help getting Office 365 set up, FastTrack is the easiest way to deploy Office 365. You can also sign in and use the Deployment advisors for Office 365 services.

CHOOSE ONE OR MORE TO GET STARTED:

- Microsoft Office Professional, Office 365, Office 365 ProPlus, and each Office application for Windows, Mac, iOS, and Android all have specific system requirements. Ensure your hardware and software meet the minimum system requirements.

- Recommends changes to directory objects and offers to automate the changes for you.

- More details on using the IdFix tool.

Read our network performance guidance and use our tools to ensure you have the connectivity and performance configuration necessary to provide people with the best experience.

Use our planning checklist as a starting place for building your own deployment plan.

- In-depth overview of possible areas you'll need to plan for with links to reference or how-to information to help you plan.

Use the Exchange Server Large Item Script to find mail items that may be too large to migrate.

- Uses Exchange Web Services to impersonate, access, scan the mailbox for file sizes you specify, and dumps the results in a CSV file. Read the detailed instructions on how to use the script.

Take advantage of Microsoft deployment experts who can help you from planning to helping everyone start using the new services and applications. Use the Deployment wizards for Office 365 services to get customized set up guidance.

- The Onboarding center works directly with customers and with partner organizations. Give them a call today.

- Communication with everyone before, during, and after the transition to Office 365 is critical.

- Use our templates, guides, and handouts to improve your communications.

CHOOSE ONE OR MORE TO GET STARTED:

Read the article Office 365 Network Connectivity Principles to understand the connectivity principles for securely managing Office 365 traffic and getting the best possible performance.

- This article will help you understand the most recent guidance for securely optimizing Office 365 network connectivity.

Want to talk with support?

We're here to help; contact support for business products.

Subscriptions, licenses, accounts, and tenants for Microsoft's cloud offerings

3/13/2019 • 6 minutes to read

Summary: Understand the relationships of organizations, subscriptions, licenses, user accounts, and tenants across Microsoft's cloud offerings.

Microsoft provides a hierarchy of organizations, subscriptions, licenses, and user accounts for consistent use of identities and billing across its cloud offerings:

- Microsoft Office 365: See business plans and pricing for more information.

- Microsoft Azure: See Azure pricing for more information.

- Microsoft Intune and the Enterprise Mobility + Security (EMS): See Intune pricing for more information.

- Microsoft Dynamics 365: See Dynamics 365 pricing for more information.

Elements of the hierarchy

Here are the elements of the hierarchy:

Organization: An organization represents a business entity that is using Microsoft cloud offerings, typically identified by one or more public Domain Name System (DNS) domain names, such as contoso.com. The organization is a container for subscriptions.

Subscriptions: A subscription is an agreement with Microsoft to use one or more Microsoft cloud platforms or services, for which charges accrue based on either a per-user license fee or on cloud-based resource consumption. Microsoft's Software as a Service (SaaS)-based cloud offerings (Office 365, Intune/EMS, and Dynamics 365) charge per-user license fees. Microsoft's Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) cloud offerings (Azure) charge based on cloud resource consumption.

You can also use a trial subscription, but the subscription expires after a specific amount of time or after a set amount of consumption charges. You can convert a trial subscription to a paid subscription.

Organizations can have multiple subscriptions for Microsoft's cloud offerings. Figure 1 shows an example.

Figure 1: Example of multiple subscriptions for an organization

Figure 1 shows a single organization that has multiple Office 365 subscriptions, an Intune subscription, a Dynamics 365 subscription, and multiple Azure subscriptions.