BRK3081
Implementing a modern network architecture to get the most out of Office 365

Paul Collinge, Senior Program Manager, Office 365 Engineering - CXP
Jeff Mealiffe, Principal Program Manager, Office 365 Engineering - CXP
The enterprise connectivity challenge

[Diagram: users at a hotel, coffee shop and home office connect over VPN; head office and branch office sit on an MPLS WAN with WAN accelerators, and all Internet traffic leaves through a central firewall / NGFW and proxy server in the customer datacenter before reaching the ISP and the Microsoft Global Network]

Contoso customer:
• 80,000 enterprise users
• Multiple workloads: EXO, SPO, SfBO/Teams
• ~100 branch offices worldwide
• MPLS backbone with elements of WAN acceleration
• Centralized network egress architecture through 2 datacenters in the US
• State of the art security perimeter: Proxy, AFW, DLP, CASB, DPI, SSL B&I
• User is in Sydney office
Demo: Office 365 – Centralized network egress

Measured results in the demo (centralized egress through the WAN and the datacenter ISP):
Latency to O365 front door: ~215 ms
Search: 320-450 ms
EOA and Calendar: dreadful experience
SharePoint download: ~300 sec
Skype for Business call quality: packet loss 4%, RTT 198 ms, jitter 63 ms
Office 365 Connectivity Guidance

Office 365 connectivity principles (aka.ms/o365ip)
• Differentiate traffic: identify and differentiate Office 365 traffic using Microsoft published endpoints data
• Egress connections: egress Office 365 data connections as close to the user as practical, with matching DNS resolution
• Optimize route length: avoid network hairpins and optimize connectivity directly into the nearest entry point into Microsoft’s network
• Assess network security: assess bypassing proxies, traffic inspection devices and duplicate security which is available in Office 365
New URL and IP categories and web services API
• Continued efforts to consolidate/reduce Office 365 IP subnets and URLs
• New, priority driven endpoint taxonomy (http://aka.ms/ipurlblog) for easier customer network optimization
• Categories are based on importance/impact to user experience and network optimization ROI, allowing customers to do incremental network optimizations for Office 365
• Web services API (http://aka.ms/ipurlws) to support automation by customers and partners (a REST API consumed by customers and partners)
• Focus on key Office 365 experiences first:
  EXO: 2 FQDNs / ~20 IP subnets
  SPO: 2 FQDNs / ~15 IP subnets
  SfBO/Teams: 2 IP subnets
Endpoint categories: Optimize / Allow / Default

Optimize (consolidated O365 endpoints: <10 FQDNs, ~100 IPs)
• Highest impact on end user performance
• Highly network trusted by customers
• High volume
• Most sensitive to network latency/QoS
• Expect low rate of change
• Bypass of SSL break & inspect required
• Proxy bypass strongly recommended
• First priority for local and direct Internet egress

Allow (consolidated O365 endpoints: ~100 FQDNs, 100s of IPs and URLs)
• Network trusted by customers
• Medium to low volume
• Connectivity must never be blocked
• Proxy or firewall capable
• Bypass of SSL break & inspect recommended
• Suggested for local and direct Internet egress

Default (legacy O365 endpoints: ~1000 URLs, the rest)
• Default network treatment (i.e. generic Internet)
• Optional services with description of functionality loss
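The category taxonomy and the web service are what a network team automates against: Optimize endpoints go on the proxy bypass and SSL break-and-inspect exclusion lists, Optimize and Allow prefixes go into the branch firewall for direct egress, and everything unmatched keeps default Internet treatment. The script below is an added example written for this page, not code from the session or from Microsoft. It works on records in the same JSON schema the Office 365 IP Address and URL web service (aka.ms/ipurlws) returns (id, serviceArea, urls, ips, tcpPorts, udpPorts, category, required); the SAMPLE_ENDPOINTS list, the documentation IP ranges in it and the proxy name in the PAC output are constructed placeholders, not published endpoint data. In production the records would come from the web service itself, which also publishes a version endpoint that devices poll to pick up the monthly changes.

```python
"""Turn Office 365 endpoint records into per-category configuration artefacts.

Added example, not from the session and not Microsoft's own tooling. The record
fields mirror the JSON schema of the Office 365 IP Address and URL web service
(aka.ms/ipurlws); SAMPLE_ENDPOINTS is constructed for offline use with
documentation IP ranges and is not real published endpoint data.
"""
import fnmatch
import ipaddress

# Constructed sample records in the web service's schema; values are illustrative.
SAMPLE_ENDPOINTS = [
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "urls": ["outlook.office.com", "outlook.office365.com"],
     "ips": ["203.0.113.0/24", "2001:db8:1::/48"], "tcpPorts": "80,443"},
    {"id": 2, "serviceArea": "SharePoint", "category": "Optimize", "required": True,
     "urls": ["*.sharepoint.com"], "ips": ["198.51.100.0/24"], "tcpPorts": "80,443"},
    {"id": 3, "serviceArea": "Skype", "category": "Optimize", "required": True,
     "urls": [], "ips": ["192.0.2.0/25"], "udpPorts": "3478-3481"},
    {"id": 4, "serviceArea": "Common", "category": "Allow", "required": True,
     "urls": ["login.microsoftonline.com", "*.auth.microsoft.com"],
     "ips": ["192.0.2.128/25"], "tcpPorts": "443"},
    {"id": 5, "serviceArea": "Common", "category": "Default", "required": False,
     "urls": ["*.cdn.office.net"], "tcpPorts": "443",
     "notes": "Optional content delivery; blocking degrades the experience"},
]


def parse_ports(spec):
    """Expand a port spec such as "80,443" or "3478-3481" into a sorted list."""
    ports = set()
    for part in (spec or "").split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return sorted(ports)


def summarize_by_category(endpoints):
    """Group endpoint ids, URLs and IP prefixes by Optimize / Allow / Default."""
    summary = {c: {"ids": [], "urls": set(), "ips": set()}
               for c in ("Optimize", "Allow", "Default")}
    for ep in endpoints:
        bucket = summary[ep["category"]]
        bucket["ids"].append(ep["id"])
        bucket["urls"].update(ep.get("urls", []))
        bucket["ips"].update(ep.get("ips", []))
    return summary


def classify_destination(endpoints, host=None, ip=None):
    """Return (category, endpoint id) for a destination, or None when it is
    not a published Office 365 endpoint at all (generic Internet)."""
    addr = ipaddress.ip_address(ip) if ip else None
    for ep in endpoints:
        if host and any(fnmatch.fnmatchcase(host.lower(), p.lower())
                        for p in ep.get("urls", [])):
            return ep["category"], ep["id"]
        # `addr in network` is False for a v4/v6 mismatch, so mixed lists are safe.
        if addr and any(addr in ipaddress.ip_network(n) for n in ep.get("ips", [])):
            return ep["category"], ep["id"]
    return None


def direct_egress_rules(endpoints, categories=("Optimize", "Allow")):
    """Flatten Optimize/Allow records into (serviceArea, proto, port, prefix)
    tuples a branch firewall must permit for local, direct Internet egress."""
    rules = []
    for ep in endpoints:
        if ep["category"] not in categories:
            continue
        for proto, key in (("tcp", "tcpPorts"), ("udp", "udpPorts")):
            for port in parse_ports(ep.get(key)):
                for prefix in ep.get("ips", []):
                    rules.append((ep["serviceArea"], proto, port, prefix))
    return rules


def pac_file(endpoints, proxy="PROXY proxy.corp.example:8080", bypass=("Optimize",)):
    """Build a PAC script sending the bypass categories DIRECT (proxy bypass,
    so no SSL break & inspect) and everything else to the corporate proxy.
    The proxy address is a placeholder."""
    lines = ["function FindProxyForURL(url, host) {"]
    for ep in endpoints:
        if ep["category"] in bypass:
            for pattern in ep.get("urls", []):
                lines.append(f'    if (shExpMatch(host, "{pattern}")) return "DIRECT"; // id {ep["id"]}')
    lines.append(f'    return "{proxy}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    for cat, b in summarize_by_category(SAMPLE_ENDPOINTS).items():
        print(f"{cat}: ids {b['ids']}, {len(b['urls'])} URLs, {len(b['ips'])} prefixes")
    print(classify_destination(SAMPLE_ENDPOINTS, host="contoso.sharepoint.com"))
    print(len(direct_egress_rules(SAMPLE_ENDPOINTS)), "firewall rules for direct egress")
    print(pac_file(SAMPLE_ENDPOINTS))
```

The PAC output only covers Optimize URLs, which matches the session's guidance (proxy bypass strongly recommended for Optimize, merely capable of proxying for Allow); widen `bypass` to include "Allow" if the proxy is not able to handle that traffic. The `required: False` Default record carries the "description of functionality loss" the slide mentions in its `notes` field, which is where a reviewer decides whether to keep it on generic Internet treatment.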
New optimize category endpoints
Reminder: it is not sufficient to only open connectivity to these endpoints for Office 365 to work.

Network devices can fetch and identify Office 365 network traffic
• We’re working with network service vendors to integrate this
• Configure them for optimal Office 365 connectivity
• Customers using these configured devices will have recommended configuration and all monthly updates automated
Office 365 connectivity principles (aka.ms/o365ip)
Microsoft Global Network
• Fast, globally available network
• 100K miles of fiber in 130+ locations
• 130+ global edge nodes reaching 63% of the global GDP within 25 ms
• Peering relationships with 2700+ ISPs in 190+ locations
• Connects 35+ Office 365 datacenter locations
• Fully software defined and managed by Microsoft
• Office 365 cloud becomes closer and closer to end users

[Map: peering & service front door locations, Office 365 datacenters and announced new Office 365 locations; 45+ datacenters, 100+ locations; legend: network POP, service front door, data]
Office 365 connectivity architecture and strategy
• Microsoft Global Network (AS8075): Presence | Peering | Backhaul
• Distributed Service Front Door
• Intelligent content and business logic placement
• Office 365 cloud becomes closer and closer to end users

Question: What can you do to align with Office 365 strategy and fully take advantage of these infrastructure investments?
Answer: Egress Office 365 data traffic locally with matching DNS name resolution.
[Diagram: estimated user to front door RTT (EXO example). Customer network users in Orlando FL, San Francisco CA and Seattle WA reach service front doors in Miami FL, Washington DC, San Jose CA and Seattle WA via their local ISP and the Microsoft Global Network; the illustrated RTTs are ~5 ms, ~25 ms, ~65 ms and ~85 ms depending on where the traffic enters the network]
* Data at rest remains within tenant specific geo/compliance
Office 365 connectivity principles (aka.ms/o365ip)
Application level security for Optimize endpoints

Exchange Online
• For all Exchange IP addresses: https://outlook.office365.com:443 and https://outlook.office.com:443
• outlook.office365.com is used by Outlook clients; outlook.office.com is used by Outlook Web Access
• Security in the service: Exchange Online Protection, Multi Factor Authentication, Anti Malware protection, Data Loss Prevention (DLP), Office 365 Advanced Threat Protection (ATP)

SharePoint Online
• For all SharePoint IP addresses: https://<tenant>.sharepoint.com:443 and https://<tenant>-my.sharepoint.com:443
• Used by web access to SharePoint and OneDrive, and by the OneDrive for Business Sync Tool
• Security in the service: Data Loss Prevention (DLP), Anti Malware protection, Office 365 Advanced Threat Protection (ATP)
[Diagrams: modern network architecture examples preceding example #3. Users’ PCs in branch office 1 and regional office 1 sit behind a router or SDWAN device; path 1 breaks out locally to the Internet via ISP 1, path 2 crosses the MPLS/WAN to the head office Internet proxy behind the firewall, DLP and IPS stack]
Modern Network architecture: Example #3
SDWAN for egress through Secure Web Gateway
1. SDWAN used to send all traffic via a cloud based Secure Web Gateway
   • SDWAN device used for local ISP breakout
   • All traffic is sent to the nearest secure web gateway
   • Corporate traffic can be sent direct to Head Office via SDWAN or via SWG
2. Legacy egress

[Diagram: users’ PCs in branch office 1, branch office 2 and at home sit behind SDWAN devices and break out via ISP 1 / ISP 2 to the secure web gateway, which fronts the Office 365 service front door, Windows/Office updates and other cloud services; path 2 is the legacy egress through the head office firewall, DLP and IPS]
General Benefits of local egress

Technical Benefits
• Data/applications/services are increasingly moving to the cloud and no longer live in the corporate network; it therefore doesn’t make sense to backhaul all traffic to a central egress
• Central security/egress stacks are very expensive to uplift for cloud services, may still not be optimal and may need continual uplift for future services
• Cloud security elements often replicate security delivered at the egress
• Allows an enterprise to be more agile in an increasingly fast paced world
• Consider the shift in software update distribution, often best delivered by local CDN
• Centralized management for all remote egress devices

Cost Benefits
• MPLS costs are often much higher than local internet connectivity
• Kelly Services, with 10,000 employees spread across 900+ global branches, realized a 60% reduction in overall telecom OPEX costs when moving to a direct to internet architecture. In most branches they were able to deliver 10x more bandwidth for 25% of the cost of their legacy connectivity approach, using the Secure Web Gateway model to implement a simple, centralized control.
Demo: Office 365 – Local and Direct network egress

Measured results, centralized egress vs local and direct egress:
Latency to O365 front door: 200-215 ms (centralized) vs ~12 ms (local and direct)
Search: 300-400 ms (centralized) vs ~130 ms (local and direct)

[Diagram: customer network with a CPE device configured for local ISP breakout alongside the WAN path to the central datacenter ISP]
Skype for Business Online
Network Connectivity

Call Connectivity Model
Signalling traffic (SIP)
• Connects client to a pool in the location of the tenant
• Informs the client of the relay to use for media services – TCP port 443
Media traffic: the client attempts multiple connection methods simultaneously when starting media
• [Optimal] UDP direct – ports 3478, 3479, 3480 & 3481, (optional) 50,000-59,999
• [OK] TCP direct – port 443
• [Least preferred] TCP via proxy PAC

Media Path
[Diagram: corporate user on wired/wireless -> corporate network -> ISP / Internet / ExpressRoute provider -> Azure network / SfB DC media relay, and a second corporate user on wired/wireless on the far side]

Teams 1-to-1 calls on different networks
[Diagram: the two clients’ media flows meet at a transport relay / media relay]
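The media path a call ends up on is decided by whatever the egress policy lets through, in the preference order above. The script below is an added example written for this page (not code from the session or from Microsoft) that encodes that order and evaluates constructed first-match firewall rule sets against it, so a network team can tell in advance which policies push calls down to TCP or to the proxied path and why. The `Rule` format and the sample policies are assumptions for illustration; the port numbers are the ones the session lists. It treats UDP direct as usable only when all four relay ports are open, which is this example's simplification.

```python
"""Work out which Skype for Business / Teams media path a client will land on
under a given egress firewall policy.

Added example, not from the session. It encodes the session's preference order
(UDP direct on 3478-3481 with the optional 50000-59999 range, then TCP direct
on 443, then TCP via proxy/PAC) and applies it to constructed first-match rule
sets. The Rule format and the POLICIES are assumptions made for illustration.
"""
from dataclasses import dataclass

UDP_RELAY_PORTS = list(range(3478, 3482))   # 3478, 3479, 3480, 3481
UDP_OPTIONAL_RANGE = (50000, 59999)         # optional wide client media range
TCP_DIRECT_PORT = 443


@dataclass(frozen=True)
class Rule:
    """One egress firewall rule; rules are evaluated first-match, default deny."""
    action: str   # "allow" or "deny"
    proto: str    # "udp", "tcp" or "any"
    dst_lo: int   # inclusive destination port range
    dst_hi: int


def first_match(rules, proto, port, default="deny"):
    """Action of the first rule matching the flow; the default applies if none does."""
    for r in rules:
        if r.proto in ("any", proto) and r.dst_lo <= port <= r.dst_hi:
            return r.action
    return default


def select_media_path(rules, proxy_available=True):
    """Mimic the client trying every method at once and keeping the best one the
    policy admits. Returns (path, reasons); reasons explain each rejected path.
    UDP direct requires all four relay ports here (an assumption of this example)."""
    reasons = []
    blocked_udp = [p for p in UDP_RELAY_PORTS if first_match(rules, "udp", p) != "allow"]
    if not blocked_udp:
        return "UDP direct", reasons
    reasons.append(f"UDP relay ports blocked: {blocked_udp}")
    if first_match(rules, "tcp", TCP_DIRECT_PORT) == "allow":
        return "TCP direct", reasons
    reasons.append("TCP/443 direct blocked")
    if proxy_available:
        return "TCP via proxy", reasons
    reasons.append("no proxy configured")
    return "no media path", reasons


def optional_range_open(rules):
    """True when every UDP port in the optional 50000-59999 range is allowed."""
    lo, hi = UDP_OPTIONAL_RANGE
    return all(first_match(rules, "udp", p) == "allow" for p in range(lo, hi + 1))


def audit_policy(name, rules, proxy_available=True):
    """Summarise one policy: chosen path, optional range state, and a flag for any
    policy that does not reach the optimal path so it can be reported."""
    path, reasons = select_media_path(rules, proxy_available)
    return {
        "policy": name,
        "path": path,
        "optional_udp_range_open": optional_range_open(rules),
        "needs_attention": path != "UDP direct",
        "reasons": reasons,
    }


# Constructed policies to evaluate (illustrative, not real customer configurations).
POLICIES = {
    "local breakout": [Rule("allow", "udp", 3478, 3481), Rule("allow", "udp", 50000, 59999),
                       Rule("allow", "tcp", 443, 443)],
    "partial udp": [Rule("deny", "udp", 3480, 3480), Rule("allow", "udp", 3478, 3481),
                    Rule("allow", "tcp", 443, 443)],
    "proxy only": [Rule("deny", "any", 1, 65535)],
}

if __name__ == "__main__":
    for name, rules in POLICIES.items():
        print(audit_policy(name, rules))
```

The "partial udp" policy is the case that is easy to miss in a review: a single deny for one relay port sits above the allow, the client still gets a call up over TCP/443, and nothing looks broken until jitter and packet loss show up in call quality, which is what the centralized-egress demo earlier measured.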
SharePoint/OneDrive for Business
Network Connectivity

SharePoint Online – Client Connectivity Mechanism
• Now uses Anycast to connect to the same IP globally
• DNS lookup for tenantname.sharepoint.com returns 13.107.136.9
• Multiple edge servers globally configured for that IP
• BGP route advertisement and least cost routing is used
• Finds the nearest SharePoint enabled Edge node to connect
• TCP and SSL connections terminated, optimized and connected to the SharePoint front end server on an existing session

SharePoint Online & OneDrive for Business Connection Process
[Diagram: EMEA SPO edge nodes]
• 2x-5x increase in upload speeds
• 3x-10x increase in download speeds
• 55% faster opening Word documents in Office Online
• 40% faster opening PowerPoint documents in Office Online
Anycast is now rolled out globally and customers following the network principles will instantly see the benefit without any customer side change required.
Exchange Online
Network Connectivity

Exchange Online connection process – Anycast
[Diagram: for Exchange Online hosted mailboxes, clients behind the corporate datacenter firewall reach the Office 365 workload capacity via ISP 1; DC1 CAFE fronts the on-premises capacity]

Optimizing Exchange inbound flows
• Follow general best practices guidance: http://aka.ms/JustALoadBalancer
• External namespaces published in public DNS
• Autodiscover points clients (including O365) to the appropriate namespace
• Follow principles of connectivity
• Egress location should be close to target infrastructure to minimize latency
• Minimize impact of security controls on inbound traffic: enough to mitigate threats
[Diagram: Exchange Online capacity -> ISP 1 -> firewall -> load balancer -> Exchange on-premises capacity in the corporate datacenter]

High availability for Exchange inbound flows
• High availability accomplished via Exchange on-premises preferred architecture & namespace design: http://aka.ms/preferred & http://aka.ms/namespace
[Diagram: Exchange Online capacity reaching two on-premises sites over ISP 1, each with its own firewall, load balancer and Exchange on-premises capacity]
[Diagram: inbound flow from Exchange Online through the firewall to a reverse proxy (no pre-auth*) and load balancer in front of Exchange on-premises capacity in the corporate datacenter]

Exchange Hybrid Agent
• Outbound ACL only
• Hybrid Proxy Service with IP whitelist; Hybrid Agent installed alongside the Exchange servers
• Tenant-specific endpoint: https://{guid}.resource.{flow}.his.msappproxy.net
[Diagram: Exchange Online -> Hybrid Proxy Service -> Hybrid Agent -> Exchange servers, crossing the firewall outbound only]

[Diagram: SharePoint Online capacity -> ISP 1 -> firewall -> reverse proxy (certificate auth) -> SharePoint on-premises capacity in the corporate datacenter]
Office 365 Multi Geo: connectivity and performance impacts

[Diagram: Contoso.onmicrosoft.com with 25,000 Office 365 users spread across Asia-Pacific, Australia, Canada, European Union, France, India, Japan, Korea, North America and United Kingdom]
aka.ms/Multi-Geo

Key networking considerations for Multi Geo
• Multi Geo is not a performance solution – it’s about data residency
• Local/regional egress model is critical for Multi Geo customers to avoid performance degradation
• Performance may increase, but only if connectivity guidance is followed
[Diagram: user in Orlando FL reaching the Miami FL service front door via the local ISP, with data held in a datacenter in Paris, France]
Network Bandwidth Estimation for Office 365

How much bandwidth do I need for Office 365?
• This is a very difficult question to answer
• The figure is variable per customer profile
• Similar size/sector customers may see very different values
• Using an average may lead to poor planning decisions

The traditional approach: use calculators for each workload
• Generally workload specific, when planning needs to be holistic for all needs
• Poor data in == poor data out
• Microsoft generally recommended monitoring pilot users and extrapolating the data out

Beta solution using Azure Service Map & Log Analytics
How it works:
• A pilot batch of users uses Office 365 services from home, office or school
• The users have the MMA & Dependency agent installed and connected to the Azure Log Analytics workspace (OMS)
[Diagram: pilot users -> Office 365 cloud; the agents report into Azure Log Analytics]
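Whatever collects the pilot data (Service Map, a proxy log, a NetFlow export), the extrapolation step is where the "average leads to poor planning" warning bites. The script below is an added example written for this page, not the session's beta solution and not a Microsoft tool: it aggregates constructed per-user throughput samples from a pilot site, takes a busy-interval percentile rather than the mean, and scales both to a target user count so the gap is visible. The PILOT_SAMPLES values and site sizes are constructed, and linear scaling assumes the target site shares the pilot's usage profile, which is the assumption a planner has to check.

```python
"""Extrapolate Office 365 bandwidth from pilot-user measurements.

Added example, not from the session and not a Microsoft tool. It follows the
approach the session recommends (measure pilot users, then extrapolate) and
shows why a plain average under-provisions compared with a busy-interval
figure. The per-user kbps samples and the site sizes are constructed.
"""
import math

# Constructed pilot data: kbps per user for six consecutive 5-minute
# intervals, measured at a pilot site of four users.
PILOT_SAMPLES = {
    "user1": [50, 60, 800, 70, 55, 60],
    "user2": [40, 45, 50, 900, 45, 40],
    "user3": [30, 35, 40, 45, 35, 30],
    "user4": [60, 1200, 65, 70, 60, 65],
}


def interval_totals(samples):
    """Sum all pilot users per interval: the aggregate kbps the pilot site
    pushed through its egress in each interval."""
    users = list(samples.values())
    intervals = len(users[0])
    if any(len(u) != intervals for u in users):
        raise ValueError("all users must have the same number of samples")
    return [sum(u[i] for u in users) for i in range(intervals)]


def percentile(values, pct):
    """Nearest-rank percentile (pct in 0-100) of a list of numbers."""
    if not values:
        raise ValueError("no values")
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def estimate_site_kbps(samples, target_users, pct=95):
    """Scale the pilot's per-user busy figure to a site of target_users.

    Returns the percentile-based estimate alongside the mean-based one so the
    gap is visible; the percentile figure is the planning value. Linear scaling
    assumes the target site has the same usage profile as the pilot.
    """
    totals = interval_totals(samples)
    pilot_users = len(samples)
    busy_per_user = percentile(totals, pct) / pilot_users
    mean_per_user = (sum(totals) / len(totals)) / pilot_users
    return {
        "pilot_users": pilot_users,
        "busy_per_user_kbps": busy_per_user,
        "mean_per_user_kbps": mean_per_user,
        "busy_estimate_kbps": busy_per_user * target_users,
        "mean_estimate_kbps": mean_per_user * target_users,
    }


if __name__ == "__main__":
    for site, users in {"branch": 200, "head office": 5000}.items():
        est = estimate_site_kbps(PILOT_SAMPLES, users)
        print(f"{site}: p95-based {est['busy_estimate_kbps'] / 1000:.1f} Mbps, "
              f"mean-based {est['mean_estimate_kbps'] / 1000:.1f} Mbps")
```

With the constructed data the mean-based figure is roughly half the busy-interval figure, which is the planning error the slide warns about; with real pilot data the ratio will differ, but the percentile step is what makes the extrapolation sensitive to the bursts that actually congest a branch link.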
The following solutions are working toward the “Works with Office 365” designation as a part of the Office 365 Networking Partner Program.
© Copyright Microsoft Corporation. All rights reserved.