[Collinge] Modern Enterprise Network Connectivity Architecture for SaaS Services
4. The enterprise connectivity challenge
Diagram (built up over several animation steps): a consumer at a home office reaches the Microsoft global network across the ISP's first mile and last mile with nothing in between. Enterprise users at the head office and branch offices sit on on-premises networks behind a corporate MPLS WAN / network perimeter, and their traffic leaves through a security stack of firewall / NGFW, proxy server, intrusion prevention system, data loss prevention, secure web gateway, WAN accelerator and cloud access security broker before crossing the enterprise last mile to the ISP. Users in a hotel or coffee shop are brought back into that same perimeter over VPN.
5. Office 365 connectivity principles
• Differentiate traffic: identify and differentiate Office 365 traffic using Microsoft published endpoints data (aka.ms/o365ip).
• Egress connections locally: egress Office 365 data connections as close to the user as practical, with matching DNS resolution.
• Optimize route length: avoid network hairpins and optimize connectivity directly into the nearest entry point into Microsoft’s network.
• Assess network security: assess bypassing proxies, traffic inspection devices and duplicate security which is available in Office 365.
8. New IP and URL categories
Optimize (required)
• Microsoft hosted IPs and URLs
• Expect slow rate of change
• Should not SSL break & inspect the traffic to these endpoints
• Recommended for local egress from the user’s location
• Represents over 75% of Office 365 bandwidth
Allow (also required)
• Connectivity is required for Office 365
• Send directly where possible; recommend not to SSL break & inspect
• Some endpoints will have URLs only
• Some network latency is not expected to cause major performance issues
Default (optional)
• Direct network traffic similar to web browsing
• Some endpoints clearly marked optional; lost functionality is described
• May not be in Microsoft datacenters
• Most endpoints will have URLs only
• Standard Internet latency is okay
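To act on these three categories a network team needs the endpoint data in machine-readable form. As an added example (not the deck's or Microsoft's code), this Python applies the Optimize/Allow/Default treatment above to records shaped like the Office 365 IP Address and URL web service JSON behind aka.ms/o365ip (field names as I understand that service, so treat them as an assumption; the hostnames, prefixes and proxy name are constructed), producing a proxy bypass list, Optimize prefixes for firewall rules and a PAC file.

```python
import ipaddress
import json

# Constructed sample records shaped like the Office 365 IP Address and URL web
# service JSON (aka.ms/o365ip); hostnames and prefixes here are made up.
SAMPLE_ENDPOINTS = json.loads("""[
  {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": true,
   "urls": ["outlook.example-o365.test"], "ips": ["203.0.113.0/24"], "tcpPorts": "80,443"},
  {"id": 2, "serviceArea": "Common", "category": "Allow", "required": true,
   "urls": ["*.login.example-o365.test"], "ips": ["198.51.100.0/25"], "tcpPorts": "443"},
  {"id": 3, "serviceArea": "Common", "category": "Default", "required": false,
   "urls": ["cdn.example-o365.test"], "tcpPorts": "443"}
]""")

# Treatment per slide 8: Optimize and Allow egress directly and are not SSL broken &
# inspected; Default is routed like ordinary web browsing through the proxy.
TREATMENT = {
    "Optimize": {"route": "DIRECT", "ssl_inspect": False, "local_egress": True},
    "Allow":    {"route": "DIRECT", "ssl_inspect": False, "local_egress": True},
    "Default":  {"route": "PROXY",  "ssl_inspect": True,  "local_egress": False},
}

def direct_url_patterns(endpoints):
    """Hostname patterns that bypass the proxy and SSL inspection (Optimize + Allow)."""
    return sorted({u for e in endpoints if TREATMENT[e["category"]]["route"] == "DIRECT"
                   for u in e.get("urls", [])})

def optimize_prefixes(endpoints):
    """Validated IP prefixes for firewall direct-egress rules; Optimize only, since these
    are Microsoft hosted, change slowly and carry most Office 365 bandwidth."""
    return sorted({str(ipaddress.ip_network(p)) for e in endpoints
                   if e["category"] == "Optimize" for p in e.get("ips", [])})

def build_pac(endpoints, proxy="PROXY proxy.corp.example:8080"):
    """Emit a PAC file: Optimize/Allow hosts go DIRECT, everything else via the proxy."""
    checks = " ||\n        ".join(f'shExpMatch(host, "{u}")' for u in direct_url_patterns(endpoints))
    return ("function FindProxyForURL(url, host) {\n"
            f"    if ({checks}) {{\n"
            '        return "DIRECT";\n'
            "    }\n"
            f'    return "{proxy}";\n'
            "}\n")

if __name__ == "__main__":
    print(build_pac(SAMPLE_ENDPOINTS))
    print("firewall direct egress:", optimize_prefixes(SAMPLE_ENDPOINTS))
```

Feed the real web service output in place of the constructed records and diff the generated bypass list on each publication to pick up the category changes the slide says to expect.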
9. Egress connections locally: egress Office 365 data connections as close to the user as practical with matching DNS resolution. Optimize route length: avoid network hairpins and optimize connectivity directly into the nearest entry point into Microsoft’s network.
11. • Microsoft’s global network is one of the top networks in the world.
• Very high bandwidth, low latency, failover-capable links
• Tens of thousands of route miles of privately owned dark fiber optic network
• Multi-terabit connections DC-DC and DC-Internet
• Peers with over 2500 ISPs globally in 150 locations and 38 countries
• Identified by msn.net router names (for most routers)
• Optimized to get your traffic to its destination efficiently
• Aim is for customers to get onto this network as quickly as possible.
13. UK – Peer in London in 26ms
1 4 ms 3 ms 4 ms bthub [192.168.1.254]
4 28 ms 26 ms 27 ms 31.55.187.180
5 24 ms 24 ms 24 ms core2-hu0-8-0-5.southbank.ukcore.bt.net [195.99.127.186]
6 26 ms 24 ms 25 ms peer2-et-10-1-0.telehouse.ukcore.bt.net [195.99.127.7]
7 26 ms 26 ms 26 ms 195.99.126.55
8 36 ms 34 ms 35 ms ae12-0.lon04-96cbe-1a.ntwk.msn.net [207.46.44.162]
9 37 ms 36 ms 37 ms be-9-0.ibr01.dbb.ntwk.msn.net [104.44.4.134]
11 35 ms 34 ms 36 ms ae1-0.db3-96c-3a.ntwk.msn.net [204.152.141.79]
13 34 ms 34 ms 34 ms 104.146.132.25
France – Peer in Paris in 8ms
1 8 ms 2 ms 1 ms 192.168.0.1
2 * 7 ms 7 ms 10.95.160.1
3 6 ms 6 ms 6 ms hlr1rj-ge-0-1-6.100.numericable.net [80.236.6.14]
4 8 ms 18 ms 10 ms ip-254.net-80-236-0.static.numericable.fr [80.236.0.254]
5 8 ms 8 ms 9 ms ip-249.net-80-236-0.static.numericable.fr [80.236.0.249]
6 11 ms 9 ms 10 ms 172.19.132.146
7 9 ms 10 ms 8 ms ae7-0.par02-96cbe-1b.ntwk.msn.net [207.46.41.224]
8 8 ms 8 ms 9 ms ae3-0.pra-96cbe-1b.ntwk.msn.net [204.152.141.246]
9 21 ms 21 ms 22 ms be-6-0.ibr02.amb.ntwk.msn.net [104.44.4.230]
10 20 ms 18 ms 20 ms ae75-0.ams04-96cbe-1b.ntwk.msn.net [104.44.9.239]
11 21 ms 18 ms 19 ms 104.44.80.139
12 * * * Délai d’attente de la demande dépassé.
13 20 ms 20 ms 20 ms 13.107.6.151
Florida – Peer in Miami in 24ms
1 30 ms 3 ms 14 ms zeus.olympus.home [192.168.0.1]
2 11 ms 14 ms 14 ms 10.100.16.1
3 15 ms 15 ms 16 ms ten0-6-0-0.tamp20-car2.bhn.net [71.44.1.106]
4 16 ms 18 ms 19 ms ten0-8-0-6.tamp27-car2.bhn.net [72.31.211.158]
5 16 ms 18 ms 19 ms 72-31-6-190.net.bhntampa.com [72.31.6.190]
6 16 ms 19 ms 19 ms hun0-3-0-7.tamp20-cbr1.bhn.net [72.31.3.140]
7 21 ms 19 ms 24 ms 10.bu-ether15.tamsflde20w-bcr00.tbone.rr.com [66.109.6.96]
8 28 ms 26 ms 28 ms 0.ae0.pr0.mia00.tbone.rr.com [66.109.1.89]
9 24 ms 23 ms 24 ms 66.109.7.238
10 24 ms 24 ms 24 ms ae9-0.mia-96cbe-1b.ntwk.msn.net [104.44.225.167]
11 126 ms 129 ms 129 ms be-75-0.ibr02.atb.ntwk.msn.net [104.44.224.230]
12 131 ms 129 ms 128 ms be-3-0.ibr01.bn1.ntwk.msn.net [104.44.4.49]
13 130 ms 129 ms 128 ms be-1-0.ibr02.bn1.ntwk.msn.net [104.44.4.63]
14 130 ms 129 ms 129 ms be-3-0.ibr02.was05.ntwk.msn.net [104.44.4.26]
15 135 ms 134 ms 133 ms be-4-0.ibr02.nyc04.ntwk.msn.net [104.44.4.29]
16 120 ms 119 ms * ae8-0.lon04-96cbe-1b.ntwk.msn.net [104.44.5.29]
17 123 ms 124 ms 124 ms ae11-0.lon04-96cbe-1a.ntwk.msn.net [207.46.44.154]
18 131 ms 127 ms 132 ms be-9-0.ibr01.dbb.ntwk.msn.net [104.44.4.134]
20 130 ms 128 ms 125 ms ae2-0.db3-96c-3b.ntwk.msn.net [204.152.141.81]
22 126 ms 128 ms 129 ms 104.146.132.25
Scotland – Peer in NY! in 87ms
1 <1 ms <1 ms <1 ms 10.201.100.1
2 <1 ms <1 ms <1 ms 10.201.0.1
5 14 ms 14 ms 15 ms ABC-e-0-0-0-0.londonuk5.poorlypeeredISP.net [*.*.157.174]
6 16 ms 15 ms 15 ms AB2-e-0-0-2-0.londonuk1.poorlypeeredISP.net [*.*.157.113]
7 83 ms 83 ms 83 ms AB1-tengig-0-7-0-0.newyork.poorlypeeredISP.net [*.*.196.121]
8 82 ms 82 ms 82 ms AB2-e-9-0-1.jfk2.poorlypeeredISP.net [*.*.99.65]
9 82 ms 83 ms 82 ms ab1-e-10-1-1.jfk2.poorlypeeredISP.net [*.*.99.214]
10 82 ms 82 ms 82 ms nyc-brdr-02.poorlypeeredISP.net [*.*.26.101]
11 82 ms 82 ms 82 ms nyc-edge-04.poorlypeeredISP.net [*.*.134.1]
12 85 ms 86 ms 87 ms be-4-0.ibr02.nyc04.ntwk.msn.net [104.44.4.28]
14 141 ms 143 ms 145 ms xe-7-3-0-0.lts-96cbe-1a.ntwk.msn.net [207.46.43.45]
15 149 ms * * xe-9-1-1-0.ams-96c-1a.ntwk.msn.net [207.46.42.135]
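The deck identifies Microsoft's network by msn.net router names and reads the handoff latency off a tracert by eye. As an added example (not part of the deck), this Python parses Windows tracert output, using the Paris trace above as its sample input, and reports the last hop before Microsoft and the first hop inside Microsoft's network with its best RTT; it also copes with a timed-out hop, which Windows prints as a localised message. The regexes and record layout are my own.

```python
import re

# Paris tracert from slide 13 as sample input; hop 12 keeps Windows' French timeout text.
FR_TRACE = """
1 8 ms 2 ms 1 ms 192.168.0.1
2 * 7 ms 7 ms 10.95.160.1
3 6 ms 6 ms 6 ms hlr1rj-ge-0-1-6.100.numericable.net [80.236.6.14]
4 8 ms 18 ms 10 ms ip-254.net-80-236-0.static.numericable.fr [80.236.0.254]
5 8 ms 8 ms 9 ms ip-249.net-80-236-0.static.numericable.fr [80.236.0.249]
6 11 ms 9 ms 10 ms 172.19.132.146
7 9 ms 10 ms 8 ms ae7-0.par02-96cbe-1b.ntwk.msn.net [207.46.41.224]
8 8 ms 8 ms 9 ms ae3-0.pra-96cbe-1b.ntwk.msn.net [204.152.141.246]
9 21 ms 21 ms 22 ms be-6-0.ibr02.amb.ntwk.msn.net [104.44.4.230]
10 20 ms 18 ms 20 ms ae75-0.ams04-96cbe-1b.ntwk.msn.net [104.44.9.239]
11 21 ms 18 ms 19 ms 104.44.80.139
12 * * * Délai d’attente de la demande dépassé.
13 20 ms 20 ms 20 ms 13.107.6.151
"""

# hop number, three RTT fields ("<1 ms", "12 ms" or "*"), then "host [ip]" or a message
LINE_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+\s*ms|\*)\s+){3})(.*\S)\s*$")
RTT_RE = re.compile(r"<?(\d+)\s*ms|(\*)")

def parse_tracert(text):
    """Parse Windows tracert output into hop records; timed-out hops get host/ip None."""
    hops = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank or trailing lines
        rtts = [None if star else float(ms) for ms, star in RTT_RE.findall(m.group(2))]
        timed_out = all(r is None for r in rtts)  # then group 3 is the OS's timeout message
        name, _, bracket = m.group(3).partition(" [")
        host = None if timed_out else name.strip()
        ip = None if timed_out else (bracket.rstrip("]") or host)
        hops.append({"hop": int(m.group(1)), "rtts": rtts, "host": host, "ip": ip})
    return hops

def entry_point(hops, suffix=".msn.net"):
    """(last hop before Microsoft, first hop inside Microsoft's network), by msn.net router name."""
    for i, h in enumerate(hops):
        if h["host"] and h["host"].endswith(suffix):
            return (hops[i - 1] if i else None), h
    return None, None

def handoff_rtt_ms(hops):
    """Best-case RTT at which this path reaches the Microsoft global network."""
    _, first = entry_point(hops)
    measured = [r for r in (first["rtts"] if first else []) if r is not None]
    return min(measured) if measured else None
```

Run against the Scotland trace above and the handoff lands at hop 12 in New York at over 80 ms, which is exactly the poorly peered path the slide is calling out.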
14. Office 365 connectivity architecture and strategy
Diagram: estimated user to Front Door RTT (Exchange Online example). The customer network egresses through its ISP into the Microsoft Global Network (AS8075), which presents service front doors in many locations; the illustrated front doors are Washington DC, Orlando FL, San Francisco CA, Miami FL, San Jose CA and Seattle WA, with example RTT estimates of ~5ms, ~25ms, ~65ms and ~85ms.
* Data at rest remains within tenant specific geo/compliance boundary
20. Diagram: EMEA client to SharePoint Online through the edge network. Steps 1 and 2 are DNS resolution; step 3 is a TCP 443 connection to the Anycast IP address, landing on the EMEA SPO edge nodes; step 4 is connected, with the edge carrying the session on to SPO NAM.
• Connects the client to the secure, highly available, globally distributed edge network
• Terminates SSL connections closer to the client
• Optimizes connections at the edge to rectify sub-optimal settings from the customer side
• Re-uses connections between the edge and SharePoint Online
21. Diagram: the same EMEA client without the edge network. Steps 1 and 2 are DNS resolution; step 3 is a TCP 443 connection to the IP address at SPO NAM; step 4 is connected.
• User requests directed to the active Microsoft datacenter hosting the tenant
• TCP connections perform proportional to RTT and customer/egress TCP settings
• SPO content x-geo
• APAC user accessing data in an EU datacenter
22. Charts (panel titles only): faster opening Word documents in Office Online; faster opening PowerPoint documents in Office Online; increase in upload speeds; increase in download speeds.
24. Diagram: EMEA Outlook client. Steps 1 and 2 are DNS resolution, returning the EMEA CAFE front ends (EMEA DC1, DC2, DC3 and DC4 CAFE); step 3 is a TCP 443 connection to the 1st IP in the list returned; step 4 is connected, with the front end reaching the mailbox server in North America.
25. Diagram: Outlook client. Steps 1 and 2 are DNS resolution of Outlook.ms-acdc.office.com, returning the IP addresses of FE servers (DC1, DC2, DC3 and DC4 CAFE); step 3 is a TCP 443 connection to the 1st IP in the list returned; step 4 is connected, with the front end reaching the mailbox server.
26. Assess bypassing proxies, traffic inspection devices and duplicate security which is available in Office 365
28. • Trusted services are simpler to connect to and they generally perform better for users
• Customers perform due diligence prior to storing corporate data with Microsoft, but lack of trust means Office 365 has the same overhead as generic internet sites
• Evaluate Office 365 security features focusing on outcomes, not implementation
Diagram: level of trust plotted against compensating overhead (cost, complexity, latency). The egress & security stack sits along the path from the customer network, WAN and network POP to the Microsoft global network and is made up of content gateways, B&I RO proxy, proxy/SWG, AFW/NGFW, B&I RW proxy and L4 & DNS firewall. A generic Internet site sits at the low-trust, high-overhead end and a verifiably trusted application (O365) at the other.
29. Office 365 Layered Security Approach
Customer managed (customer controls):
• Office 365 Security and Compliance Center
• Azure Active Directory / MFA / Conditional Access
• Threat Management (EOP, ATP, TI)
• Message Encryption and Rights Management
• Data Loss Prevention
• Azure AD Tenant Restrictions and Consumer Sign-on Restrictions
• Mobile Device Management (EMS and Intune)
• Azure Information Protection and Windows Defender ATP
Microsoft managed (logical and physical layers):
• Secure Development Lifecycle
• DDoS protection
• Multi-tenancy
• Incident response/CDOC
• Access approval
• Perimeter
• Building
• Server environment
• Data-bearing device controls
31. Improved traditional WAN: WAN with regional egress
Diagram: head office and branch office on-premises networks and the on-premises datacenter sit behind the corporate MPLS WAN / network perimeter, with regional egress points each running an ISP link, next gen firewall, data loss prevention, secure web gateway and proxy server. Office 365 traffic bypasses this stack and goes straight to the Microsoft global network, while generic Internet sites still pass through it. Home office, hotel and coffee shop users are also shown.
32. Improved traditional WAN: local egress with cloud network service
Diagram: head office and branch office on-premises networks, together with home office, hotel and coffee shop users, egress locally to a cloud proxy vendor or other intermediary with Office 365 traffic identification (IaaS hosting), which forwards Office 365 traffic to the Microsoft global network and other traffic to generic Internet sites.
• Compare network path to local direct egress
• Ensure SSL B&I bypass
• Evaluate vendor reliability
33. A different approach to enhanced security
Diagram: the head office on-prem LAN and the on-premises branch network each have only a firewall, while the on-premises datacenter keeps the full stack (next gen firewall, data loss prevention, secure web gateway, proxy server) behind the corporate MPLS WAN / network perimeter; home office, hotel and coffee shop users connect over VPN, and ISP links lead into the Microsoft global network.
34. A different approach to enhanced security
Diagram: the same layout without the MPLS WAN and VPN. The head office on-prem LAN and the on-premises branch network each egress through their own firewall and ISP link directly to the Microsoft global network, alongside home office, hotel and coffee shop users; the on-premises datacenter retains the next gen firewall, data loss prevention, secure web gateway and proxy server.