Network for Enterprises
Dedicated Plans Service Description



Published: April 2012
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of
publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE
INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this
document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

© 2012 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveSync, Lync, Outlook, and SharePoint are trademarks of the Microsoft group of companies. All other trademarks
are property of their respective owners.




Network for Enterprises Service Description (Dedicated Plans) | April 2012
Contents
Introduction .... 4
Network Architecture .... 5
Customer Connectivity to Data Centers .... 7
    Customer-Owned Private Connection .... 7
    Internet IPsec VPN .... 7
    Connectivity Design Principles .... 8
    IP Addressing .... 10
Network Security .... 11
    Internet Security .... 11
    Separation (Compartmentalization) .... 11
    Redundancy .... 13




Introduction
This document describes the Microsoft networking infrastructure components and features that support
delivery of Microsoft Office 365 for enterprises services provided under dedicated subscription plans
("dedicated plans"). The information applies to the following services:
    • Microsoft Exchange Online
    • Microsoft SharePoint® Online
    • Microsoft Lync™ Online
The document is intended for network engineers and system integrators who work with Microsoft Office
365 customers. The components and features that are described include:
    • Network architecture for Office 365 dedicated plans
    • Customer connectivity to Microsoft data centers
    • Connectivity design principles
    • Network security


* Services provided under Office 365 for enterprises dedicated plans are delivered from a Microsoft hosting environment where
each customer has their own dedicated data center hardware.




Network Architecture
The network architecture for Microsoft Office 365 is divided into three distinct security zones: the
Customer Network, the Managed Network, and the Management Network. Each security zone is
implemented as a virtual network.

Customer Network
The Customer Network describes the customer on-premise enterprise network environment. The
Customer Network contains the router and the customer firewall for organizations that want to have these
components installed between their IT environment and the Microsoft data center.

Managed Network
There is a Managed Network for each customer. It is a separate, dedicated security zone that contains the
hosted systems that provide Office 365 services and store customer email and data. This network also
contains an Active Directory forest that includes a replication of the customer’s Active Directory user,
contact, and distribution group objects.
The Managed Network includes two gateway networks (GNs): one associated with the Internet (GN/I) and
the other with the Customer Network (GN/C).
    • GN/I: The GN/I is a load-balancing–only hardware component. Only the devices that are deployed
      on this segment will be virtual IP (VIP) addresses hosted on a hardware load balancer's network
      interface. These devices are usually deployed in conjunction with servers on the Managed
      Network, and are protected using firewalls for external (Internet) traffic.
    • GN/C: The GN/C is utilized to implement customer enterprise-facing hardware load-balancing
      solutions that replicate the functionality implemented in the GN/I.

Management Network
The Management Network contains the infrastructure that is shared across multiple customers, such as
the Microsoft backup and monitoring systems. It also includes an Active Directory forest that contains the
user accounts that are needed for operating the services and servers for the Management Network and
Managed Network security zones.




Figure 1 shows the Microsoft network architecture and security zone components for Office 365 dedicated
plans.

Figure 1. Microsoft Office 365 network architecture

Virtualization is used throughout the network architecture to maintain separation and abstraction on a
per-customer basis. This is accomplished using virtual LANs (VLANs) at Layer 2 (Switching), Virtual Routing
and Forwarding (VRF) at Layer 3 (Routing), and Layer 3 VPNs at the transport layer. The transport
layer relies on the extensive use of multiprotocol label switching (MPLS) within the Microsoft backbone
network.
    Customer Responsibilities
    • Maintain the customer internal IT infrastructure and network, and provide connectivity to the
      Microsoft data centers.
    • Maintain the Customer Forest, which hosts the primary user accounts that are used for
      authentication and hosts contacts and distribution groups.
    • Co-locate the domain controllers that are located within the Customer Network in the Microsoft
      data centers. This requirement is discussed in more detail in the "Microsoft Office 365 Identity and
      Provisioning (Dedicated Plans) Service Description" document.




Customer Connectivity to Data Centers
Microsoft supports two options for connectivity between a Customer Network and each Microsoft data
center: customer-owned private connections and Internet IPsec virtual private network (VPN). At a
minimum, connections are required to both the primary and secondary Microsoft data centers that host
the customer's servers.

Customer-Owned Private Connection
Customers can connect to Microsoft data centers with connections that they own and operate, or via their
designated provider. This is the primary connectivity option and gives the customer the ability to host
equipment within Microsoft data centers. Microsoft provides only the rack, space, cooling, and access to
the equipment. The customer is responsible for ownership and management of the equipment.
    Microsoft Responsibility
    • Enable the customer to host network equipment inside Microsoft-owned data centers. Microsoft
      provides power, space, and cooling for the hosted equipment and access to the
      equipment. Hosting of customer network equipment is limited to a standard network deployment
      pod. This pod consists of a pair of industry standard 2-rack unit routers, Layer 2 switches, and
      firewalls for a total allowance of 12 rack units per data center. Hosting of customer owned
      network equipment variants that do not fit within this pod design are considered an exception.
      Microsoft approved exceptions will incur additional service fees.
    • Work with the customer and customer's carrier personnel to terminate circuits and enable
      connectivity to Microsoft.
    • Provide ongoing support for the customer or carrier personnel to access equipment that is
      located at a Microsoft data center.
    Customer Responsibility
    • Own and manage all aspects of connectivity including equipment and circuits. This includes
      ensuring Microsoft is provided clear, consistent, and updated documentation of deployed hosted
      network equipment and connectivity.
    • Ensure that customer provisioned transport is symmetric to the primary and secondary data
      center. This symmetry implies mirroring of capacity and capability in both data centers.
    • Provide Microsoft with the port and access speed as well as any type of rate limits—such as the
      committed information rate.
    • Provide Microsoft with periodic (monthly) updates on capacity and utilization of network
      connectivity so that Microsoft can ensure adequate capacity is available to provide a consistent
      end-user experience.

Internet IPsec VPN
Internet IPsec VPN is an Internet-based, encrypted VPN that uses the same Internet service provider (ISP)
on both sides of the VPN to optimize performance and reliability. The Internet IPsec VPN should only be
used during the deployment process to mitigate long lead time MPLS connections and as a redundancy
solution paired with the customer-owned connection. While this is a viable transport technology,
experience has shown that interoperability and operational issues reduce its use to a support role and not
the primary means of connectivity.
Microsoft places a limit of six VPNs per customer at each data center location. If more than six VPNs are
required, Microsoft enables the customer to host its own equipment inside Microsoft data centers.


We recommend that customers request and review the document "Using an Internet-based Virtual Private
Network (VPN) for Microsoft Online Services" for engineering details about the Internet IPsec VPN option.
The document can be obtained from the customer’s technical account manager.
    Microsoft Responsibility
    • Provide the terminating router and ISP connectivity.
    Customer Responsibilities
    • Confirm that the ISP connects to Microsoft.
    • Ensure that the customer-provisioned transport is symmetric to the primary and secondary data
      center. This symmetry implies mirroring of capacity and capability in both data centers.
    • Provide Microsoft with the port and access speed as well as any type of rate limits—such as the
      committed information rate.
    • Provide Microsoft with periodic (monthly) updates on capacity and utilization of network
      connectivity so that Microsoft can ensure adequate capacity is available to provide a consistent
      end-user experience.
    • Provide the router at the customer sites.

Connectivity Design Principles
Office 365 dedicated plans customers are required to support the following design factors when planning
network connectivity to Microsoft data centers.
    • Bandwidth. It is critical that the customer perform initial planning and ongoing capacity analysis
      to ensure that adequate bandwidth is available to reach Office 365 services at all times. These
      processes require accurately predicting bandwidth demand and ensuring that proper measuring
      tools are in place to monitor usage. We recommend that the customer provision a separate link
      for Internet access if the Internet IPsec VPN option is used as a primary connection link.
    • Latency. Latency is a critical network factor that directly affects perceived and actual performance
      for a given Office 365 application. Each hosted application provides general guidance for
      acceptable round-trip time (RTT) between the customer and Microsoft data centers. When
      provisioning VPNs, tests must be conducted ahead of time to ensure that RTT is within acceptable
      tolerances.
    • Reliability. Microsoft requires that all connectivity is provisioned in a redundant manner. For
      Customer-Owned Private Connection this is expected to be accomplished by providing
      connections relative to the service provisioning points. When selecting Internet-based
      VPNs, Microsoft does not offer a service-level agreement (SLA) for availability on networks that it
      does not directly own or operate. A multiple-VPN configuration is required to provide increased
      reliability and redundancy.
    • Microsoft connectivity. To enable Internet IPsec VPN connections to as many ISPs as possible,
      Microsoft has a policy of open peering with any carrier that wishes to connect with it. This policy
      has enabled peering relationships with thousands of ISPs, and has positioned Microsoft in the top
      five of the best-connected networks in the world. Microsoft actively manages capacity for its
      owned connections and equipment to ensure that there are no capacity-related outages. Links
      that are starting to saturate are proactively upgraded as needed.
    • BGP peering. The Border Gateway Protocol (BGP) is used for route exchange over all peering
      sessions used for connectivity via customer-owned circuits. As part of the networking activation
      process, information is required about the number of prefixes that the customer plans to
      advertise. Microsoft requires route summarization or aggregation to limit the number of prefixes
      received. We also deploy the BGP maximum-prefix feature to ensure that a sudden spike in
      advertisements does not adversely impact equipment and peering. The maximum number of
      prefixes allowed for the peering session is set to 20 percent higher than what the customer
      announces initially. The customer can request additional route announcements from Microsoft, to
      a maximum of 2048, by submitting a Change Request. In addition to providing prefix information,
      the customer is required to summarize all routing announcements to ensure optimal routing table
      size.
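The max-prefix and summarization policy in the BGP peering item above, as an added worked example that is not part of the Microsoft document: it aggregates what a customer announces, derives the session limit (20 percent above the initial announcement, capped at 2048) and checks a later announcement against it. Rounding the headroom up, the function names and the result dict are this example's assumptions.

```python
import ipaddress

MAX_PREFIX_CEILING = 2048   # highest limit a Change Request can raise the session to
HEADROOM_PERCENT = 20       # max-prefix is set 20 percent above the initial announcement


def summarize(prefixes):
    """Aggregate IPv4 prefixes the way the document requires of the customer:
    adjacent and contained networks are merged so the peer receives as few
    routes as possible.  Returns the aggregates as strings in sorted order."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def max_prefix_limit(initial_count):
    """Threshold for the BGP maximum-prefix feature: the initial announcement
    plus 20 percent.  Rounding up is this example's assumption (the document
    only states the percentage); the result never exceeds the 2048 ceiling."""
    if initial_count < 1:
        raise ValueError("the initial announcement must contain at least one prefix")
    limit = (initial_count * (100 + HEADROOM_PERCENT) + 99) // 100   # integer ceiling
    return min(limit, MAX_PREFIX_CEILING)


def check_announcement(initial_prefixes, current_prefixes, limit_override=None):
    """Evaluate a later announcement against the session limit.

    initial_prefixes  what the customer announced at activation (sets the limit)
    current_prefixes  what the customer announces now
    limit_override    a higher limit granted through a Change Request, if any

    Returns a dict saying whether the max-prefix protection would trip and
    whether the current announcement still carries unsummarized routes."""
    limit = max_prefix_limit(len(initial_prefixes))
    if limit_override is not None:
        if limit_override > MAX_PREFIX_CEILING:
            raise ValueError(f"a Change Request cannot raise the limit above {MAX_PREFIX_CEILING}")
        limit = max(limit, limit_override)
    received = len(current_prefixes)
    aggregates = summarize(current_prefixes)
    return {
        "limit": limit,
        "received": received,
        "exceeds_limit": received > limit,
        "aggregates": aggregates,
        "needs_summarization": len(aggregates) < received,
    }


if __name__ == "__main__":
    # Constructed sample: the customer activates with four prefixes (limit becomes 5)...
    initial = ["203.0.113.0/24", "198.51.100.0/24", "192.0.2.0/25", "192.0.2.128/25"]
    # ...and later announces one of those /24s deaggregated into sixteen /28s.
    later = [f"198.51.100.{i * 16}/28" for i in range(16)]
    print(check_announcement(initial, later))
    # -> limit 5, received 16, exceeds_limit True, aggregates ['198.51.100.0/24']
```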




IP Addressing
Microsoft network configuration work includes allocation of IP address space for each customer in each
Microsoft data center. Network address translation (NAT) is not supported in any capacity. Table 1 lists the
IP space requirements.

Table 1. IP Space Requirements

Requirement: /24 address space – managed (MGD)
Purpose: Used for the Office 365 managed servers. This address block is required to be routable between
Microsoft and the customer.

Requirement: /24 address space – managed private (MGP)
Purpose: Used for the Office 365 managed servers. Although this address block does not need to be
routable between Microsoft and the customer, it does need to be unique to avoid IP address overlap
conflicts. For ease of deployment it can be contiguous with the MGD /24.

Requirement: /27 address space
Purpose: Used for customer co-location domain controllers and other co-located devices.

Requirement: /24 address space
Purpose: Temporary address space used for Lotus Notes customers for migration engines. The space is
decommissioned after the migrations are complete. This space is only required in the primary data center.

Microsoft allocates space in its data centers in the following manner:
    • Internet-accessible systems. Microsoft provides its own publicly registered address space
      using one /26 address space per data center.
    • Customer network–accessible systems. For the systems that the customer accesses over its
      private network connection, these options are available (listed in order of preference):
        o Customer provides publicly registered IP address space to Microsoft.
        o Customer provides RFC-1918 address space to Microsoft, avoiding 10.7/16 and 10.20/16.
        o Microsoft provides private RFC-1918 address space.
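A validator for a customer's address-space request, added here as an example and not part of the Microsoft document: it encodes the Table 1 prefix lengths, the uniqueness requirement that follows from NAT not being supported, the two reserved RFC 1918 blocks, the primary-only migration block and the MGP/MGD contiguity suggestion. The plan layout (sites and the role names MGD, MGP, COLO, MIGRATION) and the sample ranges are this example's assumptions.

```python
import ipaddress

# From the document: customer-supplied RFC 1918 space must avoid these two blocks.
RESERVED = [ipaddress.ip_network("10.7.0.0/16"), ipaddress.ip_network("10.20.0.0/16")]
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Prefix length each Table 1 block must have.  MIGRATION is optional and only
# belongs in the primary data center; the other three are required per site.
REQUIRED_PREFIXLEN = {"MGD": 24, "MGP": 24, "COLO": 27, "MIGRATION": 24}
MANDATORY = ("MGD", "MGP", "COLO")


def is_rfc1918(net):
    return any(net.subnet_of(r) for r in RFC1918)


def validate_plan(plan):
    """plan maps a site ("primary" / "secondary") to {role: cidr}.
    Returns {"errors": [...], "notes": [...]}; an empty error list means the
    request satisfies the rules encoded above."""
    errors, notes = [], []
    seen = []  # (site, role, network) accepted so far, for the uniqueness check
    for site, blocks in plan.items():
        nets = {}
        for role, cidr in blocks.items():
            want = REQUIRED_PREFIXLEN.get(role)
            if want is None:
                errors.append(f"{site}/{role}: unknown block role")
                continue
            try:
                net = ipaddress.ip_network(cidr, strict=True)
            except ValueError as exc:
                errors.append(f"{site}/{role}: {cidr} is not a valid network ({exc})")
                continue
            if net.version != 4:
                errors.append(f"{site}/{role}: {cidr} must be IPv4")
                continue
            if net.prefixlen != want:
                errors.append(f"{site}/{role}: {cidr} must be a /{want}")
            if is_rfc1918(net):
                for r in RESERVED:
                    if net.overlaps(r):
                        errors.append(f"{site}/{role}: {cidr} lies inside reserved {r}")
            elif net.is_multicast or net.is_loopback or net.is_link_local:
                errors.append(f"{site}/{role}: {cidr} is not usable address space")
            # NAT is not supported, so every block must be unique across both sites.
            for s2, r2, n2 in seen:
                if net.overlaps(n2):
                    errors.append(f"{site}/{role}: {cidr} overlaps {s2}/{r2} {n2}")
            seen.append((site, role, net))
            nets[role] = net
        for role in MANDATORY:
            if role not in blocks:
                errors.append(f"{site}: missing required {role} block")
        if "MIGRATION" in blocks and site != "primary":
            errors.append(f"{site}: the migration /24 is only required in the primary data center")
        mgd, mgp = nets.get("MGD"), nets.get("MGP")
        if mgd is not None and mgp is not None and \
                int(mgp.network_address) == int(mgd.broadcast_address) + 1:
            notes.append(f"{site}: MGP is contiguous with MGD (eases deployment)")
        if any(is_rfc1918(n) for n in nets.values()):
            notes.append(f"{site}: RFC 1918 space requested; public space is the preferred option")
    return {"errors": errors, "notes": notes}


if __name__ == "__main__":
    # Constructed sample request; documentation ranges stand in for public space.
    plan = {
        "primary": {"MGD": "198.51.100.0/24", "MGP": "198.51.101.0/24",
                    "COLO": "203.0.113.0/27", "MIGRATION": "192.0.2.0/24"},
        "secondary": {"MGD": "198.51.102.0/24", "MGP": "198.51.103.0/24",
                      "COLO": "203.0.113.32/27"},
    }
    result = validate_plan(plan)
    for line in result["errors"] + result["notes"]:
        print(line)
```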




Network Security
Because the Microsoft Office 365 network is designed to manage multiple customer environments from a
single management space, network infrastructure controls are specifically implemented to help ensure the
confidentiality and integrity of customer data through strict compartmentalization. Under no
circumstances is access from one customer environment to another permitted. The Microsoft network also
enables reliable data availability through equipment redundancy, resiliency, and industry-standard high-
availability design practices.

Internet Security
Microsoft Internet connections are used to transport email on the customer’s behalf, and for access from
mobile and Internet-connected employees. Working with each customer, Microsoft applies a rich set of
security controls and optimizes routing to ensure the desired level of performance. In particular, three
levels of security are implemented to prevent unwanted traffic from entering the Office 365 network or
the customer’s dedicated virtual local area network (VLAN).
    1.   As traffic heads toward the VLAN, two sets of network filters allow only authorized networks on
         given ports and protocols to reach the servers for a given Office 365 application.
    2.   At the router, security by abstraction obscures the routes and allows only authorized traffic to
         pass through. Because virtualization is used on the router level, only the needed routes are
         present in the customer’s routing table.
    3.   All unrecognized traffic is routed to the firewall, where specific rules govern the type of traffic that
         is allowed to pass through on a stateful basis. Any traffic that does not meet the firewall’s rule list
         is simply dropped.
In addition to this three-tiered security, there’s a final checkpoint in data centers: only servers that are
managed by Microsoft and configured for Internet access can receive Internet traffic; reverse access from
the Internet to the Customer Network is blocked entirely.

Separation (Compartmentalization)
One key strategy that Microsoft uses to maintain the confidentiality and integrity of Office 365 customer
data is compartmentalization. Multiple techniques are used to control information flows between the
Management Network, the Managed Network, and the Customer Network, including the following:
    • Physical separation. Network segments are physically separated by routers that are configured
      to prevent communications between the Managed Network and the Management Network, and
      between the Management Network and the Customer Network.
    • Logical separation. Virtual LAN (VLAN) technology is used to further separate communications
      between Customer Network and Managed Network segments.
    • Firewalls. Firewalls and other network security enforcement points are used to limit data
      exchanges with systems that are exposed to the Internet, and to isolate systems from back-end
      systems managed by Microsoft.
    • One-way trusts. Active Directory one-way trusts are used to prevent systems or users in the
      Managed Network from authenticating to resources on the Management Network. A similar trust
      prevents these entities from authenticating to the Customer Network.
    • Protocol restrictions. Only Terminal Services can be used to access systems on a Managed
      Network from the Management Network.




Figure 3 illustrates these information flows and associated restrictions.

[Figure 3: Network Security Policy Communication Flows. The diagram shows the Internet, the Customer
Network, the Management Network, the Gateway Network (Customer), the Gateway Network (Internet) and the
Managed Network, with each link between them marked as one of: Optional; Never allowed; Controlled by
policy; Allowed – No network policy (customer policy only).]

Figure 3. Network communication flows




Figure 4 illustrates the separation of the Microsoft Office 365 network from other networks and enforcement
points.

Figure 4. Separation of the Microsoft Office 365 network


Redundancy
Microsoft Office 365 cloud-based services are designed to be highly available through the use of redundancy
throughout all layers of the network. Two devices are used for routing and switching, and all connections
are on a redundant basis. Firewall and load-balancer deployments use duplicate systems with automatic
failover. Each customer environment in the Managed Network has two separate network connections and
two individual power feeds to ensure availability. Each data center network stamp has redundant, high-
capacity (n x 10GE) links into the Microsoft backbone. These links provide protected connectivity to the
Internet edge and to other Microsoft locations.
Server racks are built with multiple top-of-rack (TOR) switches to provide redundancy. Servers utilize
network interface card (NIC)-teaming to ensure rapid failover.




Figure 5 provides an overview of the redundancy of the Office 365 network infrastructure.

[Figure 5: the data center network stack, with every tier deployed in pairs. From the Internet edge down:
Edge Routers at the Anchor Site; Core Router A and Core Router B; Data Center Router A and Data Center
Router B; Access (Layer 3) Router A and Router B; Layer 2 Aggregation Switch A and Switch B; Load Balancer A
and Load Balancer B; Firewall A and Firewall B; TOR Switches and Servers (Top of Rack/Servers). Labels on the
right side of the diagram show the backbone links to Anchor Sites, other Data Centers and the Internet.]

Figure 5. Microsoft Office 365 network redundancy




 
Addressing Security Issues and Challenges in Mobile Cloud Computing
Addressing Security Issues and Challenges in Mobile Cloud ComputingAddressing Security Issues and Challenges in Mobile Cloud Computing
Addressing Security Issues and Challenges in Mobile Cloud Computing
 
IRJET- Simultaneous ammunition for the multi-cloud computing simulation
IRJET- Simultaneous ammunition for the multi-cloud computing simulation IRJET- Simultaneous ammunition for the multi-cloud computing simulation
IRJET- Simultaneous ammunition for the multi-cloud computing simulation
 
Windows mobile architecture_overview
Windows mobile architecture_overviewWindows mobile architecture_overview
Windows mobile architecture_overview
 
Case4 lego embracing change by combining bi with flexible information system 2
Case4  lego embracing change by combining bi with flexible  information system 2Case4  lego embracing change by combining bi with flexible  information system 2
Case4 lego embracing change by combining bi with flexible information system 2
 
Lync 2010 Global Installation LATAM configuration
Lync 2010 Global Installation LATAM configurationLync 2010 Global Installation LATAM configuration
Lync 2010 Global Installation LATAM configuration
 
SAFETY: A Framework for Secure IaaS Clouds
SAFETY: A Framework for Secure IaaS CloudsSAFETY: A Framework for Secure IaaS Clouds
SAFETY: A Framework for Secure IaaS Clouds
 
Attribute Based Secure Information Recovery Retrieval System for Decentralize...
Attribute Based Secure Information Recovery Retrieval System for Decentralize...Attribute Based Secure Information Recovery Retrieval System for Decentralize...
Attribute Based Secure Information Recovery Retrieval System for Decentralize...
 
PM ISE Information Interoperability Presentation -agile sourcing brief
PM ISE Information Interoperability Presentation -agile sourcing briefPM ISE Information Interoperability Presentation -agile sourcing brief
PM ISE Information Interoperability Presentation -agile sourcing brief
 
CLOUD COMPUTING SECURITY IN BUSINESS INFORMATION SYSTEMS
CLOUD COMPUTING SECURITY IN BUSINESS INFORMATION SYSTEMSCLOUD COMPUTING SECURITY IN BUSINESS INFORMATION SYSTEMS
CLOUD COMPUTING SECURITY IN BUSINESS INFORMATION SYSTEMS
 
IT6801-Service Oriented Architecture
IT6801-Service Oriented ArchitectureIT6801-Service Oriented Architecture
IT6801-Service Oriented Architecture
 
Microsoft Forefront - Identity and Access Management Whitepaper
Microsoft Forefront - Identity and Access Management WhitepaperMicrosoft Forefront - Identity and Access Management Whitepaper
Microsoft Forefront - Identity and Access Management Whitepaper
 
Citrix MDX Technologies Feature Brief
Citrix MDX Technologies Feature BriefCitrix MDX Technologies Feature Brief
Citrix MDX Technologies Feature Brief
 
See How Virtualization is a key Technology to help Datacenters Move: Whitepaper
See How Virtualization is a key Technology to help Datacenters Move: WhitepaperSee How Virtualization is a key Technology to help Datacenters Move: Whitepaper
See How Virtualization is a key Technology to help Datacenters Move: Whitepaper
 
Cluster arch
Cluster archCluster arch
Cluster arch
 
Refactoring to Microservice Architecture
Refactoring to Microservice ArchitectureRefactoring to Microservice Architecture
Refactoring to Microservice Architecture
 

Similar a Network service description office 365 dedicated plans april 2012

IRJET- A Detailed Study and Analysis of Cloud Computing Usage with Real-Time ...
IRJET- A Detailed Study and Analysis of Cloud Computing Usage with Real-Time ...IRJET- A Detailed Study and Analysis of Cloud Computing Usage with Real-Time ...
IRJET- A Detailed Study and Analysis of Cloud Computing Usage with Real-Time ...IRJET Journal
 
Computing And Information Technology Programmes Essay
Computing And Information Technology Programmes EssayComputing And Information Technology Programmes Essay
Computing And Information Technology Programmes EssayLucy Nader
 
Cloud computing
Cloud computingCloud computing
Cloud computingshethzaid
 
Sql Server 2014 Platform for Hybrid Cloud Technical Decision Maker White Paper
Sql Server 2014 Platform for Hybrid Cloud Technical Decision Maker White PaperSql Server 2014 Platform for Hybrid Cloud Technical Decision Maker White Paper
Sql Server 2014 Platform for Hybrid Cloud Technical Decision Maker White PaperDavid J Rosenthal
 
CLOUD COMPUTING: SECURITY ISSUES AND CHALLENGES
CLOUD COMPUTING: SECURITY ISSUES AND CHALLENGESCLOUD COMPUTING: SECURITY ISSUES AND CHALLENGES
CLOUD COMPUTING: SECURITY ISSUES AND CHALLENGESP singh
 
Cisco Hybrid Cloud Solution for IT Capacity Augmentation
Cisco Hybrid Cloud Solution for IT Capacity AugmentationCisco Hybrid Cloud Solution for IT Capacity Augmentation
Cisco Hybrid Cloud Solution for IT Capacity AugmentationPaulo Renato
 
Secure Data Center for Enterprise
Secure Data Center for EnterpriseSecure Data Center for Enterprise
Secure Data Center for EnterpriseCisco Russia
 
An Overview on Security Issues in Cloud Computing
An Overview on Security Issues in Cloud ComputingAn Overview on Security Issues in Cloud Computing
An Overview on Security Issues in Cloud ComputingIOSR Journals
 
Using power bi in hybrid it
Using power bi in hybrid itUsing power bi in hybrid it
Using power bi in hybrid ithman10010
 
IRJET- An Overview on Cloud Computing and Challenges
IRJET-  	  An Overview on Cloud Computing and ChallengesIRJET-  	  An Overview on Cloud Computing and Challenges
IRJET- An Overview on Cloud Computing and ChallengesIRJET Journal
 
Cisco Secure Enclaves Architecture
Cisco Secure Enclaves ArchitectureCisco Secure Enclaves Architecture
Cisco Secure Enclaves ArchitectureCisco Russia
 
VMworld 2013: Get on with Business - VMware Reference Architectures Help Stre...
VMworld 2013: Get on with Business - VMware Reference Architectures Help Stre...VMworld 2013: Get on with Business - VMware Reference Architectures Help Stre...
VMworld 2013: Get on with Business - VMware Reference Architectures Help Stre...VMworld
 
IRJET- Single to Multi Cloud Data Security in Cloud Computing
IRJET-  	  Single to Multi Cloud Data Security in Cloud ComputingIRJET-  	  Single to Multi Cloud Data Security in Cloud Computing
IRJET- Single to Multi Cloud Data Security in Cloud ComputingIRJET Journal
 
Improving the Latency Value by Virtualizing Distributed Data Center and Auto...
Improving the Latency Value by Virtualizing Distributed Data  Center and Auto...Improving the Latency Value by Virtualizing Distributed Data  Center and Auto...
Improving the Latency Value by Virtualizing Distributed Data Center and Auto...IOSR Journals
 
IT-35 Cloud Computing Unit 1.pptx
IT-35 Cloud Computing Unit 1.pptxIT-35 Cloud Computing Unit 1.pptx
IT-35 Cloud Computing Unit 1.pptxadad129366
 
Comprehensive Study on Deployment Models and Service Models in Cloud Computing.
Comprehensive Study on Deployment Models and Service Models in Cloud Computing.Comprehensive Study on Deployment Models and Service Models in Cloud Computing.
Comprehensive Study on Deployment Models and Service Models in Cloud Computing.IRJET Journal
 

Similar a Network service description office 365 dedicated plans april 2012 (20)

Clustering overview2
Clustering overview2Clustering overview2
Clustering overview2
 
IRJET- A Detailed Study and Analysis of Cloud Computing Usage with Real-Time ...
IRJET- A Detailed Study and Analysis of Cloud Computing Usage with Real-Time ...IRJET- A Detailed Study and Analysis of Cloud Computing Usage with Real-Time ...
IRJET- A Detailed Study and Analysis of Cloud Computing Usage with Real-Time ...
 
Cloud Computing Improving Organizational Agility
Cloud Computing Improving Organizational AgilityCloud Computing Improving Organizational Agility
Cloud Computing Improving Organizational Agility
 
Computing And Information Technology Programmes Essay
Computing And Information Technology Programmes EssayComputing And Information Technology Programmes Essay
Computing And Information Technology Programmes Essay
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
Sql Server 2014 Platform for Hybrid Cloud Technical Decision Maker White Paper
Sql Server 2014 Platform for Hybrid Cloud Technical Decision Maker White PaperSql Server 2014 Platform for Hybrid Cloud Technical Decision Maker White Paper
Sql Server 2014 Platform for Hybrid Cloud Technical Decision Maker White Paper
 
Cisco
CiscoCisco
Cisco
 
CLOUD COMPUTING: SECURITY ISSUES AND CHALLENGES
CLOUD COMPUTING: SECURITY ISSUES AND CHALLENGESCLOUD COMPUTING: SECURITY ISSUES AND CHALLENGES
CLOUD COMPUTING: SECURITY ISSUES AND CHALLENGES
 
CapAug
CapAugCapAug
CapAug
 
Cisco Hybrid Cloud Solution for IT Capacity Augmentation
Cisco Hybrid Cloud Solution for IT Capacity AugmentationCisco Hybrid Cloud Solution for IT Capacity Augmentation
Cisco Hybrid Cloud Solution for IT Capacity Augmentation
 
Secure Data Center for Enterprise
Secure Data Center for EnterpriseSecure Data Center for Enterprise
Secure Data Center for Enterprise
 
An Overview on Security Issues in Cloud Computing
An Overview on Security Issues in Cloud ComputingAn Overview on Security Issues in Cloud Computing
An Overview on Security Issues in Cloud Computing
 
Using power bi in hybrid it
Using power bi in hybrid itUsing power bi in hybrid it
Using power bi in hybrid it
 
IRJET- An Overview on Cloud Computing and Challenges
IRJET-  	  An Overview on Cloud Computing and ChallengesIRJET-  	  An Overview on Cloud Computing and Challenges
IRJET- An Overview on Cloud Computing and Challenges
 
Cisco Secure Enclaves Architecture
Cisco Secure Enclaves ArchitectureCisco Secure Enclaves Architecture
Cisco Secure Enclaves Architecture
 
VMworld 2013: Get on with Business - VMware Reference Architectures Help Stre...
VMworld 2013: Get on with Business - VMware Reference Architectures Help Stre...VMworld 2013: Get on with Business - VMware Reference Architectures Help Stre...
VMworld 2013: Get on with Business - VMware Reference Architectures Help Stre...
 
IRJET- Single to Multi Cloud Data Security in Cloud Computing
IRJET-  	  Single to Multi Cloud Data Security in Cloud ComputingIRJET-  	  Single to Multi Cloud Data Security in Cloud Computing
IRJET- Single to Multi Cloud Data Security in Cloud Computing
 
Improving the Latency Value by Virtualizing Distributed Data Center and Auto...
Improving the Latency Value by Virtualizing Distributed Data  Center and Auto...Improving the Latency Value by Virtualizing Distributed Data  Center and Auto...
Improving the Latency Value by Virtualizing Distributed Data Center and Auto...
 
IT-35 Cloud Computing Unit 1.pptx
IT-35 Cloud Computing Unit 1.pptxIT-35 Cloud Computing Unit 1.pptx
IT-35 Cloud Computing Unit 1.pptx
 
Comprehensive Study on Deployment Models and Service Models in Cloud Computing.
Comprehensive Study on Deployment Models and Service Models in Cloud Computing.Comprehensive Study on Deployment Models and Service Models in Cloud Computing.
Comprehensive Study on Deployment Models and Service Models in Cloud Computing.
 

Network service description office 365 dedicated plans april 2012

Contents

Introduction ........ 4
Network Architecture ........ 5
Customer Connectivity to Data Centers ........ 7
    Customer-Owned Private Connection ........ 7
    Internet IPsec VPN ........ 7
    Connectivity Design Principles ........ 8
    IP Addressing ........ 10
Network Security ........ 11
    Internet Security ........ 11
    Separation (Compartmentalization) ........ 11
    Redundancy ........ 13
Introduction

This document describes the Microsoft networking infrastructure components and features that support delivery of Microsoft Office 365 for enterprises services provided under dedicated subscription plans (“dedicated plans”). The information applies to the following services:

• Microsoft Exchange Online
• Microsoft SharePoint® Online
• Microsoft Lync™ Online

The document is intended for network engineers and system integrators who work with Microsoft Office 365 customers. The components and features that are described include:

• Network architecture for Office 365 dedicated plans
• Customer connectivity to Microsoft data centers
• Connectivity design principles
• Network security

* Services provided under Office 365 for enterprises dedicated plans are delivered from a Microsoft hosting environment where each customer has their own dedicated data center hardware.
Network Architecture

The network architecture for Microsoft Office 365 is divided into three distinct security zones: the Customer Network, the Managed Network, and the Management Network. Each security zone is implemented as a virtual network.

Customer Network

The Customer Network describes the customer on-premise enterprise network environment. The Customer Network contains the router and the customer firewall for organizations that want to have these components installed between their IT environment and the Microsoft data center.

Managed Network

There is a Managed Network for each customer. It is a separate, dedicated security zone that contains the hosted systems that provide Office 365 services and store customer email and data. This network also contains an Active Directory forest that includes a replication of the customer’s Active Directory user, contact, and distribution group objects.

The Managed Network includes two gateway networks (GNs): one associated with the Internet (GN/I) and the other with the Customer Network (GN/C).

• GN/I: The GN/I is a load-balancing-only hardware component. Only the devices that are deployed on this segment will be virtual IP (VIP) addresses hosted on a hardware load balancer’s network interface. These devices are usually deployed in conjunction with servers on the Managed Network, and are protected using firewalls for external (Internet) traffic.
• GN/C: The GN/C is utilized to implement customer enterprise-facing hardware load-balancing solutions that replicate the functionality implemented in the GN/I.

Management Network

The Management Network contains the infrastructure that is shared across multiple customers, such as the Microsoft backup and monitoring systems. It also includes an Active Directory forest that contains the user accounts that are needed for operating the services and servers for the Management Network and Managed Network security zones.
Figure 1 shows the Microsoft network architecture and security zone components for Office 365 dedicated plans.

[Figure 1. Microsoft Office 365 network architecture]

Virtualization is used throughout the network architecture to maintain separation and abstraction on a per-customer basis. This is accomplished using virtual LANs (VLANs) at Layer 2 (Switching), Virtual Routing and Forwarding (VRF) at Layer 3 (Routing), and Layer 3 VPNs at the transport layer. The transport layer relies on the extensive use of multiprotocol label switching (MPLS) within the Microsoft backbone network.

Customer Responsibilities

• Maintain the customer internal IT infrastructure and network, and provide connectivity to the Microsoft data centers.
• Maintain the Customer Forest, which hosts the primary user accounts that are used for authentication and hosts contacts and distribution groups.
• Co-locate the domain controllers that are located within the Customer Network in the Microsoft data centers. This requirement is discussed in more detail in the “Microsoft Office 365 Identity and Provisioning (Dedicated Plans) Service Description” document.
Customer Connectivity to Data Centers

Microsoft supports two options for connectivity between a Customer Network and each Microsoft data center: customer-owned private connections and Internet IPsec virtual private network (VPN). At a minimum, connections are required to both the primary and secondary Microsoft data centers that host the customer’s servers.

Customer-Owned Private Connection

Customers can connect to Microsoft data centers with connections that they own and operate, or via their designated provider. This is the primary connectivity option and gives the customer the ability to host equipment within Microsoft data centers. Microsoft provides only the rack, space, cooling, and access to the equipment. The customer is responsible for ownership and management of the equipment.

Microsoft Responsibility

• Enable the customer to host network equipment inside Microsoft-owned data centers. Microsoft provides power, space, and cooling for the hosted equipment and access to the equipment. Hosting of customer network equipment is limited to a standard network deployment pod. This pod consists of a pair of industry standard 2-rack unit routers, Layer 2 switches, and firewalls for a total allowance of 12 rack units per data center. Hosting of customer-owned network equipment variants that do not fit within this pod design is considered an exception. Microsoft-approved exceptions will incur additional service fees.
• Work with the customer and the customer’s carrier personnel to terminate circuits and enable connectivity to Microsoft.
• Provide ongoing support for the customer or carrier personnel to access equipment that is located at a Microsoft data center.

Customer Responsibility

• Own and manage all aspects of connectivity including equipment and circuits. This includes ensuring Microsoft is provided clear, consistent, and updated documentation of deployed hosted network equipment and connectivity.
• Ensure that customer-provisioned transport is symmetric to the primary and secondary data center. This symmetry implies mirroring of capacity and capability in both data centers.
• Provide Microsoft with the port and access speed as well as any type of rate limits, such as the committed information rate.
• Provide Microsoft with periodic (monthly) updates on capacity and utilization of network connectivity so that Microsoft can ensure adequate capacity is available to provide a consistent end-user experience.

Internet IPsec VPN

Internet IPsec VPN is an Internet-based, encrypted VPN that uses the same Internet service provider (ISP) on both sides of the VPN to optimize performance and reliability. The Internet IPsec VPN should only be used during the deployment process, to mitigate the long lead time of MPLS connections, and as a redundancy solution paired with the customer-owned connection. While this is a viable transport technology, experience has shown that interoperability and operational issues reduce its use to a support role rather than the primary means of connectivity. Microsoft places a limit of six VPNs per customer at each data center location. If more than six VPNs are required, Microsoft enables the customer to host its own equipment inside Microsoft data centers.
We recommend that customers request and review the document "Using an Internet-based Virtual Private Network (VPN) for Microsoft Online Services" for engineering details about the Internet IPsec VPN option. The document can be obtained from the customer’s technical account manager.

Microsoft Responsibility

• Provide the terminating router and ISP connectivity.

Customer Responsibilities

• Confirm that the ISP connects to Microsoft.
• Ensure that the customer-provisioned transport is symmetric to the primary and secondary data center. This symmetry implies mirroring of capacity and capability in both data centers.
• Provide Microsoft with the port and access speed as well as any type of rate limits, such as the committed information rate.
• Provide Microsoft with periodic (monthly) updates on capacity and utilization of network connectivity so that Microsoft can ensure adequate capacity is available to provide a consistent end-user experience.
• Provide the router at the customer sites.

Connectivity Design Principles

Office 365 dedicated plans customers are required to support the following design factors when planning network connectivity to Microsoft data centers.

Bandwidth. It is critical that the customer perform initial planning and ongoing capacity analysis to ensure that adequate bandwidth is available to reach Office 365 services at all times. These processes require accurately predicting bandwidth demand and ensuring that proper measuring tools are in place to monitor usage. We recommend that the customer provision a separate link for Internet access if the Internet IPsec VPN option is used as a primary connection link.

Latency. Latency is a critical network factor that directly affects perceived and actual performance for a given Office 365 application. Each hosted application provides general guidance for acceptable round-trip time (RTT) between the customer and Microsoft data centers. When provisioning VPNs, tests must be conducted ahead of time to ensure that RTT is within acceptable tolerances.

Reliability. Microsoft requires that all connectivity is provisioned in a redundant manner. For a Customer-Owned Private Connection this is expected to be accomplished by providing connections relative to the service provisioning points. When selecting Internet-based VPNs, Microsoft does not offer a service-level agreement (SLA) for availability on networks that it does not directly own or operate. A multiple-VPN configuration is required to provide increased reliability and redundancy.

Microsoft connectivity. To enable Internet IPsec VPN connections to as many ISPs as possible, Microsoft has a policy of open peering with any carrier that wishes to connect with it. This policy has enabled peering relationships with thousands of ISPs, and has positioned Microsoft in the top five of the best-connected networks in the world. Microsoft actively manages capacity for its owned connections and equipment to ensure that there are no capacity-related outages. Links that are starting to saturate are proactively upgraded as needed.

BGP peering. The Border Gateway Protocol (BGP) is used for route exchange over all peering sessions used for connectivity via customer-owned circuits. As part of the networking activation process, information is required about the number of prefixes that the customer plans to advertise. Microsoft requires route summarization or aggregation to limit the number of prefixes received. We also deploy the BGP maximum-prefix feature to ensure that a sudden spike in advertisements does not adversely impact equipment and peering. The maximum number of prefixes allowed for the peering session is set to 20 percent higher than what the customer announces initially. The customer can request additional route announcements from Microsoft, to a maximum of 2048, by submitting a Change Request. In addition to providing prefix information, the customer is required to summarize all routing announcements to ensure optimal routing table size.
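The BGP peering rules above can be checked before activation: the maximum-prefix value is the initial announcement plus 20 percent (capped at the 2048 ceiling), and the announced prefixes must already be summarized. The following is an added example, not Microsoft's code or tooling; rounding the 20 percent up to a whole prefix, and using the standard library's collapse of adjacent and contained prefixes as the summarization check, are assumptions.

```python
"""Pre-activation checks for a customer-owned BGP peering session (added
example). Constants come from the service description: 20 percent headroom
over the initial announcement and a ceiling of 2048 prefixes."""
from ipaddress import collapse_addresses, ip_network

MAX_PREFIX_CEILING = 2048   # highest value a Change Request can raise the limit to
HEADROOM_PERCENT = 20       # session limit sits 20 percent above the initial announcement


def max_prefix_limit(initial_count: int) -> int:
    """Maximum-prefix value for the session: initial announcement plus 20
    percent, rounded up to a whole prefix (assumption), never above 2048.
    Integer arithmetic avoids float rounding surprises."""
    if initial_count <= 0:
        raise ValueError("a peering session must announce at least one prefix")
    limit = (initial_count * (100 + HEADROOM_PERCENT) + 99) // 100
    return min(limit, MAX_PREFIX_CEILING)


def session_within_limit(initial_count: int, received_count: int) -> bool:
    """True while the prefixes currently received stay under the limit, i.e.
    a spike in advertisements would not trip the maximum-prefix feature."""
    return received_count <= max_prefix_limit(initial_count)


def summarize(prefixes):
    """Smallest equivalent announcement: adjacent sibling prefixes are merged
    and prefixes already covered by a larger one are dropped."""
    nets = [ip_network(p, strict=True) for p in prefixes]
    return [str(n) for n in collapse_addresses(nets)]


def is_summarized(prefixes) -> bool:
    """True when the announcement cannot be aggregated any further."""
    unique = {ip_network(p, strict=True) for p in prefixes}
    return len(summarize(prefixes)) == len(unique)


def activation_report(prefixes):
    """What the network activation process needs from one announcement:
    the count, the maximum-prefix value to configure, whether the customer
    has summarized, and the aggregated form to ask for if not."""
    announced = len({ip_network(p, strict=True) for p in prefixes})
    return {
        "announced": announced,
        "max_prefix": max_prefix_limit(announced),
        "summarized": is_summarized(prefixes),
        "suggested": summarize(prefixes),
    }


if __name__ == "__main__":
    # Constructed sample announcement: two /24s that form a /23, and a /24
    # already covered by a /16, so it is not summarized.
    sample = ["10.1.0.0/24", "10.1.1.0/24", "10.2.0.0/16", "10.2.5.0/24"]
    print(activation_report(sample))
```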
IP Addressing

Microsoft network configuration work includes allocation of IP address space for each customer in each Microsoft data center. Network address translation (NAT) is not supported in any capacity. Table 1 lists the IP space requirements.

Table 1. IP Space Requirements

Requirement | Purpose
/24 address space, managed (MGD) | Used for the Office 365 managed servers. This address block is required to be routable between Microsoft and the customer.
/24 address space, managed private (MGP) | Used for the Office 365 managed servers. Although this address block does not need to be routable between Microsoft and the customer, it does need to be unique to avoid IP address overlap conflicts. For ease of deployment it can be contiguous with the MGD /24.
/27 address space | Used for customer co-location domain controllers and other co-located devices.
/24 address space | Temporary address space used for Lotus Notes customers for migration engines. The space is decommissioned after the migrations are complete. This space is only required in the primary data center.

Microsoft allocates space in its data centers in the following manner:

• Internet-accessible systems. Microsoft provides its own publicly registered address space using one /26 address space per data center.
• Customer network-accessible systems. For the systems that the customer accesses over its private network connection, these options are available (listed in order of preference):
    o Customer provides publicly registered IP address space to Microsoft.
    o Customer provides RFC 1918 address space to Microsoft, avoiding 10.7/16 and 10.20/16.
    o Microsoft provides private RFC 1918 address space.
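A customer's proposed address plan for one data center can be checked against Table 1 before it is submitted. The following validator is an added example, not Microsoft's code; the block names (mgd, mgp, colo, migration) and the sample plans are constructed, and MGD/MGP contiguity is reported only as a warning because the text describes it as a convenience rather than a requirement.

```python
"""Validate a per-data-center address plan against Table 1 (added example).
Rules taken from the text: MGD and MGP are /24s, co-location is a /27, the
migration block is an optional /24 needed only in the primary data center;
all blocks must be unique (NAT is not supported, so overlaps cannot be hidden);
RFC 1918 space handed to Microsoft must avoid 10.7/16 and 10.20/16."""
from ipaddress import ip_network

REQUIRED = {"mgd": 24, "mgp": 24, "colo": 27}   # block name -> required prefix length
OPTIONAL = {"migration": 24}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AVOID = [ip_network(n) for n in ("10.7.0.0/16", "10.20.0.0/16")]


def is_rfc1918(net) -> bool:
    return any(net.subnet_of(block) for block in RFC1918)


def validate_plan(plan, primary=True):
    """plan maps block names to CIDR strings. Returns (errors, warnings);
    an empty error list means the plan satisfies Table 1 as modelled here."""
    errors, warnings = [], []
    nets = {}
    for name, cidr in plan.items():
        try:
            nets[name] = ip_network(cidr, strict=True)  # host bits must be zero
        except ValueError as exc:
            errors.append(f"{name}: {cidr} is not a usable network ({exc})")

    # Prefix-length requirements from Table 1
    for name, length in REQUIRED.items():
        if name not in plan:
            errors.append(f"{name}: required /{length} block is missing")
        elif name in nets and nets[name].prefixlen != length:
            errors.append(f"{name}: must be a /{length}, got /{nets[name].prefixlen}")
    for name, length in OPTIONAL.items():
        if name in nets and nets[name].prefixlen != length:
            errors.append(f"{name}: must be a /{length}, got /{nets[name].prefixlen}")
        if name in nets and not primary:
            warnings.append(f"{name}: only required in the primary data center")
    for name in plan:
        if name not in REQUIRED and name not in OPTIONAL:
            warnings.append(f"{name}: not a block that Table 1 asks for")

    # Address-family and reserved-range checks
    for name, net in nets.items():
        if net.version != 4:
            errors.append(f"{name}: Table 1 describes IPv4 blocks only")
            continue
        if is_rfc1918(net):
            for blocked in AVOID:
                if net.overlaps(blocked):
                    errors.append(f"{name}: {net} overlaps {blocked}, which must be avoided")
        elif not net.is_global:
            errors.append(f"{name}: {net} is neither public nor RFC 1918 space")

    # Uniqueness: no two blocks may overlap
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                errors.append(f"{a} and {b} overlap ({nets[a]} / {nets[b]})")

    # Convenience only: MGP contiguous with MGD eases deployment
    if "mgd" in nets and "mgp" in nets and nets["mgd"].version == nets["mgp"].version == 4:
        mgd, mgp = nets["mgd"], nets["mgp"]
        adjacent = (mgp.network_address == mgd.broadcast_address + 1
                    or mgd.network_address == mgp.broadcast_address + 1)
        if not adjacent:
            warnings.append("mgp is not contiguous with mgd (allowed, but simpler if it were)")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample plans: one that passes and one with three defects.
    print(validate_plan({"mgd": "10.50.1.0/24", "mgp": "10.50.2.0/24", "colo": "10.50.3.0/27"}))
    print(validate_plan({"mgd": "10.50.0.0/23", "mgp": "10.7.4.0/24", "colo": "10.50.1.32/27"}))
```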
  • 11. Network Security Because the Microsoft Office 365network is designed to manage multiple customer environments from a single management space, network infrastructure controls are specifically implemented to help ensure the confidentiality and integrity of customer data through strict compartmentalization. Under no circumstances is access from one customer environment to another permitted. The Microsoft network also enables reliable data availability through equipment redundancy, resiliency, and industry-standard high- availability design practices. Internet Security Microsoft Internet connections are used to transport email on the customer’s behalf, and for access from mobile and Internet-connected employees. Working with each customer, Microsoft applies a rich set of security controls and optimizes routing to ensure the desired level of performance. In particular, three levels of security are implemented to prevent unwanted traffic from entering the Office 365 network or the customer’s dedicated virtual local area network (VLAN). 1. As traffic heads toward the VLAN, two setsof network filters allow only authorized networks on given ports and protocols to reach the servers for a given Office 365 application. 2. At the router, security by abstraction obscures the routes and allows only authorized traffic to pass through. Because virtualization is used on the router level, only the needed routes are present in the customer’s routing table. 3. All unrecognized traffic is routed to the firewall, where specific rules govern the type of traffic that is allowed to pass through on a stateful basis. Any traffic that does not meet the firewall’s rule list is simply dropped. In addition to this three-tiered security, there’s a final checkpoint in data centers: only servers that are managed by Microsoft and configured for Internet access can receive Internet traffic; reverse access from the Internet to the Customer Network is blocked entirely. 
Separation (Compartmentalization)

One key strategy that Microsoft uses to maintain the confidentiality and integrity of Office 365 customer data is compartmentalization. Multiple techniques are used to control information flows between the Management Network, the Managed Network, and the Customer Network, including the following:

Physical separation. Network segments are physically separated by routers that are configured to prevent communications between the Managed Network and the Management Network, and between the Management Network and the Customer Network.

Logical separation. Virtual LAN (VLAN) technology is used to further separate communications between Customer Network and Managed Network segments.

Firewalls. Firewalls and other network security enforcement points are used to limit data exchanges with systems that are exposed to the Internet, and to isolate systems from back-end systems managed by Microsoft.

One-way trusts. Active Directory one-way trusts are used to prevent systems or users in the Managed Network from authenticating to resources on the Management Network. A similar trust prevents these entities from authenticating to the Customer Network.

Protocol restrictions. Only Terminal Services can be used to access systems on a Managed Network from the Management Network.
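The three-tier inbound path from the Internet Security section and the segment rules from the Separation section, modelled together as an added Python example (not Microsoft's configuration). The segment pairs follow the text; the sample networks, filter entries, the Internet-facing server list and TCP/3389 as the Terminal Services port are constructed assumptions, and the point is the ordering of the layers and the default deny at each one.

```python
"""Layered policy model for the Internet Security and Separation sections above.
Added example, not Microsoft's configuration: segment pairs follow the text;
sample networks, filter entries, the Internet-facing server list and TCP/3389
(the standard Terminal Services port) are constructed assumptions."""
import ipaddress

# None = never allowed; a set = only these (proto, port) pairs; "tiers" = the
# three-tier path into the customer's dedicated VLAN. Unlisted pairs are dropped.
SEGMENT_POLICY = {
    ("MANAGED", "MANAGEMENT"): None,              # one-way trust, router separation
    ("MANAGEMENT", "CUSTOMER"): None,
    ("CUSTOMER", "MANAGEMENT"): None,
    ("INTERNET", "CUSTOMER"): None,               # blocked entirely
    ("MANAGEMENT", "MANAGED"): {("tcp", 3389)},   # Terminal Services only
    ("INTERNET", "MANAGED"): "tiers",
    ("CUSTOMER", "MANAGED"): "tiers",
}
INTERNET_FACING = {"10.50.1.10"}  # managed servers configured for Internet access
# Tier 1: two filter sets of (source network, proto, port); both must permit.
EDGE_FILTER = [("0.0.0.0/0", "tcp", 443), ("0.0.0.0/0", "tcp", 25), ("172.16.0.0/16", "tcp", 389)]
VLAN_FILTER = [("0.0.0.0/0", "tcp", 443), ("0.0.0.0/0", "tcp", 25)]
# Tier 2: only routes present in the customer's virtualized routing table.
CUSTOMER_ROUTES = ["10.50.1.0/24"]
# Tier 3: stateful firewall allow rules of (destination network, proto, port).
FW_RULES = [("10.50.1.0/24", "tcp", 443), ("10.50.1.10/32", "tcp", 25)]

def _permits(entries, ip, proto, port):
    return any(ip in ipaddress.ip_network(cidr) and (p, pt) == (proto, port)
               for cidr, p, pt in entries)

def evaluate(src_seg, dst_seg, src_ip, dst_ip, proto, port, established=False):
    """Return (decision, layer); the first layer that refuses the flow wins."""
    rule = SEGMENT_POLICY.get((src_seg, dst_seg))
    if rule is None:
        return ("drop", "segment policy: never allowed")
    if isinstance(rule, set):
        return (("allow" if (proto, port) in rule else "drop"),
                "segment policy: protocol restriction")
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if not (_permits(EDGE_FILTER, src, proto, port) and _permits(VLAN_FILTER, src, proto, port)):
        return ("drop", "tier 1: network filter")
    if not any(dst in ipaddress.ip_network(r) for r in CUSTOMER_ROUTES):
        return ("drop", "tier 2: no route in customer routing table")
    # Established flows ride the firewall's state table; new flows need an explicit rule.
    if not (established or _permits(FW_RULES, dst, proto, port)):
        return ("drop", "tier 3: firewall default drop")
    if src_seg == "INTERNET" and dst_ip not in INTERNET_FACING:
        return ("drop", "final checkpoint: server not configured for Internet access")
    return ("allow", "all layers passed")
```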
Figure 3 illustrates these information flows and associated restrictions.

[Figure 3. Network communication flows. The figure is a matrix of the Internet, the Customer Network, the Management Network and the Managed Network (via the Customer and Internet gateways); its legend distinguishes flows that are never allowed, flows controlled by policy, flows allowed with no network policy (customer policy only), and optional flows.]
Figure 4 illustrates the separation of the Microsoft Office 365 network from other networks and the enforcement points.

[Figure 4. Separation of the Microsoft Office 365 network]

Redundancy

Microsoft Office 365 cloud-based services are designed to be highly available through the use of redundancy throughout all layers of the network. Two devices are used for routing and switching, and all connections are on a redundant basis. Firewall and load-balancer deployments use duplicate systems with automatic failover. Each customer environment in the Managed Network has two separate network connections and two individual power feeds to ensure availability. Each data center network stamp has redundant, high-capacity (n x 10GE) links into the Microsoft backbone. These links provide protected connectivity to the Internet edge and to other Microsoft locations. Server racks are built with multiple top-of-rack (TOR) switches to provide redundancy. Servers utilize network interface card (NIC) teaming to ensure rapid failover.
Figure 5 provides an overview of the redundancy of the Office 365 network infrastructure.

[Figure 5. Microsoft Office 365 network redundancy. The diagram shows paired devices at every layer: Internet edge routers at the data center and anchor site, core routers A and B, data center routers A and B, layer 3 access routers A and B, layer 2 aggregation switches A and B, load balancers A and B, firewalls A and B, and top-of-rack switches in front of the servers.]