Contents
Introduction
Network Architecture
Customer Connectivity to Data Centers
    Customer-Owned Private Connection
    Internet IPsec VPN
    Connectivity Design Principles
    IP Addressing
Network Security
    Internet Security
    Separation (Compartmentalization)
    Redundancy
Network for Enterprises Service Description (Dedicated Plans) | April 2012
Introduction
This document describes the Microsoft networking infrastructure components and features that support
delivery of Microsoft Office 365 for enterprises services provided under dedicated subscription plans
("dedicated plans"). The information applies to the following services:
Microsoft Exchange Online
Microsoft SharePoint® Online
Microsoft Lync™ Online
The document is intended for network engineers and system integrators who work with Microsoft Office
365 customers. The components and features that are described include:
Network architecture for Office 365 dedicated plans
Customer connectivity to Microsoft data centers
Connectivity design principles
Network security
* Services provided under Office 365 for enterprises dedicated plans are delivered from a Microsoft hosting environment where
each customer has their own dedicated data center hardware.
Network Architecture
The network architecture for Microsoft Office 365 is divided into three distinct security zones: the
Customer Network, the Managed Network, and the Management Network. Each security zone is
implemented as a virtual network.
Customer Network
The Customer Network describes the customer on-premise enterprise network environment. The
Customer Network contains the router and the customer firewall for organizations that want to have these
components installed between their IT environment and the Microsoft data center.
Managed Network
There is a Managed Network for each customer. It is a separate, dedicated security zone that contains the
hosted systems that provide Office 365 services and store customer email and data. This network also
contains an Active Directory forest that includes a replication of the customer’s Active Directory user,
contact, and distribution group objects.
The Managed Network includes two gateway networks (GNs): one associated with the Internet (GN/I) and
the other with the Customer Network (GN/C).
GN/I: The GN/I is a load-balancing-only hardware component. The only devices deployed on this
segment are virtual IP (VIP) addresses hosted on a hardware load balancer's network interface.
These devices are usually deployed in conjunction with servers on the Managed Network, and are
protected using firewalls for external (Internet) traffic.
GN/C: The GN/C is used to implement customer enterprise-facing hardware load-balancing
solutions that replicate the functionality implemented in the GN/I.
Management Network
The Management Network contains the infrastructure that is shared across multiple customers, such as
the Microsoft backup and monitoring systems. It also includes an Active Directory forest that contains the
user accounts that are needed for operating the services and servers for the Management Network and
Managed Network security zones.
Figure 1 shows the Microsoft network architecture and security zone components for Office 365 dedicated
plans.
Figure 1. Microsoft Office 365 network architecture
Virtualization is used throughout the network architecture to maintain separation and abstraction on a
per-customer basis. This is accomplished using virtual LANs (VLANs) at Layer 2 (Switching), Virtual Routing
and Forwarding (VRF) at Layer 3 (Routing), and Layer 3 VPNs at the transport layer. The transport
layer relies on the extensive use of multiprotocol label switching (MPLS) within the Microsoft backbone
network.
Customer Responsibilities
Maintain the customer internal IT infrastructure and network, and provide connectivity to the
Microsoft data centers.
Maintain the Customer Forest, which hosts the primary user accounts that are used for
authentication and hosts contacts and distribution groups.
Co-locate the domain controllers that are located within the Customer Network in the Microsoft
data centers. This requirement is discussed in more detail in the "Microsoft Office 365 Identity and
Provisioning (Dedicated Plans) Service Description" document.
Customer Connectivity to Data Centers
Microsoft supports two options for connectivity between a Customer Network and each Microsoft data
center: customer-owned private connections and Internet IPsec virtual private network (VPN). At a
minimum, connections are required to both the primary and secondary Microsoft data centers that host
the customer’s servers.
Customer-Owned Private Connection
Customers can connect to Microsoft data centers with connections that they own and operate, or via their
designated provider. This is the primary connectivity option and gives the customer the ability to host
equipment within Microsoft data centers. Microsoft provides only the rack, space, cooling, and access to
the equipment. The customer is responsible for ownership and management of the equipment.
Microsoft Responsibility
Enable the customer to host network equipment inside Microsoft-owned data centers. Microsoft
provides power, space, and cooling for the hosted equipment, and access to the
equipment. Hosting of customer network equipment is limited to a standard network deployment
pod. This pod consists of a pair of industry-standard 2-rack-unit routers, Layer 2 switches, and
firewalls, for a total allowance of 12 rack units per data center. Customer-owned
network equipment variants that do not fit within this pod design are considered an exception.
Microsoft-approved exceptions will incur additional service fees.
Work with the customer and customer’s carrier personnel to terminate circuits and enable
connectivity to Microsoft.
Provide ongoing support for the customer or carrier personnel to access equipment that is
located at a Microsoft data center.
Customer Responsibility
Own and manage all aspects of connectivity, including equipment and circuits. This includes
ensuring Microsoft is provided clear, consistent, and updated documentation of deployed hosted
network equipment and connectivity.
Ensure that customer-provisioned transport is symmetric to the primary and secondary data
center. This symmetry implies mirroring of capacity and capability in both data centers.
Provide Microsoft with the port and access speed as well as any type of rate limits—such as the
committed information rate.
Provide Microsoft with periodic (monthly) updates on capacity and utilization of network
connectivity so that Microsoft can ensure adequate capacity is available to provide a consistent
end-user experience.
Internet IPsec VPN
Internet IPsec VPN is an Internet-based, encrypted VPN that uses the same Internet service provider (ISP)
on both sides of the VPN to optimize performance and reliability. The Internet IPsec VPN should only be
used during the deployment process to mitigate long lead time MPLS connections and as a redundancy
solution paired with the customer-owned connection. While this is a viable transport technology,
experience has shown that interoperability and operational issues reduce its use to a support role rather
than the primary means of connectivity.
Microsoft places a limit of six VPNs per customer at each data center location. If more than six VPNs are
required, Microsoft enables the customer to host its own equipment inside Microsoft data centers.
We recommend that customers request and review the document "Using an Internet-based Virtual Private
Network (VPN) for Microsoft Online Services" for engineering details about the Internet IPsec VPN option.
The document can be obtained from the customer’s technical account manager.
Microsoft Responsibility
Provide the terminating router and ISP connectivity.
Customer Responsibilities
Confirm that the ISP connects to Microsoft.
Ensure that the customer-provisioned transport is symmetric to the primary and secondary data
center. This symmetry implies mirroring of capacity and capability in both data centers.
Provide Microsoft with the port and access speed as well as any type of rate limits—such as the
committed information rate.
Provide Microsoft with periodic (monthly) updates on capacity and utilization of network
connectivity so that Microsoft can ensure adequate capacity is available to provide a consistent
end-user experience.
Provide the router at the customer sites.
Connectivity Design Principles
Office 365 dedicated plans customers are required to support the following design factors when planning
network connectivity to Microsoft data centers.
Bandwidth. It is critical that the customer perform initial planning and ongoing capacity analysis
to ensure that adequate bandwidth is available to reach Office 365 services at all times. These
processes require accurately predicting bandwidth demand and ensuring that proper measuring
tools are in place to monitor usage. We recommend that the customer provision a separate link
for Internet access if the Internet IPsec VPN option is used as a primary connection link.
Latency. Latency is a critical network factor that directly affects perceived and actual performance
for a given Office 365 application. Each hosted application provides general guidance for
acceptable round-trip time (RTT) between the customer and Microsoft data centers. When
provisioning VPNs, tests must be conducted ahead of time to ensure that RTT is within acceptable
tolerances.
Reliability. Microsoft requires that all connectivity is provisioned in a redundant manner. For
Customer-Owned Private Connection this is expected to be accomplished by providing
connections relative to the service provisioning points. When selecting Internet-based
VPNs, Microsoft does not offer a service-level agreement (SLA) for availability on networks that it
does not directly own or operate. A multiple-VPN configuration is required to provide increased
reliability and redundancy.
Microsoft connectivity. To enable Internet IPsec VPN connections to as many ISPs as possible,
Microsoft has a policy of open peering with any carrier that wishes to connect with it. This policy
has enabled peering relationships with thousands of ISPs, and has positioned Microsoft in the top
five of the best-connected networks in the world. Microsoft actively manages capacity for its
owned connections and equipment to ensure that there are no capacity-related outages. Links
that are starting to saturate are proactively upgraded as needed.
BGP peering. The Border Gateway Protocol (BGP) is used for route exchange over all peering
sessions used for connectivity via customer-owned circuits. As part of the networking activation
process, information is required about the number of prefixes that the customer plans to
advertise. Microsoft requires route summarization or aggregation to limit the number of prefixes
received. We also deploy the BGP maximum-prefix feature to ensure that a sudden spike in
advertisements does not adversely impact equipment and peering. The maximum number of
prefixes allowed for the peering session is set to 20 percent higher than what the customer
announces initially. The customer can request additional route announcements from Microsoft, to
a maximum of 2048, by submitting a Change Request. In addition to providing prefix information,
the customer is required to summarize all routing announcements to ensure optimal routing table
size.
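The summarization and maximum-prefix rules above, worked through as an added example (not Microsoft's own tooling): the customer's planned prefixes are aggregated, and the session limit is derived as 20 percent above the resulting count, capped at 2048. Rounding the headroom up to a whole prefix is an assumption, and all prefixes in the sample are constructed.

```python
"""Plan BGP announcements for a customer-owned circuit: summarize the
customer's prefixes and derive the maximum-prefix limit (20 percent above
the initial announcement, never more than 2048). Added example, not
Microsoft tooling; rounding up to a whole prefix is an assumption."""
import ipaddress

MAX_PREFIXES = 2048      # ceiling on route announcements stated on this page
HEADROOM_PERCENT = 20    # maximum-prefix is set 20 percent above the initial count


def summarize(prefixes):
    """Aggregate adjacent and contained prefixes into the fewest supernets.

    strict=True rejects a prefix with host bits set, a common config error
    that would otherwise leak an unintended announcement.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def max_prefix_limit(initial_count):
    """Maximum-prefix value for the peering session, or None if the initial
    announcement already exceeds the 2048 ceiling and must be reworked."""
    if initial_count > MAX_PREFIXES:
        return None
    # integer ceiling of initial_count * 1.20, then apply the hard cap
    with_headroom = (initial_count * (100 + HEADROOM_PERCENT) + 99) // 100
    return min(MAX_PREFIXES, with_headroom)


def plan_session(prefixes):
    """Describe what should be announced and the limit Microsoft would set."""
    aggregates = summarize(prefixes)
    return {
        "announced": aggregates,
        "initial_count": len(aggregates),
        "max_prefix": max_prefix_limit(len(aggregates)),
        "removed_by_summarization": len(prefixes) - len(aggregates),
    }


# Constructed sample: four contiguous /24s (one /22), a /25 already covered
# by them, one /24 that does not align with the /22, and an unrelated block.
SAMPLE_PREFIXES = [
    "10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24",
    "10.1.2.128/25", "10.1.4.0/24", "172.16.5.0/24",
]

if __name__ == "__main__":
    for key, value in plan_session(SAMPLE_PREFIXES).items():
        print(f"{key}: {value}")
```

The seven constructed prefixes collapse to three announcements, so the session limit becomes 4; a customer that skips summarization would exhaust the same 20 percent headroom far sooner.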
IP Addressing
Microsoft network configuration work includes allocation of IP address space for each customer in each
Microsoft data center. Network address translation (NAT) is not supported in any capacity. Table 1 lists the
IP space requirements.
Table 1. IP Space Requirements

Requirement: /24 address space, managed (MGD)
Purpose: Used for the Office 365 managed servers. This address block is required to be routable
between Microsoft and the customer.

Requirement: /24 address space, managed private (MGP)
Purpose: Used for the Office 365 managed servers. Although this address block does not need to be
routable between Microsoft and the customer, it does need to be unique to avoid IP address overlap
conflicts. For ease of deployment it can be contiguous with the MGD /24.

Requirement: /27 address space
Purpose: Used for customer co-location domain controllers and other co-located devices.

Requirement: /24 address space
Purpose: Temporary address space used for Lotus Notes customers for migration engines. The space is
decommissioned after the migrations are complete. This space is only required in the primary
data center.
Microsoft allocates space in its data centers in the following manner:
Internet-accessible systems. Microsoft provides its own publicly registered address space
using one /26 address space per data center.
Customer network–accessible systems. For the systems that the customer accesses over its
private network connection, these options are available (listed in order of preference):
o Customer provides publicly registered IP address space to Microsoft.
o Customer provides RFC-1918 address space to Microsoft, avoiding 10.7/16 and 10.20/16.
o Microsoft provides private RFC-1918 address space.
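Table 1 and the allocation rules above, turned into a plan check as an added example (not Microsoft's provisioning tooling): the MGD and MGP blocks must be /24s, the co-location block a /27, every block unique since NAT is unavailable, and any RFC 1918 space must avoid 10.7/16 and 10.20/16. The plan dictionary keys ("mgd", "mgp", "colo", "notes") and all sample addresses are constructed for this example.

```python
"""Check a proposed customer address plan against the requirements in
Table 1 and the RFC 1918 exclusions on this page. Added example, not
Microsoft tooling; the dict keys and sample addresses are constructed."""
import ipaddress

# Blocks a customer must not offer when providing RFC 1918 space
EXCLUDED = [ipaddress.ip_network("10.7.0.0/16"),
            ipaddress.ip_network("10.20.0.0/16")]
RFC1918 = [ipaddress.ip_network(r) for r in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Table 1: MGD and MGP are /24s, co-location is a /27; "notes" /24 is optional
REQUIRED_LEN = {"mgd": 24, "mgp": 24, "colo": 27}


def address_source(net):
    """Page's order of preference: 1 = publicly registered, 2 = RFC 1918."""
    return 2 if any(net.subnet_of(r) for r in RFC1918) else 1


def check_plan(plan, primary=True):
    """Return a list of problems with plan ({name: cidr}); empty means it passes."""
    problems, nets = [], {}
    for name, cidr in plan.items():
        try:  # strict=True refuses a block with host bits set, e.g. 10.1.10.5/24
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as err:
            problems.append(f"{name}: {err}")
    for name, plen in REQUIRED_LEN.items():
        if name not in nets:
            problems.append(f"{name}: missing, a /{plen} is required")
        elif nets[name].prefixlen != plen:
            problems.append(f"{name}: {nets[name]} must be a /{plen}")
    if "notes" in nets:
        if nets["notes"].prefixlen != 24:
            problems.append(f"notes: {nets['notes']} must be a /24")
        if not primary:
            problems.append("notes: migration space is only required in the primary data center")
    # MGP need not be routable, but with no NAT every block must still be unique
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap")
    for name, net in nets.items():
        for bad in EXCLUDED:
            if net.overlaps(bad):
                problems.append(f"{name}: {net} falls inside excluded {bad}")
    return problems


# Constructed sample plan: MGP contiguous with MGD, as Table 1 suggests
SAMPLE_PLAN = {"mgd": "10.1.10.0/24", "mgp": "10.1.11.0/24", "colo": "10.1.12.0/27"}

if __name__ == "__main__":
    print(check_plan(SAMPLE_PLAN) or "plan passes")
```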
Network Security
Because the Microsoft Office 365 network is designed to manage multiple customer environments from a
single management space, network infrastructure controls are specifically implemented to help ensure the
confidentiality and integrity of customer data through strict compartmentalization. Under no
circumstances is access from one customer environment to another permitted. The Microsoft network also
enables reliable data availability through equipment redundancy, resiliency, and industry-standard high-
availability design practices.
Internet Security
Microsoft Internet connections are used to transport email on the customer’s behalf, and for access from
mobile and Internet-connected employees. Working with each customer, Microsoft applies a rich set of
security controls and optimizes routing to ensure the desired level of performance. In particular, three
levels of security are implemented to prevent unwanted traffic from entering the Office 365 network or
the customer’s dedicated virtual local area network (VLAN).
1. As traffic heads toward the VLAN, two sets of network filters allow only authorized networks on
given ports and protocols to reach the servers for a given Office 365 application.
2. At the router, security by abstraction obscures the routes and allows only authorized traffic to
pass through. Because virtualization is used on the router level, only the needed routes are
present in the customer’s routing table.
3. All unrecognized traffic is routed to the firewall, where specific rules govern the type of traffic that
is allowed to pass through on a stateful basis. Any traffic that does not meet the firewall’s rule list
is simply dropped.
In addition to this three-tiered security, there’s a final checkpoint in data centers: only servers that are
managed by Microsoft and configured for Internet access can receive Internet traffic; reverse access from
the Internet to the Customer Network is blocked entirely.
Separation (Compartmentalization)
One key strategy that Microsoft uses to maintain the confidentiality and integrity of Office 365 customer
data is compartmentalization. Multiple techniques are used to control information flows between the
Management Network, the Managed Network, and the Customer Network, including the following:
Physical separation. Network segments are physically separated by routers that are configured
to prevent communications between the Managed Network and the Management Network, and
between the Management Network and the Customer Network.
Logical separation. Virtual LAN (VLAN) technology is used to further separate communications
between Customer Network and Managed Network segments.
Firewalls. Firewalls and other network security enforcement points are used to limit data
exchanges with systems that are exposed to the Internet, and to isolate systems from back-end
systems managed by Microsoft.
One-way trusts. Active Directory one-way trusts are used to prevent systems or users in the
Managed Network from authenticating to resources on the Management Network. A similar trust
prevents these entities from authenticating to the Customer Network.
Protocol restrictions. Only Terminal Services can be used to access systems on a Managed
Network from the Management Network.
Figure 3 illustrates these information flows and associated restrictions.
[Figure 3 diagram, "Network Security Policy Communication Flows": the Internet, the Customer Network,
the Managed Network with its Gateway Network (Customer) and Gateway Network (Internet), and the
Management Network. Legend: Never allowed; Controlled by policy; Allowed – No network policy
(customer policy only); Optional.]
Figure 3. Network communication flows
Figure 4 illustrates the separation of the Microsoft Office 365 network from other networks and enforcement
points.
Figure 4. Separation of the Microsoft Office 365 network
Redundancy
Microsoft Office 365 cloud-based services are designed to be highly available through the use of redundancy
throughout all layers of the network. Two devices are used for routing and switching, and all connections
are on a redundant basis. Firewall and load-balancer deployments use duplicate systems with automatic
failover. Each customer environment in the Managed Network has two separate network connections and
two individual power feeds to ensure availability. Each data center network stamp has redundant, high-
capacity (n x 10GE) links into the Microsoft backbone. These links provide protected connectivity to the
Internet edge and to other Microsoft locations.
Server racks are built with multiple top-of-rack (TOR) switches to provide redundancy. Servers utilize
network interface card (NIC) teaming to ensure rapid failover.
Figure 5 provides an overview of the redundancy of the Office 365 network infrastructure.
[Figure 5 diagram: Internet edge routers, core routers A and B, data center routers A and B, Layer 3
access routers A and B, Layer 2 aggregation switches A and B, load balancers A and B, firewalls A and B,
and top-of-rack switches and servers in each data center, with links to the Internet and to anchor sites.]
Figure 5. Microsoft Office 365 network redundancy