Traditional enterprise networks are designed primarily to provide users access to applications and information hosted in company-operated datacenters.
Because of the large network security stack, Internet connectivity for branch offices is usually centralized and backhauled over the customer’s wide area network (WAN). This model worked well for secure access from users inside the office to corporate on-premises apps such as mail and document sharing, where bandwidth could be assured and minimal network security inside the WAN meant network traffic was not impeded.
Traditional enterprise network backhauling Internet-bound traffic over its WAN
As enterprise adoption of and reliance on SaaS apps like Office 365 continues to rise, and as employees work from diverse locations, the previous method of backhauling traffic to a centralized location for inspection creates latency and leads to a poor end user experience. The shift from accessing enterprise applications in a customer-operated central datacenter to accessing Office 365, along with the differences in traffic patterns, performance requirements, and endpoint security, needs to be acknowledged and planned for differently from simple Internet communications and Internet browsing and research connectivity.
The Microsoft global network and Office 365
The Microsoft global network is among the largest network backbones in the world, consisting of high-bandwidth links with minimal network congestion, together with thousands of miles of independently owned dark fiber, multi-terabit network connections between datacenters, and application front door servers spread across the globe. More than 100 public Internet peering interconnection locations on this network make it easy for all users, regardless of location, to connect to the network over the Internet and access services such as Office 365, Azure, Xbox, Bing, Skype, Hotmail and much more.
Microsoft continues to invest in the network, the geographic locations of its application front doors, public peering partnerships with ISPs, and traffic backhauling capabilities. This allows user network traffic to enter the Microsoft global network very close to the user; the traffic is then backhauled at Microsoft’s cost over high-bandwidth lines inside the network to the location where the user’s data is stored.
Microsoft global network, with the blue dots representing Office 365 front end servers across the globe
Microsoft recommends using the Internet along with a simple network design for optimum connectivity and performance with Office 365. A key goal of the network design should be to reduce the round-trip time (RTT) from your network to the Microsoft global network and to ensure that network traffic is not hairpinned or centralized to specific locations. Use the Office 365 connectivity principles to manage your traffic and get the best performance when connecting to Office 365.
- Identify and differentiate Office 365 traffic using Microsoft published endpoints
Office 365 URLs and IP addresses: aka.ms/O365IPAs
As a SaaS application, Office 365 has a large number of URLs and IP addresses representing Office 365 service front end servers.
Identifying Office 365 network traffic is the first step in being able to differentiate that traffic from generic Internet-bound traffic. An Office 365 administrator can use a script to fetch the endpoint details and apply them to a perimeter firewall and other network devices. This ensures that traffic bound for Office 365 is identified, treated appropriately, and managed differently from network traffic bound for generic and frequently unknown Internet sites that employees can browse.
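The following is an added example, not Microsoft's script and not part of the original article, showing how published endpoint data can be turned into a destination classifier that a firewall or proxy rule generator could consume. The field names (`serviceArea`, `category`, `urls`, `ips`, `tcpPorts`) and the category values are assumptions about the JSON published behind aka.ms/O365IPAs; every hostname and address range below is a constructed placeholder.

```python
import ipaddress
import json
# Constructed sample; field names assumed from the Office 365 endpoint web service JSON.
SAMPLE = json.loads("""[
 {"serviceArea": "Exchange", "category": "Optimize", "tcpPorts": "80,443",
  "urls": ["mail.o365.example"], "ips": ["192.0.2.0/25", "2001:db8:1::/48"]},
 {"serviceArea": "SharePoint", "category": "Allow", "tcpPorts": "443",
  "urls": ["*.sites.o365.example"], "ips": ["198.51.100.0/24"]},
 {"serviceArea": "Common", "category": "Default", "tcpPorts": "443",
  "urls": ["*.cdn.o365.example"]}
]""")

def build_index(endpoints):
    """Flatten endpoint sets into (network, ports, set) and (pattern, ports, set) lists."""
    nets, hosts = [], []
    for ep in endpoints:
        ports = {int(p) for p in ep.get("tcpPorts", "").split(",") if p.strip()}
        nets += [(ipaddress.ip_network(c), ports, ep) for c in ep.get("ips", [])]
        hosts += [(u.lower().rstrip("."), ports, ep) for u in ep.get("urls", [])]
    return nets, hosts

def host_matches(pattern, host):
    """Leading-wildcard match: '*.a.example' covers subdomains only, not suffix lookalikes."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[1:]
    return host == pattern

def classify(dest, port, index):
    """Return (serviceArea, category) when dest:port is a published endpoint, else None."""
    nets, hosts = index
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        addr = None  # not an IP literal, treat as a hostname
    if addr is not None:
        table, hit = nets, lambda net: addr in net
    else:
        host = dest.lower().rstrip(".")
        table, hit = hosts, lambda pat: host_matches(pat, host)
    for key, ports, ep in table:
        if hit(key) and port in ports:
            return ep["serviceArea"], ep["category"]
    return None

def egress_decision(dest, port, index):
    """Local direct egress only for Optimize/Allow sets; all else keeps the inspected path."""
    found = classify(dest, port, index)
    return "direct" if found and found[1] in ("Optimize", "Allow") else "inspect"
INDEX = build_index(SAMPLE)
```

Anything that does not match a published set on both destination and port falls back to the inspected path, so a lookalike hostname or an address just outside a published range never inherits the Office 365 treatment.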
- Egress Office 365 data connections as close to the user as practical with matching DNS resolution
Local Internet egress to Microsoft’s network
Many enterprise WANs are designed to backhaul network traffic to a central company head office for processing prior to network egress to the Internet. Because Office 365 runs on Microsoft’s large global network, which includes many front end servers around the world, there will frequently be a network connection and front end server close to the user’s location.
Compared to backhauling data across the corporate WAN, the user is likely to get far better performance by egressing Office 365 network traffic to the Internet close to their location, where it can connect to Microsoft’s global network. Additionally, many Office 365 applications use DNS requests to determine the user’s geographic location. If the user’s DNS lookups are not done at the same point as the network egress, the user may be directed to a distant Office 365 front end server.
Shortening the network path to Microsoft’s global network and to Office 365 front end servers in this way should be expected to improve connectivity performance and the end user experience in Office 365.
- Avoid network hairpins and improve connectivity directly into the nearest entry point into Microsoft’s global network
Enterprise network hairpinning Office 365-bound Internet traffic
Microsoft is continuously working on reducing the distance between users and Office 365 endpoints, driving down latency and improving the end user experience. There are two types of network path hairpin that can occur when connecting users to Office 365.
The first type results from misaligned network egress and DNS lookups for a user. This may result in the user being directed to an Office 365 front end server that is close to them, but through a distant corporate egress location in a head office. This can be avoided with local egress and local DNS as outlined in the principle above.
The second type can result from a cloud-based network security infrastructure device. If the device vendor has limited hosting locations and directs a user to a specific one that is distant from them, it can produce a hairpin path where network traffic goes from the user to the distant network device and back to an Office 365 front end server that is close to the user. This can be avoided by asking cloud-based network security vendors about the specific locations of their hosting and being critical of the network paths this creates, which could differ from the direct path to Office 365 endpoints on Microsoft’s global network.
- Assess bypassing proxies, traffic inspection devices and duplicate security which is available in Office 365
Bypassing additional security for Office 365
General Internet web browsing traffic to anonymous Internet sites may carry substantial security risk, and most enterprises implement network security, monitoring, and traffic analysis technology at their Internet egress locations. Network security technologies include proxy servers, inline SSL break and inspect of network traffic, network layer based data loss prevention, and much more. Network security devices are a strongly growing industry.
Office 365 servers are all hosted in Microsoft datacenters, and Microsoft is quite transparent about datacenter security, operational security and risk reduction around those servers as well as the network endpoints they represent. These security details can be found at the Microsoft Trust Center.