Traditional enterprise networks are designed primarily to give users access to applications and data hosted in company-operated datacenters. A secondary use has been as a gateway to the Internet for communications and web browsing. Because of the size of the network security stack, Internet connectivity for branch offices is commonly centralized and backhauled over the customer's wide area network (WAN).
Enterprise adoption of and reliance on SaaS applications such as Office 365 continues to grow, and employees work from more varied locations. Backhauling that traffic through a central egress point adds latency and leads to a poor end user experience.
The Microsoft global network and Office 365
The Microsoft global network is one of the largest network backbones in the world. It consists of high-bandwidth links with minimal congestion: thousands of miles of privately owned dark fiber, multi-terabit connections between datacenters, application front door servers spread around the world, and over 100 public Internet peering locations.
Office 365 connectivity principles
- Identify and differentiate Office 365 traffic using Microsoft published endpoints
As a SaaS application, Office 365 has a large number of URLs and IP addresses representing its service front end servers. We refer to these URLs and IP addresses as endpoints; customers can use them to identify network traffic that is destined for Office 365 and treat it differently from general Internet traffic.
Identifying Office 365 network traffic – Microsoft publishes the Office 365 endpoints and guidance on how best to use this data. An Office 365 administrator can use a script to fetch the endpoint details and apply them to a perimeter firewall and other network devices. The published list changes over time, so the fetch should run on a schedule and the device configuration be updated when the list changes.
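As an added example (not Microsoft's published script), the Python below turns endpoint data in the shape served by the Office 365 IP Address and URL Web Service into firewall rules and classifies a destination as Office 365 traffic or general Internet traffic. The JSON sample inside it is constructed with RFC 5737/3849 documentation prefixes rather than the real list; the field names (`urls`, `ips`, `tcpPorts`, `udpPorts`, `category`, `required`) are those of that web service, the `fetch_endpoints` helper is only for live use, and the `O365_DIRECT` chain name is hypothetical.

```python
"""Allow-list and classify Office 365 traffic from published endpoint data.

Added example, not Microsoft's script. Assumes the JSON shape of the Office
365 IP Address and URL Web Service: a list of endpoint sets with "id",
"serviceArea", "category", "required", "urls", "ips", "tcpPorts", "udpPorts".
"""
import ipaddress
import json
import urllib.request
import uuid

ENDPOINT_URL = "https://endpoints.office.com/endpoints/worldwide"
# Lower rank = more latency-sensitive; used when a destination matches
# more than one endpoint set.
CATEGORY_RANK = {"Optimize": 0, "Allow": 1, "Default": 2}

# Constructed sample (documentation prefixes, not Microsoft's published data).
SAMPLE_ENDPOINTS_JSON = """
[
  {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": true,
   "urls": ["outlook.office.com", "outlook.office365.com"],
   "ips": ["192.0.2.0/24", "2001:db8:1::/48"], "tcpPorts": "443"},
  {"id": 2, "serviceArea": "Exchange", "category": "Allow", "required": true,
   "urls": ["*.protection.outlook.com"],
   "ips": ["198.51.100.0/24"], "tcpPorts": "443", "udpPorts": ""},
  {"id": 3, "serviceArea": "Common", "category": "Default", "required": false,
   "urls": ["*.microsoft.com"], "tcpPorts": "80,443"}
]
"""


def fetch_endpoints(url=ENDPOINT_URL, timeout=10):
    """Fetch the live list (needs Internet access; the service expects a
    clientrequestid GUID). Not called by the offline demo below."""
    query = "%s?clientrequestid=%s" % (url, uuid.uuid4())
    with urllib.request.urlopen(query, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def load_endpoints(text):
    """Parse endpoint JSON text and check the top-level shape."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of endpoint sets")
    return data


def _ports(spec):
    """'80,443' -> [80, 443]; a missing or empty field -> []."""
    return [int(p) for p in spec.split(",") if p.strip()] if spec else []


def firewall_rules(endpoints, required_only=True):
    """Flatten endpoint sets into (category, proto, network, port) tuples,
    ordered Optimize -> Allow -> Default so the hot paths come first."""
    rules = set()
    for ep in endpoints:
        if required_only and not ep.get("required", False):
            continue
        nets = [str(ipaddress.ip_network(c)) for c in ep.get("ips", [])]
        for proto, key in (("tcp", "tcpPorts"), ("udp", "udpPorts")):
            for port in _ports(ep.get(key)):
                for net in nets:
                    rules.add((ep["category"], proto, net, port))
    return sorted(rules, key=lambda r: (CATEGORY_RANK[r[0]], r[1], r[3], r[2]))


def to_iptables(rules, chain="O365_DIRECT"):
    """Render rules as iptables/ip6tables commands for a direct-egress chain."""
    return ["%s -A %s -p %s -d %s --dport %d -m comment --comment %s -j ACCEPT"
            % ("ip6tables" if ":" in net else "iptables", chain, proto, net, port, cat)
            for cat, proto, net, port in rules]


def _host_matches(pattern, host):
    """Exact match, or '*.example.com' matching any sub-domain (not the apex)."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def classify_destination(endpoints, dest):
    """Return (category, endpoint id) for a hostname or IP that is a published
    Office 365 endpoint, or None for ordinary Internet traffic."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        addr = None  # not an IP literal: treat dest as a hostname
    best = None
    for ep in endpoints:
        if addr is not None:
            hit = any(addr in ipaddress.ip_network(c) for c in ep.get("ips", []))
        else:
            hit = any(_host_matches(p, dest) for p in ep.get("urls", []))
        if hit and (best is None or
                    CATEGORY_RANK[ep["category"]] < CATEGORY_RANK[best["category"]]):
            best = ep
    return (best["category"], best["id"]) if best else None


if __name__ == "__main__":
    eps = load_endpoints(SAMPLE_ENDPOINTS_JSON)
    for line in to_iptables(firewall_rules(eps)):
        print(line)
    for dest in ("outlook.office365.com", "mail.protection.outlook.com",
                 "192.0.2.77", "example.com"):
        print(dest, "->", classify_destination(eps, dest))
```

Run the fetch on a schedule, compare the returned list with the last version you applied before rewriting rules, and keep any bypass scoped to the listed endpoints: a destination that classifies as `None` is general Internet traffic and stays on the existing inspected path.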
- Egress Office 365 data connections as close to the user as practical with matching DNS resolution
Egress Office 365 network traffic to the Internet close to the user's location, where it can reach Microsoft's global network quickly, for better performance.
Many Office 365 applications use the source of the user's DNS requests to determine the user's geographic location. If the user's DNS lookups are not done at the same point as the network egress, the user may be directed to a distant Office 365 front end server.
- Avoid network hairpins and optimize connectivity directly into the nearest entry point into Microsoft's global network
There are two types of network route hairpin that can greatly lengthen the network path between a user and Microsoft's global network; both increase latency and reduce the performance of Office 365.
- The first results from misaligned network egress and DNS lookups for a user. DNS resolved near the user selects an Office 365 front end server that is close to them, but the traffic still egresses at a distant corporate head office and has to travel back to that nearby server.
- The second arises when a cloud-based network security vendor has limited hosting locations and directs a user to one that is distant from them: traffic goes from the user to the distant vendor location and back to an Office 365 front end server that is near the user. This can be avoided by asking cloud-based network security vendors about the specific locations of their hosting, and by comparing the network paths this creates with the direct route to Office 365 endpoints on Microsoft's global network.
- Assess bypassing proxies, traffic inspection devices and duplicate security which is available in Office 365
Network security technology includes proxy servers, inline SSL break and inspect of network traffic, network layer data loss prevention, and more. These controls add cost and resources to Internet connectivity and reduce the performance of network connections. Any bypass should be limited to the identified Office 365 endpoints and to controls that the service itself already provides; general Internet traffic keeps its existing inspection.
Office 365 also provides many controls that can reduce the need for duplicate network layer security, such as:
- Data Loss Prevention
- Multi-Factor Authentication
- Customer Lock Box
- Advanced Threat Protection
- Office 365 Threat Intelligence
- Office 365 Secure Score
- Exchange Online Protection
- Network DDoS protection, and many other security features.
Office 365 product group videos expanding on the Office 365 connectivity principles:
- Strategy: https://youtu.be/19a8s90HboQ
- Planning: https://youtu.be/cJDpB59gk3M
- Implementation: https://youtu.be/lZwvitkvg6A
Guidance on network planning and performance tuning in Office 365: aka.ms/tune
Office 365 URLs and IP addresses: aka.ms/O365IP
Managing bandwidth requirements for Office 365: aka.ms/O365networkconnectivity