Network for Enterprises Dedicated Plans Service Description

Published: April 2012


The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

©2012 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveSync, Lync, Outlook, and SharePoint are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.


Contents

Introduction (p. 4)
Network Architecture (p. 5)
Customer Connectivity to Data Centers (p. 7)
  Customer-Owned Private Connection (p. 7)
  Internet IPsec VPN (p. 7)
  Connectivity Design Principles (p. 8)
  IP Addressing (p. 9)
Network Security (p. 10)
  Internet Security (p. 10)
  Separation (Compartmentalization) (p. 10)
  Redundancy (p. 12)


Introduction

This document describes the Microsoft networking infrastructure components and features that support delivery of Microsoft Office 365 for enterprises services provided under dedicated subscription plans (“dedicated plans”). The information applies to the following services:

- Microsoft Exchange Online
- Microsoft SharePoint® Online
- Microsoft Lync™ Online

The document is intended for network engineers and system integrators who work with Microsoft Office 365 customers. The components and features that are described include:

- Network architecture for Office 365 dedicated plans
- Customer connectivity to Microsoft data centers
- Connectivity design principles
- Network security

* Services provided under Office 365 for enterprises dedicated plans are delivered from a Microsoft hosting environment where each customer has their own dedicated data center hardware.


Network Architecture

The network architecture for Microsoft Office 365 is divided into three distinct security zones: the Customer Network, the Managed Network, and the Management Network. Each security zone is implemented as a virtual network.

Customer Network

The Customer Network describes the customer on-premise enterprise network environment. The Customer Network contains the router and the customer firewall for organizations that want to have these components installed between their IT environment and the Microsoft data center.

Managed Network

There is a Managed Network for each customer. It is a separate, dedicated security zone that contains the hosted systems that provide Office 365 services and store customer email and data. This network also contains an Active Directory forest that includes a replication of the customer’s Active Directory user, contact, and distribution group objects.

The Managed Network includes two gateway networks (GNs): one associated with the Internet (GN/I) and the other with the Customer Network (GN/C).

GN/I: The GN/I is a load-balancing–only hardware component. The only devices deployed on this segment are the virtual IP (VIP) addresses hosted on a hardware load balancer’s network interface. These VIPs are usually deployed in conjunction with servers on the Managed Network, and are protected by firewalls for external (Internet) traffic.

GN/C: The GN/C is utilized to implement customer enterprise-facing hardware load-balancing solutions that replicate the functionality implemented in the GN/I.

Management Network

The Management Network contains the infrastructure that is shared across multiple customers, such as the Microsoft backup and monitoring systems. It also includes an Active Directory forest that contains the user accounts that are needed for operating the services and servers for the Management Network and Managed Network security zones.


Figure 1 shows the Microsoft network architecture and security zone components for Office 365 dedicated plans.

Figure 1. Microsoft Office 365 network architecture

Virtualization is used throughout the network architecture to maintain separation and abstraction on a per-customer basis. This is accomplished using virtual LANs (VLANs) at Layer 2 (Switching), Virtual Routing and Forwarding (VRF) at Layer 3 (Routing), and Layer 3 VPNs at the transport layer. The transport layer relies on the extensive use of multiprotocol label switching (MPLS) within the Microsoft backbone network.

Customer Responsibilities

- Maintain the customer internal IT infrastructure and network, and provide connectivity to the Microsoft data centers.
- Maintain the Customer Forest, which hosts the primary user accounts that are used for authentication and hosts contacts and distribution groups.
- Co-locate the domain controllers that are located within the Customer Network in the Microsoft data centers. This requirement is discussed in more detail in the “Microsoft Office 365 Identity and Provisioning (Dedicated Plans) Service Description” document.


Customer Connectivity to Data Centers

Microsoft supports two options for connectivity between a Customer Network and each Microsoft data center: customer-owned private connections and Internet IPsec virtual private network (VPN). At a minimum, connections are required to both the primary and secondary Microsoft data centers that host the customer’s servers.

Customer-Owned Private Connection

Customers can connect to Microsoft data centers with connections that they own and operate, or via their designated provider. This is the primary connectivity option and gives the customer the ability to host equipment within Microsoft data centers. Microsoft provides only the rack, space, cooling, and access to the equipment. The customer is responsible for ownership and management of the equipment.

Microsoft Responsibility

- Enable the customer to host network equipment inside Microsoft-owned data centers. Microsoft provides power, space, and cooling for the hosted equipment and access to the equipment. Hosting of customer network equipment is limited to a standard network deployment pod. This pod consists of a pair of industry-standard 2-rack-unit routers, Layer 2 switches, and firewalls, for a total allowance of 12 rack units per data center. Customer-owned network equipment variants that do not fit within this pod design are considered an exception. Microsoft-approved exceptions will incur additional service fees.
- Work with the customer and the customer’s carrier personnel to terminate circuits and enable connectivity to Microsoft.
- Provide ongoing support for the customer or carrier personnel to access equipment that is located at a Microsoft data center.

Customer Responsibility

- Own and manage all aspects of connectivity, including equipment and circuits. This includes ensuring that Microsoft is provided clear, consistent, and updated documentation of deployed hosted network equipment and connectivity.
- Ensure that customer-provisioned transport is symmetric to the primary and secondary data centers. This symmetry implies mirroring of capacity and capability in both data centers.
- Provide Microsoft with the port and access speed as well as any type of rate limits, such as the committed information rate.
- Provide Microsoft with periodic (monthly) updates on capacity and utilization of network connectivity so that Microsoft can ensure adequate capacity is available to provide a consistent end-user experience.

Internet IPsec VPN

Internet IPsec VPN is an Internet-based, encrypted VPN that uses the same Internet service provider (ISP) on both sides of the VPN to optimize performance and reliability. The Internet IPsec VPN should only be used during the deployment process, to mitigate the long lead times for MPLS connections, and as a redundancy solution paired with the customer-owned connection. While this is a viable transport technology, experience has shown that interoperability and operational issues reduce its use to a support role rather than the primary means of connectivity.

Microsoft places a limit of six VPNs per customer at each data center location. If more than six VPNs are required, Microsoft enables the customer to host its own equipment inside Microsoft data centers.


We recommend that customers request and review the document "Using an Internet-based Virtual Private Network (VPN) for Microsoft Online Services" for engineering details about the Internet IPsec VPN option. The document can be obtained from the customer’s technical account manager.

Microsoft Responsibility

- Provide the terminating router and ISP connectivity.

Customer Responsibilities

- Confirm that the ISP connects to Microsoft.
- Ensure that the customer-provisioned transport is symmetric to the primary and secondary data centers. This symmetry implies mirroring of capacity and capability in both data centers.
- Provide Microsoft with the port and access speed as well as any type of rate limits, such as the committed information rate.
- Provide Microsoft with periodic (monthly) updates on capacity and utilization of network connectivity so that Microsoft can ensure adequate capacity is available to provide a consistent end-user experience.
- Provide the router at the customer sites.

Connectivity Design Principles

Office 365 dedicated plans customers are required to support the following design factors when planning network connectivity to Microsoft data centers.

Bandwidth. It is critical that the customer perform initial planning and ongoing capacity analysis to ensure that adequate bandwidth is available to reach Office 365 services at all times. These processes require accurately predicting bandwidth demand and ensuring that proper measuring tools are in place to monitor usage. We recommend that the customer provision a separate link for Internet access if the Internet IPsec VPN option is used as a primary connection link.

Latency. Latency is a critical network factor that directly affects perceived and actual performance for a given Office 365 application. Each hosted application provides general guidance for acceptable round-trip time (RTT) between the customer and Microsoft data centers. When provisioning VPNs, tests must be conducted ahead of time to ensure that RTT is within acceptable tolerances.

Reliability. Microsoft requires that all connectivity is provisioned in a redundant manner. For Customer-Owned Private Connection this is expected to be accomplished by providing connections relative to the service provisioning points. When selecting Internet-based VPNs, Microsoft does not offer a service-level agreement (SLA) for availability on networks that it does not directly own or operate. A multiple-VPN configuration is required to provide increased reliability and redundancy.

Microsoft connectivity. To enable Internet IPsec VPN connections to as many ISPs as possible, Microsoft has a policy of open peering with any carrier that wishes to connect with it. This policy has enabled peering relationships with thousands of ISPs, and has positioned Microsoft in the top five of the best-connected networks in the world. Microsoft actively manages capacity for its owned connections and equipment to ensure that there are no capacity-related outages. Links that are starting to saturate are proactively upgraded as needed.

BGP peering. The Border Gateway Protocol (BGP) is used for route exchange over all peering sessions used for connectivity via customer-owned circuits. As part of the networking activation process, information is required about the number of prefixes that the customer plans to advertise. Microsoft requires route summarization or aggregation to limit the number of prefixes received. We also deploy the BGP maximum-prefix feature to ensure that a sudden spike in advertisements does not adversely impact equipment and peering. The maximum number of prefixes allowed for the peering session is set to 20 percent higher than what the customer announces initially. The customer can request additional route announcements from Microsoft, to a maximum of 2048, by submitting a Change Request. In addition to providing prefix information, the customer is required to summarize all routing announcements to ensure optimal routing table size.
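The following Python is an added example, not part of the Microsoft service description, showing the two BGP controls described above from the customer side: computing the maximum-prefix limit a session would be configured with (initial announcement plus 20 percent, capped at 2048; rounding the 20 percent up is an assumption of this example), and summarizing an announcement with the standard library's collapse_addresses so that a spike of unsummarized routes can be caught before it trips the limit. All prefixes are constructed sample data.

```python
import ipaddress
from typing import Dict, Iterable, List

MAX_PREFIX_CEILING = 2048   # largest limit a customer can request via Change Request
HEADROOM_PERCENT = 20       # session limit is 20 percent above the initial announcement


def summarize(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Route summarization: collapse adjacent or overlapping prefixes into the fewest covering blocks."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def max_prefix_limit(initial_count: int) -> int:
    """Limit for the session: initial count plus 20 percent (rounded up, an assumption), never above 2048."""
    limit = (initial_count * (100 + HEADROOM_PERCENT) + 99) // 100   # integer ceiling
    return min(limit, MAX_PREFIX_CEILING)


def check_announcement(initial_prefixes: Iterable[str], current_prefixes: Iterable[str]) -> Dict:
    """Compare a current announcement with the limit derived from the activation-time announcement."""
    initial = list(initial_prefixes)
    current = list(current_prefixes)
    limit = max_prefix_limit(len(initial))
    summarized = summarize(current)
    return {
        "limit": limit,
        "announced": len(current),
        "within_limit": len(current) <= limit,
        "summarized_count": len(summarized),
        "within_limit_if_summarized": len(summarized) <= limit,
        "needs_summarization": len(summarized) < len(current),
    }


# Constructed sample: ten non-adjacent /16 announcements at activation time...
INITIAL_PREFIXES = [f"10.{n}.0.0/16" for n in (1, 3, 5, 9, 11, 13, 15, 17, 19, 21)]
# ...and a later announcement that adds three more prefixes without summarizing them.
SPIKE_PREFIXES = INITIAL_PREFIXES + ["10.2.0.0/16", "10.4.0.0/16", "10.6.0.0/16"]

if __name__ == "__main__":
    result = check_announcement(INITIAL_PREFIXES, SPIKE_PREFIXES)
    print(result)
    print([str(n) for n in summarize(SPIKE_PREFIXES)])
```

With the sample data the session limit is 12, the spike announces 13 prefixes and would exceed it, while the summarized form of the same routes is 11 prefixes and stays within the limit, which is exactly why the description requires summarization in addition to the maximum-prefix safeguard.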


IP Addressing

Microsoft network configuration work includes allocation of IP address space for each customer in each Microsoft data center. Network address translation (NAT) is not supported in any capacity. Table 1 lists the IP space requirements.

Table 1. IP Space Requirements

Requirement | Purpose
/24 address space – managed (MGD) | Used for the Office 365 managed servers. This address block is required to be routable between Microsoft and the customer.
/24 address space – managed private (MGP) | Used for the Office 365 managed servers. Although this address block does not need to be routable between Microsoft and the customer, it does need to be unique to avoid IP address overlap conflicts. For ease of deployment it can be contiguous with the MGD /24.
/27 address space | Used for customer co-location domain controllers and other co-located devices.
/24 address space | Temporary address space used for Lotus Notes customers for migration engines. The space is decommissioned after the migrations are complete. This space is only required in the primary data center.

Microsoft allocates space in its data centers in the following manner:

- Internet-accessible systems. Microsoft provides its own publicly registered address space using one /26 address space per data center.
- Customer network–accessible systems. For the systems that the customer accesses over its private network connection, these options are available (listed in order of preference):
  o Customer provides publicly registered IP address space to Microsoft.
  o Customer provides RFC 1918 address space to Microsoft, avoiding 10.7/16 and 10.20/16.
  o Microsoft provides private RFC 1918 address space.
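As an added example (not part of the Microsoft service description), the following Python checks a proposed address plan against the Table 1 requirements and the allocation rules above: exact prefix lengths for each block, no overlap with the 10.7/16 and 10.20/16 blocks the customer is asked to avoid, uniqueness among the blocks themselves, and no overlap with prefixes already in use on the customer network (the MGP block in particular must be unique even though it is not routed). The labels mgd, mgp, colo and migration and all sample addresses are constructed for this example.

```python
import ipaddress
from typing import Dict, Iterable, List

# Blocks the service description asks customers to avoid when they supply RFC 1918 space
MICROSOFT_RESERVED = [ipaddress.ip_network("10.7.0.0/16"), ipaddress.ip_network("10.20.0.0/16")]

# Required prefix lengths per Table 1 (labels are this example's own)
REQUIRED_LENGTHS = {"mgd": 24, "mgp": 24, "colo": 27}
# Temporary Lotus Notes migration space, primary data center only, so optional here
OPTIONAL_LENGTHS = {"migration": 24}


def validate_plan(plan: Dict[str, str], customer_prefixes: Iterable[str] = ()) -> List[str]:
    """Return a list of findings for a proposed plan; an empty list means every check passed."""
    findings: List[str] = []
    parsed: Dict[str, ipaddress.IPv4Network] = {}
    expected = {**REQUIRED_LENGTHS, **OPTIONAL_LENGTHS}

    for label, length in expected.items():
        cidr = plan.get(label)
        if cidr is None:
            if label in REQUIRED_LENGTHS:
                findings.append(f"{label}: required /{length} block is missing")
            continue
        try:
            net = ipaddress.ip_network(cidr, strict=True)   # reject host bits set in the block
        except ValueError as exc:
            findings.append(f"{label}: {cidr} is not a valid network ({exc})")
            continue
        if net.prefixlen != length:
            findings.append(f"{label}: {net} must be a /{length}, got /{net.prefixlen}")
        for reserved in MICROSOFT_RESERVED:
            if net.overlaps(reserved):
                findings.append(f"{label}: {net} falls inside reserved block {reserved}")
        parsed[label] = net

    # The blocks must not overlap one another (uniqueness requirement for MGD/MGP)...
    labels = list(parsed)
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                findings.append(f"{a} and {b} overlap ({parsed[a]} / {parsed[b]})")

    # ...nor overlap space already routed on the customer network
    for cidr in customer_prefixes:
        existing = ipaddress.ip_network(cidr, strict=False)
        for label, net in parsed.items():
            if net.overlaps(existing):
                findings.append(f"{label}: {net} overlaps existing customer prefix {existing}")
    return findings


# Constructed sample plans
GOOD_PLAN = {"mgd": "10.100.1.0/24", "mgp": "10.100.2.0/24", "colo": "10.100.3.0/27"}
BAD_PLAN = {"mgd": "10.7.1.0/24", "mgp": "10.7.1.0/24", "colo": "10.100.3.0/28"}

if __name__ == "__main__":
    print("good plan:", validate_plan(GOOD_PLAN, ["192.168.0.0/16"]))
    for finding in validate_plan(BAD_PLAN):
        print("bad plan:", finding)
```

The bad plan produces four findings: both /24s sit inside 10.7/16, the two /24s are the same block, and the co-location block is a /28 rather than the required /27. Running the good plan against an existing customer prefix that covers it (for instance 10.100.0.0/22) reports an overlap for each of the three blocks, which is the situation the "unique" requirement on the MGP block is meant to prevent.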


Network Security

Because the Microsoft Office 365 network is designed to manage multiple customer environments from a single management space, network infrastructure controls are specifically implemented to help ensure the confidentiality and integrity of customer data through strict compartmentalization. Under no circumstances is access from one customer environment to another permitted. The Microsoft network also enables reliable data availability through equipment redundancy, resiliency, and industry-standard high-availability design practices.

Internet Security

Microsoft Internet connections are used to transport email on the customer’s behalf, and for access from mobile and Internet-connected employees. Working with each customer, Microsoft applies a rich set of security controls and optimizes routing to ensure the desired level of performance. In particular, three levels of security are implemented to prevent unwanted traffic from entering the Office 365 network or the customer’s dedicated virtual local area network (VLAN).

1. As traffic heads toward the VLAN, two sets of network filters allow only authorized networks on given ports and protocols to reach the servers for a given Office 365 application.

2. At the router, security by abstraction obscures the routes and allows only authorized traffic to pass through. Because virtualization is used on the router level, only the needed routes are present in the customer’s routing table.

3. All unrecognized traffic is routed to the firewall, where specific rules govern the type of traffic that is allowed to pass through on a stateful basis. Any traffic that does not meet the firewall’s rule list is simply dropped.

In addition to this three-tiered security, there’s a final checkpoint in data centers: only servers that are managed by Microsoft and configured for Internet access can receive Internet traffic; reverse access from the Internet to the Customer Network is blocked entirely.
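The three levels above are easiest to reason about as a pipeline in which each stage can only drop or pass, and nothing reaches a server unless every stage agreed. The following Python is an added, deliberately simplified model written for this page, not Microsoft's configuration: level 1 is two network filter sets that must both permit the packet (authorized source networks, then application ports); level 2 is a lookup against the only routes present in the customer's virtual routing table (here a single /26, following the one-/26-per-data-center allocation in the IP Addressing section); level 3 is a stateful firewall that admits new connections only on an explicit rule, admits later packets only for flows it has already recorded, and drops everything else. All addresses, rules and packets are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, str, int]   # (src, dst, proto, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp" or "udp"
    dport: int
    new_connection: bool = True   # False models a later packet of an already-admitted flow


def rule_matches(rule: Dict, pkt: Packet) -> bool:
    """A rule is a dict with any of src, dst (CIDR), proto, dport; absent keys match anything."""
    if "src" in rule and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule["src"]):
        return False
    if "dst" in rule and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule["dst"]):
        return False
    if "proto" in rule and rule["proto"] != pkt.proto:
        return False
    if "dport" in rule and rule["dport"] != pkt.dport:
        return False
    return True


def permitted(rules: List[Dict], pkt: Packet) -> bool:
    return any(rule_matches(r, pkt) for r in rules)


# Level 1 (constructed): two filter sets, both of which must permit the packet.
FILTER_SETS = [
    [{"src": "203.0.113.0/24", "proto": "tcp"}],                       # authorized source networks
    [{"proto": "tcp", "dport": 443}, {"proto": "tcp", "dport": 25}],   # ports used by the hosted applications
]

# Level 2 (constructed): the only routes present in the customer's virtual routing table.
CUSTOMER_VRF_ROUTES = ["198.51.100.0/26"]

# Level 3 (constructed): stateful firewall rules; anything that matches no rule is dropped.
FIREWALL_RULES = [
    {"dst": "198.51.100.10/32", "proto": "tcp", "dport": 443},
    {"dst": "198.51.100.20/32", "proto": "tcp", "dport": 25},
]


def evaluate(pkt: Packet, state: Set[Flow]) -> Tuple[str, str]:
    """Pass a packet through the three levels; return (verdict, stage that decided it)."""
    for i, rules in enumerate(FILTER_SETS, start=1):
        if not permitted(rules, pkt):
            return "drop", f"level1-filter{i}"
    dst = ipaddress.ip_address(pkt.dst)
    if not any(dst in ipaddress.ip_network(r) for r in CUSTOMER_VRF_ROUTES):
        return "drop", "level2-no-route"          # destination absent from the customer's VRF
    flow: Flow = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
    if not pkt.new_connection:
        if flow in state:
            return "forward", "level3-established"
        return "drop", "level3-no-state"          # mid-flow packet with no recorded connection
    if permitted(FIREWALL_RULES, pkt):
        state.add(flow)
        return "forward", "level3-rule"
    return "drop", "level3-default"               # no rule matched: default drop


if __name__ == "__main__":
    state: Set[Flow] = set()
    for p in [Packet("192.0.2.9", "198.51.100.10", "tcp", 443),
              Packet("203.0.113.5", "198.51.100.130", "tcp", 443),
              Packet("203.0.113.5", "198.51.100.20", "tcp", 443),
              Packet("203.0.113.5", "198.51.100.10", "tcp", 443),
              Packet("203.0.113.5", "198.51.100.10", "tcp", 443, new_connection=False)]:
        print(p, "->", evaluate(p, state))
```

The order of the sample packets matters: a mid-flow packet sent before any connection was admitted is dropped for lack of state, while the same packet after the admitted connection is forwarded as established. The stage name returned with each verdict is the kind of detail worth logging in a real deployment, since it tells an operator which control stopped the traffic.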

Separation (Compartmentalization)

One key strategy that Microsoft uses to maintain the confidentiality and integrity of Office 365 customer data is compartmentalization. Multiple techniques are used to control information flows between the Management Network, the Managed Network, and the Customer Network, including the following:

Physical separation. Network segments are physically separated by routers that are configured to prevent communications between the Managed Network and the Management Network, and between the Management Network and the Customer Network.

Logical separation. Virtual LAN (VLAN) technology is used to further separate communications between Customer Network and Managed Network segments.

Firewalls. Firewalls and other network security enforcement points are used to limit data exchanges with systems that are exposed to the Internet, and to isolate systems from back-end systems managed by Microsoft.

One-way trusts. Active Directory one-way trusts are used to prevent systems or users in the Managed Network from authenticating to resources on the Management Network. A similar trust prevents these entities from authenticating to the Customer Network.

Protocol restrictions. Only Terminal Services can be used to access systems on a Managed Network from the Management Network.


Figure 3 illustrates these information flows and associated restrictions.

[Figure 3: Network Security Policy Communication Flows. Zones shown: Customer, Internet, Gateway Network (Customer), Gateway Network (Internet), Managed, Management. Legend: Allowed (no network policy, customer policy only); Controlled by policy; Optional; Never allowed.]

Figure 3. Network communication flows


Figure 4 illustrates the separation of the Microsoft Office 365 network from other networks and the enforcement points.

Figure 4. Separation of the Microsoft Office 365 network

Redundancy

Microsoft Office 365 cloud-based services are designed to be highly available through the use of redundancy throughout all layers of the network. Two devices are used for routing and switching, and all connections are on a redundant basis. Firewall and load-balancer deployments use duplicate systems with automatic failover. Each customer environment in the Managed Network has two separate network connections and two individual power feeds to ensure availability. Each data center network stamp has redundant, high-capacity (n x 10GE) links into the Microsoft backbone. These links provide protected connectivity to the Internet edge and to other Microsoft locations.

Server racks are built with multiple top-of-rack (TOR) switches to provide redundancy. Servers utilize network interface card (NIC)-teaming to ensure rapid failover.


Figure 5 provides an overview of the redundancy of the Office 365 network infrastructure.

[Figure 5: diagram showing Anchor Sites and Internet connections feeding paired Edge Routers and Core Routers A/B; Data Center Routers A/B; an Access layer (Layer 3) with Access Routers A/B and Switches A/B; a Layer 2 Aggregation layer with Firewall A/B and Load Balancer A/B; and Top of Rack/Servers with paired TOR switches per server rack.]

Figure 5. Microsoft Office 365 network redundancy