Network service description office 365 dedicated plans april 2012

Transcript

  • 1. Network for Enterprises
     Dedicated Plans Service Description
     Published: April 2012
  • 2. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

     This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

     Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

     Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

     © 2012 Microsoft Corporation. All rights reserved.

     Microsoft, Active Directory, ActiveSync, Lync, Outlook, and SharePoint are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

     Network for Enterprises Service Description (Dedicated Plans) | April 2012
  • 3. Contents
     Introduction ........ 4
     Network Architecture ........ 5
     Customer Connectivity to Data Centers ........ 7
       Customer-Owned Private Connection ........ 7
       Internet IPsec VPN ........ 7
       Connectivity Design Principles ........ 8
       IP Addressing ........ 10
     Network Security ........ 11
       Internet Security ........ 11
       Separation (Compartmentalization) ........ 11
       Redundancy ........ 13
  • 4. Introduction
     This document describes the Microsoft networking infrastructure components and features that support delivery of Microsoft Office 365 for enterprises services provided under dedicated subscription plans ("dedicated plans")*. The information applies to the following services:
     - Microsoft Exchange Online
     - Microsoft SharePoint® Online
     - Microsoft Lync™ Online

     The document is intended for network engineers and system integrators who work with Microsoft Office 365 customers.

     The components and features that are described include:
     - Network architecture for Office 365 dedicated plans
     - Customer connectivity to Microsoft data centers
     - Connectivity design principles
     - Network security

     * Services provided under Office 365 for enterprises dedicated plans are delivered from a Microsoft hosting environment where each customer has their own dedicated data center hardware.
  • 5. Network Architecture
     The network architecture for Microsoft Office 365 is divided into three distinct security zones: the Customer Network, the Managed Network, and the Management Network. Each security zone is implemented as a virtual network.

     Customer Network
     The Customer Network describes the customer's on-premises enterprise network environment. The Customer Network contains the router and the customer firewall for organizations that want to have these components installed between their IT environment and the Microsoft data center.

     Managed Network
     There is a Managed Network for each customer. It is a separate, dedicated security zone that contains the hosted systems that provide Office 365 services and store customer email and data. This network also contains an Active Directory forest that includes a replication of the customer's Active Directory user, contact, and distribution group objects.

     The Managed Network includes two gateway networks (GNs): one associated with the Internet (GN/I) and the other with the Customer Network (GN/C).
     - GN/I: The GN/I is a load-balancing-only hardware component. The only devices deployed on this segment are virtual IP (VIP) addresses hosted on a hardware load balancer's network interface. These devices are usually deployed in conjunction with servers on the Managed Network, and are protected using firewalls for external (Internet) traffic.
     - GN/C: The GN/C is used to implement customer enterprise-facing hardware load-balancing solutions that replicate the functionality implemented in the GN/I.

     Management Network
     The Management Network contains the infrastructure that is shared across multiple customers, such as the Microsoft backup and monitoring systems. It also includes an Active Directory forest that contains the user accounts that are needed for operating the services and servers for the Management Network and Managed Network security zones.
  • 6. Figure 1 shows the Microsoft network architecture and security zone components for Office 365 dedicated plans.

     Figure 1. Microsoft Office 365 network architecture

     Virtualization is used throughout the network architecture to maintain separation and abstraction on a per-customer basis. This is accomplished using virtual LANs (VLANs) at Layer 2 (switching), Virtual Routing and Forwarding (VRF) at Layer 3 (routing), and Layer 3 VPNs at the transport layer. The transport layer relies on the extensive use of multiprotocol label switching (MPLS) within the Microsoft backbone network.

     Customer Responsibilities
     - Maintain the customer internal IT infrastructure and network, and provide connectivity to the Microsoft data centers.
     - Maintain the Customer Forest, which hosts the primary user accounts that are used for authentication and hosts contacts and distribution groups.
     - Co-locate the domain controllers that are located within the Customer Network in the Microsoft data centers. This requirement is discussed in more detail in the "Microsoft Office 365 Identity and Provisioning (Dedicated Plans) Service Description" document.
  • 7. Customer Connectivity to Data Centers
     Microsoft supports two options for connectivity between a Customer Network and each Microsoft data center: customer-owned private connections and Internet IPsec virtual private network (VPN). At a minimum, connections are required to both the primary and secondary Microsoft data centers that host the customer's servers.

     Customer-Owned Private Connection
     Customers can connect to Microsoft data centers with connections that they own and operate, or via their designated provider. This is the primary connectivity option and gives the customer the ability to host equipment within Microsoft data centers. Microsoft provides only the rack, space, cooling, and access to the equipment. The customer is responsible for ownership and management of the equipment.

     Microsoft Responsibility
     - Enable the customer to host network equipment inside Microsoft-owned data centers. Microsoft provides power, space, and cooling for the hosted equipment and access to the equipment. Hosting of customer network equipment is limited to a standard network deployment pod. This pod consists of a pair of industry-standard 2-rack-unit routers, Layer 2 switches, and firewalls, for a total allowance of 12 rack units per data center. Hosting of customer-owned network equipment variants that do not fit within this pod design is considered an exception. Microsoft-approved exceptions will incur additional service fees.
     - Work with the customer and the customer's carrier personnel to terminate circuits and enable connectivity to Microsoft.
     - Provide ongoing support for the customer or carrier personnel to access equipment that is located at a Microsoft data center.

     Customer Responsibility
     - Own and manage all aspects of connectivity, including equipment and circuits. This includes ensuring Microsoft is provided clear, consistent, and updated documentation of deployed hosted network equipment and connectivity.
     - Ensure that customer-provisioned transport is symmetric to the primary and secondary data center. This symmetry implies mirroring of capacity and capability in both data centers.
     - Provide Microsoft with the port and access speed as well as any type of rate limits, such as the committed information rate.
     - Provide Microsoft with periodic (monthly) updates on capacity and utilization of network connectivity so that Microsoft can ensure adequate capacity is available to provide a consistent end-user experience.

     Internet IPsec VPN
     Internet IPsec VPN is an Internet-based, encrypted VPN that uses the same Internet service provider (ISP) on both sides of the VPN to optimize performance and reliability. The Internet IPsec VPN should only be used during the deployment process, to mitigate long lead times for MPLS connections, and as a redundancy solution paired with the customer-owned connection. While this is a viable transport technology, experience has shown that interoperability and operational issues reduce its use to a support role and not the primary means of connectivity.

     Microsoft places a limit of six VPNs per customer at each data center location. If more than six VPNs are required, Microsoft enables the customer to host its own equipment inside Microsoft data centers.
  • 8. We recommend that customers request and review the document "Using an Internet-based Virtual Private Network (VPN) for Microsoft Online Services" for engineering details about the Internet IPsec VPN option. The document can be obtained from the customer's technical account manager.

     Microsoft Responsibility
     - Provide the terminating router and ISP connectivity.

     Customer Responsibilities
     - Confirm that the ISP connects to Microsoft.
     - Ensure that the customer-provisioned transport is symmetric to the primary and secondary data center. This symmetry implies mirroring of capacity and capability in both data centers.
     - Provide Microsoft with the port and access speed as well as any type of rate limits, such as the committed information rate.
     - Provide Microsoft with periodic (monthly) updates on capacity and utilization of network connectivity so that Microsoft can ensure adequate capacity is available to provide a consistent end-user experience.
     - Provide the router at the customer sites.

     Connectivity Design Principles
     Office 365 dedicated plans customers are required to support the following design factors when planning network connectivity to Microsoft data centers.
     - Bandwidth. It is critical that the customer perform initial planning and ongoing capacity analysis to ensure that adequate bandwidth is available to reach Office 365 services at all times. These processes require accurately predicting bandwidth demand and ensuring that proper measuring tools are in place to monitor usage. We recommend that the customer provision a separate link for Internet access if the Internet IPsec VPN option is used as a primary connection link.
     - Latency. Latency is a critical network factor that directly affects perceived and actual performance for a given Office 365 application. Each hosted application provides general guidance for acceptable round-trip time (RTT) between the customer and Microsoft data centers. When provisioning VPNs, tests must be conducted ahead of time to ensure that RTT is within acceptable tolerances.
     - Reliability. Microsoft requires that all connectivity is provisioned in a redundant manner. For Customer-Owned Private Connection this is expected to be accomplished by providing connections relative to the service provisioning points. When selecting Internet-based VPNs, note that Microsoft does not offer a service-level agreement (SLA) for availability on networks that it does not directly own or operate. A multiple-VPN configuration is required to provide increased reliability and redundancy.
     - Microsoft connectivity. To enable Internet IPsec VPN connections to as many ISPs as possible, Microsoft has a policy of open peering with any carrier that wishes to connect with it. This policy has enabled peering relationships with thousands of ISPs, and has positioned Microsoft in the top five of the best-connected networks in the world. Microsoft actively manages capacity for its owned connections and equipment to ensure that there are no capacity-related outages. Links that are starting to saturate are proactively upgraded as needed.
     - BGP peering. The Border Gateway Protocol (BGP) is used for route exchange over all peering sessions used for connectivity via customer-owned circuits. As part of the networking activation process, information is required about the number of prefixes that the customer plans to advertise. Microsoft requires route summarization or aggregation to limit the number of prefixes received. We also deploy the BGP maximum-prefix feature to ensure that a sudden spike in advertisements does not adversely impact equipment and peering.

  • 9. BGP peering (continued). The maximum number of prefixes allowed for the peering session is set to 20 percent higher than what the customer announces initially. The customer can request additional route announcements from Microsoft, to a maximum of 2048, by submitting a Change Request. In addition to providing prefix information, the customer is required to summarize all routing announcements to ensure optimal routing table size.
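The BGP peering rules above (summarize announcements before peering, set max-prefix 20 percent above the initial announcement, cap announcements at 2048) can be checked before a Change Request is filed. The following is an added example, not Microsoft's tooling or any part of the service description; it uses only the standard-library ipaddress module, and the sample announcement is constructed from documentation ranges.

```python
"""BGP peering plan checks for a customer-owned-circuit session.

Added example, not Microsoft's tooling: it models the stated rules
(summarize announcements, max-prefix set 20 percent above the initial
announcement, announcements capped at 2048) with the standard-library
ipaddress module. The sample prefixes are constructed documentation ranges.
"""
import ipaddress

ANNOUNCEMENT_CAP = 2048   # maximum route announcements the customer can request
HEADROOM_PERCENT = 20     # max-prefix is set this much above the initial announcement

# Constructed sample announcement: two halves of a /24, a /26 already covered
# by its /24, and one stand-alone /24. Summarization should yield three routes.
SAMPLE_ANNOUNCEMENTS = [
    "192.0.2.0/25", "192.0.2.128/25",
    "198.51.100.0/24", "198.51.100.0/26",
    "203.0.113.0/24",
]


def aggregate(prefixes):
    """Collapse a list of prefixes into the fewest covering aggregates.

    Adjacent, correctly aligned prefixes merge into their supernet and any
    prefix already covered by another is dropped; this is what the route
    summarization requirement asks the customer to do before peering.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def max_prefix_limit(announced):
    """Max-prefix value for the session: 20 percent above the initial announcement,
    computed in integer arithmetic and rounded up so even one route gets headroom."""
    return (announced * (100 + HEADROOM_PERCENT) + 99) // 100


def plan_session(prefixes):
    """Summarize the proposed announcement and derive the session parameters."""
    summarized = aggregate(prefixes)
    announced = len(summarized)
    return {
        "summarized": summarized,
        "needs_summarization": len(prefixes) != announced,
        "announced": announced,
        "within_cap": announced <= ANNOUNCEMENT_CAP,
        "max_prefix": max_prefix_limit(announced),
    }


def session_within_limit(received, limit):
    """True while the prefixes received stay at or under the configured max-prefix
    value; a spike beyond it is exactly what the feature is deployed to stop."""
    return received <= limit


if __name__ == "__main__":
    plan = plan_session(SAMPLE_ANNOUNCEMENTS)
    for key, value in plan.items():
        print(f"{key}: {value}")
    print("spike of 40 routes within limit:",
          session_within_limit(40, plan["max_prefix"]))
```

With the constructed sample, the five proposed prefixes collapse to three aggregates, so the session limit comes out at 4; a later announcement of 40 routes would exceed it, which is the condition the max-prefix feature exists to catch.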
  • 10. IP Addressing
     Microsoft network configuration work includes allocation of IP address space for each customer in each Microsoft data center. Network address translation (NAT) is not supported in any capacity. Table 1 lists the IP space requirements.

     Table 1. IP Space Requirements
     - Requirement: /24 address space – managed (MGD)
       Purpose: Used for the Office 365 managed servers. This address block is required to be routable between Microsoft and the customer.
     - Requirement: /24 address space – managed private (MGP)
       Purpose: Used for the Office 365 managed servers. Although this address block does not need to be routable between Microsoft and the customer, it does need to be unique to avoid IP address overlap conflicts. For ease of deployment it can be contiguous with the MGD /24.
     - Requirement: /27 address space
       Purpose: Used for customer co-location domain controllers and other co-located devices.
     - Requirement: /24 address space
       Purpose: Temporary address space used for Lotus Notes customers for migration engines. The space is decommissioned after the migrations are complete. This space is only required in the primary data center.

     Microsoft allocates space in its data centers in the following manner:
     - Internet-accessible systems. Microsoft provides its own publicly registered address space, using one /26 address space per data center.
     - Customer network–accessible systems. For the systems that the customer accesses over its private network connection, these options are available (listed in order of preference):
       o Customer provides publicly registered IP address space to Microsoft.
       o Customer provides RFC 1918 address space to Microsoft, avoiding 10.7.0.0/16 and 10.20.0.0/16.
       o Microsoft provides private RFC 1918 address space.
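A proposed allocation can be checked against Table 1 before it is submitted: the block sizes, the uniqueness requirement on the MGP block, and the two /16s to avoid are all mechanical rules. The following is an added example, not part of the service description or of any Microsoft tooling; the role names (mgd, mgp, colo, migration) and the two sample plans are constructed for illustration, and routability between the customer and Microsoft is not something it can verify offline.

```python
"""Checks for a proposed customer IP allocation against the Table 1 rules.

Added example, not part of the service description or Microsoft's tooling: the
role names (mgd, mgp, colo, migration) and the sample plans are constructed;
the block sizes, the uniqueness requirement and the two /16s to avoid come
from the text. Uses only the standard-library ipaddress module.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Private ranges the customer must avoid when supplying RFC 1918 space to Microsoft.
AVOID = [ipaddress.ip_network(n) for n in ("10.7.0.0/16", "10.20.0.0/16")]
# Required prefix length per role from Table 1; "migration" is optional and
# only needed in the primary data center, so it is validated separately.
REQUIRED = {"mgd": 24, "mgp": 24, "colo": 27}
MIGRATION_PREFIXLEN = 24


def is_private(net):
    return any(net.subnet_of(r) for r in RFC1918)


def contiguous(a, b):
    """True if one block starts immediately after the other ends (Table 1 notes
    the MGP /24 may be contiguous with the MGD /24 for ease of deployment)."""
    return (int(a.broadcast_address) + 1 == int(b.network_address)
            or int(b.broadcast_address) + 1 == int(a.network_address))


def check_allocation(plan, primary=True):
    """Return a list of findings for a {role: cidr} plan; an empty list means it passes."""
    findings = []
    nets = {}
    for role, cidr in plan.items():
        try:
            nets[role] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            findings.append(f"{role}: {cidr} is not a valid network ({exc})")

    for role, size in REQUIRED.items():
        if role not in nets:
            findings.append(f"{role}: missing; a /{size} is required")
        elif nets[role].prefixlen != size:
            findings.append(f"{role}: expected /{size}, got /{nets[role].prefixlen}")
    if "migration" in nets:
        if nets["migration"].prefixlen != MIGRATION_PREFIXLEN:
            findings.append(f"migration: expected /{MIGRATION_PREFIXLEN}")
        if not primary:
            findings.append("migration: only required in the primary data center")

    # Every block must be unique: MGP need not be routable, but must not overlap.
    roles = list(nets)
    for i, a in enumerate(roles):
        for b in roles[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} and {b} overlap: {nets[a]} / {nets[b]}")

    # Customer-supplied private space must stay out of the two reserved /16s.
    for role, net in nets.items():
        if is_private(net) and any(net.overlaps(r) for r in AVOID):
            findings.append(f"{role}: {net} falls inside 10.7.0.0/16 or 10.20.0.0/16")
    return findings


# Constructed sample plans: one that follows the rules and one that breaks several.
GOOD_PLAN = {"mgd": "10.50.1.0/24", "mgp": "10.50.2.0/24", "colo": "10.50.3.0/27"}
BAD_PLAN = {"mgd": "10.7.1.0/24", "mgp": "10.7.1.0/24", "colo": "10.50.3.0/28"}

if __name__ == "__main__":
    print("good plan findings:", check_allocation(GOOD_PLAN))
    print("bad plan findings:")
    for finding in check_allocation(BAD_PLAN):
        print("  -", finding)
```

The bad plan produces four findings: the co-location block is the wrong size, MGD and MGP overlap (so MGP is not unique), and both /24s sit inside 10.7.0.0/16.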
  • 11. Network Security
     Because the Microsoft Office 365 network is designed to manage multiple customer environments from a single management space, network infrastructure controls are specifically implemented to help ensure the confidentiality and integrity of customer data through strict compartmentalization. Under no circumstances is access from one customer environment to another permitted. The Microsoft network also enables reliable data availability through equipment redundancy, resiliency, and industry-standard high-availability design practices.

     Internet Security
     Microsoft Internet connections are used to transport email on the customer's behalf, and for access from mobile and Internet-connected employees. Working with each customer, Microsoft applies a rich set of security controls and optimizes routing to ensure the desired level of performance. In particular, three levels of security are implemented to prevent unwanted traffic from entering the Office 365 network or the customer's dedicated virtual local area network (VLAN).
     1. As traffic heads toward the VLAN, two sets of network filters allow only authorized networks on given ports and protocols to reach the servers for a given Office 365 application.
     2. At the router, security by abstraction obscures the routes and allows only authorized traffic to pass through. Because virtualization is used at the router level, only the needed routes are present in the customer's routing table.
     3. All unrecognized traffic is routed to the firewall, where specific rules govern the type of traffic that is allowed to pass through on a stateful basis. Any traffic that does not meet the firewall's rule list is simply dropped.

     In addition to this three-tiered security, there is a final checkpoint in data centers: only servers that are managed by Microsoft and configured for Internet access can receive Internet traffic; reverse access from the Internet to the Customer Network is blocked entirely.

     Separation (Compartmentalization)
     One key strategy that Microsoft uses to maintain the confidentiality and integrity of Office 365 customer data is compartmentalization. Multiple techniques are used to control information flows between the Management Network, the Managed Network, and the Customer Network, including the following:
     - Physical separation. Network segments are physically separated by routers that are configured to prevent communications between the Managed Network and the Management Network, and between the Management Network and the Customer Network.
     - Logical separation. Virtual LAN (VLAN) technology is used to further separate communications between Customer Network and Managed Network segments.
     - Firewalls. Firewalls and other network security enforcement points are used to limit data exchanges with systems that are exposed to the Internet, and to isolate systems from back-end systems managed by Microsoft.
     - One-way trusts. Active Directory one-way trusts are used to prevent systems or users in the Managed Network from authenticating to resources on the Management Network. A similar trust prevents these entities from authenticating to the Customer Network.
     - Protocol restrictions. Only Terminal Services can be used to access systems on a Managed Network from the Management Network.
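The three levels of Internet ingress filtering, and the final rule that the Customer Network is never reachable from the Internet, can be read as an ordered chain of default-deny decisions. The following model is an added illustration, not Microsoft's configuration: the filter entries, the customer VRF routing table, the firewall rules, the Customer Network range (10.60.0.0/16) and the sample packets are all constructed, and it simplifies level 2 to "no route in the customer's table means the packet is dropped" and sends everything that survives levels 1 and 2 through the stateful firewall.

```python
"""Model of three-level Internet ingress filtering with default deny at each level.

Added illustration, not Microsoft's configuration: the filter entries, the
customer routing table, the firewall rules and the sample packets are all
constructed. It shows the order of the checks and that anything not
explicitly permitted at some level is dropped rather than forwarded.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str      # source address
    dst: str      # destination address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


def _in(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def _matches(ip, rules, pkt):
    """True if any (network, proto, port) rule covers ip with the packet's proto/port."""
    return any(_in(ip, net) and pkt.proto == proto and pkt.dport == port
               for net, proto, port in rules)


# Level 1: two sets of network filters, each entry (source network, proto, port).
# A packet must pass both sets to be allowed toward the customer's VLAN.
FILTER_SETS = [
    [("0.0.0.0/0", "tcp", 25), ("0.0.0.0/0", "tcp", 443), ("198.51.100.0/24", "tcp", 3389)],
    [("0.0.0.0/0", "tcp", 25), ("0.0.0.0/0", "tcp", 443)],
]
# Level 2: the only routes present in the customer's VRF from the Internet side.
# The Customer Network itself (constructed as 10.60.0.0/16) has no such route.
CUSTOMER_VRF_ROUTES = ["192.0.2.0/26"]
# Level 3: stateful firewall rules (destination network, proto, port); default drop.
FIREWALL_RULES = [("192.0.2.0/28", "tcp", 25), ("192.0.2.16/28", "tcp", 443)]


class StatefulFirewall:
    """Admits a new flow only when a rule matches, then remembers the flow."""

    def __init__(self, rules):
        self.rules = rules
        self.established = set()

    def admit(self, pkt):
        flow = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
        if flow in self.established:
            return True
        if _matches(pkt.dst, self.rules, pkt):
            self.established.add(flow)
            return True
        return False


def evaluate(pkt, fw):
    """Run a packet through the three levels; return (verdict, deciding level)."""
    for n, rules in enumerate(FILTER_SETS, start=1):
        if not _matches(pkt.src, rules, pkt):
            return "drop", f"level1-filter{n}"
    if not any(_in(pkt.dst, route) for route in CUSTOMER_VRF_ROUTES):
        return "drop", "level2-no-route"
    if not fw.admit(pkt):
        return "drop", "level3-firewall"
    return "allow", "level3-firewall"


# Constructed sample traffic from Internet hosts toward the hosted environment.
SAMPLE_PACKETS = [
    Packet("203.0.113.5", "192.0.2.10", "tcp", 25),     # SMTP to a mail VIP: allowed
    Packet("203.0.113.5", "192.0.2.10", "tcp", 3389),   # RDP from an unauthorized network
    Packet("198.51.100.7", "192.0.2.10", "tcp", 3389),  # RDP passes set 1, stopped by set 2
    Packet("203.0.113.5", "10.60.1.1", "tcp", 443),     # aimed at the Customer Network
    Packet("203.0.113.5", "192.0.2.40", "tcp", 443),    # routable, but no firewall rule
    Packet("203.0.113.5", "192.0.2.20", "tcp", 443),    # HTTPS to a web VIP: allowed
]


def run_samples():
    fw = StatefulFirewall(FIREWALL_RULES)
    return [evaluate(p, fw) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, (verdict, stage) in zip(SAMPLE_PACKETS, run_samples()):
        print(f"{pkt.src:>14} -> {pkt.dst:<12} {pkt.proto}/{pkt.dport:<5} {verdict:5} ({stage})")
```

Each sample packet is stopped at a different level, which is the point of layering: the RDP attempt from an unauthorized network never reaches the router, the packet aimed at the Customer Network has no route to follow, and a routable destination with no matching firewall rule is still dropped by the stateful default-deny rule.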
  • 12. Figure 3 illustrates these information flows and associated restrictions.

     Figure 3. Network communication flows (network security policy communication flows among the Internet, the Customer Network, the Management Network, the Gateway Network (Customer), the Gateway Network (Internet), and the Managed Network; legend: Never allowed, Controlled by policy, Allowed – no network policy (customer policy only), Optional)
  • 13. Figure 4 illustrates the separation of the Microsoft Office 365 network from other networks and enforcement points.

     Figure 4. Separation of the Microsoft Office 365 network

     Redundancy
     Microsoft Office 365 cloud-based services are designed to be highly available through the use of redundancy throughout all layers of the network. Two devices are used for routing and switching, and all connections are on a redundant basis. Firewall and load-balancer deployments use duplicate systems with automatic failover. Each customer environment in the Managed Network has two separate network connections and two individual power feeds to ensure availability. Each data center network stamp has redundant, high-capacity (n x 10GE) links into the Microsoft backbone. These links provide protected connectivity to the Internet edge and to other Microsoft locations.

     Server racks are built with multiple top-of-rack (TOR) switches to provide redundancy. Servers utilize network interface card (NIC) teaming to ensure rapid failover.
  • 14. Figure 5 provides an overview of the redundancy of the Office 365 network infrastructure.

     Figure 5. Microsoft Office 365 network redundancy (diagram of the Internet edge with edge routers, anchor-site core routers A and B, data center routers A and B, Layer 3 access routers A and B, Layer 2 aggregation switches A and B, load balancers A and B, firewalls A and B, top-of-rack switches, and servers)
