This article presents architectural design guidelines for enterprise networks providing Microsoft Office 365 services. Office 365 has standard SaaS architectural requirements, but also several unique options to provide optimal application performance, scalability and resiliency.
Components outside of the core LAN and WAN environment can affect overall user experience. This includes desktop and other end-user devices, client software and operating environments. Performance can also be affected by configurations and policies managed by the customer administrator for Office 365.
This article focuses on the architecture of the enterprise network and design methodologies available to the network administrators to optimize the performance and scalability of Microsoft Office 365 services.
Office 365 has a broad set of cloud services with widely varying performance requirements. Applications like OneDrive and Outlook transfer data in the background. The volume of data can be massive but has only a minor direct effect on user experience. Skype for Business provides voice and streaming video and has high requirements for network performance. Packet loss or latency affects voice quality directly, creating a starkly bad user experience.
Microsoft’s minimum performance requirements for Skype for Business are:
Some applications require network latencies as low as 25 milliseconds. Office 365 has become a large portion of WAN traffic with over 50 applications and services. Many of these services are business critical where service outages and poor performance affect businesses directly.
The main topics covered in this article are:
Once Office 365 traffic is handed off to the Microsoft Global Network access point, the data is intelligently routed using advanced high-speed networking technologies. Network performance issues are often found in the network segment between the customer’s network edge and the Microsoft network.
The customer is responsible for this network segment. The design criteria for Office 365 networks include:
There are several network solutions available to provide customer network connectivity to Office 365 cloud services:
The most common method to connect to Office 365 services is by directly routing traffic over the Internet. Often the performance of this network depends on the Internet service provider. This network segment should be monitored for both performance and other issues. Refer to the section “Troubleshooting and Monitoring WANS.”
Even if the connection between the customer network and Office 365 does not use this method, mobile users and potentially branch office locations will use this direct Internet route.
Network design options include:
Customer WAN infrastructures can be extended to ISP or co-location facilities which have direct peering relationships with Microsoft. These facilities can provide direct carrier interconnections to Microsoft.
An example configuration would be for the customer to deploy a Multiprotocol Label Switching (MPLS) circuit to an ISP providing a direct handoff to Office 365.
This would require the customer to:
The customer would be able to guarantee network performance and resiliency for business-critical Office 365 services.
Microsoft ExpressRoute® is similar to the WAN extension method above but is provided by Microsoft as a service. The network service provider provisions this direct connection to Microsoft and hands off the circuit at your premises, similar to other network circuits.
Advanced networking technologies are available with Application Delivery Controllers and SD-WAN solutions. These solutions provide advanced and flexible WAN architectures. Some of the network features include:
The Microsoft Global Network has a large number of network entry points geographically distributed world-wide. To provide the best performance for Office 365 services, customers should connect to the nearest Microsoft Network Point of Presence (POP). Once on the Microsoft network, traffic is intelligently routed through the high-speed Microsoft Global Network.
Office 365 services use GeoDNS lookup and other technologies to determine where DNS requests are coming from and redirect client traffic to the nearest geographically located Service Front Door.
Office 365 clients use local DNS servers, which forward requests to Microsoft DNS servers. The Microsoft Office 365 DNS servers identify the geographic location of the client, and direct client traffic to the closest Office 365 services front door.
Customer DNS servers must reside on the same network subnet as the clients. If the customer’s DNS servers reside far away from the clients, traffic will be routed in a suboptimal path.
The customer DNS servers should either:
As traffic and the number of devices grow, typical security infrastructure and NAT implementations can become bottlenecks. Security devices may suffer performance degradation while inspecting encrypted traffic. Steering Office 365 traffic around customer premise edge equipment can remove as much as 80% of the load on the egress and edge security systems.
The benefits of steering Office 365 traffic directly to the Office 365 access point are:
Each individual user creates dozens of long-lived connections to the Office 365 hosted environment. Large documents frequently transfer to and from the cloud. NAT servers are stressed similarly.
Office 365 client traffic to cloud services traverses the edge network and security systems. This stack of edge systems is complex, expensive and must be highly reliable. Office 365 already includes security services that may duplicate those at the edge, so its traffic can be routed directly and securely to the Microsoft network, bypassing many of the enterprise edge systems.
In the diagram above, Office 365 traffic is detected and steered directly to the Office 365 network access point. Other Internet traffic is sent to the edge security systems for inspection. Office 365 itself provides similar security processing, operated by Microsoft.
This network architecture is described here: Enterprise Network Architecture
Steering Office 365 traffic around edge CPE systems requires:
Office 365 network traffic is encrypted but can still be identified by the destination hostname (the URL’s host, visible in the TLS server name or HTTP Host header) or by the destination IP address in the IP header. Microsoft publishes the current Office 365 network endpoint URLs, IPv4 and IPv6 addresses and TCP/UDP ports. This identifies every network access point for every Office 365 service.
This endpoint data is downloaded and used to configure the traffic steering load balancer to route data destined for Office 365 endpoints directly. All other traffic is routed to the edge security systems, the same as before.
The Office 365 endpoint data changes over time and must be downloaded and reloaded into the load balancer to refresh it. Here are the current Office 365 URLs and IP address ranges.
Below is a small sample of this data.
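The steering decision described above, as an added example that is not part of the original article or A10’s product configuration: a Python script that loads endpoint records in the shape of Microsoft’s published feed (fields such as `serviceArea`, `category`, `urls`, `ips`, `tcpPorts`, `udpPorts`), builds a lookup table from the records whose category qualifies for direct routing, and classifies each destination as “direct” (to the Office 365 access point) or “edge” (to the security stack). The records and all IP ranges below are constructed sample data using documentation address blocks, not Microsoft’s real endpoints; the `changed_prefixes` helper shows the kind of diff a refresh job would compute before reloading the load balancer.

```python
"""Classify destinations as Office 365 (steer direct) or other (send to edge security)."""
import ipaddress
import json
from fnmatch import fnmatch

# Constructed sample in the shape of Microsoft's endpoint feed. The addresses are
# documentation ranges (RFC 5737 / RFC 3849), NOT real Office 365 ranges.
SAMPLE_ENDPOINTS_JSON = """
[
  {"id": 1,  "serviceArea": "Exchange",   "category": "Optimize", "required": true,
   "urls": ["outlook.office.com", "outlook.office365.com"],
   "ips": ["192.0.2.0/24"], "tcpPorts": "443"},
  {"id": 31, "serviceArea": "SharePoint", "category": "Optimize", "required": true,
   "urls": ["*.sharepoint.com"],
   "ips": ["198.51.100.0/24"], "tcpPorts": "80,443"},
  {"id": 11, "serviceArea": "Skype",      "category": "Optimize", "required": true,
   "ips": ["203.0.113.0/24", "2001:db8::/32"],
   "tcpPorts": "443", "udpPorts": "3478-3481"},
  {"id": 99, "serviceArea": "Common",     "category": "Default",  "required": false,
   "urls": ["*.example.net"], "tcpPorts": "443"}
]
"""


def parse_ports(spec):
    """'80,443' or '3478-3481' -> set of ints; a missing spec yields an empty set."""
    ports = set()
    for part in (spec or "").split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def build_steering_table(records, categories=("Optimize", "Allow")):
    """Collect prefixes and hostname patterns from records that qualify for direct routing."""
    table = {"networks": [], "urls": []}
    for rec in records:
        if rec.get("category") not in categories:
            continue                      # e.g. "Default" traffic stays on the edge path
        tcp = parse_ports(rec.get("tcpPorts"))
        udp = parse_ports(rec.get("udpPorts"))
        for cidr in rec.get("ips", []):
            table["networks"].append((ipaddress.ip_network(cidr, strict=False), rec["id"], tcp, udp))
        for pattern in rec.get("urls", []):
            table["urls"].append((pattern.lower(), rec["id"], tcp))
    # Longest-prefix first so a more specific entry wins over a broader one.
    table["networks"].sort(key=lambda n: n[0].prefixlen, reverse=True)
    return table


def classify(table, host=None, ip=None, port=443, proto="tcp"):
    """Return ('direct', endpoint_id) for Office 365 traffic, ('edge', None) otherwise."""
    if host:
        h = host.lower().rstrip(".")
        for pattern, eid, tcp in table["urls"]:
            if (h == pattern or fnmatch(h, pattern)) and (not tcp or port in tcp):
                return "direct", eid
    if ip:
        addr = ipaddress.ip_address(ip)
        for net, eid, tcp, udp in table["networks"]:
            if addr in net:
                allowed = tcp if proto == "tcp" else udp
                if not allowed or port in allowed:
                    return "direct", eid
    return "edge", None


def changed_prefixes(old_records, new_records):
    """Prefixes added and removed between two downloads of the feed (for refresh jobs)."""
    old = {cidr for r in old_records for cidr in r.get("ips", [])}
    new = {cidr for r in new_records for cidr in r.get("ips", [])}
    return new - old, old - new


RECORDS = json.loads(SAMPLE_ENDPOINTS_JSON)
TABLE = build_steering_table(RECORDS)

if __name__ == "__main__":
    for dest in ({"host": "contoso.sharepoint.com"},
                 {"ip": "203.0.113.10", "port": 3478, "proto": "udp"},
                 {"host": "www.example.org"}):
        print(dest, "->", classify(TABLE, **dest))
```

In production the records come from Microsoft’s published feed rather than the embedded sample, and the job that refreshes the load balancer should log the output of `changed_prefixes` so that every change to the direct-routing table is auditable.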
The network between the customer network edge to the Microsoft network edge is typically provided by an Internet Service Provider (ISP). This portion of the Office 365 access network is outside the control of both the customer and Microsoft and should be established and monitored carefully.
ExpressRoute is a service that provides direct leased-line connections to the Microsoft network. ExpressRoute provides a superior solution with Service Level Agreements available, at a higher operating cost.
This network connection can be tested and monitored using several network tools including:
This network segment should be monitored for performance metrics including:
1. Round-trip delay and latency.
   a. Utilities like PING/psping identify general performance problems but provide little further diagnostic information.
2. Network routing issues such as “hairpins” and routing loops.
   a. Once PING has identified a problem, issues within the ISP networks can be located using a trace route utility.
   b. Run a tracert command to a Microsoft service. This utility shows each hop in the network, displaying the details of the entire route. Each hop is listed with its round-trip time. Analyze the route data and look for:
      i. Long delay times between network hops
      ii. Routing paths to distant geographic destinations
      iii. Odd route paths
3. Stored historical performance data.
   a. Network monitoring tools are available which continuously monitor network performance.
   b. Collect this data to calculate a historical performance baseline.
   c. These tools usually send events for performance issues.
4. Microsoft Office 365 includes monitoring tools.
   a. These tools test the complete path from the Office 365 client to the Office 365 cloud service. One example is the Skype Network Monitor and Assessment tool. This tool simulates Skype traffic for 15+ seconds and monitors network performance, packet loss and jitter.
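Steps 1 through 3 above (latency, per-hop route analysis, and comparison with a stored baseline), as an added example that is not part of the original article: a Python script that parses Windows-style tracert output, flags any hop that adds a large amount of round-trip time, checks the end-to-end latency against the 25 ms figure cited earlier, and compares the current measurement with a set of historical samples. The tracert text, the baseline samples and the `HOP_JUMP_MS` / `BASELINE_TOLERANCE` thresholds are constructed assumptions; geographic anomalies (item 2.b.ii) need an external geolocation source and are not checked here.

```python
"""Parse tracert output and flag latency problems per hop and against a baseline."""
import statistics

LATENCY_TARGET_MS = 25.0     # tightest application requirement cited in the article
HOP_JUMP_MS = 40.0           # assumed threshold: a single hop adding this much RTT is suspicious
BASELINE_TOLERANCE = 1.5     # assumed: current RTT above 1.5x the baseline median is a regression

# Constructed tracert-style output (Windows format); addresses are documentation ranges.
SAMPLE_TRACERT = """
Tracing route to outlook.office.com [192.0.2.25]
over a maximum of 30 hops:

  1    <1 ms     1 ms     1 ms  10.0.0.1
  2     3 ms     2 ms     3 ms  198.51.100.1
  3     4 ms     4 ms     5 ms  198.51.100.9
  4    61 ms    63 ms    60 ms  203.0.113.7
  5     *        *        *     Request timed out.
  6    62 ms    64 ms    63 ms  203.0.113.40
  7    65 ms    66 ms    64 ms  192.0.2.25

Trace complete.
"""

# Constructed historical end-to-end RTT samples (ms) from earlier runs to the same service.
BASELINE_SAMPLES_MS = [30.0, 32.0, 31.0, 29.0, 33.0]


def parse_tracert(text):
    """Return one dict per hop: {'hop': n, 'rtts': [ms, ...], 'target': 'addr or message'}."""
    hops = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue                                  # header, footer, blank lines
        rtts, i = [], 1
        while i < len(parts):
            if parts[i] == "*":                       # probe timed out
                i += 1
            elif i + 1 < len(parts) and parts[i + 1] == "ms":
                rtts.append(float(parts[i].lstrip("<")))   # "<1 ms" -> 1.0
                i += 2
            else:
                break
        hops.append({"hop": int(parts[0]), "rtts": rtts, "target": " ".join(parts[i:])})
    return hops


def analyze_route(hops, target_ms=LATENCY_TARGET_MS, jump_ms=HOP_JUMP_MS):
    """Median RTT per hop, large per-hop increases, and whether the path meets the target."""
    medians = [(h["hop"], statistics.median(h["rtts"]) if h["rtts"] else None) for h in hops]
    jumps, previous = [], 0.0
    for hop, med in medians:
        if med is None:
            continue                                  # silent hop: compare with last responder
        if med - previous >= jump_ms:
            jumps.append((hop, med - previous))
        previous = med
    responders = [m for _, m in medians if m is not None]
    end_to_end = responders[-1] if responders else None
    return {
        "medians": medians,
        "jumps": jumps,
        "silent_hops": [hop for hop, med in medians if med is None],
        "end_to_end_ms": end_to_end,
        "meets_target": end_to_end is not None and end_to_end <= target_ms,
    }


def regressed(current_ms, baseline_ms, tolerance=BASELINE_TOLERANCE):
    """True when the current RTT exceeds the historical median by more than the tolerance."""
    return current_ms > tolerance * statistics.median(baseline_ms)


if __name__ == "__main__":
    report = analyze_route(parse_tracert(SAMPLE_TRACERT))
    for hop, delta in report["jumps"]:
        print(f"hop {hop} adds {delta:.0f} ms")
    print("end-to-end", report["end_to_end_ms"], "ms; meets target:", report["meets_target"])
    print("regression vs baseline:", regressed(report["end_to_end_ms"], BASELINE_SAMPLES_MS))
```

Feeding each scheduled run’s `end_to_end_ms` into the stored sample list is what turns this into the historical baseline of item 3; the `jumps` list points at the ISP segment where a delay is introduced, which is the information a ticket to the provider needs.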
A10 Networks has partnered with Microsoft to design an Office 365 solution for enterprise networks. A10 Networks’ Thunder products provide a complete enterprise solution or can augment existing edge systems to offload, scale and secure Office 365 applications.