
Customer Connectivity to Data Centers


Applies to: Office 365

Topic Last Modified: 2014-01-07

Microsoft supports two options for connectivity between a Customer Network and each Microsoft data center. The primary option is to use a private connection that you own and operate. An alternative is to use an Internet IPsec virtual private network (VPN) connection. At a minimum, connections are required to both the primary and secondary Microsoft data centers that host the servers that provide your Office 365 services.

The following sections describe the two connectivity options in more detail. Connectivity design principles and IP addressing are also covered.

Your organization can connect to Microsoft data centers with connections that you own and operate, or via your designated provider. This is the primary Office 365 connectivity option and gives you the ability to host equipment within a Microsoft designated peering point, which is referred to as an Edge Site. Microsoft provides only the rack, space, cooling, and access to the equipment. You are responsible for ownership and management of the equipment.

Microsoft Responsibilities

  • Enable your organization to host network equipment inside a Microsoft-owned Edge Site. Microsoft provides power, space, and cooling for the hosted equipment and access to the equipment. Hosting of your network equipment is limited to a standard network deployment pod. This pod consists of a pair of industry standard 2-rack unit routers, Layer 2 switches, and firewalls for a total allowance of 12 rack units—with a maximum of 1650 watts power consumption—per data center. Hosting of network equipment variants that do not fit within this pod design is considered an exception. Exceptions approved by Microsoft will incur additional service fees.

  • Work with you and your carrier personnel to terminate circuits and enable connectivity to Microsoft.

  • Provide ongoing support for you or your carrier personnel to access equipment that is located at a Microsoft data center.

Customer Responsibilities

  • Provide a fiber 1 or 10 Gigabit Ethernet hand-off from a Layer 3 peering device to Microsoft.

  • Own and manage all aspects of connectivity including equipment and circuits. This includes ensuring that you provide Microsoft with clear, consistent, and updated documentation of deployed hosted network equipment and connectivity.

  • Ensure that your provisioned transport is symmetric to each peering location within a region where hosted data centers are deployed. This symmetry implies mirroring of capacity and capability in the peering locations.

  • Provide Microsoft with the port and access speed as well as any type of rate limits—such as the committed information rate.

  • Provide Microsoft with periodic (monthly) updates on capacity and utilization of network connectivity so that Microsoft can ensure adequate capacity is available to provide a consistent end-user experience.

Internet IPsec VPN is an Internet-based, encrypted VPN that uses the same Internet service provider (ISP) on both sides of the VPN to optimize performance and reliability. The Internet IPsec VPN should only be used during the deployment process to mitigate long lead times for MPLS connections, and as a redundancy solution paired with the customer-owned connection. While Internet IPsec VPN is a viable transport technology, experience has shown that interoperability and operational issues limit it to a support role rather than the primary means of connectivity.

Microsoft places a limit of six VPNs per customer at each data center location. If more than six VPNs are required, Microsoft enables your organization to host its own equipment inside a Microsoft Edge Site.

We recommend that you review the document "Using an Internet-based Virtual Private Network (VPN) for Microsoft Online Services" for engineering details about the Internet IPsec VPN option. You can request the document from your Microsoft Service Delivery Manager.

Microsoft Responsibility

  • Provide the terminating router and ISP connectivity.

Customer Responsibilities

  • Confirm that the ISP connects to Microsoft.

  • Ensure that your provisioned transport is symmetric to the primary and secondary data center. This symmetry implies mirroring of capacity and capability in both data centers.

  • Provide Microsoft with the port and access speed as well as any type of rate limits, such as the committed information rate.

  • Provide Microsoft with periodic (monthly) updates on capacity and utilization of network connectivity so that Microsoft can ensure adequate capacity is available to provide a consistent end-user experience.

  • Provide the router at your sites.

As an Office 365 Dedicated plans customer, your organization is required to support the following design factors when planning network connectivity to Microsoft data centers.

  • Bandwidth. It is critical that your organization perform initial planning and ongoing capacity analysis to ensure that adequate bandwidth is available to reach Office 365 services at all times. These processes require accurately predicting bandwidth demand and ensuring that proper measuring tools are in place to monitor usage. We recommend that you provision a separate link for Internet access if the Internet IPsec VPN option is used as a primary connection link.

  • Latency. Latency is a critical network factor that directly affects perceived and actual performance for a specific Office 365 service. Each Office 365 service provides general guidance for acceptable round-trip time (RTT) between your data center and the Microsoft data centers. When provisioning VPNs, tests must be conducted ahead of time to ensure that RTT is within acceptable tolerances.

  • Reliability. Microsoft requires that all connectivity is provisioned in a redundant manner. For your customer-owned private connection this is expected to be accomplished by providing connections relative to the service provisioning points. When selecting Internet-based VPNs, Microsoft does not offer a service-level agreement (SLA) for availability on networks that it does not directly own or operate. A multiple-VPN configuration is required to provide increased reliability and redundancy.

  • Microsoft connectivity. To enable Internet IPsec VPN connections to as many ISPs as possible, Microsoft has a policy of open peering with any carrier that wishes to connect with it. This policy has enabled peering relationships with thousands of ISPs, and has positioned Microsoft in the top five of the best-connected networks in the world. Microsoft actively manages capacity for its owned connections and equipment to ensure that there are no capacity-related outages. Links that are starting to saturate are proactively upgraded as needed.

  • BGP peering. The Border Gateway Protocol (BGP) is used for route exchange over all peering sessions used for connectivity via customer-owned circuits. As part of the networking activation process, information is required about the number of prefixes that your organization plans to advertise. Microsoft requires route summarization or aggregation to limit the number of prefixes received. We also deploy the BGP maximum-prefix feature to ensure that a sudden spike in advertisements does not adversely impact equipment and peering. The maximum number of prefixes allowed for the peering session is set to 5000. In addition to providing prefix information, your organization is required to summarize all routing announcements to ensure optimal routing table size.
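The following Python script is an added example, not taken from Microsoft's documentation. It applies exact route summarization to a planned advertisement list and checks the result against the 5000-prefix limit described in the BGP peering item above. The function names and the sample prefixes are constructed for illustration.

```python
import ipaddress

MAX_PREFIXES = 5000  # maximum-prefix value stated for the peering session


def summarize(prefixes):
    """Collapse adjacent and overlapping prefixes into the fewest exact networks.

    strict=True rejects entries with host bits set (e.g. 10.20.0.1/24), which
    usually indicates a typo in the planning sheet. The merge is lossless: no
    address space outside the input is ever covered by the result.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    result = []
    for version in (4, 6):  # collapse_addresses() cannot mix address families
        family = [n for n in nets if n.version == version]
        result.extend(sorted(ipaddress.collapse_addresses(family)))
    return result


def check_plan(prefixes, limit=MAX_PREFIXES):
    """Report how many prefixes would be advertised after summarization."""
    summarized = summarize(prefixes)
    return {
        "planned": len(prefixes),
        "advertised": [str(n) for n in summarized],
        "within_limit": len(summarized) <= limit,
        "headroom": limit - len(summarized),
    }


# Constructed sample plan (not real customer or Microsoft address space).
SAMPLE_PLAN = [
    "10.20.0.0/24", "10.20.1.0/24", "10.20.2.0/24", "10.20.3.0/24",  # -> one /22
    "10.20.4.0/25", "10.20.4.128/25",                                # -> one /24
    "192.0.2.0/24", "192.0.2.64/26",                                 # /26 is covered
    "198.51.100.0/24",
]

if __name__ == "__main__":
    report = check_plan(SAMPLE_PLAN)
    print(f"planned={report['planned']} advertised={len(report['advertised'])} "
          f"within_limit={report['within_limit']} headroom={report['headroom']}")
    for prefix in report["advertised"]:
        print("  ", prefix)
```

Prefixes that are not adjacent cannot be merged without covering address space outside the plan, so a sparse plan can still exceed the limit after summarization.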

Microsoft network configuration work includes allocation of IP address space for your organization in each Microsoft data center (primary and secondary).

Microsoft will provide publicly registered IP addresses from the address space allocated for your organization. You will need to configure routing on your internal network to route traffic to Microsoft over your private connection.

Please note that network address translation (NAT) is not supported.

© 2014 Microsoft