Applies to: Office 365
Topic Last Modified: 2014-01-07
This service description presents the Microsoft networking infrastructure components and features that support delivery of Microsoft Office 365 for enterprises services provided under dedicated subscription plans (“dedicated plans”). The information applies to the following services:
Network engineers and system integrators who work with your organization to deploy Office 365 services should review this service description.
The network architecture for Office 365 is divided into three distinct security zones: the Customer Network, the Managed Network, and the Management Network. Each security zone is implemented as a virtual network.
The Customer Network describes your organization's on-premises enterprise network environment. The Customer Network contains the router and your firewall if you want to have these components installed between your IT environment and the Microsoft data center.
A Managed Network is provided for each organization subscribed to Office 365 Dedicated plans. It is a separate, dedicated security zone that contains the Microsoft hosted systems that provide your Office 365 services and store your email and data. This network also contains an Active Directory forest that includes a replication of your organization's Active Directory user, contact, and distribution group objects.
The Managed Network includes two gateway networks (GNs): one associated with the Internet (GN/I) and the other with the Customer Network (GN/C).
GN/I: The GN/I is a load-balancing hardware component. The only devices deployed on this segment are virtual IP (VIP) addresses hosted on a hardware load balancer’s network interface. These devices are usually deployed in conjunction with servers on the Managed Network, and are protected by firewalls for external (Internet) traffic.
GN/C: The GN/C is utilized to implement your enterprise-facing hardware load-balancing solutions that replicate the functionality implemented in the GN/I.
The Management Network contains the infrastructure that is shared across multiple organizations subscribing to Office 365. It includes components such as the Microsoft backup and monitoring systems. It also includes an Active Directory forest that contains the user accounts that are needed for operating the services and servers for the Management Network and Managed Network security zones.
The following diagram shows the Microsoft network architecture and security zone components for Office 365 Dedicated plans.
Virtualization is used throughout the network architecture to maintain separation and abstraction on a per-customer basis. This is accomplished using virtual LANs (VLANs) at Layer 2 (Switching), Virtual Routing and Forwarding (VRF) at Layer 3 (Routing), and Layer 3 VPNs at the transport layer. The transport layer relies on the extensive use of multiprotocol label switching (MPLS) within the Microsoft backbone network.
Maintain your internal IT infrastructure and network, and provide connectivity to the Microsoft data centers.
Maintain the Customer Forest, which hosts the primary user accounts that are used for authentication and hosts contacts and distribution groups.
Co-locate the domain controllers that are located within the Customer Network in the Microsoft data centers. This requirement is discussed in more detail in the Identity and Provisioning service description for Office 365 Dedicated plans.