Export (0) Print
Expand All

Customer Connectivity to Services


Applies to: Office 365

Topic Last Modified: 2015-02-02

Microsoft supports both public and private networks to access and consume Office 365 Dedicated services as demonstrated in the following illustration.

Illustration of Public and Private Networks

Private network

  • The private network offering is the default method of service consumption. It offers the greatest variety of service options.

  • Private network connectivity helps enable the direct extension of your corporate/enterprise network environment into the Microsoft datacenter environment.

Public network

  • The Internet is the public network.

  • An Internet Protocol security (IPsec) virtual private network (VPN) connection provides secure connectivity between your on-premises environment and the Microsoft data center.

  • Internet-based clients can connect to applicable services directly from public Internet locations, like hotspots, hotels, or airports.

The following sections describe the two connectivity options in more detail. Connectivity design principles and IP addressing are also covered.

Your organization can connect to Office 365 Dedicated services using connections that (a) you own and operate or (b) are supplied by your designated provider. Private networking is the primary Office 365 Dedicated connectivity option and gives you the ability to host equipment within a Microsoft designated peering point, referred to as an edge site. An edge site is a third-party carrier meet-me Room (MMR) facility associated with a carrier hotel or anchor site. Edge sites have ubiquitous connectivity to the Microsoft global backbone. Microsoft provides only the rack, space, power, cooling, and access to the equipment. You are responsible for ownership and management of the equipment.

Customer Responsibilities

  • Provide a 1 or 10 gigabit (GB) single mode fiber optic Ethernet hand-off from a Layer-3 peering device to Microsoft.

  • Own and manage all aspects of connectivity including equipment and circuits. This includes ensuring that you provide Microsoft with clear, consistent, and updated documentation of deployed hosted network equipment and connectivity.

  • Ensure that your provisioned transport is symmetric to each peering location within a region where hosted data centers are deployed. This symmetry implies mirroring of capacity and capability in the peering locations. For more information, see the Office 365 Dedicated Network Connectivity Guidance document on the Office 365 Dedicated Platform Network Services page for Office 365 Dedicated customers.

  • Provide Microsoft with the port and access speed as well as any type of rate limits, like the committed information rate (CIR).

  • Provide Microsoft with periodic (monthly) updates on capacity and utilization for use by Microsoft as input for network capacity planning.

Microsoft Responsibilities

  • Enable your organization to host network equipment inside an Office 365 Dedicated edge site. Microsoft provides power, space, and cooling for the hosted equipment and access to the equipment. Hosting of your network equipment is limited to a standard network deployment pod. This pod consists of:

    • A pair of industry standard 2-rack unit routers.

    • Layer-2 switches.

    • Firewalls.

    • Other networking equipment that you provide.

  • The total allowance for the pod is 12 rack units (12U). The maximum allowed power consumption of a pod is 1650 watts per edge site. Hosting of network equipment variants that do not fit within this pod design are considered an exception. Exceptions approved by Microsoft will incur additional service fees.

  • Work with you and your carrier personnel to terminate circuits at, and enable connectivity with, the Microsoft data centers serving your region.

  • Provide ongoing support for you or your carrier personnel to access equipment that is located in an Office 365 Dedicated edge site.


  • Microsoft does not provide support for customer-owned wide-area network (WAN) acceleration and caching devices used with Office 365 Dedicated services. If you use a WAN optimization controller to improve performance under conditions of high latency or low bandwidth, you will need to disable it during service request troubleshooting with Microsoft. If the added WAN equipment causes network problems, you must seek support from your device vendor. For more information, see Using WAN Optimization Controller devices with Office 365.

Internet IPsec VPN is an Internet-based, encrypted VPN that uses the same Internet service provider (ISP) on both sides of the VPN to optimize performance and reliability. The Internet IPsec VPN should only be used during the deployment process to mitigate long lead time Multiprotocol Label Switching (MPLS) connections and as a redundancy solution paired with the customer-owned connection. While Internet IPsec VPN is a viable transport technology, experience has shown that interoperability and operational issues reduce its use to a support role and not as the primary means of connectivity.

Microsoft places a limit of six (6) VPNs per customer at each peering location. If more than six VPNs are required, Microsoft allows your organization to host equipment inside an Office 365 Dedicated edge site to provide additional VPN capacity. For assistance with setting up a VPN solution for your environment, contact your Microsoft service delivery manager (SDM).

Customer Responsibilities

  • Confirm that the ISP connects to Microsoft.

  • Ensure that your provisioned transport is symmetric to the primary and secondary data center. This symmetry implies mirroring of capacity and capability in both Office 365 Dedicated edge sites. For more information, see the Office 365 Dedicated Network Connectivity Guidance document on the Office 365 Dedicated Platform Network Services page for Office 365 Dedicated customers.

  • Provide Microsoft with the port and access speed as well as any type of rate limits, such as the CIR.

  • Provide Microsoft with periodic (monthly) updates on network capacity and utilization for use by Microsoft as input for network capacity planning.

  • Provide router equipment at your sites.

Microsoft Responsibilities

  • Provide the terminating router and ISP connectivity for six VPNs.

As an Office 365 Dedicated plans customer, your organization is required to support the following design factors when planning network connectivity to Microsoft data centers:

  • Bandwidth. It is critical that your organization perform initial planning and ongoing capacity analysis to ensure that adequate bandwidth is available to reach Office 365 Dedicated services at all times. These processes require accurately predicting bandwidth demand and ensuring that proper measuring tools are in place to monitor usage. We recommend that you provision a separate link for Internet access if the Internet IPsec VPN option is used as a primary connection link.

  • Latency. Latency is a critical network factor that directly affects perceived and actual performance for a specific Office 365 Dedicated service. Each Office 365 Dedicated service provides general guidance for acceptable round-trip time (RTT) between your data center and the Microsoft data centers. When provisioning VPNs, tests must be conducted ahead of time to ensure that RTT is within acceptable tolerances.

  • Reliability. Microsoft requires that all connectivity is provisioned in a redundant manner. For your customer-owned private connection, this is expected to be accomplished by providing connections relative to the service provisioning points. When selecting Internet-based VPNs, Microsoft does not offer a service-level agreement (SLA) for availability on networks that it does not directly own or operate. A multiple-VPN configuration is required to provide increased reliability and redundancy.

  • Microsoft connectivity. To enable Internet IPsec VPN connections to as many ISPs as possible, Microsoft has a policy of open peering with any carrier that wishes to connect with it. This policy has enabled peering relationships with thousands of ISPs, and has positioned Microsoft in the top five of the best-connected networks in the world. Microsoft actively manages capacity for its owned connections and equipment to ensure that there are no capacity-related outages. Links that are starting to saturate are proactively upgraded as needed.

  • BGP peering. The Border Gateway Protocol (BGP) is used for route exchange over all peering sessions used for connectivity via customer-owned circuits. As part of the networking activation process, information is required about the number of prefixes that your organization plans to advertise. Microsoft requires route summarization or aggregation to limit the number of prefixes received. We also deploy the BGP maximum-prefix feature to ensure that a sudden spike in advertisements does not adversely impact equipment and peering. The maximum number of prefixes allowed for the peering session is set to 5000. In addition to providing prefix information, your organization is required to summarize all routing announcements to ensure optimal routing table size.

Microsoft network configuration work includes allocation of IP address space in order to deploy Office 365 Dedicated services to your organization.

Microsoft provides publically registered IP addresses from the address space allocated for your organization. You will need to configure routing on your internal network to route traffic to Microsoft over your private connection. For more information, see the Office 365 Dedicated Public IP Address Ranges document on the Office 365 Dedicated Platform Network Services page for Office 365 Dedicated customers.

For the Office 365 Dedicated offering, only the IPv4 protocol is supported at this time.
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
© 2015 Microsoft