Applies to: Office 365
Topic Last Modified: 2015-04-03
The content of this description applies only to existing Office 365 Dedicated customers with established private networking services. Prospective customers will use the Office 365 Dedicated vNext release and its networking implementation. Contact your Microsoft account team for more details.
This service description presents the Microsoft networking infrastructure components and features that support the delivery of services for the Dedicated plans of Microsoft Office 365 for enterprises services. The information applies to the following services:
Network engineers and system integrators who work with your organization to deploy Office 365 services should review this service description.
The network architecture for Office 365 Dedicated is divided into three distinct security zones: the Customer Network, the Managed Network, and the Management Network.
Each security zone is implemented as a virtual network.
The Customer Network represents your organization's on-premises enterprise network environment. The Customer Network elements include the router and network security enforcement point (NSEP) equipment. They are installed between your on-premises environment and the Microsoft data center.
A Managed Network is provided for each organization with a subscription to an Office 365 Dedicated plan. The network is a separate, dedicated security zone that contains the Microsoft hosted systems that provide your Office 365 Dedicated services and store your email and data. This network also contains an Active Directory forest that includes a replication of your organization's Active Directory user, contact, and distribution group objects.
The Managed Network includes two gateway networks (GNs): one associated with the Internet (GN/I) and the other with the Customer Network (GN/C).
GN/I: This is a load-balancing hardware component. The devices deployed here are represented by virtual IP (VIP) addresses hosted on a hardware load balancer’s network interface. These devices are usually deployed in conjunction with servers on the Managed Network and are protected using NSEP equipment for external (Internet) traffic.
GN/C: This is utilized to implement your enterprise-facing hardware load-balancing solutions that replicate the functionality implemented in the GN/I. GN/C traffic uses the private network connectivity between your on-premises environment and the Microsoft data center.
The Management Network contains the infrastructure elements that are shared across multiple organizations subscribing to Office 365 Dedicated, like Office 365 Dedicated monitoring systems. It includes components such as the Microsoft backup and monitoring systems. It also includes an Active Directory forest that contains the user accounts that are required to operate the services and servers for the Management Network and Managed Network security zones.
The following diagram illustrates the Microsoft network architecture and security zone components for Office 365 Dedicated.
Virtualization is used throughout the network architecture to maintain separation and abstraction on a per-customer basis. Implementation involves using virtual local area networks (VLANs) at Layer 2 (switching), virtual routing and forwarding (VRF) at Layer 3 (routing), and Layer-3 VPNs at the transport layer. The transport layer relies on the extensive use of Multiprotocol Label Switching (MPLS) within the Microsoft backbone network.
Maintain your internal IT infrastructure and network.
Provide connectivity to the Microsoft data centers.
Maintain the Customer Forest in Active Directory, which hosts the primary user accounts used for authentication, contacts, and distribution groups.