  • Slides: 16

https://www.microsoft.com/peering
https://azure.microsoft.com/services/expressroute/

SaaS (e.g. Office 365, CRM Online, etc.)                           | IaaS (e.g. Azure VM/VNET)
• Customers consume features                                       | • Customers build solutions
• Primarily user facing                                            | • Primarily IT facing
• Focused on user collaboration experiences across boundaries      | • Focused on customer specific solutions within boundary
• Optimized for standardization                                    | • Optimized for customization
• Multi-tenant service endpoints                                   | • Multi-tenant infrastructure
• Public interfaces                                                | • Private (and public) interfaces
• Per tenant isolation at the application level                    | • Per tenant isolation at the infrastructure virtualization and network levels
• Cloud controlled URLs and IPs (O(100s): rate of change is high)  | • Customer controlled URLs and IPs (O(1s): rate of change is low)

Networking for #1 (Private peering)                    | Networking for #2 (Public peering)
• Private endpoints/IPs                                | • Public endpoints/IPs
• Target networks instanced and isolated per customer  | • Target network shared across customers and services
• Extension of customer Intranet                       | • External to customer Intranet
• Typical # IP prefixes: O(100’s)                      | • Typical # IP prefixes: O(1’s)
• Typical # IP prefixes: O(1’s)                        | • Typical # IP prefixes: O(100’s)

Office 365 Services

Direct Connectivity
• Key points:
  • For Office 365 services, #4 is a subset of #2 above. See http://aka.ms/o365endpoints
  • The Office 365 experience comes from many places and is always a combination of connections over #1, #2, #3 and optionally #4

• Starting point is always #1, #2, #3
• Office 365 services are optimized for Internet based delivery and require #1, #2, #3, even if ExpressRoute is in place
• ExpressRoute offers an alternate network path (#4) for a subset of Office 365 flows that follow #2
  • Based on dynamic BGP advertisements of specific subnets with Office 365 services
  • Allows customers to design a more preferred connectivity path for supported Office 365 services
• Architecturally, from the on-premises network perspective, ExpressRoute for SaaS is a (dynamic) ‘path override’
  • Can be done at layer 3 (routing) or layer 7 (proxying), depending on the customer on-premises network

• Connectivity type (path) doesn’t change the nature of the service it connects to
  • Public endpoints remain public, even if the path to them is over a dedicated circuit
• Office 365 is a global service
  • Tenant location is mostly a ‘data at rest’ concept
  • Collaboration experiences may direct user connections to service endpoints outside of user or customer tenant locations
• ExpressRoute for Office 365 requires the premium SKU
• Office 365 relies on outbound (On-Premises to Cloud) and inbound (Cloud to On-Premises) flows
  • Both need to be planned separately as they have different dependencies and often different customer requirements (based on the level of trust)

• Presence of both #2 and #4 represents routing path duality between customer networks and Microsoft networks
  • Path asymmetry is a common failure mode during ExpressRoute deployment and run state
• Enterprise customer and Microsoft networks are both distributed
  • Public vs. ExpressRoute path distance/latency needs to be looked at as an N x M matrix
• High availability considerations should include MTBF, MTTR and blast radius for the full spectrum of micro and macro failure modes
  • Customer topology designs for ExpressRoute connectivity to Office 365 must not reduce end to end service availability

Outbound flows
• Must ensure that the outbound NAT does not use the same IP blocks for multiple network paths. Otherwise response packets will not be returned.
• The NAT IP pool advertised to Microsoft must not be advertised to the Internet. This will break connectivity to other Microsoft services.
Inbound flows
• Must ensure that inbound traffic is responded to on the same network route as the request was received on. Must not be ‘Internet and ExpressRoute’ or ‘ExpressRoute circuit 1 and ExpressRoute circuit 2’
• You should NAT traffic destined to IP addresses within your network from Microsoft.
* NAT in all of these discussions = source IP NAT
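The two outbound NAT rules above can be checked mechanically against a routing/NAT design before a circuit goes live. The following is an added example, not part of the presentation or any Microsoft tooling; the topology, path names and field names (`nat_pool`, `advertised`) are constructed, and the addresses are documentation ranges.

```python
import ipaddress
from itertools import combinations

# Constructed sample topology (not from the slides). Each on-premises egress path
# lists the source-NAT pool it uses and the prefixes it advertises to the peer on
# that path (the Internet edge, or Microsoft over an ExpressRoute circuit).
PATHS = {
    "internet": {"nat_pool": ["203.0.113.0/26"], "advertised": ["203.0.113.0/24"]},
    "expressroute-circuit-1": {"nat_pool": ["198.51.100.0/27"], "advertised": ["198.51.100.0/27"]},
    "expressroute-circuit-2": {
        # 198.51.100.16/28 lies inside circuit 1's pool, so replies for a flow that left
        # on one circuit may come back on the other. 203.0.113.64/26 lies inside the
        # prefix the Internet edge advertises, so Microsoft sees that pool on two paths.
        "nat_pool": ["198.51.100.16/28", "203.0.113.64/26"],
        "advertised": ["198.51.100.16/28", "203.0.113.64/26"],
    },
}

def _nets(prefixes):
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]

def overlapping_nat_pools(paths):
    """Rule 1: a source-NAT block must be used on exactly one path.
    Returns (path_a, path_b, pool_a, pool_b) for every overlapping pair."""
    findings = []
    for (name_a, a), (name_b, b) in combinations(paths.items(), 2):
        for pool_a in _nets(a["nat_pool"]):
            for pool_b in _nets(b["nat_pool"]):
                if pool_a.overlaps(pool_b):
                    findings.append((name_a, name_b, str(pool_a), str(pool_b)))
    return findings

def nat_pools_leaked_to_internet(paths, internet_path="internet"):
    """Rule 2: a NAT pool used towards Microsoft over ExpressRoute must not fall
    inside anything advertised to the Internet. Returns (path, pool, internet_prefix)."""
    internet_prefixes = _nets(paths[internet_path]["advertised"])
    findings = []
    for name, path in paths.items():
        if name == internet_path:
            continue
        for pool in _nets(path["nat_pool"]):
            for adv in internet_prefixes:
                if pool.overlaps(adv):
                    findings.append((name, str(pool), str(adv)))
    return findings

def check_outbound_nat(paths):
    return {"shared_nat_pools": overlapping_nat_pools(paths),
            "er_pool_visible_from_internet": nat_pools_leaked_to_internet(paths)}
```

Run `check_outbound_nat(PATHS)` on the constructed topology and each rule reports exactly one violation, both caused by circuit 2; an empty list under both keys means the design satisfies the two slide rules.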