ExpressRoute for Office 365 Training 11/15/2018 11:23 PM ExpressRoute for Office 365 Training Planning for network security and high availability requirements – Session 8 Speaker Name © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Security and availability Minimal pre-deployment risk / High post-deployment risk Dedicated circuit security barrier As availability cost increases, so does security A single dedicated circuit high availability
Documentation ExpressRoute for Office 365 Office 365 endpoints https://aka.ms/expressrouteoffice365 Office 365 endpoints https://aka.ms/o365endpoints Routing with ExpressRoute and Office 365 (Includes what’s inbound) https://aka.ms/erorouting
Security
Security Plan The depth and type of network/security controls may have impact on the performance and scalability of the Office 365 user experience Outbound (on-premises -> Microsoft) & inbound (Microsoft -> on-premises) flows may have different requirements Office 365 endpoint are the same whether traffic is routed through ExpressRoute for Office 365 or via the Internet. Every egress to ExpressRoute for Office 365 must be secured.
Routing Domains and Isolation Microsoft Cloud Internet Customer’s premises Microsoft Peering ExpressRoute Circuit Internet edge Azure Extranet / Public Peering Extranet Azure Private Peering != Core Network
Routing Domains and Isolation Microsoft Cloud Internet Customer’s premises Microsoft Peering ExpressRoute Circuit Internet edge Azure Extranet / Public Peering Extranet Azure Private Peering Core Network
Security Models Network/Security Perimeter Model Co-located at a cloud exchange New or existing security/perimeter infrastructure in the colo. Use colo for routing/interconnect purposes + back haul connections into the on- premises security/perimeter infrastructure. Point-to- Point Ethernet Terminate ExpressRoute in the existing on-premises security/perimeter. Install new security/perimeter specific to the ExpressRoute termination. Any-to-Any IPVPN Leverage existing security/perimeter at all IPVPN egress used for ExpressRoute for Office 365 connectivity. Hairpin the IPVPN used for ExpressRoute for Office 365 to specific on-premises locations designated to serve as the security/perimeter.
Security Plan ExpressRoute security fits neatly between customer internal and external security policies Avoid strict IP routing as a security measure, use Microsoft ASN or port based restrictions instead Outbound (on-premises -> Microsoft) & inbound (Microsoft -> on-premises) flows may have different requirements Every ExpressRoute egress location requires security
Availability and Performance
Availability and Performance Overview Availability and performance are defined by the perception of the person using the service. Any of the physical and virtual systems between the person’s client and the service can cause poor availability and performance. Shortcuts in your end-to-end design will result in poor availability and performance. High Availability & Great Performance = No Shortcuts
Availability and Performance
Availability and Performance
Availability and Performance
Availability and Performance
Availability and Performance
Availability and Performance
Availability and Performance
Availability and Performance
Availability and Performance
Availability and Performance
Availability and Performance
Availability and Performance
Availability and Performance
Designing your availability plan 11/15/2018 11:23 PM Designing your availability plan We strongly recommend that you plan and design high availability and resiliency into your end-to-end connectivity scenarios for Office 365. A design should include; no single points of failure. minimizing the number of people affected and duration of that impact for most anticipated failure modes. optimizing for simple, repeatable, and automatic recovery process from most anticipated failure modes. supporting the full demands of your network traffic and functionality through redundant paths, without substantial degradation. © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Summary Availability and security align to a combination of people and ExpressRoute egress locations. Shortcuts in your end-to-end availability and security design will result in poor availability and security vulnerabilities. Designs should align to and influence existing customer policies Minimize the number of people affected by a security or disaster event Optimize for simple operations and automated recoveries
© 2016 Microsoft Corporation. All rights reserved © 2016 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.