Wednesday, February 20, 2019

Ignite 2018 - BRK3000 - Strategies for building effective, optimal and future proof connectivity to Office 365 that will delight your users

Presented by Konstantin Ryvkin

A very good session explaining Office 365 networking in depth at an understandable level. Please watch it and send this presentation to your network and security team!
 
This session and slide deck can be downloaded here.

Office 365 is a big cloud, and some customers have issues with connectivity and performance while others do not - what is the difference?

There are 3 major types of clouds:

  • IaaS - Infrastructure as a Service (Azure virtual machines / virtual network)
  • PaaS - Platform as a Service (Azure SQL or blob storage)
  • SaaS - Software as a Service (Office 365)

The preferred connectivity method differs between these cloud types. (Azure is regional, Office 365 is global.)

SaaS disrupts traditional connectivity models

For decades enterprises have been evolving their networks to protect themselves from the Internet. This means they now have a lot of security measures in place (proxies, inspection, backhauling) that can interfere with Office 365 connectivity. The connectivity was never designed to be simple; it was designed to protect the users from the Internet.

Often a user will get better connectivity "from home"
(if not forced to VPN back to the Enterprise network and go through all the security)

Some of the trends or changes that SaaS networking is bringing are that security controls move from the local network into the cloud applications themselves, and that the Internet path to the cloud becomes shorter.

Latency becomes a problem - do not backhaul distances and check the ISP and its peering with the Microsoft Global Network.

To measure the latency from an Outlook user to Office 365 PsPing can be used:

psping -n 5 outlook.office365.com:443

(psping is used rather than ping so that we measure a TCP connection to the HTTPS port, the same path Outlook actually uses, instead of ICMP echo, which firewalls may block or treat differently from real traffic.)
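The same measurement psping does, as an added example (not code from the session or from Sysinternals): open a handful of TCP connections to host:port, time each handshake, and summarize the samples. The loopback self-test at the bottom is an assumption for offline use; point the function at outlook.office365.com:443 to measure the real path.

```python
"""Measure TCP connect latency to host:port, the way psping does (added example)."""
import socket
import statistics
import time
from typing import Dict, List


def tcp_connect_latency_ms(host: str, port: int, count: int = 5, timeout: float = 5.0) -> List[float]:
    """Open `count` TCP connections to host:port and return each handshake time in ms.

    A TCP handshake to port 443 exercises the same path, proxies and firewall rules as
    the HTTPS traffic Outlook sends; an ICMP echo may be blocked or deprioritized.
    """
    samples = []
    for _ in range(count):
        start = time.perf_counter()
        with socket.create_connection((host, port), timeout=timeout):
            elapsed = (time.perf_counter() - start) * 1000.0
        samples.append(elapsed)
    return samples


def summarize_ms(samples: List[float]) -> Dict[str, float]:
    """Min, average, max and 95th percentile of latency samples, rounded to 2 decimals."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    p95_index = min(len(ordered) - 1, int(round(0.95 * (len(ordered) - 1))))
    return {
        "min": round(ordered[0], 2),
        "avg": round(statistics.fmean(ordered), 2),
        "max": round(ordered[-1], 2),
        "p95": round(ordered[p95_index], 2),
    }


def measure_against_local_listener(count: int = 3) -> List[float]:
    """Offline self-test (constructed): measure against a throwaway listener on loopback.

    The kernel completes the TCP handshake from the listen backlog, so accept() is not
    needed for the connect timing to be valid.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        listener.bind(("127.0.0.1", 0))
        listener.listen(8)
        port = listener.getsockname()[1]
        return tcp_connect_latency_ms("127.0.0.1", port, count=count, timeout=2.0)
    finally:
        listener.close()


if __name__ == "__main__":
    # Real measurement; needs network access. Assumed target taken from the post.
    print(summarize_ms(tcp_connect_latency_ms("outlook.office365.com", 443)))
```

Run it from several office locations and from home, as the session suggests, and compare the averages: a large gap between the two points at backhauling or ISP peering rather than at Office 365 itself.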

The picture above is showing network latency for customers in Australia and shows that customers in the same metro area, same geographical region and with the same Office 365 service, can have very different experiences. Most importantly - it is possible to get great Office 365 latency experience (even from Australia.)

Office 365 comes closer and closer to end users

The Microsoft Global Network (AS8075), with its global reach and the Distributed Service Front Door infrastructure, makes Office 365 close to users anywhere.

On https://aka.ms/o365ip you will find the full list of all Office 365 endpoints. An endpoint is an IP:port combination that clients connect to (for example 40.97.143.130:443). The feedback received on this list is that it is long, it changes, and security teams will not like it. That is why Microsoft has shortened the list from thousands of entries to hundreds and categorized the endpoints into Optimize, Allow and Default endpoints.

The list of "optimize" endpoints will change less than once a year, so it is quite stable. On https://aka.ms/ipurlws there is a REST API available for customers and partners to automate the updating of network devices according to this list.
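An added example (not the session's or Microsoft's code) of what the automation built on that REST API looks like: it takes records in the shape the endpoints web service returns, validates every CIDR, and produces per-category firewall rules plus the list of Optimize hostnames that should go straight to Microsoft rather than through a proxy or inspection device. The sample records are constructed and use RFC 5737/3849 documentation ranges, not real Office 365 addresses; `fetch_worldwide_endpoints` calls the real service URL and needs network access.

```python
"""Turn Office 365 endpoints web service records into per-category rules (added example)."""
import ipaddress
import json
import urllib.request
import uuid
from typing import Dict, Iterable, List, Tuple

# Constructed sample in the shape of the worldwide endpoints web service output.
# The CIDRs are documentation ranges (RFC 5737 / RFC 3849), not Microsoft addresses.
SAMPLE_ENDPOINTS = json.loads("""
[
  {"id": 1, "serviceArea": "Exchange", "urls": ["outlook.office365.com", "outlook.office.com"],
   "ips": ["203.0.113.0/26", "2001:db8:1::/48"], "tcpPorts": "443",
   "category": "Optimize", "required": true},
  {"id": 2, "serviceArea": "Skype", "urls": ["*.teams.microsoft.com"],
   "ips": ["198.51.100.0/24"], "udpPorts": "3478,3479,3480,3481", "tcpPorts": "443",
   "category": "Optimize", "required": true},
  {"id": 3, "serviceArea": "Common", "urls": ["*.office.com"],
   "ips": ["192.0.2.0/24"], "tcpPorts": "80,443", "category": "Allow", "required": true},
  {"id": 4, "serviceArea": "Common", "urls": ["*.msftidentity.com"],
   "tcpPorts": "443", "category": "Default", "required": false}
]
""")

Rule = Tuple[str, str, int]  # (cidr, protocol, port)


def _ports(spec: str) -> List[int]:
    """'80,443' -> [80, 443]; the service gives ports as a comma-separated string."""
    return [int(p) for p in spec.split(",") if p.strip()]


def rules_for_category(records: Iterable[dict], category: str) -> List[Rule]:
    """Deduplicated, sorted (cidr, proto, port) rules for one category.

    Every CIDR is parsed with strict=True, so a malformed or host-bit-set entry raises
    ValueError instead of silently producing a rule that is wider or narrower than meant.
    """
    rules = set()
    for rec in records:
        if rec.get("category") != category:
            continue
        for cidr in rec.get("ips", []):
            net = ipaddress.ip_network(cidr, strict=True)
            for port in _ports(rec.get("tcpPorts", "")):
                rules.add((str(net), "tcp", port))
            for port in _ports(rec.get("udpPorts", "")):
                rules.add((str(net), "udp", port))
    return sorted(rules)


def direct_hosts(records: Iterable[dict]) -> List[str]:
    """Optimize-category hostnames: the small, stable set to send direct, bypassing proxy
    and break-and-inspect devices, per the categorization described in the session."""
    hosts = {u for r in records if r.get("category") == "Optimize" for u in r.get("urls", [])}
    return sorted(hosts)


def category_counts(records: Iterable[dict]) -> Dict[str, int]:
    """How many records fall in each category; useful for spotting unexpected churn."""
    counts: Dict[str, int] = {}
    for rec in records:
        counts[rec.get("category", "?")] = counts.get(rec.get("category", "?"), 0) + 1
    return counts


def fetch_worldwide_endpoints() -> list:
    """Download the current worldwide list from the endpoints web service (needs network).
    The clientrequestid is a per-client GUID the service asks callers to supply."""
    url = "https://endpoints.office.com/endpoints/worldwide?clientrequestid=" + str(uuid.uuid4())
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for cat in ("Optimize", "Allow", "Default"):
        print(cat, rules_for_category(SAMPLE_ENDPOINTS, cat))
    print("direct:", direct_hosts(SAMPLE_ENDPOINTS))
```

Default-category entries typically carry no IP list, so they produce no address rules here; they are meant to be handled by the existing proxy path, which is why the Optimize list is the one worth automating onto network devices.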

A hub-and-spoke model has traditionally been used to backhaul traffic into a central location. This works well when users are connecting to services located at the hub, but it does not work as well for Office 365 traffic, which then takes a detour before reaching the Internet. Try to evolve away from hub-and-spoke and go for a full mesh (local Internet breakout) when it comes to Office 365 traffic. Consider this for external DNS requests as well, since the DNS resolver's location influences which front door you are directed to.

Office 365 will over time move some of your data, e.g. your mailbox, closer to the location where you enter the Microsoft network, to further decrease the latency of getting data. Such moves will only happen within your compliance boundary.

Man-in-the-middle SSL inspection, aka break and inspect, works well for simple web browsing. However, Office 365 traffic is not ordinary web traffic; what would the "inspector" do with encrypted audio or video, other than add latency?

Follow these simple principles to delight your users!

Resources
