Microsoft global network

This global and sophisticated architecture, spanning more than , miles, connects our datacenters and customers. Every day, customers around the world connect and pass trillions of requests to Microsoft Azure, Bing, Dynamics, Microsoft, Xbox, and many other services. Regardless of the service, customers expect instant reliability and responsiveness.

The Microsoft global network WAN is a central part of delivering a great cloud experience. Connecting our Microsoft datacenters across 61 Azure regions and a large mesh of edge nodes strategically placed around the world, our global network offers the availability, capacity, and flexibility to meet any demand. Opting for the best possible experience is easy when you use the Microsoft cloud.

From the moment customer traffic enters our global network through our strategically placed edge nodes, your data travels over optimized routes at near the speed of light.

This ensures optimal latency for best performance. These edge nodes, all interconnected to more than unique Internet partner peers through thousands of connections in more than locations, provide the foundation of our interconnection strategy. Whether connecting from London to Tokyo, or from Washington DC to Los Angeles, network performance is quantified and affected by latency, jitter, packet loss, and throughput. At Microsoft, we prefer and use direct interconnects rather than transit links; this keeps response traffic symmetric and keeps hops, peering parties, and paths as short and simple as possible.

Due to the large number of distributed locations with Microsoft entry points and their proximity to end-users, routing Microsoft traffic to any third-party network or security provider can have an adverse impact on Microsoft connections if the provider network is not configured for optimal Microsoft peering. Enterprise customers should review their network security and risk reduction methods specifically for Microsoft bound traffic and use Microsoft security features to reduce their reliance on intrusive, performance impacting, and expensive network security technologies for Microsoft network traffic.

Most enterprise networks enforce network security for Internet traffic using technologies like proxies, SSL inspection, packet inspection, and data loss prevention systems. These technologies provide important risk mitigation for generic Internet requests but can dramatically reduce performance, scalability, and the quality of end user experience when applied to Microsoft endpoints.

Microsoft administrators can use a script or REST call to consume a structured list of endpoints from the Office Endpoints web service and update the configurations of perimeter firewalls and other network devices. This will ensure that traffic bound for Microsoft is identified, treated appropriately and managed differently from network traffic bound for generic and often unknown Internet web sites.

PAC scripts can be used to bypass proxies for Microsoft requests from WAN or VPN users, allowing Microsoft traffic to use direct Internet connections rather than traversing the corporate network. Microsoft is transparent about datacenter security, operational security, and risk reduction around Microsoft servers and the network endpoints that they represent. Office endpoints represent a varied set of network addresses and subnets.
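The two preceding paragraphs describe consuming the endpoint list from the web service and bypassing the proxy for those destinations. The following is an added example, not Microsoft's own script or code from this page: it takes endpoint records in the JSON shape the Office endpoints web service returns (the records below are constructed sample data using that shape's field names, so the example runs offline), keeps only the Optimize and Allow categories, and produces the PAC logic that sends those hosts DIRECT while everything else goes to a corporate proxy. The proxy address and the sample hosts are assumptions.

```javascript
// Added example (not Microsoft's script). The endpoint records are CONSTRUCTED
// sample data in the field layout of the Office endpoints web service JSON.
const SAMPLE_ENDPOINTS = [
  { id: 1,  serviceArea: "Exchange",   category: "Optimize", required: true,
    urls: ["outlook.office.com", "outlook.office365.com"], tcpPorts: "443" },
  { id: 31, serviceArea: "SharePoint", category: "Optimize", required: true,
    urls: ["*.sharepoint.com"], tcpPorts: "80,443" },
  { id: 56, serviceArea: "Common",     category: "Allow",    required: true,
    urls: ["*.auth.microsoft.com", "login.microsoftonline.com"], tcpPorts: "443" },
  { id: 77, serviceArea: "Common",     category: "Default",  required: false,
    urls: ["*.office.com"], tcpPorts: "80,443" },
];

// Collect the URL patterns of the categories worth bypassing the proxy for.
// Default endpoints are deliberately left out: they are treated as normal Internet traffic.
function bypassHosts(endpoints, categories = ["Optimize", "Allow"]) {
  const hosts = new Set();
  for (const e of endpoints) {
    if (!categories.includes(e.category)) continue;
    for (const u of e.urls || []) hosts.add(u.toLowerCase());
  }
  return [...hosts].sort();
}

// shExpMatch-style wildcard match: "*" matches any run of characters, case-insensitive.
function hostMatches(host, pattern) {
  const parts = pattern.split("*").map(s => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$").test(host.toLowerCase());
}

// In-process FindProxyForURL: DIRECT for the selected Microsoft hosts, proxy for the rest.
// The proxy address is an assumed placeholder.
function makeFindProxyForURL(hosts, proxy = "PROXY proxy.corp.example:8080") {
  return function FindProxyForURL(url, host) {
    for (const p of hosts) if (hostMatches(host, p)) return "DIRECT";
    return proxy;
  };
}

// Render a PAC file body a client could load; patterns are baked in as literals.
function renderPac(hosts, proxy = "PROXY proxy.corp.example:8080") {
  const list = hosts.map(h => `    "${h}",`).join("\n");
  return `function FindProxyForURL(url, host) {\n  var direct = [\n${list}\n  ];\n` +
         `  for (var i = 0; i < direct.length; i++) {\n` +
         `    if (shExpMatch(host.toLowerCase(), direct[i])) return "DIRECT";\n  }\n` +
         `  return "${proxy}";\n}\n`;
}

const HOSTS = bypassHosts(SAMPLE_ENDPOINTS);
const FindProxyForURL = makeFindProxyForURL(HOSTS);
```

In practice the records would be fetched from the web service on a schedule and the rendered PAC republished whenever the list changes.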

The locations of Office endpoints within the network are not directly related to the location of the Microsoft tenant data. For this reason, customers should look at Microsoft as a distributed and global service and should not attempt to block network connections to Office endpoints based on geographical criteria. In our previous guidance for managing Microsoft traffic, endpoints were organized into two categories, Required and Optional.

Endpoints within each category required different optimizations depending on the criticality of the service, and many customers faced challenges in justifying the application of the same network optimizations to the full list of Office URLs and IP addresses. In the new model, endpoints are segregated into three categories, Optimize, Allow, and Default, providing a priority-based pivot on where to focus network optimization efforts to realize the best performance improvements and return on investment.

The endpoints are consolidated into these categories based on how sensitive the user experience is to network quality, the volume and performance envelope of the scenarios involved, and ease of implementation. Recommended optimizations can be applied the same way to all endpoints in a given category. Optimize endpoints represent the Office scenarios that are the most sensitive to network performance, latency, and availability.

All Optimize endpoints are hosted in Microsoft datacenters. The rate of change to the endpoints in this category is expected to be much lower than for the endpoints in the other two categories. A condensed list of well-defined critical endpoints should help you plan and implement high-value network optimizations for these destinations more quickly and easily. Allow endpoints are required for connectivity to specific Office services and features, but are not as sensitive to network performance and latency as those in the Optimize category.

The overall network footprint of these endpoints from the standpoint of bandwidth and connection count is also smaller. These endpoints are dedicated to Office and are hosted in Microsoft datacenters. Not all endpoints in this category are associated with defined dedicated IP subnets. Network optimizations for Allow endpoints can improve the Office user experience, but some customers may choose to scope those optimizations more narrowly to minimize changes to their network.

Default endpoints represent Office services and dependencies that do not require any optimization, and can be treated by customer networks as normal Internet bound traffic. Some endpoints in this category may not be hosted in Microsoft datacenters. For more information about Office network optimization techniques, see the article Managing Office endpoints.

The goal of traditional network security is to harden the corporate network perimeter against intrusion and malicious exploits. As organizations adopt Microsoft, some network services and data are partly or completely migrated to the cloud. As for any fundamental change to network architecture, this process requires a reevaluation of network security that takes emerging factors into account. Microsoft offers a wide range of security features and provides prescriptive guidance for employing security best practices that can help you ensure data and network security for Microsoft. Recommended best practices include the following.

Traffic via a connection destined to a virtual network in the same region will be processed by the Azure Firewall in the secured hub. This configuration must be done using Azure Firewall Manager. See Route Traffic to your hub to configure all traffic from branches (including users) as well as VNets to the Internet via the Azure Firewall.

Configure the VNets and branches that can send traffic to the Internet via the firewall. Configure which connections (VNet and branch) can route traffic to the Internet 0. This step ensures that the default route is propagated to the selected branches and VNets that are attached to the Virtual WAN hub via those connections.

In this case, all traffic entering the hub from VNets and branches and destined for the Internet will be routed to the Azure Firewall or Trusted Security Provider. Currently there is no option to select an on-premises firewall, or both Azure Firewall and a Trusted Security Provider, for Internet-bound traffic originating from VNets, branches, or users. The default route learned from the Azure Firewall Manager setting is always preferred over the default route learned from one of the branches.

Note: Inter-hub processing of traffic via the firewall is currently not supported.

Note: Inter-hub with firewall is currently not supported.

Also, in many enterprise networks, all outbound Internet connections traverse the corporate network and egress from a central location.

In traditional network architectures, higher latency for generic Internet traffic is a necessary tradeoff in order to maintain network perimeter security, and performance optimization for Internet traffic typically involves upgrading or scaling out the equipment at network egress points.

However, this approach does not address the requirements for optimum network performance of SaaS services such as Microsoft. We're making it easier to identify Microsoft network traffic and simpler to manage that identification. The goal of traditional network security is to harden the corporate network perimeter against intrusion and malicious exploits. Most enterprise networks enforce network security for Internet traffic using technologies like proxy servers, firewalls, SSL break and inspect, deep packet inspection, and data loss prevention systems.

These technologies provide important risk mitigation for generic Internet requests but can dramatically reduce performance, scalability, and the quality of end user experience when applied to Microsoft endpoints.

Microsoft helps meet your organization's needs for content security and data usage compliance with built-in security and governance features designed specifically for Microsoft features and workloads. For more information about Microsoft security and compliance, see the Office security roadmap. Microsoft is designed for optimal performance using endpoint security and encrypted network connections, reducing the need for perimeter security enforcement.

Microsoft datacenters are located across the world and the service is designed to use various methods for connecting clients to best available service endpoints. Since user data and processing are distributed between many Microsoft datacenters, there is no single network endpoint to which client machines can connect. In fact, data and services in your Microsoft tenant are dynamically optimized by the Microsoft Global Network to adapt to the geographic locations from which they are accessed by end users.

Certain common performance issues are created when Microsoft traffic is subject to packet inspection and centralized egress. Shortening the network path to Microsoft entry points by allowing client traffic to egress as close as possible to its geographic location can improve connectivity performance and the end user experience in Microsoft.
