A move to Office 365 means organizations must access some mission-critical services over the Internet. This isn't often a major issue, and any downsides are outweighed by the benefits of consuming cloud services instead of managing services on premises.
Some organizations have a complex infrastructure and established regional and worldwide networks; they want to retain the same level of traffic management and reliability they're accustomed to when they migrate to Office 365.
Microsoft Azure ExpressRoute connects to Office 365 and is used when you need a high quality of service. Azure's infrastructure as a service offering allows companies to directly connect their organization's wide area network (WAN) to Microsoft's infrastructure, rather than connecting across the Internet. The feature taps into Microsoft Edge nodes located across the globe via its multiprotocol label switching (MPLS) network. It's as close as you can get to having Office 365 on your network.
Should I use Azure ExpressRoute for my Office 365 deployment?
But this feature isn't a necessity for every organization. Azure ExpressRoute won't guarantee a faster connection, but it will guarantee security with better predictability. It may allow for higher quality of service and lower latency connections as well, and makes locking down external access to the service easier for admins.
Azure ExpressRoute isn't required for a successful Office 365 deployment, and can even make for a bad experience under certain circumstances. For example, if a remote site has a faster, less congested Internet link than the WAN connection, then it might be faster to connect to Office 365 over the Internet.
Most organizations that deploy the standard ExpressRoute offering connect to a single Edge point -- point of presence -- to connect to the Microsoft network. This requires careful thought for multinational organizations. In a standard Office 365 deployment, clients connect over the Internet from their local Internet service provider. There's usually an Internet breakout in each region, and the client connects over the Internet to Microsoft's global network. With ExpressRoute, clients connect through their internal WAN before reaching Office 365; you can mitigate this by connecting to multiple Edge nodes via the ExpressRoute Premium offering, but this is costly. True cost depends on the organization's environment. For example, if the organization has a good WAN but undesirable Internet links, it may be cheaper to use ExpressRoute rather than upgrade Internet links at multiple sites.
Azure ExpressRoute may make sense if your organization has strict requirements for allowing only internal clients to access the service, and offerings such as Client Access Policies -- where some clients are restricted based on your organization's Internet IP addresses -- aren't enough. With ExpressRoute, organizations have greater control over whether services such as Active Directory Federation Services (AD FS) need to be exposed to the public. However, offerings such as Modern Authentication avoid the reasons why AD FS would need to be published on the Internet. In essence, Modern Authentication allows larger Office clients like Outlook to authenticate directly against the AD FS servers rather than provide credentials to Office 365 first, which in turn connects back out to the organization's AD FS servers over the Internet.
This Azure feature also controls network traffic. ExpressRoute makes sense if you're planning to migrate Unified Messaging to Office 365, if you use quality of service with conference calls or if you will use future public switched telephone network capabilities for Skype for Business Online. These services work over the public Internet, but lack the ability to ensure call quality.
Planning differs from standard deployments
Not all traffic to Office 365 will pass over your Azure ExpressRoute connection. Core services, such as Exchange Online, Skype for Business and SharePoint Online, use ExpressRoute for heavy workloads, including Messaging Application Program Interface (MAPI), Hypertext Transfer Protocol (HTTP) and voice connections. But services such as Yammer, an Office deployment, or content that the Microsoft Content Distribution Networks serve will still travel over a standard Internet connection. Keep this in mind when configuring proxy servers and other equipment that restricts access to Internet sites.
Ensure that the standard Office 365 exceptions are added. Traffic to these destinations should still be allowed. However, you'll add client bypass exceptions for the ExpressRoute IP ranges to ensure that traffic destined for ExpressRoute doesn't pass through your proxy server and out to the Internet.
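The client bypass described above is commonly delivered as a proxy auto-config (PAC) file. The following is an added example, not code from the original article or from Microsoft; the IP ranges, hostnames and proxy address are constructed placeholders, and `routeFor` is a hypothetical helper introduced so the decision can be checked offline.

```javascript
// Added example. Ranges, hostnames and the proxy address are constructed
// placeholders (RFC 5737 documentation space), not real ExpressRoute values.
var EXPRESSROUTE_RANGES = ["192.0.2.0/24", "198.51.100.64/26"];
var PROXY = "PROXY proxy.example.internal:8080";

// Dotted-quad IPv4 string -> unsigned integer, or null if not an IPv4 literal.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// True when ip falls inside cidr; plain arithmetic avoids signed 32-bit shifts.
function inCidr(ip, cidr) {
  var pieces = cidr.split("/");
  var ipN = ipToInt(ip), baseN = ipToInt(pieces[0]), bits = Number(pieces[1]);
  if (ipN === null || baseN === null || !(bits >= 0 && bits <= 32)) return false;
  var size = Math.pow(2, 32 - bits);
  return Math.floor(ipN / size) === Math.floor(baseN / size);
}

// Decide the route for one host. `resolve` is injected so the logic can be
// checked offline; inside a PAC file it is the built-in dnsResolve.
function routeFor(host, resolve) {
  var ip = ipToInt(host) !== null ? host : resolve(host);
  if (ip) {
    for (var i = 0; i < EXPRESSROUTE_RANGES.length; i++) {
      if (inCidr(ip, EXPRESSROUTE_RANGES[i])) return "DIRECT"; // stays on the WAN
    }
  }
  // Everything else, including names that fail to resolve, goes to the proxy,
  // where the standard Office 365 exceptions are assumed to be allowed.
  return PROXY;
}

// PAC entry point called by the client for every request.
function FindProxyForURL(url, host) {
  var resolver = typeof dnsResolve === "function" ? dnsResolve : function () { return null; };
  return routeFor(host, resolver);
}
```

Because unresolved names fall through to the proxy rather than to `DIRECT`, a DNS failure cannot silently send traffic around the proxy's filtering.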
Network bandwidth performance planning is significantly different. When planning Exchange Online bandwidth, plan for traffic across multiple sites based on per-site or centralized Internet links. The calculations are the same when using the Exchange Bandwidth calculator; however, the figures need to be added up according to the MPLS links the traffic passes through and the ExpressRoute connection.
Also take WAN usage into account. Because the traffic that workloads such as Exchange, Skype for Business or SharePoint send over the Internet links to Office 365 is negligible, it isn't necessary, or easy, to account for it. Delivering Office Click-To-Run updates and access to services such as Yammer -- which often includes picture and attachment uploads -- still require significant bandwidth. This is especially important if clients are set to update directly from the Internet. Include these factors when calculating Internet traffic.
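One way to roll per-site figures up onto each MPLS link, the ExpressRoute connection and the Internet links, as an added example that is not from the original article. Site names, the topology and all Mbps figures are constructed, and the example assumes ExpressRoute terminates at the root site of the WAN.

```javascript
// Constructed per-site estimates in Mbps. `o365` is ExpressRoute-bound traffic
// (for example from a bandwidth calculator); `internet` covers Click-To-Run
// updates, Yammer and similar traffic that stays on the Internet.
var SITES = {
  hq:    { parent: null,    o365: 40, internet: 12, localBreakout: true },
  leeds: { parent: "hq",    o365: 15, internet: 5,  localBreakout: true },
  york:  { parent: "leeds", o365: 6,  internet: 2,  localBreakout: false }
};

// Walk each site's path toward the root and add its traffic to every link used.
function planLinks(sites) {
  var plan = { expressRoute: 0, mpls: {}, internet: {} };
  for (var name in sites) {
    var site = sites[name];
    plan.expressRoute += site.o365;
    var pending = site.internet; // Internet traffic not yet broken out
    var seen = {};
    for (var node = name; node !== null; node = sites[node].parent) {
      if (!sites[node]) throw new Error("unknown site: " + node);
      if (seen[node]) throw new Error("loop in WAN topology at " + node);
      seen[node] = true;
      if (pending > 0 && sites[node].localBreakout) {
        plan.internet[node] = (plan.internet[node] || 0) + pending;
        pending = 0;
      }
      if (sites[node].parent !== null) {
        // Centralized breakout: Internet traffic also rides this MPLS link.
        var link = node + "->" + sites[node].parent;
        plan.mpls[link] = (plan.mpls[link] || 0) + site.o365 + pending;
      }
    }
    if (pending > 0) throw new Error("no Internet breakout on path from " + name);
  }
  return plan;
}

var PLAN = planLinks(SITES);
```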
About the author:
Steve Goodman is an Exchange MVP and is the head of unified communications at the U.K.'s leading Office 365 partner. Steve has worked in the IT industry for 16 years and has worked extensively with Microsoft Exchange since version 5.5. Goodman is the author of a number of books about Exchange, regularly presents at conferences, co-hosts The UC Architects podcast and regularly blogs about Exchange Server, Office 365 and PowerShell at www.stevieg.org.