Securing the physical infrastructure in Microsoft’s data centers is as important as data availability.

As is true with most Microsoft products, there are a number of ways you can architect Office 365 to work with your infrastructure or replace it entirely.

For smaller organizations, it’s an easier decision because those companies typically have fewer on-premises solutions and much less investment in infrastructure, so moving to the cloud is simpler.

Microsoft’s physical architecture uses the same principles most organizations do to secure a data center. Because of the nature of Microsoft data centers and the information kept in them, securing the physical infrastructure is as important as data availability.

Physical Architecture: Security Features

Some of the physical protection features in use by Microsoft’s data centers are:

  • High-security perimeter fences
  • 24/7/365 surveillance
  • Vehicle checkpoints
  • World-class access procedures to facilities
    • Multi-factor, biometric entry points
    • Full body metal detection
  • On-site hard drive destruction (shredding)
  • State-of-the-art fire suppression
  • Secure access to physical components
  • Geo-located and Geo-replicated data

You are likely already using many of the security features and principles listed above where they make sense in your own organization. That’s good.

Securing Your Architecture

The question is how you will architect your network for the change, and that depends on what the final goal is.

  • Will you peacefully coexist?
  • Are you going to extend your directory to the cloud?
  • Do you want an isolated tunnel between your location and Office 365?

Option 1

This one is really simple. You keep your infrastructure in place and allow the URLs and IP addresses required for Office 365 through your firewall(s).

This uses your current ISP and the public Internet in the same way your users access it today. Traffic is encrypted and flows through a secure channel. Microsoft SaaS solutions like Office 365 and Dynamics 365 are designed for this type of access.
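The Python below shows one way to turn a list of Office 365 endpoint sets into the firewall allow rules Option 1 calls for. It is an added example, not from the original article: the record layout is assumed to follow the JSON of Microsoft's Office 365 IP Address and URL web service (which the article does not mention), and every hostname and range is a constructed documentation placeholder.

```python
import ipaddress

# Constructed sample records, shaped like the JSON of Microsoft's Office 365
# IP Address and URL web service (an assumption; the article shows no data).
# Hostnames and ranges are documentation placeholders, not real endpoints.
SAMPLE_ENDPOINTS = [
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "urls": ["mail.example.com"], "ips": ["192.0.2.0/25", "2001:db8:1::/48"],
     "tcpPorts": "80,443"},
    {"id": 2, "serviceArea": "SharePoint", "category": "Allow", "required": True,
     "urls": ["*.files.example.com"], "ips": ["198.51.100.0/24"],
     "tcpPorts": "443"},
    {"id": 3, "serviceArea": "Common", "category": "Default", "required": False,
     "urls": ["cdn.example.net"], "tcpPorts": "443"},
    {"id": 4, "serviceArea": "Common", "category": "Allow", "required": True,
     "urls": ["login.example.com"], "ips": ["203.0.113.0/33"],  # malformed on purpose
     "tcpPorts": "443"},
]

def build_allowlist(endpoints, categories=("Optimize", "Allow")):
    """Turn endpoint sets into outbound allow rules, rejecting malformed ranges."""
    rules, fqdn_only, rejected = [], [], []
    for ep in endpoints:
        # Policy choice in this example: skip optional and Default-category sets.
        if not ep.get("required") or ep.get("category") not in categories:
            continue
        ports = [int(p) for p in ep.get("tcpPorts", "").split(",") if p.strip()]
        for cidr in ep.get("ips", []):
            try:
                net = ipaddress.ip_network(cidr, strict=True)
            except ValueError:
                rejected.append((ep["id"], cidr))  # never install an unparsable range
                continue
            for port in ports:
                rules.append(("allow", "tcp", str(net), port, ep["serviceArea"]))
        # Wildcard hosts cannot be written as IP rules; they need FQDN or proxy rules.
        fqdn_only += [u for u in ep.get("urls", []) if u.startswith("*.")]
    return sorted(set(rules)), sorted(set(fqdn_only)), rejected

if __name__ == "__main__":
    rules, fqdn_only, rejected = build_allowlist(SAMPLE_ENDPOINTS)
    for rule in rules:
        print(*rule)
    print("FQDN rules needed:", fqdn_only, "| rejected ranges:", rejected)
```

Rejected ranges and wildcard hosts are returned separately so they can be reviewed by hand instead of being silently dropped or widened.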

Option 2

In certain situations, ExpressRoute is recommended. You still keep your infrastructure in place, but you add a private connection between your infrastructure and Microsoft’s data center through an ExpressRoute carrier. These carriers are widely available in the U.S.

This type of connection offers higher security, reliability and speed with lower latencies than internet connections. Pairing these connections with other regions requires an add-on but ensures your routing remains optimal for performance.

You can use ExpressRoute for any of the workloads in the chart below, as it helps secure the connections that apps running in the cloud make to on-premises applications.

Option 3

If you’re planning to use an Azure infrastructure workload like a virtual network, or you plan to extend or replace your Active Directory entirely, then you have a few options.

You can use the ExpressRoute solution discussed in Option 2, or you can connect your on-premises routers to an Azure Gateway using a site-to-site VPN. The gateway can then provide customized access to resources with user-defined routing.

Option 4

If your needs fall between a site-to-site VPN and ExpressRoute, there are plenty of third-party network appliances in the Azure marketplace that can provide faster connectivity than a site-to-site VPN, with secure routing between your routers and an Azure Gateway. These devices sit between Options 2 and 3 above. Barracuda and Cisco are popular device providers you can check out.

Final Thoughts

This is in no way a comprehensive look at the infrastructure configurations possible; rather, it’s a broad overview to help you start planning.

There are plenty of considerations based on workload, size and directory structure that can either add complexity or simplify the above approaches. You’ll definitely want a partner for this journey!