Transforming Microsoft’s enterprise network with next-generation connectivity

Microsoft Inside Track blog, March 25, 2024
https://www.microsoft.com/insidetrack/blog/transforming-microsofts-enterprise-network-with-next-generation-connectivity/
Next-generation connectivity is enabling us to transform our internal enterprise network here at Microsoft.

Deploying a more agile, secure, and effective network environment across Microsoft is empowering our employees to thrive in our new hybrid world. This article describes how we’re implementing this new network strategy, including goals, action areas, expected results, and a brief evaluation of the anticipated future state and immediate next steps.

And this transformation is coming at a good time.

The need for digital transformation is evident across all industries, and our now largely mobile and remote workforce has created challenges and new requirements for our network environment.

Fortunately, employee productivity and satisfaction with connectivity remain high despite these challenges, as remote work has become the new normal. During the pandemic, for example, we—our Microsoft Digital (MSD) team—tallied up to 190,000 unique remote connections daily.

Our next-generation connectivity strategy must account for both the traditional in-building experience and hybrid experiences, and it must accommodate critical industry factors driving the usage of our network resources, including:

Workplace modernization efforts are creating a surge of digital Internet of Things (IoT) devices and sensors on the network in Microsoft buildings and campuses.

With these factors in mind, we’re making changes to adapt to new traffic patterns, use cases, security requirements, and other demands on our network infrastructure. Legacy approaches to network operations won’t provide adequate service and security.

We’re embracing cloud WAN and edge security models associated with user identities, device states, and applications that aren’t directly dependent on the physical network infrastructure. We’re efficiently scaling network deployment and operations with investments in software-defined infrastructure, network automation, data-driven insights, and AIOps.

Software-defined infrastructure has brought network and application security to the places where end users can consume them when needed, regardless of where they’re physically located. Automation and AIOps have started to eliminate some manual operations and eventually could encompass every part of the engineering and operational life cycle, including the capability to respond quickly to changing business needs and live site incidents.
[Discover the lessons we’ve learned in engineering Zero Trust networking. | Unpack our Zero Trust networking lessons for leaders. | Explore how we’re implementing a Zero Trust security model at Microsoft.]

Focus points for next-generation connectivity

Transforming our network to support next-generation connectivity requires us to reimagine many of our traditional connectivity models. We’re focusing on several different areas to help us reduce our legacy network dependencies and move to a more modern connectivity design:

Key design and architecture principles

We’re informing our strategy with several architecture and design principles for the network that will help us address our focus points while we develop the next-generation connectivity model. The key principles are outlined in the following sections.

Enforce, enhance, and expand Zero Trust

A Zero Trust architecture model reduces the risk of lateral movement in any network environment. Identities are validated and secured with multifactor authentication (MFA) everywhere. Using MFA eliminates password expirations and, eventually, passwords. The added use of biometrics ensures strong authentication for user-backed identities.

Enforceable device-health controls protect the network and require applications and services to observe and enforce our device-health policies. The health of all services and applications must be monitored to ensure proper operation and compliance and to enable rapid response when those conditions aren’t met.

Least privilege access principles and network segmentation ensure that users and devices have access only to the resources required to perform their role. Both Microsoft Azure Entra ID authentication and conditional access will play a crucial role in establishing a Zero Trust model. The network will also supply mechanisms like wired port security and an 802.1x solution that allows users to register their devices for elevated access.

Adopt an internet-first, wireless-first approach for connectivity

The internet will be the default connectivity method for laptops, mobile devices, IoT applications, and most end-user processes. We’ll migrate remote offices to use the internet as their primary transport for end-user connectivity, replacing most of our MPLS hub and backbone services.

Some core workloads such as supply chain, high-risk engineering, and specific development workloads will still require private connectivity in the future. However, most users and applications will connect to the cloud via the internet. In these cases, the logical overlay can provide private connectivity over a physical underlay like the internet.

Employee workflows are moving toward flexible use of space both inside and outside the building, and that’s best facilitated through wireless connectivity.

Implement distributed, strong network services segmentation

As we migrate remote-office connectivity to internet-first, distributed services and strong network segmentation will be crucial. We’ll replace localized services such as DNS and firewall with distributed, cloud-based services, or deliver those services from a dedicated shared-services network segment.

The shared-services segment will enable users to consume services by using firewall-protected data-plane access. This segment will only allow access to those ports and protocols needed for the end devices to deliver their required functionality.

This segment will host typical network services like DNS, DHCP, and management platforms, but also security solutions such as identity platforms for authentication.

Optimize network connectivity for integrated voice/data services

There has been a recent acceleration in the digital transformation of our user experience and customer service interactions. Microsoft support services are accessible to customers through our Omni-Channel User Experience, which includes not only channels such as voice, chat, email, and social, but also video interactions.

Real-time interactions will be served by peer-to-peer routing and the ability for our voice services to provide the most direct route possible. Network connectivity for voice services will, as available, include class of service (CoS), bandwidth allocation/management, route optimization, and network security.

Internet first will be our preferred path for call routing, with an exception for global locations where a private connection for voice is deemed necessary to guarantee quality of service (QoS) for our user experience.

Build software-defined, intelligent infrastructure

Software-defined infrastructure and network-as-code initiatives will create a more stable and agile network environment. We’re automating our network-provisioning processes to require minimal—and in some cases, zero-touch—network provisioning. Network Intent will maintain network and device configuration after provisioning.

End users will be able to request their own preapproved network connectivity using just-in-time access with self-service capabilities through exposed APIs and user interfaces. We’re decoupling the network logical overlay from the physical underlay to allow users to connect to applications and allow devices to talk to each other on dedicated segments across our network while still adhering to security policies. Software-defined infrastructure will supply the flexibility needed to easily interchange connectivity modes and maintain the logical overlay without significant dependency on the network physical underlay.

Intelligent monitoring, diagnosis & self-healing capabilities

Data analytics applied to both real-time and historical telemetry help engineers to better understand the current state of our network infrastructure and anticipate future needs. Centralizing and analyzing the vast amount of telemetry we collect across the network helps us more efficiently detect, diagnose, and mitigate incidents to reduce their effects on customers.

Automated incident correlation will reduce pager storms and incident noise for on-call engineers. Auto-correlation learns from historical incident co-occurrence patterns by using a combination of AI and machine learning techniques to correlate incoming alerts with active incidents.

Incident root cause analysis assists on-call engineers with diagnosing incidents in near real time. Failure correlation helps engineering teams identify and fix service failures by correlating failure events with telemetry. In the future, we’ll move towards self-healing by using data and analytics to perform predictive problem management and proactive mitigation.

Secure the network infrastructure

The security controls ensuring the confidentiality, integrity, and availability of the underlying network infrastructure and the control and management systems for the network hardware will continue to evolve and protect from advanced persistent threats, vulnerabilities, and exploitation attempts. Zero-day vulnerabilities and supply-chain risks accelerate strategies to ensure that the foundation of network services remains resilient.

Administrator access to infrastructure and management tools requires the use of hardened workstations, certificate-only identities, and a multiple-approver access-request model to ensure that least privilege access is enforced. We’ll continue to segment network infrastructure and management tools to limit the network attack surface.

Network infrastructure control design will continue to focus on creating admin resources that are unreachable and undiscoverable from the internet, other network infrastructure elements, or any other segment except for approved management tools.

Examining network future state

While next-generation connectivity involves our entire network infrastructure, our implementation will significantly affect several aspects of the network environment. We’ve established guidelines and anticipated future states for these areas to better define the ongoing implications for our network. These aren’t mandates, but rather suggestions for where we can focus in the future to optimize our investments while we keep our long-term goals in mind.

Backbone

The layout of our backbone will stay in parallel configuration with the Azure backbone as our services and applications increasingly migrate into Microsoft Azure. However, we expect our private backbone needs to decrease as we continue to adopt the Azure backbone and move our network edge to the cloud. Our end-user segment has limited impact on the required capacity for our backbone.

As we continue to isolate and migrate our engineering workloads into the Azure cloud following our Zero Trust principles, the required backbone capacity will be further reduced. In development-intensive regions, these workloads determine the vast majority of capacity.

MPLS WAN

Decoupling the underlay from overlay technologies for MPLS WAN will allow us to deploy more agile and dynamic physical connectivity. This will remove the requirement for manually built static point-to-point connections. We’ll use a software-defined overlay layer while permitting the flexibility of a high-bandwidth internet connection as the physical underlay.

Replacing existing MPLS connectivity isn’t the primary objective. We want to provide our users with the connectivity that they need in the most efficient way, with the best and most secure user experience. In situations where it makes sense or where connectivity is up for renewal, we’ll examine the optimal underlay, which might be an Azure-based VWAN connection rather than a point-to-point or MPLS connection.

We’ll continue to evaluate more agile connectivity methods for our offices that best serve our objective of a cloud-first, mobile-first model driven by a programmable, intelligent infrastructure.

End-user segments

As we migrate to the cloud, the typical traffic flow is from the end user to the public internet and Microsoft Azure. Using the internet for our end-user segments enables our users to access the Azure cloud using the shortest network path possible and to use the capacity and global connectivity of Azure’s network to find the most optimal path to their destination or application. DIA connections or shared internet connections supply the optimal solution for many offices.

Developer segments

Developer and test environments require isolation from unrelated workflows to ensure security and high confidence in product integrity. Additionally, these environments have diverse ranges of client capabilities. Some are fully managed for ease of administration, while others run unmanaged devices to benefit performance testing and simplify debugging of products under test.

By segmenting these environments away from broader shared networks, development teams can build and test their respective products in isolated environments. The goal is to allow communication with the bare minimum number of endpoints to validate code end to end, have the flexibility to host clients in various states within, and reduce exposures to and from other outside environments.

Private segments

We use several private segments that are physically isolated from each other but still require logical connectivity between these physical locations. Examples of these include:

To connect segments, we’ll need to rely on an overlay solution like Microsoft Azure Virtual WAN (VWAN). When we replace WAN links with internet-only underlay connectivity, the any-to-any connectivity model isn’t available via the underlay. If a device in office A needs to communicate with a device in office B hosted on the same segment, VWAN will provide the software-based overlay solution to make this possible.

Approaching the internet edge

Most of our network segments will use an internet edge. This shift alone won’t affect overall load on edge processing. However, we do expect a fundamental change in load from our traditional edges to a more distributed model. We’ll also have more security delivered programmatically from the cloud in tandem with our intelligent infrastructure initiative. We will reevaluate the need for large, centralized edge stamps. Edge use and configuration will be influenced by several factors, including:

Transforming VPN

Our current VPN solution is a hardware-based investment. Although it has proven stability and delivered great value to the company during the COVID-19 pandemic period, classic on-or-off VPN behavior that provides access to all or none of the private applications doesn’t adequately support the Zero Trust model.

Replacing our current VPN environment isn’t a standalone goal. We need to address uncontrolled connectivity in an open corporate network environment that allows all devices to communicate with one another.

The future of our remote access is a blend of direct access to Microsoft Azure-based applications and limited-scope access to legacy on-premises resources. Strong identity-based security and monitored traffic flow are solution requirements. We’ll facilitate this access through multiple technology solutions instead of a single service.

SASE solutions will allow conditional access to applications via the internet and will be based on Microsoft Entra ID authentication. This allows for effective micro-segmentation in those situations where it’s necessary. In parallel, there will be use cases for Microsoft Azure Virtual Desktop and Windows 365 Cloud PC to provide selective access to applications, for example, as an alternative to an extranet connection. A SASE agent can also be installed on these devices to offer a cloud-based PC to vendors (or FTEs), providing virtual hardware in a software-defined environment.

Any reduction in VPN will be contingent on a massive effort to lift and shift hundreds of applications that are dependent on the corporate network. These applications need to become internet facing, whether through a proxy solution or through an intentional migration to the cloud. As these workloads shift, we’ll be able to reduce daily VPN usage and eventually eliminate it entirely for most of the infoworker persona.

In-building connectivity

With the continued shift to wireless, wired Ethernet connectivity in buildings must diverge into two distinctly different use cases and fulfillment methods: concentrated wired centers for remaining high-bandwidth workflows, and wired Ethernet catering to IoT devices, where power and data convergence needs are emerging with Power over Ethernet (PoE).

Pervasive wired Ethernet throughout our facilities has over the years created an unintended consequence—unique developer roles and workloads that have inhibited consolidation of labs, content hosts, and critical development components into centralized real estate spaces.

This creates a cycle of over-provisioning wired networking infrastructure in each new building constructed—wanting to have the capacity there if it’s ever needed—and has led to today’s current state of drastically underutilized switching infrastructure.

The average user-access switch utilization is currently between 10 percent and 20 percent in many regions, and closer to 30 percent or 40 percent in development-heavy regions like the Puget Sound and Asia.

Network infrastructure security

As devices and services have become more internet facing, gaps in capability or new threats have emerged that require additional security controls to augment the traditional controls that remain.

Cloud-based services often require application firewalls or private access controls to limit attack surfaces, enforce strong authentication, and detect inappropriate or malicious use. Devices often require solutions that remain effective if they move between network media (wired, wireless, cellular), to different network segments, or between corporate and external networks.

The threat landscape is constantly changing, and the way devices or services depend on the network has also become fundamentally different with cloud, mobility, and new types of networked devices. Because of this, the mechanisms to provide effective controls must be adapted and continue to evolve.

As our strategy unfolds, we’ll be making priority decisions on which areas in our vision and strategy we’re ready to invest in over time. To that end, we’re currently addressing several questions that directly influence how we move forward with next-generation connectivity:

We’re continuing to make changes to adapt to new traffic patterns, use cases, security requirements, and other use-driven demands on our network infrastructure. We’ll continue to transform our network, embracing new WAN and edge security models associated with user identities, devices, and applications. Software-defined infrastructure and processes will bring the network and application security to the places where end users can consume them when needed, regardless of where they’re physically located, thus providing a more agile, more secure, and more effective network environment throughout Microsoft.