Office 365 control plane in Virtual WAN

Virtual WAN customers with select SDWAN devices can configure O365 Internet breakout policies for trusted traffic in the Azure portal. This enables:

  • O365 traffic to enter the Azure network close to the user, giving an optimal user experience.
  • Avoiding traffic back-hauling and hairpinning, thus saving WAN costs.
  • Delivering on the O365 connectivity principles.

FAQs

What is the customer benefit?

Using this feature in Virtual WAN, customers can now specify the Office 365 traffic categories that they trust for direct internet breakout. This trusted O365 traffic will bypass proxies and route directly from the user location to the nearest Azure POP. This avoids traffic back-hauling and hairpinning, thus providing an optimal user experience and saving WAN costs.

What are the Office 365 traffic categories?

Office 365 endpoints represent network addresses and subnets. Endpoints may be URLs, IP addresses, or IP ranges. URLs can either be an FQDN like account.office.net, or a wildcard URL like *.office365.com. Endpoints are segregated into three categories - Optimize, Allow, and Default, based on their criticality. More details about the endpoint categories are here.

The Optimize category contains the most critical network endpoints, which are required to bypass SSL break and inspect and other network security devices. It should have direct Internet egress close to users. These endpoints represent Office 365 scenarios that are the most sensitive to network performance, latency, and availability. This category includes a small (on the order of ~10) set of key URLs and a defined set of IP subnets dedicated to core Office 365 workloads such as Exchange Online, SharePoint Online, Skype for Business Online and Microsoft Teams.

The Allow category is also recommended for direct Internet egress, although Allow network traffic can tolerate some network latency. Endpoints in the Optimize and Allow categories are all hosted in Azure datacenters and managed as part of Office 365. The Default category can be directed to a default Internet egress location and does not require direct Internet egress or bypass of SSL break and inspect devices.

How do I set my O365 policies via Virtual WAN?

You can enable policies via the Virtual WAN -> Settings -> Configuration tab. Here you can specify your preferred categories of O365 traffic for direct internet breakout.

Configure the Office 365 control plane in Virtual WAN

How does this work?

  1. O365 traffic enters the Azure network close to the user, giving an optimal experience.
  2. Route policies are consumed by the SDWAN. It then bypasses security proxies for the trusted categories and performs local direct breakout for these categories.
  3. Back-hauling and traffic hairpinning are avoided, saving WAN costs.

Which partner devices support this via Virtual WAN?

Currently, Citrix supports these policies via Virtual WAN.

What happens to the remaining categories of (untrusted) O365 traffic?

Remaining O365 traffic will follow the customer's default internet traffic path.
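
The breakout decision described above, as an added example (not Microsoft's or a partner's code): it classifies a destination by endpoint category and sends only the trusted categories to direct breakout. The endpoint records, IP ranges, function names and path labels are constructed for illustration; wildcard URLs are matched on a DNS label boundary so that look-alike domains do not inherit the proxy bypass.

```python
import ipaddress

# Constructed sample endpoint sets (hypothetical; not the real Office 365 list).
# The FQDN and wildcard forms come from the page; IPs are documentation ranges.
ENDPOINTS = [
    {"category": "Optimize", "urls": ["account.office.net"], "ips": ["192.0.2.0/24"]},
    {"category": "Allow", "urls": ["*.office365.com"], "ips": ["198.51.100.0/25"]},
    {"category": "Default", "urls": ["*.example.net"], "ips": []},
]


def url_matches(pattern, host):
    """Match an FQDN or a '*.suffix' wildcard on a DNS label boundary."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        # Keep the leading dot so 'evil-office365.com' cannot match '*.office365.com'.
        # Assumption: the wildcard covers any depth of subdomain.
        return host.endswith(pattern[1:]) and len(host) > len(pattern) - 1
    return host == pattern


def category_of(dest):
    """Return the endpoint category for a hostname or IP, or None if not O365."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        addr = None  # not an IP literal, treat as a hostname
    for entry in ENDPOINTS:  # listed Optimize, Allow, Default: first match wins
        if addr is not None:
            if any(addr in ipaddress.ip_network(net) for net in entry["ips"]):
                return entry["category"]
        elif any(url_matches(p, dest) for p in entry["urls"]):
            return entry["category"]
    return None


def egress_path(dest, trusted):
    """Decide the path for one destination given the trusted categories."""
    category = category_of(dest)
    if category in trusted:
        return "direct-breakout"  # bypasses the security proxy
    return "default-path"  # untrusted O365 categories and all non-O365 traffic
```

Running the same destinations against each candidate set of trusted categories shows exactly which traffic stops passing through SSL break and inspect before the policy is enabled.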

What if I have already specified my O365 policies via my SDWAN provider?

If you specify policies via both the SDWAN UX and Azure Virtual WAN, the policies set in Virtual WAN will take precedence.

Next steps