at&t netbond® for microsoft office 365™ · pdf filenetbond service activation...

© 2016 AT&T Intellectual Property. All rights reserved. AT&T, Globe logo and other marks are trademarks and service marks of AT&T Intellectual Property and/or AT&T affiliated companies.

Microsoft Office 365 marks are the trademarks and service marks of Microsoft. All other marks contained herein are the property of their respective owners. The information contained

herein is not an offer, commitment, representation or warranty by AT&T and is subject to change..

AT&T NetBond® for Microsoft Office 365™

Service Activation Overview

NetBond Service Activation Overview for Microsoft Office 365

2

AT&T NetBond allows AT&T customers to extend their MPLS virtual private network to cloud services such as Microsoft Office 365. With NetBond enabled, the Office 365 service will appear as another site on the VPN. Customers can then reach their Office 365 service with reduced latency, improved security, and greater availability.

Using the AT&T Cloud Services Portal, the NetBond service can be quickly provisioned. The next few slides provide an overview to plan and enable the service.

Prior to enablement, the customer should have or procure both a Microsoft Office 365 subscription and an Azure™ account. They should also work with the AT&T account team to sign up for NetBond cloud services. Upon contract signing, the customer will receive a welcome email for credentials to www.synaptic.att.com.

http://www.synaptic.att.com/


3

Example Scenario – Customer with existing AT&T VPN, Office 365 subscription, and Azure subscription

Customer Network

AT&TVPN

Provider EdgeRouter

Provider EdgeRouter

Customer Edge RouterASN 65200


Azure

Office 365

The next few slides will provide an overview of a typical service activation. In this example, our customer has their network configured through AT&T VPN using BGP Autonomous Systems 65100 and 65200. They have existing an existing Azure subscription and Office 365 subscription in place.


4

Create ExpressRoute

Customer Network

Provider EdgeRouter

Provider EdgeRouter



ExpressRouteCircuit

ASN 12076

Office 365

Using the Azure Resource Manager portal or a PowerShell cmdlet, our customer creates an ExpressRoute circuit, with a Premium Tier, within a specific Microsoft Region using the provider name “AT&T NetBond”. After creation, a service key will be provided that will be used on the AT&T portal.

AT&TVPN


5

Guide to Create ExpressRoute

To create an ExpressRoute, log into https://portal.azure.com using the desired Azure subscription. Choose New -> Networking -> ExpressRoute to get started.

Choose AT&T NetBond for Service Provider and Premium for the Tier.

More details can be found in Steps 1-3 from the following Microsoft guide:

https://azure.microsoft.com/en-us/documentation/articles/expressroute-howto-circuit-portal-resource-manager/

https://portal.azure.com/

https://azure.microsoft.com/en-us/documentation/articles/expressroute-howto-circuit-portal-resource-manager/


6

Step 1 – Create VNC

Using the AT&T Cloud Services Portal, our customer creates a new virtual network connection. At the designated region, NetBond orchestration enables our customer’s private network at the AT&T routers in front of a virtual Network Address Translation, (vNAT), device. In addition, our customer chooses a minimum bandwidth commitment for the virtual network connection.

Customer Network

AT&TVPN

Provider EdgeRouter

Provider EdgeRouter



AT&T Routers

MicrosoftRouters

ASN 13979

ExpressRouteCircuit

ASN 12076

Office 365AT&TNetBond

vNAT


7

Step 2 – Create VLAN

Customer Network

AT&TVPN

Provider EdgeRouter

Provider EdgeRouter



AT&T Routers

MicrosoftRouters

ASN 13979

ExpressRouteCircuit

ASN 12076

Office 365

Using the service key generated during ExpressRoute creation, and a /29 address block from their enterprise IP space, our customer creates a VLAN within the VNC. NetBond orchestration provisions a pair of connections between the virtual routing interface on the AT&T routers and the vNAT device providing network address translation. The /29 space is automatically provisioned as two /30 subnets.

NetBond orchestration also provisions a second MPLS VPN between the vNAT device and AT&T routers collocated within Microsoft. AT&T public address space is applied along the path between the vNAT device and Microsoft.

10.20.10.0/30

.1

VLAN_O365_East10.20.10.0/29

10.20.10.4/30

.5

.2

.6

AT&TNetBond

vNAT


8

Step 2 – Create VLAN (cont.)

Customer Network

AT&TVPN

Provider EdgeRouter

Provider EdgeRouter



AT&T Routers

MicrosoftRouters

ASN 13979

ExpressRouteCircuit

ASN 12076

Office 365

After a few minutes, the two /30’s and all Microsoft Office 365 public route announcements will appear in the customer edge route tables. All traffic destined to Office 365 will traverse the AT&T VPN to NetBond where the original source IP address will be translated to AT&T public IP addresses before being forwarded to Microsoft.

10.20.10.0/30

.1

VLAN_O365_East10.20.10.0/29

10.20.10.4/30

.5

.2

.6

AT&TNetBond

vNAT

Customer Private IP Source Addresses NAT to AT&T Registered IP Addresses

192.0.2.0/24198.51.100.0/24

Route ASPath10.20.10.0/30 13979 I10.20.10.4/30 13979 I192.0.2.0/24 13979 12076 I198.51.100.0/24 13979 12076 I172.16.0.0/24 I172.16.1.0/24 13979 65200 I


9

Placeholder Route

Customer Network

AT&TVPN

Provider EdgeRouter

Provider EdgeRouter



AT&T Routers

MicrosoftRouters

ASN 13979

ExpressRouteCircuit

ASN 12076

Office 365

A NetBond VLAN can also be modified to inject a temporary, “placeholder” route in place of the Microsoft public routes. Thisallows customers to test route propagation or temporarily block Microsoft routes until a future change window. In this example, our customer has entered an RFC5737 IP address, “203.0.113.1/32” in the AT&T Cloud Portal to prevent the Microsoft routes from being advertised into the VPN.

10.20.10.0/30

.1

VLAN_O365_East10.20.10.0/29

10.20.10.4/30

.5

.2

.6

AT&TNetBond

vNAT


192.0.2.0/24198.51.100.0/24

Route ASPath10.20.10.0/30 13979 I10.20.10.4/30 13979 I192.0.2.0/24 13979 12076 I198.51.100.0/24 13979 12076 I172.16.0.0/24 I172.16.1.0/24 13979 65200 I

Route ASPath10.20.10.0/30 13979 I10.20.10.4/30 13979 I203.0.113.1/32 13979 I192.0.2.0/24 13979 12076 I198.51.100.0/24 13979 12076 I172.16.0.0/24 I172.16.1.0/24 13979 65200 I


Integration with On-Premises Environments with Reverse Flows


11

Caution: Office 365 Integration with On-Premises Environments

AT&TVPN

Provider EdgeRouter

Provider EdgeRouter

ASN 13979

ExpressRouteCircuit

ASN 12076


vNAT


192.0.2.0/24198.51.100.0/24

Internet Source: 192.0.2.23Destination: 203.0.113.45

Source: 203.0.113.45Destination: 192.0.2.23 Source: 32.x.x.x

Destination: 192.0.2.23

To integrate Office 365 with on-premises directory servers, Exchange servers, etc. it is important to account for flows initiated by Microsoft to our customer network. If only a “forward” vNAT is configured, sessions initiated by Microsoft to our customer’spremise will continue over the Internet, but the response will follow the Microsoft specific route announcement via NetBond resulting in an asymmetrical routing failure.

Route ASPath10.20.10.0/30 13979 I10.20.10.4/30 13979 I192.0.2.0/24 13979 12076 I198.51.100.0/24 13979 12076 I172.16.0.0/24 I

On-Premise ServerPublic: 203.0.113.45


12

Option 1: NetBond Reverse NAT for Office 365 Integration with On-Premises Environments

AT&TVPN

Provider EdgeRouter

Provider EdgeRouter

ASN 13979

ExpressRouteCircuit

ASN 12076

Office 365

192.0.2.0/24198.51.100.0/24

Using the AT&T Cloud Portal, our customer creates a reverse NAT rule. They provide an additional /29 for the new vNAT device aswell as a public IP registered with the company via a Regional Internet Registry, (RIR). Our customer also supplies translated source and destination IP addresses from their enterprise address space. AT&T will change the Microsoft source address to the customer’s specified “Translated Source”. The public IP address supplied as the “Original Destination” can be changed to a customer specified “Translated Destination” or left unchanged.

Route ASPath10.20.10.0/30 13979 I10.20.10.4/30 13979 I192.0.2.0/24 13979 12076 I198.51.100.0/24 13979 12076 I10.20.30.9/32 13979 I172.16.0.0/24 I

Source: 192.0.2.23Destination: 203.0.113.45


Route ASPath203.0.113.45/32 13979 I32.x.x.x/32 13979 I192.0.2.0/24 I198.51.100.0/24 I

On-Premise ServerPublic: 203.0.113.45Private: 172.16.0.19

203.0.113.45/32

32.x.x.x/32

10.20.10.0/3010.20.10.4/30

10.20.30.4/3010.20.30.0/30

10.20.30.9/32

Direct Subnet Original Destination Translated Source Translated Destination

10.20.30.0/29 203.0.113.45/32 10.20.30.9/32 172.16.0.19/32

NetBond Reverse NAT Rule


13

Public IP Address Validation for NetBond Reverse NAT

Prior to creation of the NetBond reverse NAT rule, the public IP address must be verified by AT&T through the associated Regional Internet Registry. During the onboarding session, we will validate this public IP. If a new public IP is needed, validation will occur within two business days after submission on the AT&T Cloud Portal.

Note: If the RIR “Origin AS” is blank, Microsoft will not automatically validate the public route announcement by NetBond. Our customer must open a ticket with Microsoft to manually validate the route announcement.

Example

Subnet Name: Exchange_CAS_Public

IP Subnet: 203.0.113.45/32

Subnet Type: Public

ASN: Origin AS Associated with IP Address

RIR: ARIN


14

Option 2: DMZ Architecture for Office 365 Integration with On-Premises Environments

AT&TVPN

ASN 13979

ExpressRouteCircuit

ASN 12076


vNAT

192.0.2.0/24198.51.100.0/24

DMZ203.0.113.45

Customer Network

If the on-premise server is located in a DMZ where the firewall does not learn dynamic routing updates from AT&T, our customer can choose to keep the reverse flow on the Internet without any need for AT&T reverse NAT. Because the firewall does not dynamically learn Office 365 routes from NetBond, it will continue to send replies to Microsoft via its default gateway.

Route Target10.20.10.0/30 AT&T VPN10.20.10.4/30 AT&T VPN192.0.2.0/24 AT&T VPN198.51.100.0/24 AT&T VPN203.0.113.45 Firewall172.16.0.0/24 Internal

Route Target0.0.0.0/0 Internet172.16.0.0/12 Internal203.0.113.0/24 DMZ




15

Option 3: Firewall Reverse NAT for Office 365 Integration with On-Premises Environments

AT&TVPN

ASN 13979

ExpressRouteCircuit

ASN 12076


vNAT

192.0.2.0/24198.51.100.0/24172.16.0.19

Customer Network

If our customer wishes to keep the reverse flow over the Internet, but the on-premise host resides in a network that learns routes dynamically from AT&T, they can create a NAT rule on their Internet-facing firewall. The NAT rule must change the original Microsoft address in the source field to an internal IP address so that the enterprise routers route the responses back to the firewall.



Original Source Original Destination Translated Source Translated Destination

Any 203.0.113.45/32 192.168.15.9/32 172.16.0.19/32

Firewall Reverse NAT Rule

Route Target10.20.10.0/30 AT&T VPN10.20.10.4/30 AT&T VPN192.0.2.0/24 AT&T VPN198.51.100.0/24 AT&T VPN192.168.15.0/24 Firewall172.16.0.0/24 Internal



Next Steps


17

Summary Steps

1. Obtain Microsoft Azure and Office 365 subscriptions.

2. Work with the AT&T account team to sign up for NetBond services. A welcome letter will provide credentials to AT&T Cloud Services Portal, (www.synaptic.att.com)

3. Create ExpressRoute circuit at http://portal.azure.com. Choose Premium tier and AT&T NetBond as the service provider.

4. Identify any “reverse” flows required for integration with on premise hosts. Submit public IP addresses for authorization.

5. Create NetBond Virtual Network Connection (Required: Name of AT&T VPN, region, Microsoft routing domain, free-form name for Virtual Network Connection, and minimum bandwidth commitment)

6. Create NetBond VLAN (Required: /29 address space, free-form name, and the service key generated in step 3.)

7. Create the reverse NAT rules. (Required: /29 address space, authorized public IP address, translated source IP address, and translated destination IP address.)

http://www.synaptic.att.com/

http://portal.azure.com/


18

What’s Next After Activation? Confirming Connectivity

1. After successfully creating your Virtual Network Connection (VNC) and VLAN, we want to confirm basic network connectivity to Office 365.

2. To confirm traffic is routing over NetBond, please do a traceroute to a Microsoft destination to verify it is reaching your NetBond VLAN IP address.

3. To confirm connectivity with Microsoft, we ask that you perform a simple test such as accessing a Sharepoint server.

4. After basic connectivity is confirmed, we ask that you take the following five business days to test your applications over NetBond. Our Client Technical Lead, (CTL) is available to assist during this time if you have any questions or concerns, and they can be reached at [email protected].

5. After five business days, our cloud support team is available 24x7 to provide technical support and answer any questions. In addition, if you run into an emergency over these next five days, please open a ticket in the Cloud Portal to engage our cloud support team.

mailto:[email protected]

at&t netbond® for microsoft office 365™ · pdf filenetbond service activation...

Documents