Content Delivery Networks
The information in this topic will help you learn about Content Delivery Networks (CDNs) and how they are used by Office 365.
What exactly is a CDN?
CDNs are used by most enterprise cloud services. Cloud services like Office 365 have millions of customers downloading a mix of proprietary content (such as emails) and generic content (such as icons) at one time. It's more efficient to put images everyone uses, like icons, as close to the user's computer as possible. Yet, it isn't practical for every cloud service to build CDN datacenters that store this generic content in every metropolitan area, or even in every major Internet hub around the world, so some of these CDNs are shared.
CDNs can be private or public. Private CDNs are owned and operated by a single company, and only that company's applications and services can use it. Public CDNs are run by companies who lease usage to multiple companies. Depending on where you're located, it might be most efficient for Office 365 to download generic images for you from a CDN that Office 365 owns and runs, a public CDN, or a combination of the two. Regardless of what type of CDN is used, the steps to retrieve the data are the same.
Your client requests data from Office 365.
Office 365 either returns the data directly to your client or directs your client to a CDN.
If the data is already cached at the CDN, your client downloads the data directly from the nearest CDN location to your client on the internet.
If the data isn't cached at the CDN, the CDN node requests the data from Office 365 and then cache's the data for a period of time after your client downloads the data.
The CDNs pull the files and images from the nearest Office 365 datacenter and in turn, your client pulls the files and images from the nearest CDN. When users are accessing a cloud service, like reading email in Outlook Web App, the user's browser attempts to retrieve the files and images from the Office 365 datacenter. Instead of spending the time and bandwidth delivering the files, Office 365 redirects the browser to the CDN. The CDN figures out the closest datacenter to the user's browser and, using redirection, downloads the generic images from there. Using this CDN redirection is quick, and it saves users a lot of download time.
How do CDNs make services work faster?
Downloading common things like icons over and over again can take up network bandwidth that can be better used for downloading important personal content, like email or documents. Because Office 365 uses an architecture that includes CDNs, the icons, scripts, and other generic content can be downloaded from servers closer to client computers, making the downloads faster. This means faster access to your personal content, which is securely stored in Office 365 datacenters.
How should I set up my network so that CDNs work best with Office 365?
If you're planning Network connectivity to Office 365, it's helpful to understand how CDNs work in general, and how CDN network traffic should be managed.
When you enable a CDN for your Office 365 tenant, you begin by setting policies that govern the content sources (called origins in the context of CDNs), data classifications or file types you want to be distributed over the CDN. Users who access the specified content will be redirected to the closest location of the file in the CDN. Therefore, you should use the best practices outlined in Managing Office 365 endpoints to ensure that your network configuration permits client browsers to access the CDN directly rather than routing CDN traffic through central proxies to avoid introducing unnecessary latency.
Is my data safe?
We take great care to help ensure that we protect the data that runs your business. Customer-specific data stored in CDNs is encrypted both in transit and at rest.
CDN providers may have privacy and compliance standards that differ from the commitments outlined by the Office 365 Trust Center. Data cached through the CDN service may not conform to the Microsoft Data Processing Terms (DPT), and may be outside of the Office 365 Trust Center compliance boundaries.
For in-depth information about privacy and data protection for Office 365 CDN providers, visit the following:
- Learn more about Office 365 privacy and data protection at the Microsoft Trust Center
- Learn more about Azure privacy and data protection at the Azure Trust Center
- Learn more about Akamai’s privacy and data protection at the Akamai Privacy Trust Center
How can I secure my network with all these 3rd party services?
Leveraging an extensive set of partner services allows Office 365 to scale and meet availability requirements as well as enhance the user experience when using Office 365. The 3rd party services Office 365 leverages include both certificate revocation lists; such as crl.microsoft.com or sa.symcb.com, and CDNs; such as r3.res.outlook.com. Every CDN FQDN Office 365 uses is a custom FQDN for Office 365. If you're sent to a FQDN at the request of Office 365 you can be assured that the CDN provider controls the FQDN and the underlying content at that location.
For customers that still want to segregate requests destined for a Microsoft or Office 365 datacenter from requests that are destined for a 3rd party, we've written up guidance on Managing Office 365 endpoints.
Is there a list of all the CDNs that Office 365 uses?
The CDNs in use by Office 365 are always subject to change and in many cases there are multiple CDN partners configured in the event one is unavailable. The primary CDNs in use are:
These CDN solutions have a global reach enhancing the reach of the service to more corners of the world. The content that is stored there includes general Office 365 scripts, files, and images. For example, when you logon to portal.office.com, the images are pulled from the nearest CDN to speed up the page load times. Other examples include Office 365 ProPlus storing the installation bits on a CDN to speed up the amount of time it takes to download the latest version of Office.
There is also some proprietary content that is stored on CDNs such as the video files for Office 365 Video. Once you upload the videos, the files are encrypted and then stored in their encrypted format with Azure Media Services. When the Office 365 video player retrieves the video it is first cached to the nearest CDN before being downloaded to speed up the amount of time it takes to download the video.
For information on how to use the Office 365 CDN, see Use the Office 365 content delivery network with SharePoint Online.
Is there a list of all the FQDNs that leverage CDNs?
The list of FQDNs and how they leverage CDNs change over time, refer to our published Office 365 URLs and IP address ranges page to get up to date on the latest FQDNs that leverage CDNs.
Can I use my own CDN and cache content on my local network?
We're continually looking for new ways to support our customers needs and are currently exploring the use of caching proxy solutions and other on-premises CDN solutions.
I'm using Azure ExpressRoute for Office 365, does that change things?
Azure ExpressRoute for Office 365 provides a dedicated connection to Office 365 infrastructure that is segregated from the public internet. This means that clients will still need to connect over non-ExpressRoute connections to connect to CDNs and other Microsoft infrastructure that is not explicitly included in the list of services supported by ExpressRoute. For more information about how to route specific traffic such as requests destined for CDNs, refer to Office 365 network traffic management.
Here's a short link you can use to come back: https://aka.ms/o365cdns
We'd love to hear your thoughts. Choose the type you'd like to provide:
Our feedback system is built on GitHub Issues. Read more on our blog.