Microsoft 365 network connectivity principles

This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.

Before you begin planning your network for Microsoft 365 network connectivity, it is important to understand the connectivity principles for securely managing Microsoft 365 traffic and getting the best possible performance. This article will help you understand the most recent guidance for securely optimizing Microsoft 365 network connectivity.

Traditional enterprise networks are designed primarily to provide users access to applications and data hosted in company-operated datacenters with strong perimeter security. The traditional model assumes that users will access applications and data from inside the corporate network perimeter, over WAN links from branch offices, or remotely over VPN connections.

Adoption of SaaS applications like Microsoft 365 moves some combination of services and data outside the network perimeter. Without optimization, traffic between users and SaaS applications is subject to latency introduced by packet inspection, network hairpins, inadvertent connections to geographically distant endpoints, and other factors. You can ensure the best Microsoft 365 performance and reliability by understanding and implementing key optimization guidelines.

In this article, you will learn about:

Microsoft 365 architecture

Microsoft 365 is a distributed Software-as-a-Service (SaaS) cloud that provides productivity and collaboration scenarios through a diverse set of micro-services and applications, such as Exchange Online, SharePoint Online, Skype for Business Online, Microsoft Teams, Exchange Online Protection, Office in a browser, and many others. While specific Microsoft 365 applications may have their own unique features as they apply to the customer network and connectivity to the cloud, they all share some key principles, goals, and architecture patterns. These principles and architecture patterns for connectivity are typical of many other SaaS clouds, and at the same time differ from the typical deployment models of Platform-as-a-Service and Infrastructure-as-a-Service clouds, such as Microsoft Azure.

One of the most significant architectural features of Microsoft 365 (and one that is often missed or misinterpreted by network architects) is that it is a truly global distributed service, in the context of how users connect to it. The location of the target Microsoft 365 tenant is important for understanding where customer data is stored within the cloud, but the user experience with Microsoft 365 doesn't involve connecting directly to the disks containing that data. The user experience with Microsoft 365 (including performance, reliability, and other important quality characteristics) involves connectivity through highly distributed service front doors that are scaled out across hundreds of Microsoft locations worldwide. In the majority of cases, the best user experience is achieved by allowing the customer network to route user requests to the closest Microsoft 365 service entry point, rather than connecting to Microsoft 365 through an egress point in a central location or region.

For most customers, Microsoft 365 users are distributed across many locations. To achieve the best results, the principles outlined in this document should be looked at from the scale-out (not scale-up) point of view, focusing on optimizing connectivity to the nearest point of presence in the Microsoft Global Network, not to the geographic location of the Microsoft 365 tenant. In essence, this means that even though Microsoft 365 tenant data may be stored in a specific geographic location, the Microsoft 365 experience for that tenant remains distributed, and can be present in very close (network) proximity to every end-user location that the tenant has.

Microsoft 365 connectivity principles

Microsoft recommends the following principles to achieve optimal Microsoft 365 connectivity and performance. Use these Microsoft 365 connectivity principles to manage your traffic and get the best performance when connecting to Microsoft 365.

The primary goal in the network design should be to minimize latency by reducing the round-trip time (RTT) from your network into the Microsoft Global Network, Microsoft's public network backbone that interconnects all of Microsoft's datacenters with low latency and cloud application entry points spread around the world. You can learn more about the Microsoft Global Network at How Microsoft builds its fast and reliable global network.

Identify and differentiate Microsoft 365 traffic

(Figure: Identifying Microsoft 365 traffic)

Identifying Microsoft 365 network traffic is the first step in being able to differentiate that traffic from generic Internet-bound network traffic. Microsoft 365 connectivity can be optimized by implementing a combination of approaches such as network route optimization, firewall rules, browser proxy settings, and bypass of network inspection devices for certain endpoints.

Previous Microsoft 365 optimization guidance divided Microsoft 365 endpoints into two categories, Required and Optional. As endpoints have been added to support new Microsoft 365 services and features, we have reorganized Microsoft 365 endpoints into three categories: Optimize, Allow, and Default. Guidelines for each category apply to all endpoints in the category, making optimizations easier to understand and implement.

For more information on Microsoft 365 endpoint categories and optimization methods, see the New Office 365 endpoint categories section.

Microsoft now publishes all Microsoft 365 endpoints as a web service and provides guidance on how best to use this data. For more information on how to fetch and work with Microsoft 365 endpoints, see the article Office 365 URLs and IP address ranges.

Egress network connections locally

(Figure: Egressing network connections locally)

Local DNS and Internet egress are of critical importance for reducing connection latency and ensuring that user connections are made to the nearest point of entry to Microsoft 365 services. In a complex network topology, it is important to implement both local DNS and local Internet egress together. For more information about how Microsoft 365 routes client connections to the nearest point of entry, see the article Client Connectivity.

Prior to the advent of cloud services such as Microsoft 365, end-user Internet connectivity as a design factor in network architecture was relatively simple. When Internet services and web sites are distributed around the globe, latency between corporate egress points and any given destination endpoint is largely a function of geographical distance.

In a traditional network architecture, all outbound Internet connections traverse the corporate network and egress from a central location. As Microsoft's cloud offerings have matured, a distributed Internet-facing network architecture has become critical for supporting latency-sensitive cloud services. The Microsoft Global Network was designed to accommodate latency requirements with the Distributed Service Front Door infrastructure, a dynamic fabric of global entry points that routes incoming cloud service connections to the closest entry point. This is intended to reduce the length of the "last mile" for Microsoft cloud customers by effectively shortening the route between the customer and the cloud.

Enterprise WANs are often designed to backhaul network traffic to a central company head office for inspection before egress to the Internet, usually through one or more proxy servers. The diagram below illustrates such a network topology.

(Figure: Traditional enterprise network model)

Because Microsoft 365 runs on the Microsoft Global Network, which includes front-end servers around the world, there will often be a front-end server close to the user's location. By providing local Internet egress and by configuring internal DNS servers to provide local name resolution for Microsoft 365 endpoints, network traffic destined for Microsoft 365 can connect to Microsoft 365 front-end servers as close as possible to the user. The diagram below shows an example of a network topology that allows users connecting from the main office, branch offices, and remote locations to follow the shortest route to the closest Microsoft 365 entry point.

(Figure: WAN network model with regional egress points)

Shortening the network path to Microsoft 365 entry points in this way can improve connectivity performance and the end-user experience in Microsoft 365, and can also help to reduce the impact of future changes to the network architecture on Microsoft 365 performance and reliability.

Also, DNS requests can introduce latency if the responding DNS server is distant or busy. You can minimize name resolution latency by provisioning local DNS servers in branch locations and making sure they are configured to cache DNS records appropriately.

While regional egress can work well for Microsoft 365, the optimum connectivity model is to always provide network egress at the user's location, regardless of whether this is on the corporate network or at remote locations such as homes, hotels, coffee shops, and airports. This local direct egress model is represented in the diagram below.

(Figure: Local egress network architecture)

Enterprises that have adopted Microsoft 365 can take advantage of the Microsoft Global Network's Distributed Service Front Door architecture by ensuring that user connections to Microsoft 365 take the shortest possible route to the nearest Microsoft Global Network entry point. The local egress network architecture does this by allowing Microsoft 365 traffic to be routed over the nearest egress, regardless of user location.

The local egress architecture has the following benefits over the traditional model:

  • Provides optimal Microsoft 365 performance by optimizing route length. End-user connections are dynamically routed to the nearest Microsoft 365 entry point by the Distributed Service Front Door infrastructure.
  • Reduces the load on corporate network infrastructure by allowing local egress.
  • Secures connections on both ends by leveraging client endpoint security and cloud security features.

Avoid network hairpins

(Figure: Avoiding hairpins)

As a general rule of thumb, the shortest, most direct route between the user and the closest Microsoft 365 endpoint will offer the best performance. A network hairpin happens when WAN or VPN traffic bound for a particular destination is first directed to another intermediate location (such as a security stack, cloud access broker, or cloud-based web gateway), introducing latency and potential redirection to a geographically distant endpoint. Network hairpins can also be caused by routing/peering inefficiencies or suboptimal (remote) DNS lookups.

To ensure that Microsoft 365 connectivity is not subject to network hairpins even in the local egress case, check whether the ISP that is used to provide Internet egress for the user location has a direct peering relationship with the Microsoft Global Network in close proximity to that location. You may also want to configure egress routing to send trusted Microsoft 365 traffic directly, as opposed to proxying or tunneling through a third-party cloud or cloud-based network security vendor that processes your Internet-bound traffic. Local DNS name resolution of Microsoft 365 endpoints helps to ensure that, in addition to direct routing, the closest Microsoft 365 entry points are being used for user connections.

If you use cloud-based network or security services for your Microsoft 365 traffic, ensure that the result of the hairpin is evaluated and its impact on Microsoft 365 performance is understood. This can be done by examining the number and locations of the service provider sites through which the traffic is forwarded in relation to the number of your branch offices and Microsoft Global Network peering points, the quality of the service provider's network peering relationship with your ISP and Microsoft, and the performance impact of backhauling in the service provider infrastructure.

Due to the large number of distributed locations with Microsoft 365 entry points and their proximity to end users, routing Microsoft 365 traffic to any third-party network or security provider can have an adverse impact on Microsoft 365 connections if the provider network is not configured for optimal Microsoft 365 peering.

Assess bypassing proxies, traffic inspection devices, and duplicate security technologies

(Figure: Bypassing proxies, traffic inspection devices, and duplicate security technologies)

Enterprise customers should review their network security and risk reduction methods specifically for Microsoft 365-bound traffic and use Microsoft 365 security features to reduce their reliance on intrusive, performance-impacting, and expensive network security technologies for Microsoft 365 network traffic.

Most enterprise networks enforce network security for Internet traffic using technologies like proxies, SSL inspection, packet inspection, and data loss prevention systems. These technologies provide important risk mitigation for generic Internet requests but can dramatically reduce performance, scalability, and the quality of the end-user experience when applied to Microsoft 365 endpoints.

Office 365 Endpoints web service

Microsoft 365 administrators can use a script or REST call to consume a structured list of endpoints from the Office 365 Endpoints web service and update the configurations of perimeter firewalls and other network devices. This ensures that traffic bound for Microsoft 365 is identified, treated appropriately, and managed differently from network traffic bound for generic and often unknown Internet web sites. For more information on how to use the Office 365 Endpoints web service, see the article Office 365 URLs and IP address ranges.

PAC (Proxy Automatic Configuration) scripts

Microsoft 365 administrators can create PAC (Proxy Automatic Configuration) scripts that can be delivered to user computers via WPAD or GPO. PAC scripts can be used to bypass proxies for Microsoft 365 requests from WAN or VPN users, allowing Microsoft 365 traffic to use direct Internet connections rather than traversing the corporate network.

Microsoft 365 security features

Microsoft is transparent about datacenter security, operational security, and risk reduction around Microsoft 365 servers and the network endpoints that they represent. Microsoft 365 built-in security features are available for reducing network security risk, such as Data Loss Prevention, Anti-Virus, Multi-Factor Authentication, Customer Lockbox, Defender for Office 365, Microsoft 365 Threat Intelligence, Microsoft 365 Secure Score, Exchange Online Protection, and Network DDOS Security.

For more information on Microsoft datacenter and Global Network security, see the Microsoft Trust Center.

New Office 365 endpoint categories

Office 365 endpoints represent a varied set of network addresses and subnets. Endpoints may be URLs, IP addresses, or IP ranges, and some endpoints are listed with specific TCP/UDP ports. URLs can either be an FQDN like account.office.net, or a wildcard URL like *.office365.com.

Note

The locations of Office 365 endpoints within the network are not directly related to the location of the Microsoft 365 tenant data. For this reason, customers should look at Microsoft 365 as a distributed and global service and should not attempt to block network connections to Office 365 endpoints based on geographical criteria.

In our previous guidance for managing Microsoft 365 traffic, endpoints were organized into two categories, Required and Optional. Endpoints within each category required different optimizations depending on the criticality of the service, and many customers faced challenges in justifying the application of the same network optimizations to the full list of Office 365 URLs and IP addresses.

In the new model, endpoints are segregated into three categories, Optimize, Allow, and Default, providing a priority-based pivot on where to focus network optimization efforts to realize the best performance improvements and return on investment. The endpoints are consolidated into the above categories based on the sensitivity of the effective user experience to network quality, the volume and performance envelope of the scenarios, and ease of implementation. Recommended optimizations can be applied the same way to all endpoints in a given category.

  • Optimize endpoints are required for connectivity to every Office 365 service and represent over 75% of Office 365 bandwidth, connections, and volume of data. These endpoints represent the Office 365 scenarios that are the most sensitive to network performance, latency, and availability. All endpoints are hosted in Microsoft datacenters. The rate of change to the endpoints in this category is expected to be much lower than for the endpoints in the other two categories. This category includes a small (on the order of ~10) set of key URLs and a defined set of IP subnets dedicated to core Office 365 workloads such as Exchange Online, SharePoint Online, Skype for Business Online, and Microsoft Teams.

    A condensed list of well-defined critical endpoints should help you to plan and implement high-value network optimizations for these destinations faster and more easily.

    Examples of Optimize endpoints include https://outlook.office365.com, https://<tenant>.sharepoint.com, and https://<tenant>-my.sharepoint.com.

    Optimization methods include:

    • Bypass Optimize endpoints on network devices and services that perform traffic interception, SSL decryption, deep packet inspection, and content filtering.
    • Bypass on-premises proxy devices and cloud-based proxy services commonly used for generic Internet browsing.
    • Prioritize the evaluation of these endpoints as fully trusted by your network infrastructure and perimeter systems.
    • Prioritize reduction or elimination of WAN backhauling, and facilitate direct distributed Internet-based egress for these endpoints as close to users/branch locations as possible.
    • Facilitate direct connectivity to these cloud endpoints for VPN users by implementing split tunneling.
    • Ensure that the IP addresses returned by DNS name resolution match the routing egress path for these endpoints.
    • Prioritize these endpoints for SD-WAN integration for direct, minimal-latency routing into the nearest Internet peering point of the Microsoft Global Network.
  • Allow endpoints are required for connectivity to specific Office 365 services and features, but are not as sensitive to network performance and latency as those in the Optimize category. The overall network footprint of these endpoints from the standpoint of bandwidth and connection count is also smaller. These endpoints are dedicated to Office 365 and are hosted in Microsoft datacenters. They represent a broad set of Office 365 micro-services and their dependencies (on the order of ~100 URLs) and are expected to change at a higher rate than those in the Optimize category. Not all endpoints in this category are associated with defined dedicated IP subnets.

    Network optimizations for Allow endpoints can improve the Office 365 user experience, but some customers may choose to scope those optimizations more narrowly to minimize changes to their network.

    Examples of Allow endpoints include https://*.protection.outlook.com and https://accounts.accesscontrol.windows.net.

    Optimization methods include:

    • Bypass Allow endpoints on network devices and services that perform traffic interception, SSL decryption, deep packet inspection, and content filtering.
    • Prioritize the evaluation of these endpoints as fully trusted by your network infrastructure and perimeter systems.
    • Prioritize reduction or elimination of WAN backhauling, and facilitate direct distributed Internet-based egress for these endpoints as close to users/branch locations as possible.
    • Ensure that the IP addresses returned by DNS name resolution match the routing egress path for these endpoints.
    • Prioritize these endpoints for SD-WAN integration for direct, minimal-latency routing into the nearest Internet peering point of the Microsoft Global Network.
  • Default endpoints represent Office 365 services and dependencies that do not require any optimization and can be treated by customer networks as normal Internet-bound traffic. Some endpoints in this category may not be hosted in Microsoft datacenters. Examples include https://odc.officeapps.live.com and https://appexsin.stb.s-msn.com.

For more information about Office 365 network optimization techniques, see the article Managing Office 365 endpoints.
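The two places above where the endpoint data is put to work, the Office 365 Endpoints web service section (consume the structured list to drive perimeter devices) and the PAC scripts section (send Optimize, and optionally Allow, destinations direct), plus the "IP addresses returned by DNS name resolution match the routing egress path" bullet in the category lists, can be exercised together. The JavaScript below is an added example written for this page; it is not Microsoft's code and not the web service itself. It assumes records in the shape the web service returns (id, serviceArea, category, urls, ips, tcpPorts); the four records, the RFC 5737 documentation subnets inside them, and the proxy name proxy.corp.example are constructed so the block runs offline, and shExpMatch() is a stand-in for the helper that browsers and WinHTTP supply to PAC scripts. The DNS check at the end treats "the answer lies inside the published subnets for that endpoint" as the test for the DNS bullet, which is one reasonable reading of it rather than something the article spells out.

```javascript
// Added example for this page (not Microsoft's code): turning Office 365
// Endpoints web-service records into a PAC bypass list, a perimeter allow
// list, and a DNS sanity check. The live service is
// https://endpoints.office.com/endpoints/worldwide?clientrequestid=<GUID>;
// the records below are CONSTRUCTED in the same shape so the example runs
// offline, and their subnets are RFC 5737 documentation ranges, not Microsoft's.
const sampleEndpoints = [
  { id: 1, serviceArea: "Exchange", category: "Optimize",
    urls: ["outlook.office365.com"], ips: ["203.0.113.0/24"], tcpPorts: "80,443" },
  { id: 2, serviceArea: "SharePoint", category: "Optimize",
    urls: ["*.sharepoint.com"], ips: ["198.51.100.0/25"], tcpPorts: "80,443" },
  { id: 3, serviceArea: "Exchange", category: "Allow",
    urls: ["*.protection.outlook.com"], ips: ["192.0.2.0/26"], tcpPorts: "443" },
  { id: 4, serviceArea: "Common", category: "Default",
    urls: ["odc.officeapps.live.com"], tcpPorts: "443" },
];

// Records whose category is one of `categories` (e.g. ["Optimize"] or
// ["Optimize", "Allow"]). Default endpoints are never selected, since the
// article treats them as ordinary Internet-bound traffic.
function selectByCategory(endpoints, categories) {
  return endpoints.filter((e) => categories.includes(e.category));
}

// Perimeter allow list: one {subnet, port} rule per published IPv4 range and
// TCP port, so a firewall can pass this traffic without inspection.
function buildAllowList(endpoints, categories) {
  const rules = [];
  for (const e of selectByCategory(endpoints, categories)) {
    for (const subnet of e.ips || []) {
      for (const port of (e.tcpPorts || "").split(",").filter(Boolean)) {
        rules.push({ subnet, port: Number(port), serviceArea: e.serviceArea, category: e.category });
      }
    }
  }
  return rules;
}

// PAC source that returns DIRECT for the selected endpoints and sends
// everything else to `proxy` (a hypothetical host:port). Wildcard URLs become
// shExpMatch() tests; plain FQDNs become exact host comparisons.
function buildPac(endpoints, categories, proxy) {
  const tests = [];
  for (const e of selectByCategory(endpoints, categories)) {
    for (const u of e.urls || []) {
      tests.push(u.includes("*")
        ? `shExpMatch(host, ${JSON.stringify(u)})`
        : `host === ${JSON.stringify(u)}`);
    }
  }
  const condition = tests.length ? tests.join(" ||\n      ") : "false";
  return [
    "function FindProxyForURL(url, host) {",
    `  if (${condition}) {`,
    '    return "DIRECT";',
    "  }",
    `  return ${JSON.stringify("PROXY " + proxy)};`,
    "}",
  ].join("\n");
}

// Stand-in for the shExpMatch() helper a real PAC host provides:
// shell-style '*' wildcard, anchored at both ends.
function shExpMatch(str, shexp) {
  const re = "^" + shexp.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*") + "$";
  return new RegExp(re).test(str);
}

// Compile generated PAC source into a callable FindProxyForURL so the bypass
// logic can be checked before the file is published via WPAD or GPO.
function loadPac(pacSource) {
  return new Function("shExpMatch", pacSource + "\nreturn FindProxyForURL;")(shExpMatch);
}

// IPv4 helpers for the DNS check: dotted quad -> unsigned 32-bit integer,
// then CIDR membership by masking both addresses.
function ipv4ToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}
function inCidr(ip, cidr) {
  const [network, bits] = cidr.split("/");
  const mask = bits === "0" ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return (ipv4ToInt(ip) & mask) === (ipv4ToInt(network) & mask);
}

// Does the address a resolver returned for `host` fall inside the subnets
// published for that endpoint? An answer outside them usually means a DNS
// layer or intermediary is substituting its own address, so the connection
// will not take the direct egress path the bypass rules were built for.
function dnsAnswerIsPublished(host, answerIp, endpoints) {
  const e = endpoints.find((x) => (x.urls || []).some((u) => shExpMatch(host, u)));
  const published = Boolean(e && (e.ips || []).some((c) => inCidr(answerIp, c)));
  return { known: Boolean(e), published };
}

console.log(buildPac(sampleEndpoints, ["Optimize", "Allow"], "proxy.corp.example:8080"));
```

Against live data, fetch the worldwide endpoint set from the web service, pass the parsed array in place of sampleEndpoints, and regenerate both outputs whenever the service reports a new version: the article notes that Allow endpoints change more often than Optimize ones, so a PAC or allow list built once and left alone will drift. Endpoints in the Allow category without an ips entry (the text notes not all have dedicated subnets) produce PAC tests but no firewall rules, which is the expected outcome rather than an error.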

比較網路周邊網路安全性與端點安全性Comparing network perimeter security with endpoint security

傳統網路安全性的目標是強化公司網路周邊網路,免於入侵和惡意攻擊。The goal of traditional network security is to harden the corporate network perimeter against intrusion and malicious exploits. 隨著組織採用 Microsoft 365,某些網路服務和資料會部分或全部遷移至雲端。As organizations adopt Microsoft 365, some network services and data are partly or completely migrated to the cloud. 針對網路架構的任何基礎變更,這個程序需要重新評估網路安全性,將新的因素列入考量:As for any fundamental change to network architecture, this process requires a reevaluation of network security that takes emerging factors into account:

  • 採用雲端服務之後,網路服務和資料會在內部部署資料中心與雲端之間散佈,周邊安全性本身已不足夠。As cloud services are adopted, network services and data are distributed between on-premises datacenters and the cloud, and perimeter security is no longer adequate on its own.
  • 遠端使用者從不受控制的位置 (如住家、旅館和咖啡廳) 連線到位於內部部署資料中心和雲端中的公司資源。Remote users connect to corporate resources both in on-premises datacenters and in the cloud from uncontrolled locations such as homes, hotels, and coffee shops.
  • 有目的建置的安全性功能大量內建到雲端服務,也許可以補充或取代現有的安全性系統。Purpose-built security features are increasingly built into cloud services and can potentially supplement or replace existing security systems.

Microsoft 提供大範圍的 Microsoft 365 安全性功能,並且提供採用安全性最佳做法的規範指引,可協助您確保 Microsoft 365 的資料和網路安全性。Microsoft offers a wide range of Microsoft 365 security features and provides prescriptive guidance for employing security best practices that can help you to ensure data and network security for Microsoft 365. 建議的最佳做法包括下列項目:Recommended best practices include the following:

  • 使用多重要素驗證 (MFA) MFA 會藉由在使用者輸入密碼之後,要求使用者在其智慧型手機上確認電話來電、簡訊或應用程式通知,對強式密碼策略增加另外一層的保護。Use multi-factor authentication (MFA) MFA adds an additional layer of protection to a strong password strategy by requiring users to acknowledge a phone call, text message, or an app notification on their smart phone after correctly entering their password.

  • 使用 Microsoft Cloud App Security 設定原則以追蹤異常活動並且採取動作。Use Microsoft Cloud App Security Configure policies to track anomalous activity and act on it. 使用 Microsoft Cloud App Security 設定警示,讓管理員可以檢閱不尋常或是有風險的使用者活動,例如下載大量的資料、多次失敗的登入嘗試或是來自未知或危險 IP 位址的連線。Set up alerts with Microsoft Cloud App Security so that admins can review unusual or risky user activity, such as downloading large amounts of data, multiple failed sign-in attempts, or connections from a unknown or dangerous IP addresses.

  • 設定資料外洩防護 (DLP) DLP 可讓您識別敏感性資料,並且建立原則,協助防止使用者意外或故意共用資料。Configure Data Loss Prevention (DLP) DLP allows you to identify sensitive data and create policies that help prevent your users from accidentally or intentionally sharing the data. DLP 可在 Microsoft 365 之間運作,包括 Exchange Online、SharePoint Online 和 OneDrive,因此您的使用者可以保持符合規範,而不會中斷他們的工作流程。DLP works across Microsoft 365 including Exchange Online, SharePoint Online, and OneDrive so that your users can stay compliant without interrupting their workflow.

  • 使用 Customer Lockbox 身為 Microsoft 365 系統管理員,您可以使用 Customer Lockbox 控制 Microsoft 技術支援工程師如何在協助工作階段期間存取您的資料。Use Customer Lockbox As a Microsoft 365 admin, you can use Customer Lockbox to control how a Microsoft support engineer accesses your data during a help session. 在工程師需要存取您的資料來排解及修正問題的情況下,Customer Lockbox 可讓您核准或拒絕存取要求。In cases where the engineer requires access to your data to troubleshoot and fix an issue, Customer Lockbox allows you to approve or reject the access request.

  • 使用 Office 365 安全分數 一種安全性分析工具,為您建議可以執行的動作以進一步降低風險。Use Office 365 Secure Score A security analytics tool that recommends what you can do to further reduce risk. 「安全分數」會查看您的 Microsoft 365 設定和活動,並且將它們與 Microsoft 所建立的基準進行比較。Secure Score looks at your Microsoft 365 settings and activities and compares them to a baseline established by Microsoft. 您的得分將會以您與最佳安全性實作的相符程度為準。You'll get a score based on how aligned you are with best security practices.

A holistic approach to enhanced security should include consideration of the following:

  • Shift emphasis from perimeter security towards endpoint security by applying cloud-based and Office client security features.
    • Shrink the security perimeter to the datacenter
    • Enable equivalent trust for user devices inside the office or at remote locations
    • Focus on securing the data location and the user location
    • Managed user machines have higher trust with endpoint security
  • Manage all information security holistically, not focusing solely on the perimeter
    • Redefine the WAN and building perimeter network security by allowing trusted traffic to bypass security devices and separating unmanaged devices onto guest Wi-Fi networks
    • Reduce network security requirements of the corporate WAN edge
    • Some network perimeter security devices such as firewalls are still required, but load is decreased
    • Ensure local egress for Microsoft 365 traffic
  • Improvements can be addressed incrementally as described in the Incremental optimization section. Some optimization techniques may offer better cost/benefit ratios depending on your network architecture, and you should choose the optimizations that make the most sense for your organization.

For more information on Microsoft 365 security and compliance, see the articles Microsoft 365 security and Microsoft 365 compliance.

Incremental optimization

We presented the ideal network connectivity model for SaaS earlier in this article, but for many large organizations with historically complex network architectures, it will not be practical to make all of these changes directly. In this section, we discuss a number of incremental changes that can help to improve Microsoft 365 performance and reliability.

The methods you use to optimize Microsoft 365 traffic will vary depending on your network topology and the network devices you have implemented. Large enterprises with many locations and complex network security practices will need to develop a strategy that includes most or all of the principles listed in the Microsoft 365 connectivity principles section, while smaller organizations might only need to consider one or two.

You can approach optimization as an incremental process, applying each method successively. The following table lists the key optimization methods in order of their impact on latency and reliability for the largest number of users.

| Optimization method | Description | Impact |
| --- | --- | --- |
| Local DNS resolution and Internet egress | Provision local DNS servers in each location and ensure that Microsoft 365 connections egress to the Internet as close as possible to the user's location. | Minimize latency; improve reliable connectivity to the closest Microsoft 365 entry point |
| Add regional egress points | If your corporate network has multiple locations but only one egress point, add regional egress points to enable users to connect to the closest Microsoft 365 entry point. | Minimize latency; improve reliable connectivity to the closest Microsoft 365 entry point |
| Bypass proxies and inspection devices | Configure browsers with PAC files that send Microsoft 365 requests directly to egress points. Configure edge routers and firewalls to permit Microsoft 365 traffic without inspection. | Minimize latency; reduce load on network devices |
| Enable direct connection for VPN users | For VPN users, enable Microsoft 365 connections to connect directly from the user's network rather than over the VPN tunnel by implementing split tunneling. | Minimize latency; improve reliable connectivity to the closest Microsoft 365 entry point |
| Migrate from traditional WAN to SD-WAN | SD-WANs (Software Defined Wide Area Networks) simplify WAN management and improve performance by replacing traditional WAN routers with virtual appliances, similar to the virtualization of compute resources using virtual machines (VMs). | Improve performance and manageability of WAN traffic; reduce load on network devices |
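The PAC-file approach from the "Bypass proxies and inspection devices" row, as an added example that is not part of the original article: Microsoft 365 hosts go DIRECT to the local Internet egress, and all other traffic stays on the inspecting corporate proxy. The proxy address and the short host list are assumptions (the authoritative list comes from the Office 365 IP Address and URL Web service), and the suffix match is anchored on a label boundary so that look-alike domains are not exempted from inspection by accident.

```javascript
// Added example (not from the article): minimal PAC file sending Microsoft 365
// traffic DIRECT to the local Internet egress and all other traffic through the
// inspecting corporate proxy. Proxy address and host list are assumptions; the
// authoritative list comes from the Office 365 IP Address and URL Web service.
var CORP_PROXY = "PROXY proxy.corp.example:8080"; // assumed proxy address

// Exact hosts, or domain suffixes written with a leading dot (the domain itself
// and every subdomain). Illustrative sample entries only.
var M365_DIRECT = [
  "outlook.office365.com",
  "login.microsoftonline.com",
  "teams.microsoft.com",
  ".sharepoint.com"
];

// True when host is in the bypass list. Suffix matches are anchored on a label
// boundary, so "evil-sharepoint.com" or "sharepoint.com.attacker.example" do
// not escape proxy inspection. Written in ES5 for older PAC engines.
function isM365Host(host) {
  host = String(host).toLowerCase();
  for (var i = 0; i < M365_DIRECT.length; i++) {
    var p = M365_DIRECT[i];
    if (p.charAt(0) === ".") {
      if (host === p.substring(1)) return true;            // the domain itself
      if (host.length > p.length &&
          host.substring(host.length - p.length) === p) {  // ".sharepoint.com"
        return true;
      }
    } else if (host === p) {
      return true;
    }
  }
  return false;
}

// Entry point every PAC engine calls for each request.
function FindProxyForURL(url, host) {
  if (isM365Host(host)) {
    return "DIRECT";   // local egress, no proxy hairpin or inspection
  }
  return CORP_PROXY;   // everything else stays inspected
}
```

Deploy the file at a URL the browsers can reach and keep the host list in sync with the published endpoint data; anything not on that list continues through the proxy.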

  • Microsoft 365 Network Connectivity Overview
  • Managing Office 365 endpoints
  • Office 365 URLs and IP address ranges
  • Office 365 IP Address and URL Web service
  • Assessing Microsoft 365 network connectivity
  • Network planning and performance tuning for Microsoft 365
  • Office 365 performance tuning using baselines and performance history
  • Performance troubleshooting plan for Office 365
  • Content Delivery Networks
  • Microsoft 365 connectivity test
  • How Microsoft builds its fast and reliable global network
  • Office 365 Networking blog