Client connectivity

Summary:    Explains how client computers connect to Office 365 tenants, depending on the location of the client computer and Office 365 tenant datacenter.

Office 365 resides in Microsoft datacenters around the world which help keep the service up and running even when there's a major problem in one region, such as an earthquake or a power outage. When you connect to your Office 365 tenant, the client connection will be directed to the appropriate datacenter where your tenant is being hosted. The rules that determine where your tenant can be hosted are defined by your agreement with Microsoft. The rules that determine how your client acquires the data from that datacenter location depend on the architecture of the service you're using.

For example, when you log on to the Office 365 portal, you're usually connected to the closest datacenter to the client and then directed depending on the service you use next. If you launch email, the initial connection to display the UI may still come from the nearest datacenter, but a second connection might be opened between the nearest datacenter and the datacenter where your tenant is located to show you what's in the emails you read. Microsoft operates one of the top ten networks in the world resulting in incredibly fast datacenter-to-datacenter connections fast.

After you read the article, you'll likely understand why we don't provide Office 365 URLs and IP address ranges per datacenter, they are simply too interconnected and reliant on each other to make that feasible.

If you're using Azure ExpressRoute for Office 365, in most cases your connectivity will go over a private connection to Office 365 instead of the public connection described here. The principles about how clients connect are still accurate. Learn more about Azure ExpressRoute for Office 365.

For more depth on Skype for Business network requests, read the article Media Quality and Network Connectivity Performance in Skype for Business Online.

This article is part of Network planning and performance tuning for Office 365

Note: We take great care to manage customer data so it's secure and private in our datacenters. Details about the steps we take to manage privacy are included in the Trust Center.

Connecting to the nearest datacenter

This is the most common type of connection, and it's used by both the Office 365 portal and Exchange Online. In this situation, when clients attempt to connect to Office 365, their computer's DNS query determines the region of the world their computer is coming from, and Office 365 redirects the request to the nearest datacenter.

Connections to the portal stop at the nearest datacenter, and the client computer is presented with information about the client's tenant from that location.

Exchange Online goes a step further. Once the client computer is connected to the nearest datacenter, an Exchange server in that datacenter connects to the datacenter where the tenant is actually located as illustrated in the How does this work section below. The Exchange Online servers in the nearest datacenter then proxy the requests from the client computer to the mailbox server. This speeds up the experience for the client computer by moving the heavy lifting of retrieving emails and calendar items to the Microsoft network.

How does this work for standard cloud offerings?

This connection process is standard for high traffic, high value web applications like Office 365. In this section, we outline and illustrate the steps in the process. When the client computer is not in the same region as the tenant, the connection looks much different depending on the service the client is connecting to.

This diagram depicts a customer using a standard Office 365 offering with a tenant in North America. In this scenario, the person making the request has traveled to Europe and is using Office 365 from that location..

1. The client computer asks the local DNS servers for the IP address associated with Office 365.

2. The client computer's local DNS servers ask the Microsoft DNS servers for the IP address associated with Office 365.

3. Microsoft's DNS servers return the regional server name (based on the location of the client's DNS servers), and the client computer repeats steps 1 and 2 to obtain the IP address of the regional Office 365 datacenter.

4. The client computer connects to the regional datacenter IP address.

5. The Exchange Online servers establish a connection to the active datacenter where the customer's tenant resides.

How does this work for sovereign cloud offerings?

This connection is slightly different for sovereign cloud offerings such as Office 365 operated by 21 Vianet. With the tenant in a sovereign instance of Office 365, the nearest Office 365 servers that will accept portal connections are the servers within the sovereign region where the tenant resides. Similarly, customers accessing SharePoint Online in our sovereign cloud or standard offerings will be directed to front end servers where the tenant resides. See connecting to the active datacenter below.

1. The client computer asks the local DNS servers for the IP address associated with Office 365.

2. The client computer's local DNS servers ask the Microsoft DNS servers for the IP address associated with Office 365.

3. Microsoft's DNS servers return the regional server name (based on the location of the client's DNS servers), and the client computer repeats steps 1 and 2 to obtain the IP address of the regional Office 365 datacenter.

4. The client computer connects to the regional datacenter IP address.

5. The Exchange Online servers establish a connection to the active datacenter where the customer's tenant resides.

Connecting to the active datacenter

Connecting to the active datacenter is designed for heavier data transfer workloads and is currently used by SharePoint Online. In this situation, when clients attempt to connect to Office 365, their browser is redirected to the active datacenter for their SharePoint Online tenant.

How does this work?

When the client computer is connecting to SharePoint Online from a different region, the connection is redirected to the active SharePoint Online datacenter. In this scenario, the customer is using a standard offering, resulting in the portal connections remaining local and the SharePoint Online connections being directed to the active datacenter.

1. The client computer asks the local DNS servers for the IP address associated with Office 365.

2. The client computer's local DNS servers ask the Microsoft DNS servers for the IP address associated with Office 365.

3. Microsoft's DNS servers return the server name of the active SharePoint Online datacenter (based on the location of the client's Office 365 tenant), and the client computer repeats steps 1 and 2 to obtain the IP address of the active Office 365 datacenter.

4. The client computer connects to the active datacenter IP address.

Connecting over Virtual Private Networks (VPNs)

This type of connection applies only when a virtual private network (VPN) is used by client computers. In reality, Office 365 behavior isn't changed simply because a VPN is used, but VPNs are commonly used to control how client computers establish connections to Office 365 and usually results in a degraded experience, so it's important to cover.

How does this work?

When the client computer establishes a VPN connection to a corporate office in a different region, the DNS servers at that office are used instead of the DNS servers at the client computer's location. In most cases, this extra connection over the VPN will degrade the Office 365 experience. The Office 365 services are optimized to service customer connections as close to the end user as possible. Many services leverage the Azure edge network, Content Delivery Networks, and the reliable network capacity on the Microsoft network to deliver the best possible user experience when network requests for Office 365 services are made as close to the client computer as possible.

1. The client computer asks the VPN DNS servers for the IP address associated with Office 365.

2. The client computer's VPN DNS servers ask the Microsoft DNS servers for the IP address associated with Office 365.

3. Microsoft's DNS servers return the regional server name (based on the location of the VPN DNS servers), and the client computer repeats steps 1 and 2 to obtain the IP address information of the regional Office 365 datacenter.

4. The client computer connects to the datacenter IP address that's closest to the corporate office they established a VPN connection with.

Here's a short link you can use to come back: https://aka.ms/o365clientconnectivity

See Also

Managing Office 365 endpoints

Network connectivity to Office 365