Home / Blog / IT Managed Services / Microsoft 365 Architecture: Solving Network Latency Issues

February 10, 2020

What’s the recommended network architecture requirement for Microsoft 365? Many enterprises have experienced performance issues after migrating to M365, as well as significant increases in bandwidth usage. All of which has resulted in troublesome deployments and a poor user experience. The underlying cause of the problem is the need to meet Microsoft’s network architecture & bandwidth requirements for Microsoft 365. But this is a common issue to overcome and a challenge many enterprises face on their network transformation journey.

Office 365 architecture: Solving network latency issues

Causes of Microsoft 365 network latency

So, what are the causes of M365 network latency? In its report on Microsoft 365, Gartner noted that “Existing internet connectivity to Microsoft 365 will not be ‘good enough’ for most Microsoft 365 usage scenarios.”

With user experience being the number one measure of a successful O365 migration, this places the need for LAN-like performance for all users.

Of the estimated 80% of organisations who have migrated to Microsoft 365, more than 60% encounter weekly network issues – caused by insufficient bandwidth, underpinned by an underestimation of the requirements.

Firewalls experience between 12 – 20 persistent connections per user. Microsoft also recommend no more than 2,000 users behind each public IP.

Microsoft 365 network connectivity requirements

Microsoft recommends a direct internet connection, bypassing Microsoft 365 traffic through your proxies. Which is why Microsoft came up with ExpressRoute – essentially, a private high-speed circuit with low latency. However, Microsoft now no longer recommends ExpressRoute!

“Azure ExpressRoute is not required or recommended for Microsoft 365 except where mandated to use direct networking for regulatory purposes or where a network assessment for Skype for Business connectivity requires it.” https://docs.microsoft.com/en-us/office365/enterprise/azure-expressroute

Microsoft now offers the following guidance for connection routing to minimise latency:

  • A well-configured, direct internet connection is the optimal method to connect to Microsoft 365.
  • Avoid centralised proxies, which can increase latency.
  • Ensure proxies are in the local region of the client.

Local internet breakouts

Providing users with local internet breakouts to access Microsoft 365 will provide a good user experience, assuming that bandwidth requirements are well managed. However, many organisations have underestimated the growth in bandwidth requirements over time. And of course, Microsoft 365 will not be the only cloud-based traffic, with the growth in SaaS services continuing unabated.

Bandwidth requirements with Microsoft 365

With Microsoft 365 migration, you should assume bandwidth consumption will increase 40%. You should also assume that existing firewalls/proxies will see some level of port exhaustion, and that users will quickly wipe out your bandwidth estimates. Microsoft offers the following guidance when it comes to bandwidth planning for Microsoft 365:

  • Up to 25 users: Use Excel calculators.
  • Over 25 users: Start with the calculators as an estimate, then run a pilot and measure the usage during that time.

What about proxy architecture?

Proxies often do not scale well – and were not designed with SaaS services in mind, resulting in poor performance with applications like Microsoft 365. If a proxy must be used, then ensure:

  • Devices are scaled up to cope with SaaS services, both in terms of processing and NAT capability.
  • Avoid centralised proxies (which can increase latency) and ensure proxies are in the local region of the client.
  • Avoid using Skype for Business, even when optimised.
  • Avoid unnecessary packet inspection.

Zscaler for Microsoft 365 (and any SaaS service)

Through direct peering with Microsoft’s Azure network, Zscaler’s cloud security platform provides a low latency connection to Microsoft 365 (or any other SaaS service), regardless of location. There is simply nothing better than going direct. And with granular bandwidth control (to both cloud applications and general internet traffic), you can guarantee Microsoft 365 bandwidth to all users. In fact, Zscaler is the first cloud security provider to be a certified partner in the Microsoft Networking Partner Program (NPP) for Microsoft 365. The program is designed to offer customers a set of partners whose deployment practices and guidance are aligned with Microsoft’s networking recommendations for Microsoft 365 to provide users a fast and secure user experience. Gartner Magic Quadrant for Secure Web Gateways 2019 As a Gartner magic quadrant leader, Zscaler moves your security stack to the cloud, providing fast, secure connections between users and cloud applications (not just Microsoft 365)… regardless of device, location, or network. Which is why Zscaler is the default choice for enterprises of all sizes looking to migrate to Microsoft 365 (or other large-scale apps, for that matter).

  1. Low latency O365 connectivity – for a great user experience for all users.
  2. Avoid increasing bandwidth costs.
  3. Visibility of all internet traffic, with granular control.
  4. Rapid deployment – overlays legacy networks to enable secure cloud transformation.

Want to learn more? Download the full eBook

Read the Essential Network Connectivity Guide for Microsoft 365 (and other large-scale applications). Deliver LAN-like performance, with full visibility and control of bandwidth usage – even across legacy network architectures…


Related articles:


About CyberOne

CyberOne is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC). With a dedicated in-house team to Zscaler specialists providing 1st and 2nd-line support to clients, CyberOne helps dramatically simplify the migration to Microsoft 365.