GDPR

EU M365 data streams to a US IP-Address?

About M365 GDPR-concerns regarding a US-IP-Address

Bernhard Flür

08 Mar 2023 — 1 min read

Hello!

As a customer of mine had concerns about the routing of Microsoft 365 traffic from his local on-premise firewall towards a US IP-Address, I want to take the opportunity to clear up this here a little bit!

The story

As I'm based in Austria, which is a member of the European Union, we're required to hold every piece of company data related to a person inside the European Union, excepted for a couple of exceptions.

Microsoft did recognize this need and is fulfilling this requirement, luckily for all the commercial customers here. (Link)

Knowing of that, a customer was extremely wondering and unsettled about having huge amount of outgoing traffic, according his firewall, in direction to an IP-Address located in the United States.

Why that isn't a problem...

Routing the traffic through US-datacenter would definitely break european law, which would be... not cool.

But actually this doesn't happen, as Microsoft using a Front Door Infrastructure for assigning the data flows to the POP (Point-of-presence) with the best latency.

"The Front Door"

Front Door is a globally operating Azure service with the mission, mediate traffic to the nearest point of presence (POP). You can compare it with bus stops inside the Microsoft Global Network, where traffic from/to an Azure Region (M365 Datacenter) can enter and exit the network.

Here is a list of all POPs worldwide: Link

To provide this feature, Front Door is using a technique named "Anycast". (Wikipedia)

AnyCast enables Front Door to offer a service, which is distributed on many locations all over the world, via a single IP-Address.

AnyCast Routing data stream — Source: wikipedia.com

ConclusioN

What brings us to a clear statement about the location, related to this single IP-Address:

It's not possible to name the location of this specific IP, as there are many locations behind it.

Microsoft also confirms, that the location of the IP does not have any association with the terminating location of the data stream.

You can find this statement here in the purple info box.

Cheers! :)

New! Azure VM Image Browser

Hey guys! After spending some time wrestling with the Azure CLI to find the right images for the right VMs, I built a solution (together with Kiro.dev) to make this easier. It shows you the available images for a specific subscription in a specific region. I called it VMIB

Azure “At-Cost” Data Transfer: More diversity for the cloud!

Hi guys! Moving data out of Azure has always carried a premium price tag, often turning data mobility into a budget line item that CIOs and architects dread. But Microsoft has quietly introduced a change that could make inter-cloud transfers far more affordable — especially for customers in Europe, the EEA,

VM Default Outbound Access - What's Changing and How to Prepare

Hello guys! After a period of silence I want to provide you with fresh content out of Azure. Today we're going to talk about the topic "VM Default Outbound Access". What's changing? By default, Azure virtual machines (VMs) can currently reach the Internet without

Auto assign invoice sections via tag

Hi together! Today I want to share a billing management thing with you, applicable for all MCA customers! Basics If you're in an enterprise company (or maybe mid-size ones), you'll have the need to separate Azure costs between the departments and subsidiaries, who are cause them.