When discussing network configuration for Office 365, there will be a series of issues and challenges that need to be addressed. Ideally this is all done in a proactive manner, with the final items addressed in the POC phase.
One of the cornerstone issues is around how access to and from Office 365 will be managed. This has to address end user access from workstations and publishing your on-premises infrastructure to the Internet. Specifically for this post, the discussion is around how Exchange Online Protection (EOP) connects to on-premises Exchange for SMTP.
If we look at the current Office 365 URLs and IP address ranges article, there are a couple of things to point out. This article is focused on end user access from their workstation or device. You need to ensure that you are looking at the correct flavour of Office 365, typically this is WW commercial but if you manage a sovereign cloud instance or a US federal instance please ensure you refer to the correct article.
There is also the Other endpoints article, which is meant to facilitate the network discussion of hybrid services such as Exchange and SharePoint. It is not 100% complete, hence the point about facilitating the discussion for your hybrid servers.
On this point, back to EOP and the IP ranges that it uses.
Current EOP IP Ranges
The EOP SMTP endpoints have been included in the the main Office 365 URLs and IP addresses article for sometime now. You can see them under the Exchange Online section, at the time of writing they are ID 10.
These are pretty large netblocks, note the /14 /15 /16 and /17 ranges for the IPv4 space.
That is roughly 490,000 IP addresses. It sounds a lot, but remember this is WW commercial so that has to scale for a few million mailboxes and allow for HA and DR.
From a firewall admin’s perspective, it’s a simple rule as there are only those 4 CIDR ranges to add to include all the WW commercial EOP addresses.
Previous EOP IP Ranges - 2018
Compare this to before October 2018, where the list of EOP IPs that had to be allowed was much larger. In those days there was a unique page for the EOP addresses:
While that page is no longer with us, we can use the Wayback Machine to set the time circuits to 2018. The below is a drive by scrolling of the old IPs, note that there were considerably more…
If you want a high resolution of the above, click here.
Previous EOP IP Ranges 2015
For even older iterations of the EOP IP documentation, there used to be another separate page on TechNet. Remember TechNet???
Note that there were 31 separate IPv4 ranges.
And two IPv6 ranges
Previous EOP IP Ranges – 2014
Jumping back to when Exchange 2010 servers still walked the Earth…
And a single IPv6 range: