Microsoft Core Infrastructure Segmentation

Klimko Vasiliy 21 Reputation points

Hi. Like many companies we are forced to run an on-premise Exchange server since we are in a hybrid Exchange configuration. There is no practical way to get rid of our on-prem Exchange server at this time but I want to mitigate the security risks of having an on-prem Exchange server.

Do I need to segment basic infrastructure such as ADDS, ADCS, Exchange, and Azure AD Connect into separate VLANs? If I have Exchange Hybrid, do I need to put it on a separate VLAN because it has traffic in and out of Microsoft 365? Are there best practices for partitioning Microsoft basic infrastructure into VLANs?


1 answer

  1. Jing Zhou 1,475 Reputation points Microsoft Vendor



    Thank you for posting in Q&A forum.

    As a support engineer rather than an architect, I would recommend you follow the principle of least privilege.

    For safety purposes, you can separate Exchange Hybrid into its own VLAN and only allow necessary traffic to and from the other VLANs. In this scenario, it will have the least access to any other sensitive resources.

    Hope this answer can help you well.


    Best regards,

    Jill Zhou

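The answer's advice (Exchange Hybrid in its own VLAN, with only necessary traffic permitted to and from other segments) is easy to state and easy to erode over time as rules are added. The following script is an added example, not code from the original thread or from Microsoft: it audits a constructed, first-match inter-VLAN rule list and reports the ways such a policy typically drifts from least privilege. The VLAN names (`EXCHANGE_HYBRID`, `ADDS`, `ADCS`, `AADCONNECT`, `INTERNET_M365`) and the rule sets are assumptions for illustration; the ports in the hardened set are well-known service ports (LDAP 389, Kerberos 88, HTTPS 443, SMTP 25) used only to show the shape of a narrow rule, not a complete list of what Exchange requires.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One inter-VLAN rule; the list is evaluated top-down, first match wins."""
    src: str      # source VLAN / address object name, or "any"
    dst: str      # destination VLAN / address object name, or "any"
    proto: str    # "tcp", "udp" or "any"
    port: str     # destination port as a string, or "any"
    action: str   # "allow" or "deny"


# Constructed segment names for this example (assumption, not from the thread).
EXCHANGE_VLAN = "EXCHANGE_HYBRID"
SENSITIVE_VLANS = {"ADDS", "ADCS", "AADCONNECT"}


def _broad(rule: Rule) -> bool:
    """True when a rule matches every protocol and every port."""
    return rule.proto == "any" and rule.port == "any"


def audit_rules(rules: List[Rule]) -> List[str]:
    """Return findings for the Exchange segment; an empty list means no drift found."""
    findings: List[str] = []
    deny_out: Optional[int] = None   # index of the trailing deny-all leaving Exchange
    deny_in: Optional[int] = None    # index of the trailing deny-all entering Exchange

    for i, r in enumerate(rules):
        if EXCHANGE_VLAN not in (r.src, r.dst):
            continue  # rule does not involve the Exchange segment
        if r.action == "deny" and _broad(r):
            if r.src == EXCHANGE_VLAN and r.dst == "any" and deny_out is None:
                deny_out = i
            if r.src == "any" and r.dst == EXCHANGE_VLAN and deny_in is None:
                deny_in = i
            continue
        if r.action != "allow":
            continue
        # Allows placed after a deny-all never match under first-match semantics.
        if r.src == EXCHANGE_VLAN and deny_out is not None:
            findings.append(f"rule {i}: allow is shadowed by deny-all rule {deny_out}")
        if r.dst == EXCHANGE_VLAN and deny_in is not None:
            findings.append(f"rule {i}: allow is shadowed by deny-all rule {deny_in}")
        # Exchange reaching a sensitive segment on every port is not least privilege.
        if r.src == EXCHANGE_VLAN and r.dst in SENSITIVE_VLANS and _broad(r):
            findings.append(f"rule {i}: unrestricted allow from {r.src} to sensitive segment {r.dst}")
        # Inbound from "any" means the hybrid endpoints are exposed beyond known peers.
        if r.src == "any" and r.dst == EXCHANGE_VLAN:
            findings.append(f"rule {i}: allows any source into {r.dst}; restrict to known peers")
        # Outbound to "any" lets a compromised Exchange host reach every other segment.
        if r.src == EXCHANGE_VLAN and r.dst == "any":
            findings.append(f"rule {i}: allows {r.src} to reach any destination")

    if deny_out is None:
        findings.append(f"missing trailing deny-all from {EXCHANGE_VLAN} to any")
    if deny_in is None:
        findings.append(f"missing trailing deny-all from any to {EXCHANGE_VLAN}")
    return findings


# Constructed "before" policy: flat access to the domain controllers, open inbound.
WEAK_RULES = [
    Rule("EXCHANGE_HYBRID", "ADDS", "any", "any", "allow"),
    Rule("any", "EXCHANGE_HYBRID", "tcp", "443", "allow"),
]

# Constructed "after" policy: named peers, explicit ports, default deny both ways.
HARDENED_RULES = [
    Rule("EXCHANGE_HYBRID", "ADDS", "tcp", "389", "allow"),          # LDAP (illustrative)
    Rule("EXCHANGE_HYBRID", "ADDS", "tcp", "88", "allow"),           # Kerberos (illustrative)
    Rule("INTERNET_M365", "EXCHANGE_HYBRID", "tcp", "443", "allow"), # hybrid HTTPS from M365 ranges
    Rule("EXCHANGE_HYBRID", "INTERNET_M365", "tcp", "443", "allow"),
    Rule("EXCHANGE_HYBRID", "INTERNET_M365", "tcp", "25", "allow"),  # SMTP mail flow
    Rule("EXCHANGE_HYBRID", "any", "any", "any", "deny"),
    Rule("any", "EXCHANGE_HYBRID", "any", "any", "deny"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name}: {len(audit_rules(rules))} finding(s)")
        for f in audit_rules(rules):
            print("  -", f)
```

Running it reports four findings for the weak policy (an any-port allow into ADDS, an any-source allow into the Exchange segment, and no deny-all in either direction) and none for the hardened one. The shadowing check matters in practice: a rule appended below the deny-all looks like an exception but never fires, so the audit flags it rather than letting a reviewer assume the access exists.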