Running the specific scenario:
1 Splunk heavy forwarder with no direct internet access (on-prem Splunk 8.1.7.2)
Splunk Add-on for Microsoft Cloud Services on the HF (4.3.3)
1 internet proxy
Express route for private network traffic to Azure
When trying to ingest data from an event hub input on the above setup with the proxy configuration enabled on the add-on:
1 - Service principal authentication succeeds (over internet proxy as expected)
2 - Connection to event hub fails because the event hub only accepts connections over the express route link and the heavy forwarder tries to connect through a public IP using the configured proxy - I've confirmed the HF resolves the event hub FQDN to a private IP but it still sends the connection request to the proxy. I've also confirmed this on the add-on code.
When trying to ingest data from an event hub input on the above setup with the proxy configuration disabled on the add-on:
1 - Service principal authentication fails (no internet access)
In the above scenario, the add-on needs internet access to get an authentication token from the Microsoft API, but the connection to the event hub to ingest data needs to happen through the express route private link. The Add-on just seems to do all one way or the other depending on the proxy configuration being enabled or not. Is there a solution for this?
Having the proxy configuration enabled also breaks all storage account inputs as they use a SAS key (no internet required for authentication) but are not routed through the express route link despite the storage account FQDN being resolved into a private IP.
Regards,
Marco
