Assume the best practices of Splunk AWS is deployed on production AWS region (e.g. London).
How to design the DR of Splunk?
1. create another best practice design in another region (e.g. Paris) and extend the SH cluster and indexer cluster to the Paris region?
2. what if a hot-stanby is no required, is it able to take a whole of the Splunk (including VPC, AZ, subnets, Security groups, instances, EBS) and archive it in S3 bucket and restore it in Paris region manually?
Best Practice Architecture:
This is a HUGE questions. What parts do you nee DRd? How much downtime can you have? Do you have budget/constraints?
the real question is, what is the problem you are trying to solve?
what is it you would like to protect against?
do you need DR for your search components? Index (data) components?
do you need HA?
Please share what is it that you would like to achieve
if the primary AWS region is down, we have to resume the SIEM in another AWS region within 4 hours.
no HA between AWS region is needed.
HA is required within same AWS region.
I need DR for search components and index components as the applications will also failover to the DR AWS region.