Deployment Architecture

Query on Heavy forwarder with SSL connecting to indexer with SSL. So should all the UF agent connections also have SSL?

smartpraseetha
New Member

Hello All,

I have UFs in cloud DCs.

The proposed solution is to have SSL between the Indexer and the Heavy forwarders.

The plan is for 1 indexer to connect with 3 HFs (both indexer and HFs having SSL).

I assume all 3 of these connections should connect to different ports on the indexer:

Indexer 9997-1 connection HF

Indexer-9998-2 HF

Indexer-9999-3 HF

 

Also, another question: is there a criterion that if the HF is sending the data via SSL, all the UF agents connecting to the HF also need to have SSL?

 

Cheers,

Praseetha

 

 

 

0 Karma

The_Simko
Path Finder

Taking this one step by step.

1. Indexers listen on the same port for each server. If all indexers are on SSL, then 9997 for each (or whatever port you like, but 9997 is convention)
2. Each HF forwards data to the indexer.  That's where you require SSL if I'm understanding your design. The UFs forward to the HF which then send to IDX?  
3. UFs to HF is allowed to be SSL if your requirements specify it. Else, that could be unencrypted, and then the SSL out to your IDX is encrypted.

Now, you asked if HF is required to use SSL to send to the IDX?  Splunk doesn't mandate it, that is dependent upon your customer's needs.  Do you need SSL? If not, don't do it. If you need it, then turn on SSL.  Always take it back to the customer's requirements.

That said, are you sure you need HFs? Could the UFs just send directly to the IDX? If so, do that. Even if security team is whining that it makes them do work.

 

0 Karma

smartpraseetha
New Member

Thank you Micheal

 

1. Indexers listen on the same port for each server. If all indexers are on SSL, then 9997 for each (or whatever port you like, but 9997 is convention)

I have only 1 Indexer. I have 3 other HFs in other clouds which it will connect to.

Both Indexer and HF will need SSL for secured data flow.

So the question is: 1 indexer with SSL on 9997 connecting to 3 HFs with SSL on 9997. Is this possible?

Or do we need to connect each of the 3 HFs with SSL to ports 9997, 9998 and 9999 of the Indexer with SSL?


2. Each HF forwards data to the indexer.  That's where you require SSL if I'm understanding your design. The UFs forward to the HF which then send to IDX?

Yes, correct, each UF forwards to the HF.


3. UFs to HF is allowed to be SSL if your requirements specify it. Else, that could be encrypted, and then the SSL out to your IDX is encrypted.

UF and HF are in the same environment. But the question is that the HF has SSL and is connecting to an Indexer in a different environment.

Since the HF has SSL, is it required for all the UFs in the same environment? That is my question.


Now, you asked if HF is required to use SSL to send to the IDX?  Splunk doesn't mandate it, that is dependent upon your customer's needs.  Do you need SSL? If not, don't do it. If you need it, then turn on SSL.  Always take it back to the customer's requirements.

0 Karma

anilchaithu
Builder

@smartpraseetha 

Since UFs are not sending directly to indexers, they won't require SSL. But again, this will be a vulnerability between UF & HF.

 

0 Karma
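
The layout discussed in this thread, as an added configuration sketch that is not part of any poster's reply: one indexer with a single SSL listener on 9997 shared by all three HFs, and the optional SSL listener on the HF for its UFs. Hostnames, certificate paths, group names and passwords are placeholders; the stanza and setting names are the standard Splunk `inputs.conf`, `outputs.conf` and `server.conf` ones.

```ini
# ---- Indexer: inputs.conf ----
# A single SSL listener accepts every HF; no per-forwarder port is needed.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
# Placeholder path: server certificate and private key in one PEM file.
serverCert = /opt/splunk/etc/auth/mycerts/indexer.pem
sslPassword = <indexer-key-password>
# Set to true to also require a certificate from each HF (mutual TLS).
requireClientCert = false

# ---- Each of the 3 HFs: outputs.conf (identical on all three) ----
[tcpout]
defaultGroup = idx_ssl

[tcpout:idx_ssl]
# Placeholder hostname; all HFs point at the same indexer port.
server = indexer.example.com:9997
clientCert = /opt/splunk/etc/auth/mycerts/hf.pem
sslPassword = <hf-key-password>
# Reject the connection unless the indexer certificate chains to the trusted CA.
sslVerifyServerCert = true

# ---- Each HF: server.conf ----
[sslConfig]
# Placeholder path: CA that signed the indexer certificate.
sslRootCAPath = /opt/splunk/etc/auth/mycerts/ca.pem

# ---- Each HF: inputs.conf, receiving from its local UFs ----
# Option A: plain splunktcp inside the same environment (unencrypted hop).
[splunktcp://9997]
disabled = 0

# Option B: SSL for the UF hop as well. Use this instead of option A, add an
# [SSL] stanza with the HF's serverCert as on the indexer, and give each UF a
# [tcpout:...] group with clientCert and sslVerifyServerCert as on the HF above.
# [splunktcp-ssl:9998]
# disabled = 0
```

With option A, the UF-to-HF traffic is readable by anything that can observe that network segment, so the choice depends on how far that environment is trusted.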