Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk infrastructure recommendations

kaboom1
Explorer
‎08-23-2023 06:31 AM

Hello all,

I need some suggestions/recommendations about enlarging our splunk infra.

What are the considerations of putting a Heavy forwarders in a different network/vlan than the deployment server and the indexers ?

What are the considerations of putting the indexers on different networks/vlans than the other indexers and the cluster master? will there be any synchronization issues?

The context here is that we will onboard new logs from a different network/domain/vlan and we were thinking of putting the heavy forwarder in the "new domain" to reduce the overhead with the firewall rules/to centralize data that will be later sent to the indexers. 

and we were also wondering why not putting a heavy forwarder and an indexer in the "new domain" and open the required flows towards/from the deployment server/cluster master/other indexers search heads.

Any comments or suggestions ?

 

Thank you soo much.

Tags (2)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-23-2023 08:53 AM

Hi @kaboom1,

this isn't a question for the Community, this request requires analysis and design from a Splunk Architect otherwise you have a big risk.

Anyway, all the considerations from @isoutamo are correct and you could use them, but I hint to ask to an Architect.

Anyway, I use an HF when there's the request to segregate networks, in other words if you want to limit the channels between networks, you can use an HF (better two, to avoid Single Points of Failure) as a concentrator, so you have to open routes only for this server.

If the clients in the subnetwork are less than 50, you can use the same HF as Deployment Server, but a twl leve Deployment Architecture, isn't so immediate ans still requires an Architect.

Ciao.

Giuseppe

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-23-2023 07:10 AM

Hi

I said that most important thing to consider when you are putting your HF and also for indexers is your company security policy. This is true especially for indexers. Usually those should put into some security core or something similar where access is quite limited. Heavy forwarders could be on same zone/vlan than indexers and/or DS, but it's not needed. The main thing is allow needed access on FW to communication from HF to DS and Indexers. Quite often or almost always DS and HFs' are on different zones/vlans. And same for indexers vs. HFs. You should do it just like your company security policy said.

Also new indexers could be on different VLAN than old ones and CM if needed. But again in this kind of situation be sure that FW is opened on both directions as needed!

Personally I like to keep all indexers on same VLAN, if I have single site cluster. On multisite cluster it depends how its network has done. Those could be on one or one VLAN per site.

Anyhow try to keep all indexers and also SHs as close as possible each other both physical and logical point of view. That will helps your later on as there are as few network equipments between those. You should remember that probably the highest traffic will be between indexers and also between indexers and SH.

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...