Per the Splunk Cloud documentation, it is possible to have a Hybrid Search model where an on-premise Search Head essentially connects to the Master Node in the Cloud, which then allows the Cloud Indexers to be searched from the on-premise Search Head. In order to facilitate this, it seems that the URI of the Master Node would be required and also the Cloud Indexer clustering configuration key. However, how does this work on the internal certificate side for communication?
I am assuming the SH would communicate with the MN over port 8089. Are certificates provided to facilitate this communication or is only the Splunk default certificate being used?
Communication is secured using the pass4symmkey. (Shared Secret). You should file a ticket asking asking for Hybrid search to be setup, then support will send your the URI to your c0m1 (clustermaster) and a secret key.
Note: Hybrid search must be requested as its not setup by default. Also, you should provide a whitelist of IPs for your on-prem searchheads.