We are in the process of moving from Splunk on premise to Splunk Cloud and we need to configure LDAPS authentication (such a shame ADFS or SAML aren't supported!).
This requires we open up LDAPS on our firewall and for obvious reasons we want to limit this to only the IP's used by Splunk Cloud. Can anyone confirm these please?
Contact Splunk Cloud Ops support and get the IPs of your Search Heads, and supporting management servers. Only your search heads should have direct user access. When you setup ldap.conf you will need to specify the secure port. Use good SSL certificates to complete the connection.
On large Splunkcloud deployments, use an nslookup on your search-head, and you will have the IP.
example : nslookup megazilla.splunkcloud.com
if you have several search-heads, use sh1.megazilla.splunkcloud.com sh2.megazilla.splunkcloud.com etc...
Remark : this does not apply to self service splunkcloud instances, as they use your splunk.com username for the authentication, and cannot use LDAP
For your indexers, use the same technique with the 5 dns load balanced addresses: