Thank you for your reply.

Could you tell me how to set up indexes in a private subnet without using an NLB, and how to configure forwards?

Splunk have internal LB in UF/HF -> HF/Indexers. There are two options to use it. If you have static IPs on your indexers then you can just create outputs.conf which contains those. But if you have not so static IP on indexers (those are e.g. in cloud, or you need more indexers frequently) then you could use indexer discovery feature. This keeps list of indexers on master node and UFs/HFs is asking it and then those can modify their output targets on fly.

https://docs.splunk.com/Documentation/Splunk/latest/Indexer/indexerdiscovery

Thank you for providing the link. Let me confirm once again.

My client requires all nodes to be kept in a private subnet.

So, by using indexer discovery, I can place both the manager node and peer nodes in the private subnet, then set up an NLB in the public subnet in front of the manager node, with TLS communication encryption enabled.

In this case, in the forwarders’ configuration, I only need to set this NLB to the manager_uri, correct?

You should set pair of HF or UF as a gateway / “NLB” between the source client in public subnet and cluster peers in private network. Those gateway nodes use indexer discovery towards splunk indexers in private subnet. The they have static IPs towards public subnet and they received events from source systems. Then in source systems are static outputs.conf where are static ips of those gateway nodes. There is no direct connections between source systems and splunk indexers or manager node. NLB cannot be e.g. F5, AWS NLB or any similar real load balancer.