I was wondering if there was a page detailing the network security we need to setup? I believe we will just need to point at the indexers on port 9997 and the deployment server on 8089. Along those lines, we have a direct connection to amazon and a lot of our logs are coming from our own VPC, is there just a way we can connect directly?
to use Splunk Cloud, you must allow your forwarders to talk to your Splunk Cloud instance over TCP port 9997.
To determine what indexers you are using, open the SplunkForwarderapp that you got when you signed up and look at the outputs.conf file :
#SPLUNK CLOUD BASE SETTINGS [tcpout] defaultGroup =splunk_cloud [tcpout:splunk_cloud] useACK = true disabled = false server = idx1.poc5.splunkcloud.com:9997,idx2.poc5.splunkcloud.com:9997,idx3.poc5.splunkcloud.com:9997 ==CHOP==
You will see the list of indexers after server= . Resolve those to get the list of IPs.
You will also need to allow TCP 443 to access yourdomain.splunkcloud.com.
Regarding Deployment Servers, that is presently something that the end-user runs, and is not part of the Splunk Cloud Service. But locally, yes, you need to allow TCP 8089 from UFs to DS. (see this for more info on Regular Splunk Ports: http://answers.splunk.com/answers/58888/what-are-the-ports-that-i-need-to-open)
Regarding your VPC. Splunk Cloud environments each have their own VPCs. So you would send data out of your VPC, through AWS and into our VPCs. Splunk Cloud doesn't run in your VPC, and "direct connecting" VPCs is not currently offered.
That first sentence troubles me. The forwarders connect to Splunk Cloud via SSL. The configuration to make this happen is available in the SplunkForwarderApp as mentioned. The piece about allowing the forwarders to "talk to your Splunk Cloud instance over TCP port 9997" is not correct to the best of my knowledge.