How to design Splunk Enterprise in AWS using Privatelink

ajamu
New Member

We have merged with another company that has a Splunk cluster in AWS. They would like to extend services to other environments in AWS. Instead of routing to the other environments by connecting the Splunk VPC to the other VPCs using transit gateways, I would like to put the indexers behind a network load balancer and use AWS privatelink. 

PrivateLink requires putting an NLB [network load balancer] in front of the cluster and configuring them as targets. The receiver builds an endpoint service in the VPC that assigns a local address that can be hit without routing. The DNS name for the service must be made to resolve to the local address by creating a hosted zone in Route 53. So, for example, if the local VPC of the log sender is 10.1.1.0/24 and the name is splunk.cluster.com, PrivateLink will use an IP address in the 10.1.1.0/24 range and splunk.cluster.com will resolve to that IP address.

I have read that you must be able to resolve multiple IP addresses for that name. I have asked my AWS representative to investigate if this would work and he told me that other users are designing access this way. There are 5 indexers spread across 3 availability zones. The domain controllers that want to send the logs will be using a UF to send the logs. The advantage of using PrivateLink is that we can provide access to Splunk across different VPCs and organizations without having to open up CIDR block access and filter access with Security Groups and NACLs.

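The resolution behaviour described in the question (the service name must resolve to local endpoint addresses inside the consumer VPC, one per AZ) is the thing most worth checking before pointing forwarders at it. The following is an added example, not code from the post or from AWS: a small check that every answer for the PrivateLink name falls inside the consumer VPC CIDR and that there is one answer per AZ. The name splunk.cluster.com and the CIDR 10.1.1.0/24 come from the question; the three-AZ count, the resolver answers and the `fake_resolver` helper are constructed assumptions so the check runs offline.

```python
"""Verify that a PrivateLink service name resolves to in-VPC endpoint addresses.

Added example for the thread above, not Splunk's or AWS's own code.
The name, CIDR, AZ count and the resolver answers are constructed assumptions.
"""
import ipaddress
import socket


def resolve_all(name, resolver=None):
    """Return every IPv4 answer for name.

    resolver is an optional callable used to inject answers (for offline
    tests); without it the system resolver (getaddrinfo) is consulted.
    """
    if resolver is not None:
        return list(resolver(name))
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})


def check_endpoint_resolution(name, vpc_cidr, az_count, resolver=None):
    """Check that the service name behaves like a PrivateLink interface endpoint.

    (1) every answer must sit inside the consumer VPC CIDR, i.e. be the local
        endpoint ENI address rather than a routed remote address; and
    (2) there must be one answer per AZ the endpoint was deployed in.
    Returns (ok, problems).
    """
    net = ipaddress.ip_network(vpc_cidr)
    problems = []
    addrs = resolve_all(name, resolver)
    if not addrs:
        problems.append(f"{name} does not resolve; check the Route 53 private hosted zone")
    for a in addrs:
        if ipaddress.ip_address(a) not in net:
            problems.append(f"{a} is outside {vpc_cidr}: traffic would be routed, not PrivateLinked")
    if addrs and len(addrs) != az_count:
        problems.append(f"expected {az_count} endpoint addresses (one per AZ), got {len(addrs)}")
    return (not problems, problems)


# Constructed answers standing in for a private hosted zone alias to the
# interface endpoint's ENIs, one per AZ (assumption: 3 AZs as in the question).
GOOD_ANSWERS = {"splunk.cluster.com": ["10.1.1.10", "10.1.1.74", "10.1.1.138"]}
# Constructed misconfiguration: one answer leaks an address from another VPC
# and one AZ has no endpoint address at all.
BAD_ANSWERS = {"splunk.cluster.com": ["10.1.1.10", "10.200.5.9"]}


def fake_resolver(table):
    """Build a resolver callable from a constructed name -> addresses table."""
    return lambda name: table.get(name, [])


if __name__ == "__main__":
    for label, table in (("good", GOOD_ANSWERS), ("bad", BAD_ANSWERS)):
        ok, problems = check_endpoint_resolution(
            "splunk.cluster.com", "10.1.1.0/24", 3, fake_resolver(table))
        print(label, "OK" if ok else "FAIL", problems)
```

Run it against the real name by dropping the `resolver` argument on a host inside the consumer VPC; an answer outside the VPC CIDR usually means the private hosted zone is not associated with that VPC and the public name is being returned instead.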

Kyle_Sandoval
Explorer

I'm also curious how this would work in a slightly different scenario: search peering, where the indexers/CM are in one VPC and the SHC/deployer is in a different VPC.

I would also assume you would need a 1-to-1 number of NLBs in the Splunk indexer VPC, and a 1-to-1 PrivateLink in the Splunk SHC VPC, for each indexer you'd want to connect to.


isoutamo
SplunkTrust

Hi

Splunk doesn't support any NLB between indexers and UFs when you are using the normal S2S protocol to send events from the UF to indexers! If you want to use an NLB you must use e.g. HEC to send events via a VIP/NLB to the Splunk indexers.

If you have a static environment (no dynamically added indexers), you could assign additional interfaces to those nodes and use those as receivers. Then you have a reasonable number of IPs/ports to open in the FW and SGs.

r. Ismo

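One way to act on the HEC suggestion above, as an added example that is not part of the thread or Splunk's own code: a minimal HEC client that batches events and POSTs them to the collector endpoint behind the VIP/NLB, paired with a local mock of the HEC endpoint so it runs offline. The token value, the Windows-style sample events and the `MockHEC` server are constructed assumptions; in a real deployment the URL would be the PrivateLink name from the question on the HEC port, e.g. https://splunk.cluster.com:8088, and the mock stands in only for the token check and the `{"text":"Success","code":0}` reply.

```python
"""HEC sender through a VIP/NLB, with an offline mock HEC endpoint.

Added example for the thread above, not Splunk's own code. The token, the
events and the mock server are constructed assumptions.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

HEC_PATH = "/services/collector/event"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"  # placeholder token (assumption)


def build_batch(events, index="wineventlog", sourcetype="XmlWinEventLog"):
    """Serialise events as HEC's newline-delimited JSON batch body."""
    return "\n".join(
        json.dumps({"event": e, "index": index, "sourcetype": sourcetype})
        for e in events
    ).encode()


def send_batch(base_url, token, events, timeout=5):
    """POST one batch to <base_url>/services/collector/event and return HEC's reply."""
    req = urllib.request.Request(
        base_url + HEC_PATH,
        data=build_batch(events),
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


class MockHEC(BaseHTTPRequestHandler):
    """Constructed stand-in for HEC: checks the token and records events."""
    received = []

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.headers.get("Authorization") != f"Splunk {HEC_TOKEN}":
            self._reply(403, {"text": "Invalid token", "code": 4})
            return
        if self.path != HEC_PATH:
            self._reply(404, {"text": "Not found", "code": 10})
            return
        for line in body.decode().splitlines():
            MockHEC.received.append(json.loads(line))
        self._reply(200, {"text": "Success", "code": 0})

    def _reply(self, status, payload):
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # silence request logging
        pass


def start_mock_hec():
    """Start the mock on an ephemeral loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), MockHEC)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


def demo():
    """Send two constructed logon events, then a batch with a bad token.

    Returns (hec_code, events_accepted, bad_token_rejected).
    """
    srv, url = start_mock_hec()
    try:
        reply = send_batch(url, HEC_TOKEN, [
            {"EventCode": 4624, "host": "dc01", "msg": "An account was successfully logged on"},
            {"EventCode": 4625, "host": "dc01", "msg": "An account failed to log on"},
        ])
        try:
            send_batch(url, "wrong-token", [{"EventCode": 4624, "host": "dc01"}])
            rejected = False
        except urllib.error.HTTPError as e:
            rejected = e.code == 403
    finally:
        srv.shutdown()
    return reply["code"], len(MockHEC.received), rejected


if __name__ == "__main__":
    print(demo())
```

Because HEC is plain HTTPS, a layer-4 NLB can forward it and PrivateLink can front it; the indexer-side token, not the client's source CIDR, is then what authorises the sender, which is the property the question was after.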