You can deploy the Splunk app for AWS in several different ways. You should think about the app as having 3 functions: data collection, storage, and UI. You can run all or some of those functions in your data center, in AWS or in a hybrid deployment.
For example, you could run an entirely on-prem solution, with a search head that runs the AWS app (provides the UI capability), but also collects data from AWS (data collection), and forwards that data to an indexer (the storage). Or you could deploy a search head in your corporate data center with the AWS app installed, and then perform the collection on a forwarder running the AWS app in AWS and send data to an indexer also running in AWS.
You might want an indexer in each account (VPC) if you are running forwarders on your EC2 instances. If not, there isn't any direct connection between your account/VPCs and the Splunk app for AWS. The app just needs connectivity to AWS endpoints which are accessible over the internet.