
How to design Splunk Enterprise in AWS using Privatelink

ajamu
New Member

We have merged with another company that has a Splunk cluster in AWS. They would like to extend services to other environments in AWS. Instead of routing to the other environments by connecting the Splunk VPC to the other VPCs using transit gateways, I would like to put the indexers behind a network load balancer and use AWS privatelink. 

PrivateLink requires putting an NLB [network load balancer] in front of the cluster and configuring the indexers as targets. The receiver builds an endpoint service in the VPC that assigns a local address that can be hit without routing. The DNS name for the service must be made to resolve to the local address by creating a hosted zone in Route 53. So, for example, if the local VPC of the log sender is 10.1.1.0/24 and the name is splunk.cluster.com, PrivateLink will use an IP address in the 10.1.1.0/24 range and splunk.cluster.com will resolve to that IP address.

I have read that you must be able to resolve multiple IP addresses for that name. I have asked my AWS representative to investigate if this would work and he told me that other users are designing access this way. There are 5 indexers spread across 3 availability zones. The domain controllers that want to send the logs will be using a UF to send the logs. The advantage of using PrivateLink is that we can provide access to Splunk across different VPCs and organizations without having to open up CIDR block access and filter access with Security Groups and NACLs.


Kyle_Sandoval
Explorer

I'm also curious about how this would work in a slightly different scenario: search peering, where the indexers/CM are in one VPC and the SHC/deployer is in a different VPC.

I would also assume you would need a 1-to-1 number of NLBs in the Splunk indexer VPC, and a 1-to-1 PrivateLink in the Splunk SHC VPC, for each indexer you'd want to connect to.


isoutamo
SplunkTrust

Hi

Splunk doesn't support any NLB between indexers and UFs when you are using the normal S2S protocol to send events from UFs to indexers! If you want to use an NLB you must use e.g. HEC to send events via a VIP/NLB to the Splunk indexers.

If you have a static environment (no dynamically added indexers), you could assign additional interfaces to those nodes and use those as receivers. Then you have a reasonable number of IPs/ports to open in the FW and SGs.

r. Ismo

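The following Terraform is an added example written for this thread; it is not code from the original poster, from Splunk, or from AWS documentation. It puts the design in the question (internal NLB, endpoint service, consumer-side interface endpoint, Route 53 private hosted zone so splunk.cluster.com resolves to an address in the sender's VPC) together with the constraint from the answer above: the NLB listener fronts HEC on TCP/8088 rather than the S2S receiving port, because HEC is the Splunk input that is supported behind a load balancer. The variable names (indexer_subnet_ids, indexer_instance_ids, consumer_vpc_id, consumer_principal_arns and so on), the zone name cluster.com and the port 8088 are assumptions chosen to match the question; the 3-AZ, 5-indexer layout comes from the question itself. Both sides are shown in one file for readability; in practice the consumer side normally lives in the other organisation's account and refers to the provider only by its service_name.

```hcl
# ---------- Provider side: the VPC that holds the 5 indexers (3 AZs) ----------

# Internal NLB; one subnet per AZ so the NLB has a node in each of the 3 AZs.
# Cross-zone balancing lets every NLB node reach all 5 indexers, not just the
# ones in its own AZ.
resource "aws_lb" "splunk_hec" {
  name                             = "splunk-hec-nlb"          # assumed name
  internal                         = true
  load_balancer_type               = "network"
  subnets                          = var.indexer_subnet_ids    # assumed: 3 subnets, one per AZ
  enable_cross_zone_load_balancing = true
}

# Targets are the indexers' HEC port. The NLB passes TCP through untouched, so
# TLS terminates on the indexers themselves and they keep the client IP.
resource "aws_lb_target_group" "hec" {
  name        = "splunk-hec-8088"
  port        = 8088
  protocol    = "TCP"
  target_type = "instance"
  vpc_id      = var.indexer_vpc_id                             # assumed

  # HEC exposes an unauthenticated health endpoint; use it rather than a bare
  # TCP check so an indexer with HEC disabled is taken out of rotation.
  health_check {
    protocol = "HTTPS"
    port     = "8088"
    path     = "/services/collector/health"
  }
}

resource "aws_lb_target_group_attachment" "indexers" {
  for_each         = toset(var.indexer_instance_ids)           # assumed: 5 instance IDs
  target_group_arn = aws_lb_target_group.hec.arn
  target_id        = each.value
  port             = 8088
}

resource "aws_lb_listener" "hec" {
  load_balancer_arn = aws_lb.splunk_hec.arn
  port              = 8088
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.hec.arn
  }
}

# The endpoint service is what the other VPCs/organisations connect to.
# acceptance_required plus an explicit principal allow-list means nobody can
# attach to the service just by knowing its name.
resource "aws_vpc_endpoint_service" "splunk" {
  acceptance_required        = true
  network_load_balancer_arns = [aws_lb.splunk_hec.arn]
  allowed_principals         = var.consumer_principal_arns     # assumed, e.g. ["arn:aws:iam::<account>:root"]
}

# ---------- Consumer side: the VPC where the UFs run (10.1.1.0/24 in the question) ----------

# Only port 8088 is reachable through the endpoint; there is no route to the
# indexer VPC, so no CIDR-to-CIDR rules are needed on either side.
resource "aws_security_group" "splunk_endpoint" {
  name   = "splunk-hec-endpoint"
  vpc_id = var.consumer_vpc_id                                 # assumed

  ingress {
    from_port   = 8088
    to_port     = 8088
    protocol    = "tcp"
    cidr_blocks = [var.consumer_vpc_cidr]                      # assumed: "10.1.1.0/24"
  }
}

# The interface endpoint allocates one ENI (one local IP) per subnet listed.
# Listing a subnet in each AZ gives the "multiple IP addresses for that name"
# the question mentions.
resource "aws_vpc_endpoint" "splunk" {
  vpc_id              = var.consumer_vpc_id
  service_name        = aws_vpc_endpoint_service.splunk.service_name
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.consumer_subnet_ids                # assumed: one per AZ
  security_group_ids  = [aws_security_group.splunk_endpoint.id]
  private_dns_enabled = false                                  # we publish our own name below
}

# Private hosted zone in the consumer VPC; the alias points at the endpoint's
# regional DNS name, so splunk.cluster.com resolves to the endpoint's local IPs.
resource "aws_route53_zone" "splunk_private" {
  name = "cluster.com"                                         # from the question

  vpc {
    vpc_id = var.consumer_vpc_id
  }
}

resource "aws_route53_record" "splunk" {
  zone_id = aws_route53_zone.splunk_private.zone_id
  name    = "splunk.cluster.com"
  type    = "A"

  alias {
    name                   = aws_vpc_endpoint.splunk.dns_entry[0].dns_name
    zone_id                = aws_vpc_endpoint.splunk.dns_entry[0].hosted_zone_id
    evaluate_target_health = false
  }
}
```

Two things to check before relying on this. First, the indexers' HEC certificate must carry splunk.cluster.com (the NLB does not terminate TLS, so the UF validates the name it dialed against the indexer's own certificate); otherwise the forwarder will either fail verification or have to be configured to skip it, which defeats the point of a private path. Second, the UF side then sends over HTTP rather than S2S, i.e. an outputs.conf [httpout] stanza with the HEC token and uri = https://splunk.cluster.com:8088, and the indexers need HEC enabled in inputs.conf with a token per sending environment so that one organisation's token can be revoked without touching the others. The search-peering case raised earlier in the thread is different: search heads address each indexer individually on the management port, so a single load-balanced name does not cover it.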