Clustered Deployment (C)

Initial Publication: June 23, 2025

Last Reviewed: April 8, 2025

Architecture diagram

The following diagram represents a single-site Splunk SOAR (On-premises) clustered deployment topology.


Architecture overview

This deployment topology is implemented with multiple Splunk SOAR (On-premises) nodes and external services. This architecture is suitable for organizations that need high capacity processing of events or have a high number of users accessing the system.

The topology is suitable for one of the following situations:

  • Your event ingestion is > 30,000 events per hour
  • You have more than 50 concurrent users accessing Splunk SOAR (On-premises)

Benefits

The primary benefits of this topology include the following:

  • Scalable to increase automation capacity
  • Automation and ingestion redundancy to handle a node failure
  • Increased uptime during upgrades and maintenance

Limitations

The primary limitations of this topology include the following:

  • No High Availability for ingestion and automation
  • Complex administration and setup
  • External services (load balancer, file share, database) are required

Additional considerations

When using this topology, you may find the following information helpful:

  • A minimum of three Splunk SOAR (On-premises) nodes is required for a cluster.
  • For enhanced availability and resilience, consider using cloud-native services for the external shared services (load balancer, file share, database).