Warm standby (D)

Initial Publication: June 23, 2025

Last Reviewed: April 8, 2025

Architecture diagram

The following diagram represents a Splunk SOAR (On-premises) Warm Standby topology that can support single or multi-site environments.


Architecture overview

This deployment topology is implemented with Active/Passive nodes that provide full disaster recovery with multi-regional support. This architecture maintains the simplicity of keeping all of the Splunk SOAR (On-premises) services contained on one server while providing an additional instance for failover in the event of a primary outage or site-level disaster, with recovery in minutes.

The topology is suitable for one of the following situations:

  • Your event ingestion is < 30,000 events per hour
  • You have fewer than 50 users accessing Splunk SOAR (On-premises)
  • You need to recover your Splunk SOAR (On-premises) deployment in hours

Benefits

The primary benefits of this topology include the following:

  • Ability to quickly and easily switch to a passive instance
  • Greater availability for running automation and user access
  • Reduced downtime and data loss

Limitations

The primary limitations of this topology include the following:

  • No High Availability for action and container state, causing potential ingestion and automation failures
  • Scalability limited by hardware capacity
  • Additional resources required
  • No built-in automated failover, although failover could be automated with external resources
  • Cannot use externalized services for the database or file system

Additional considerations

When using the topology, you may find the following information helpful:

  • Nodes can be geographically separated to provide greater redundancy
  • DNS records can be used to easily connect when failed over
  • Steps are required to recreate the warm standby after a failover