The following diagram represents a Splunk SOAR (Cloud) Deployment topology.

This deployment topology is implemented using Splunk SOAR (Cloud) with an on-premises automation broker, if needed. Splunk handles a large portion of the Splunk SOAR (Cloud) administration tasks including updates and system availability. The Automation Broker provides a secure way to interact with resources in your environment.

The topology is suitable for one of the following situations:

• You have requirements to provide high-availability or automatic disaster recovery for your Splunk SOAR (On-premises) Deployment.
• Your event ingestion is less than the current Splunk SOAR Cloud ingestion service limit.

The primary benefits of this topology include the following:

• Easy manageability and a fixed TCO.
• High availability levels defined in SOAR cloud service levels.
• Scalability provided by Splunk managed infrastructure.
• Regularly updated with the latest features and performance improvements.

The primary limitations of this topology include the following:

• Constrained to regional deployments.
• Forwarding Splunk SOAR (On-premises) logs to Splunk Enterprise will require access from Splunk SOAR (Cloud).
• Differences Between Splunk SOAR (Cloud) and Splunk SOAR (On-premises).
• Available in specific cloud service providers.
• Bound to service limits and constraints.

When using the topology, you may find the following information helpful:

• Multiple Automation Brokers can be deployed to connect with resources in different parts of the environment.