Configure IP allow lists using Splunk Web
IP allow lists control which IP addresses on your network have access to specified features in your Splunk Cloud Platform deployment. You can use the IP allow list management page in Splunk Web to add IP subnets to allow lists and manage access to Splunk Cloud Platform features in a self-service manner without assistance from Splunk Support.
Alternatively, you can configure IP allow lists programmatically using the Admin Config Service (ACS) API. For more information, see Configure IP allow lists for Splunk Cloud Platform in the Admin Config Service Manual.
Requirements
To configure IP allow lists using Splunk Web, you must:
- Have Splunk Cloud Platform version 8.2.2201 or higher.
- Hold a role that has the edit_ip_allow_list capability, including inherited roles. The sc_admin role has this capability by default.
- Enable token authentication. See Enable or disable token authentication.
Determine IP allow list use case
Splunk Cloud Platform supports several common IP allow list use cases. In each case, the IP allow list controls access to a particular Splunk Cloud Platform feature, for example Search head API access, HEC access for ingestion, and so on.
IP allow list management supports the following IP allow list use cases:
| Use Case | Port | Description | 
|---|---|---|
| Search head API access | 8089 | Grants access for customer subnets to the Splunk search head API (applies to automated interfaces). | 
| HEC access for ingestion | 443 | Allows customer's environment to send HTTP data to Splunk indexers. | 
| Indexer ingestion | 9997 | Allows subnets that include UF or HF to send data to Splunk indexers. | 
| Search head UI access | 80/43 | Grant explicit access to search head UI in regulated customer environments. | 
| IDM UI access | 443 | Grant explicit access to IDM UI in regulated customer environments. | 
| IDM API | 8089 | Grant access for add-ons that require an API. (Allows add-ons to send data to Splunk Cloud Platform.) | 
Add or remove subnets from IP allow lists
The IP allow list management page lets you add or remove subnets from IP allow lists for specified Splunk Cloud Platform features. You can add or remove one or more IP subnets for multiple different features in a single page update. You must click Save for any changes that you make to the page to propagate through the system.
Add subnets to IP allow lists
To add a subnet to an IP allow list:
- In Splunk Web, click Settings > Server settings > IP allow list.
- If token authentication is not enabled, click Go to tokens page and enable token authentication. Once token authentication is enabled, return to the IP allow list management page and refresh the page.
- Select the tab of the feature to which you wish to grant access. For example, click the "Search head UI access" tab to grant access to the search head UI.
- Click Add IP subnet.
- Enter the subnet using CIDR notation. For example, 192.0.0.0/24.
- Optionally, click Add IP subnet to add more subnets.
- Click Save. This saves all changes to the IP allow list management page since the last page update, including any subnets that you have added or removed, across all feature tabs.
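Because a single Save applies every pending subnet across all feature tabs, it helps to check the list of subnets before entering it. The following Python check is an added example, not part of the Splunk documentation or product: it rejects entries that are not valid CIDR notation, entries with host bits set, overly broad ranges, and entries already covered by another subnet. The function name `review_subnets`, the `/16` threshold, the IPv4-only scope, and the sample values are assumptions made for illustration.

```python
import ipaddress

# Assumption (not from the Splunk documentation): a prefix shorter than /16
# is treated as too broad for an allow list entry. Tune to your own policy.
MIN_PREFIX = 16


def review_subnets(candidates):
    """Check IPv4 CIDR strings before they are entered on an allow list tab.

    Returns (accepted, findings): accepted is a list of normalized CIDR
    strings, findings a list of (input, reason) for entries to fix or skip.
    """
    accepted, findings = [], []
    for raw in candidates:
        text = raw.strip()
        if "/" not in text:
            findings.append((raw, "no prefix length; use CIDR notation"))
            continue
        try:
            net = ipaddress.IPv4Network(text, strict=True)
        except ValueError:
            try:
                # Host bits set, e.g. 198.51.100.7/24: report the network.
                fixed = ipaddress.IPv4Network(text, strict=False)
                findings.append((raw, f"host bits set; network is {fixed}"))
            except ValueError:
                findings.append((raw, "not a valid IPv4 subnet"))
            continue
        if net.prefixlen < MIN_PREFIX:
            findings.append((raw, f"/{net.prefixlen} is broader than /{MIN_PREFIX}"))
            continue
        cover = next((a for a in accepted if net.subnet_of(a)), None)
        if cover is not None:
            findings.append((raw, f"already covered by {cover}"))
            continue
        # Drop earlier, narrower entries that this subnet now covers.
        accepted = [a for a in accepted if not a.subnet_of(net)]
        accepted.append(net)
    return [str(n) for n in accepted], findings


# Constructed sample input, not taken from a real deployment.
SAMPLE = ["192.0.0.0/24", "198.51.100.7/24", "0.0.0.0/0", "203.0.113.0/25",
          "203.0.113.0/24", "192.0.0.128/25", "10.0.0.5", "bogus/24"]

if __name__ == "__main__":
    ok, problems = review_subnets(SAMPLE)
    print("enter:", ok)
    for entry, reason in problems:
        print(f"fix or skip {entry!r}: {reason}")
```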
Remove subnets from IP allow lists
To delete a subnet from an IP allow list:
- Select the tab for the feature from which you wish to revoke access.
- Click X to delete the existing subnet.
- Click Save. This saves all changes to the IP allow list management page since the last page update, including any subnets that you have added or removed, across all feature tabs.