Set up egress private connectivity

Configure egress private connectivity using the Admin Configuration Service (ACS) API.

Set up egress private connectivity for secure, private outbound connections from Splunk Cloud Platform to customer-owned services via AWS PrivateLink. Supported use cases include DB Connect, Federated Search, and UBA.

You can configure egress private connectivity on a self-service basis using the Admin Config Service (ACS) API.

Note: Egress private connectivity is an opt-in feature and does not affect existing public internet egress or NAT IP behavior. You can run public and private egress paths simultaneously during migration or testing.

For detailed information on how egress private connectivity works, see About egress private connectivity.

Requirements

Before you configure egress private connectivity, ensure the following:

  • Your Splunk Cloud Platform stack is deployed on AWS (Azure and GCP are not supported).
  • Your Splunk Cloud Platform deployment is a commercial or GovCloud environment (DoD IL5 is not supported).
  • Your VPC Endpoint Service and the Splunk Cloud Platform stack are provisioned in the same AWS region.
  • You have a valid ACS API authentication token. For information on obtaining a token, see Basic setup and usage concepts for the ACS API.

Prepare AWS resources before using the ACS API

  1. Create a new VPC Endpoint Service in the same AWS region as your Splunk Cloud stack.
  2. Associate a private DNS name with the VPC Endpoint Service and verify the domain. This step is required if you plan to enable private DNS resolution (dnsEnabled: true) on your endpoints.
  3. Deploy a Network Load Balancer (NLB) that spans all Availability Zones in the region.
  4. Configure security groups and rules to allow ingress traffic from the Splunk Cloud VPC endpoint.

Configure egress private connectivity using the ACS API

Configure and manage egress private connectivity for your Splunk Cloud Platform deployment using the ACS API.

Use ACS API endpoints to configure and manage egress private connectivity for your Splunk Cloud Platform stack. All requests require an Authorization header with a valid Bearer token, for example: Authorization: Bearer <your-token>

To configure egress private connectivity for the first time, complete the following ACS API requests in order:

  1. Check eligibility
  2. Retrieve Splunk AWS Account ID
  3. Enable egress private connectivity

After initial setup, use the remaining ACS API endpoints to manage your egress private connectivity configuration.

Check eligibility for egress private connectivity

Before enabling egress private connectivity, verify that your Splunk Cloud Platform stack is eligible for the feature. A stack must be deployed on AWS to be eligible.

Endpoint

CODE
GET /{stack}/adminconfig/v2/egress-private-connectivity/eligibility

Example request

CODE
curl -X GET "https://admin.splunk.com/{stack}/adminconfig/v2/egress-private-connectivity/eligibility" \
  -H "Authorization: Bearer <your-token>"

Example response

JSON
{
  "eligible": true
}

Response codes

Code  Description
200   Success. Indicates the stack is eligible.

Note: Only stacks deployed on AWS are eligible. Azure and GCP are not supported at this time.

Retrieve Splunk AWS Account ID

Retrieve the AWS Account ID and region where your Splunk Cloud Platform stack is deployed. You need this information to add the Splunk account as an allowed principal on your VPC Endpoint Service before enabling egress private connectivity.

Endpoint

CODE
GET /{stack}/adminconfig/v2/egress-private-connectivity/account-id

Example request

CODE
curl -X GET "https://admin.splunk.com/{stack}/adminconfig/v2/egress-private-connectivity/account-id" \
  -H "Authorization: Bearer <your-token>"

Example response

JSON
{
  "accountId": "123456789012",
  "region": "us-east-1"
}

Response codes

Code  Description
200   Success. Returns the AWS Account ID and region.

Important: After retrieving the Account ID, add it as an allowed principal on your VPC Endpoint Service before proceeding to enable egress private connectivity. This allows Splunk Cloud to connect to your VPC Endpoint Service.

Enable egress private connectivity

Specify one or more VPC Endpoint Service names to initiate the connection between Splunk Cloud and your VPC Endpoint Service. If your stack already has egress private connectivity enabled, send a PATCH request to add or update endpoints.

Endpoint

CODE
POST /{stack}/adminconfig/v2/egress-private-connectivity/endpoints

Example request (without DNS)

CODE
curl -X POST "https://admin.splunk.com/{stack}/adminconfig/v2/egress-private-connectivity/endpoints" \
  -H "Authorization: Bearer <your-token>" \
  -H "Content-Type: application/json" \
  -d '{
  "endpoints": [
    {
      "endpoint": "com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc"
    }
  ]
}'

Example response

JSON
{
  "endpoints": [
    {
      "endpoint": "com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc"
    }
  ]
}

Response codes

Code  Description
202   Accepted. The request has been accepted and provisioning is in progress.
400   Bad request. Possible causes: no endpoints provided, invalid endpoint name format, or egress private connectivity is already enabled (use PATCH instead).
403   Forbidden. The stack is not eligible for egress private connectivity.

Request body parameters

Parameter   Required  Description
endpoint    Yes       The VPC Endpoint Service name. Must follow the format com.amazonaws.vpce.<region>.vpce-svc-<id>.
dnsEnabled  No        Set to true to enable private DNS resolution for the endpoint. Defaults to false if not specified.

Note: After sending the POST request, you must approve the Splunk connection request on your VPC Endpoint Service. Depending on your configuration, this is either done manually or auto-approved.

Important: To enable DNS, use a two-step approach: send a POST request to create the endpoint, then send a PATCH request to enable DNS after completing domain validation. See Update endpoints or enable DNS.

Update endpoints or enable DNS

Add additional endpoints or enable private DNS on existing endpoints. You can also combine both operations in a single request.

Endpoint

CODE
PATCH /{stack}/adminconfig/v2/egress-private-connectivity/endpoints

Example request (enable DNS on an existing endpoint)

CODE
curl -X PATCH "https://admin.splunk.com/{stack}/adminconfig/v2/egress-private-connectivity/endpoints" \
  -H "Authorization: Bearer <your-token>" \
  -H "Content-Type: application/json" \
  -d '{
  "endpoints": [
    {
      "endpoint": "com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc",
      "dnsEnabled": true
    }
  ]
}'

Example request (add a new endpoint and update an existing one)

CODE
curl -X PATCH "https://admin.splunk.com/{stack}/adminconfig/v2/egress-private-connectivity/endpoints" \
  -H "Authorization: Bearer <your-token>" \
  -H "Content-Type: application/json" \
  -d '{
  "endpoints": [
    {
      "endpoint": "com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc",
      "dnsEnabled": true
    },
    {
      "endpoint": "com.amazonaws.vpce.us-east-1.vpce-svc-0e123xyz123198xyz"
    }
  ]
}'

Example response

JSON
{
  "endpoints": [
    {
      "endpoint": "com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc",
      "dnsEnabled": true
    },
    {
      "endpoint": "com.amazonaws.vpce.us-east-1.vpce-svc-0e123xyz123198xyz"
    }
  ]
}

Response codes

Code  Description
202   Accepted. The update request has been accepted and changes are being provisioned.
400   Bad request. Possible causes: no body, missing endpoint field, empty endpoints array, or egress private connectivity is not yet initialized.

Important: You must enable egress private connectivity using POST before you can use PATCH to update endpoints or enable DNS. To avoid provisioning failures, ensure that existing endpoints have a status of available before enabling DNS (dnsEnabled: true).

Check endpoint status

Retrieve the current status and provisioning progress of all configured egress private connectivity endpoints.

Endpoint

CODE
GET /{stack}/adminconfig/v2/egress-private-connectivity/endpoints

Example request

CODE
curl -X GET "https://admin.splunk.com/{stack}/adminconfig/v2/egress-private-connectivity/endpoints" \
  -H "Authorization: Bearer <your-token>"

Example response

JSON
{
  "endpoints": [
    {
      "endpoint": "com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc",
      "status": "available",
      "reason": "initialized",
      "dnsEnabled": true
    },
    {
      "endpoint": "com.amazonaws.vpce.us-east-1.vpce-svc-0e123xyz123198xyz",
      "status": "unavailable",
      "reason": "initialization is in progress",
      "dnsEnabled": false
    }
  ]
}

Response codes

Code  Description
200   Success. Returns the status of all endpoints.

Endpoint status values

Status       Reason                         Description
available    initialized                    The VPC endpoint is provisioned and ready for use.
unavailable  initialization is in progress  The endpoint is being provisioned. Wait and check status again.
unavailable  initialization failed          Endpoint provisioning failed. Verify your VPC Endpoint Service configuration and try again.
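As an added example (not part of the Splunk documentation or the ACS service itself), the following Python covers the Enable, Update/DNS and Check endpoint status sections together: it validates VPC Endpoint Service names against the region returned by GET account-id before building the initial POST body, and reads a GET endpoints status response to decide which endpoints are ready for the dnsEnabled PATCH, which are still provisioning, and which failed. The function names and the sample status response are assumptions constructed from the page's examples.

```python
import re

# VPC Endpoint Service name format the API requires: com.amazonaws.vpce.<region>.vpce-svc-<id>
SERVICE_NAME = re.compile(r"^com\.amazonaws\.vpce\.(?P<region>[a-z0-9-]+)\.vpce-svc-[a-z0-9]+$")

def build_enable_body(services, account_info):
    """Body for the initial POST /endpoints. No dnsEnabled here: DNS is a later PATCH.
    account_info is the GET /account-id response; the stack region must match each service."""
    if not services:
        raise ValueError("POST requires at least one endpoint (the API answers 400 otherwise)")
    for name in services:
        m = SERVICE_NAME.match(name)
        if not m:
            raise ValueError(f"malformed VPC Endpoint Service name: {name}")
        if m.group("region") != account_info["region"]:
            raise ValueError(f"{name} is in {m.group('region')}, stack is in {account_info['region']}")
    return {"endpoints": [{"endpoint": s} for s in services]}

def plan_dns_patch(status_response):
    """Given GET /endpoints output, return (patch_body_or_None, pending, failed).
    Only endpoints already 'available' without DNS go into the PATCH body; pending ones
    wait for the next poll; failed ones need the endpoint service checked first."""
    ready, pending, failed = [], [], []
    for ep in status_response["endpoints"]:
        if ep["status"] == "available":
            if not ep.get("dnsEnabled", False):
                ready.append({"endpoint": ep["endpoint"], "dnsEnabled": True})
        elif ep.get("reason") == "initialization failed":
            failed.append(ep["endpoint"])
        else:
            pending.append(ep["endpoint"])
    body = {"endpoints": ready} if ready else None
    return body, pending, failed

# Constructed sample status response (assumption): one endpoint ready, one still provisioning
SAMPLE_STATUS = {"endpoints": [
    {"endpoint": "com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc",
     "status": "available", "reason": "initialized", "dnsEnabled": False},
    {"endpoint": "com.amazonaws.vpce.us-east-1.vpce-svc-0e123xyz123198xyz",
     "status": "unavailable", "reason": "initialization is in progress", "dnsEnabled": False},
]}

if __name__ == "__main__":
    acct = {"accountId": "123456789012", "region": "us-east-1"}  # GET /account-id sample values
    print(build_enable_body([e["endpoint"] for e in SAMPLE_STATUS["endpoints"]], acct))
    print(plan_dns_patch(SAMPLE_STATUS))
```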

Delete an endpoint

Remove specific endpoints by name, or pass an empty array ("endpoints": []) to remove all endpoints. Removing all endpoints automatically disables egress private connectivity on your stack.

Endpoint

CODE
DELETE /{stack}/adminconfig/v2/egress-private-connectivity/endpoints

Example request (remove a specific endpoint)

CODE
curl -X DELETE "https://admin.splunk.com/{stack}/adminconfig/v2/egress-private-connectivity/endpoints" \
  -H "Authorization: Bearer <your-token>" \
  -H "Content-Type: application/json" \
  -d '{
  "endpoints": [
    "com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc"
  ]
}'

Example response

JSON
{
  "endpoints": [
    "com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc"
  ]
}

Example request (delete all endpoints)

CODE
curl -X DELETE "https://admin.splunk.com/{stack}/adminconfig/v2/egress-private-connectivity/endpoints" \
  -H "Authorization: Bearer <your-token>" \
  -H "Content-Type: application/json" \
  -d '{
  "endpoints": []
}'

Example response

JSON
{
  "endpoints": []
}

Response codes

Code  Description
204   Success. The endpoint has been removed.
400   Bad request. Possible causes: the endpoint is not found in the current configuration, or egress private connectivity is not initialized.