About private connectivity
Splunk Cloud Platform private connectivity allows you to route ingestion and search traffic between your cloud provider's private virtual network and Splunk Cloud Platform using private link technologies, bypassing the public internet.
Splunk Cloud Platform encrypts all data in flight using Transport Layer Security (TLS) 1.2+ for ingest and HTTPS for search. You can restrict traffic further by establishing firewall rules or creating an IP allow list. While these protections are sufficient for most customers, private connectivity supports organizations with stricter security and compliance requirements.
AWS
Azure
This diagram illustrates how private connectivity links an Azure virtual network to a Splunk Cloud Platform deployment.
GCP
This diagram illustrates how private connectivity links a GCP project to a Splunk Cloud Platform deployment via Google Private Service Connect.
To configure private connectivity, use the Admin Config Service (ACS) API to confirm eligibility and enable the feature. Splunk Cloud Platform will provision service endpoints so that your Splunk Cloud Platform deployment accepts your data. For more information, see Turn on private connectivity.
Requirements
To use private connectivity with your Splunk Cloud Platform deployment:
- You must be using AWS, Azure, or GCP infrastructure.
- You must be on the Victoria Experience (AWS and Azure standard regions), the Classic Experience (USGov and FedRAMP Moderate regions), or either the Victoria Experience or the Classic Experience (GCP).
- Your deployment must have one or more standalone search heads or a search head cluster. Private connectivity requires ACS, which is not supported on single instance deployments.
- You must have the sc_admin role for the ACS API.
- For IPv6 private connectivity, Splunk Cloud Platform must be deployed on AWS and have IPv6 enabled. IPv6 is not supported for GCP or Azure private connectivity.
Scope and considerations
Consider the following before enabling the private connectivity feature:
- Data that you send to the Splunk Cloud Platform from a universal forwarder, heavy forwarder, or HTTP Event Collector (HEC) for ingest into Splunk Cloud Platform will flow over your cloud provider's private link technology.
- Search, API, and UI traffic to Splunk Cloud Platform can also be enabled to flow over your private link.
- Data other than searches and data sent for ingestion (for example, Inputs Data Manager data) will continue to use the public internet, unless the cloud provider offers a private connection to the data.
- AWS
  - AWS PrivateLink supports unidirectional data traversal only. Traffic in any direction other than from your AWS environment to Splunk Cloud Platform continues to flow over the public internet.
  - To connect multiple AWS accounts through private connectivity, you need to create a VPC and PrivateLink endpoint for each account.
  - All data other than searches and data sent for ingestion to Splunk Cloud Platform over PrivateLink (for example, Inputs Data Manager data, Splunk Cloud to Splunk Enterprise Federated Search, and so on) will continue to use public endpoints. This includes app data or services that require HTTP Event Collector (HEC) acknowledgments. However, even when using public endpoints, data sent from an AWS VPC or service to Splunk Cloud will remain on the AWS network and will not traverse the public internet. In addition, any access to customer S3 buckets from Splunk Cloud (such as DDSS, FSS3, or AWS TA) uses a gateway endpoint to ensure a private connection.
  - You are responsible for AWS costs associated with your VPC. For more information, see AWS PrivateLink pricing.
  - To use IPv6:
    - First, enable the IPv6 feature on your AWS-hosted Splunk Cloud Platform deployment.
    - Enable IPv6 support within the VPC in your AWS account.
    - Create IPv6 subnets to which the IPv6 endpoint can be assigned.
- Azure
  - To connect multiple Azure accounts through private connectivity, you need to create a private virtual network and private link endpoint for each account.
  - You are responsible for Azure costs associated with your virtual network. For more information, see Azure Private Link pricing.
- GCP
  - GCP private connectivity uses Google Private Service Connect (PSC) for both ingest and search traffic.
  - By default, private connectivity is enabled in Mixed-Mode, which allows data to flow over both the private PSC endpoint and the existing internet-facing endpoint simultaneously. This lets you migrate ingestion at your own pace before disabling public access.
  - Private connectivity for search applies to all standalone search heads and search head clusters on the stack. You cannot configure it on a per-search-head basis.
  - PSC connections are limited to 100 connections per service per project. Contact your Splunk account representative if you require additional connections.
  - Private connectivity is available across all GCP regions. For cross-region connectivity, enable global access on your PSC connections and configure firewall rules to allow traffic on the appropriate ports from cross-region subnets.
  - You are responsible for GCP costs associated with your virtual network and PSC endpoints. For more information, see Google Private Service Connect documentation.
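Because Mixed-Mode (and a public endpoint that is never switched off) lets ingestion keep flowing over the internet-facing path, a useful post-enablement check is to confirm from inside your network that the stack hostname actually resolves into the private endpoint's subnets, and that the TLS floor described above is what gets negotiated. The following Python script is an added example written for this page; it is not Splunk code and does not call the ACS API. The hostname, the endpoint CIDRs, and the offline resolver used in the `__main__` block are constructed values to be replaced with your own.

```python
# Added example (not Splunk's code): audit whether a Splunk Cloud Platform
# hostname resolves into your private-link endpoint's subnets, and confirm
# a TLS 1.2+ session can be negotiated to it.
import ipaddress
import socket
import ssl
from typing import Callable, Dict, List, Tuple

# Constructed, assumed values: a stack hostname and the CIDRs of the VPC,
# virtual network, or project subnets that hold the private endpoint.
EXAMPLE_HOST = "inputs.example-stack.splunkcloud.com"
EXAMPLE_ENDPOINT_CIDRS = ["10.20.0.0/16", "fd00:10:20::/48"]

Resolver = Callable[[str], List[str]]


def classify_address(addr: str, endpoint_cidrs: List[str]) -> str:
    """Classify one resolved address relative to the endpoint subnets.

    "private-endpoint": inside one of the endpoint CIDRs (expected).
    "public":           globally routable, so the name still points at the
                        internet-facing endpoint.
    "private-other":    private/ULA space that is not the endpoint, which
                        usually means a stale or misdirected DNS override.
    """
    ip = ipaddress.ip_address(addr)
    for cidr in endpoint_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if ip.version == net.version and ip in net:
            return "private-endpoint"
    if ip.is_global:
        return "public"
    return "private-other"


def system_resolver(host: str) -> List[str]:
    """Resolve host to its A and AAAA records with the system resolver."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def audit_resolution(host: str, endpoint_cidrs: List[str],
                     resolver: Resolver = system_resolver) -> Dict[str, str]:
    """Map every address the host resolves to onto its classification."""
    return {addr: classify_address(addr, endpoint_cidrs) for addr in resolver(host)}


def uses_private_path_only(report: Dict[str, str]) -> bool:
    """True only when every resolved address lands in the endpoint subnets."""
    return bool(report) and all(v == "private-endpoint" for v in report.values())


def tls_handshake_ok(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[bool, str]:
    """Negotiate TLS with a 1.2 floor; returns (ok, negotiated version or error)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version() or "unknown"
    except (OSError, ssl.SSLError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed resolver so the example runs offline; swap in
    # system_resolver to audit a real hostname from inside your network.
    fake_dns = {EXAMPLE_HOST: ["10.20.3.7", "fd00:10:20::7", "93.184.216.34"]}
    report = audit_resolution(EXAMPLE_HOST, EXAMPLE_ENDPOINT_CIDRS, fake_dns.__getitem__)
    for addr, verdict in report.items():
        print(f"{addr:>24}  {verdict}")
    print("private path only:", uses_private_path_only(report))
```

Run it from a host inside the VPC or virtual network that holds the endpoint; a `public` verdict for any address means that client would still reach the stack over the internet-facing endpoint, which is the state you want to detect before disabling public access. `tls_handshake_ok` is only meaningful against a live stack and is left out of the offline run.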