About egress private connectivity
Use egress private connectivity for private outbound connections from Splunk Cloud Platform to your AWS VPC endpoints.
Egress private connectivity allows you to initiate connections from Splunk Cloud Platform to endpoints in your AWS Virtual Private Cloud (VPC) without routing traffic over the public internet. This feature operates independently from private connectivity (ingress), which provides private access to your search and ingestion tiers.
Endpoints are protected by stack-specific security groups, ensuring connectivity is properly segmented even when stacks share a VPC. Use egress private connectivity with features such as DB Connect and Federated Search, where Splunk Cloud Platform initiates outbound connections to customer-owned resources.
To configure egress private connectivity for your deployment, see Set up egress private connectivity.
Requirements
Requirements for using egress private connectivity
Splunk Cloud Platform supports egress private connectivity in the following environments:
- AWS (GCP and Azure are not supported)
-
Amazon GovCloud IL2 and IL5 (but not for U.S. Department of Defense)
Note: GovCloud stacks must be in the same region as the VPC endpoint service.
Load balancing and DNS considerations
Specific additional considerations for egress private connectivity
You can use advanced load balancing configurations, such as NLB with an Application Load Balancer (ALB) target, to support TLS termination and Server Name Indication (SNI) routing rules.
Load balancer examples
Examples of egress private connectivity load balancer configurations
The following examples illustrate two common load balancing configurations for your VPC endpoint service. Your configuration may differ based on your requirements.
TCP Passthrough
In this example, you set up a simple NLB with unique listener ports. Where backends share a port, configure the listener to perform port translation so the backend receives traffic on the correct port. Document the port relationships so you can configure Splunk with the correct port.
NLB/ALB Target
In this example, SNI rules on the ALB target groups route traffic to the appropriate backend. Use this configuration when you require specific hostnames for TLS validation.
Private DNS name sharing
Configure private DNS name sharing for egress private connectivity.
You can implement private DNS name sharing in several ways. You must validate in a public zone, or a subdomain within one, that you own. Shared or exclusively private zones are not supported by AWS.
Single record resolution
With single record resolution, a single FQDN resolves to one endpoint. Use this approach with simple TCP passthrough on your NLB when you don't need SNI routing.
When you specify a FQDN, only that record resolves from the Splunk stack to the VPC endpoint.
In the following example, only abc.mydomain.com resolves. Use separate ports to route traffic to the appropriate backend.
# Example
abc.subdomain.mydomain.com
Pros
- Best for TCP passthrough-only load balancing.
- Allows multiple DNS records in the same zone to separate VPC endpoint services.
- Supports TLS validation.
Cons
- Not compatible with complex load balancing or SNI rules.
- May require several VPC endpoint services.
Multi-record resolution
With multi-record resolution, a wildcard FQDN resolves to a single endpoint. Use this approach when you need complex load balancing configurations or SNI routing to direct requests to the appropriate backend using specific host headers.
When you specify a wildcard FQDN, any record in the zone resolves to the VPC endpoint.
In the following example, *.mydomain.com resolves. Use separate ports or SNI rules to ensure the load balancing tier in your VPC routes traffic to the appropriate backend.
# Example
*.subdomain.mydomain.com
Pros
- Best for complex load balancing configurations and SNI routing.
- Resolves multiple DNS records for a given zone to a single VPC endpoint.
- Supports TLS validation.
Cons
- Resolves zones to a single VPC endpoint only.
- Additional endpoints require a separate zone.
- May require several VPC endpoint services.
For configuration instructions, see Set up egress private connectivity.