Prerequisites

To connect Splunk Observability Cloud to AWS using AWS PrivateLink, you need the following:

• An active AWS account

• A basic understanding of VPC concepts and networking principles

Connect different accounts within or across regions

You can use AWS PrivateLink to connect different accounts within or across AWS regions. The following diagram showsdiagram shows an overview of how AWS PrivateLink for Splunk Observability Cloud works:

AWS PrivateLink types of endpoint

You can use any of these endpoints with AWS PrivateLink:

• Ingest endpoint. Use the Ingest endpoint to send data points directly from your applications to Splunk Observability Cloud. Data sent using the Ingest API is handled in the same manner as data gathered by Splunk Observability Cloud through other methods, such as integrations with AWS cloud services. See Connect AWS to Splunk Observability Cloud.

• API endpoint. Use the API endpoint to allow applications to communicate with each other by sending and receiving data. These endpoints serve as the points of interaction with different components like charts, dashboards, dashboard groups, and so on.

• Stream endpoint. Use the Stream endpoint for continuous, real-time transmission of observability data such as logs, metrics, or traces. This endpoint is key for monitoring and analyzing system performance, identifying issues quickly, and maintaining overall system health.

AWS PrivateLink availability and service name

See the following sections for information on the available AWS source account regions, AWS PrivateLink endpoint URLs and service names for each AWS region.

AWS source account regions

See the following list for the supported AWS source account regions. Your AWS account region must be one of these regions:

• US East (N. Virginia) us-east-1

• US East (Ohio) us-east-2

• US West (N. California) us-west-1

• US West (Oregon) us-west-2

• Africa (Cape Town) af-south-1

• Asia Pacific (Hong Kong) ap-east-1

• Asia Pacific (Hyderabad) ap-south-2

• Asia Pacific (Jakarta) ap-southeast-3

• Asia Pacific (Melbourne) ap-southeast-4

• Asia Pacific (Mumbai) ap-south-1

• Asia Pacific (Osaka) ap-northeast-3

• Asia Pacific (Seoul) ap-northeast-2

• Asia Pacific (Singapore) ap-southeast-1

• Asia Pacific (Sydney) ap-southeast-2

• Asia Pacific (Tokyo) ap-northeast-1

• Canada (Central) ca-central-1

• Canada West (Calgary) ca-west-1

• Europe (Frankfurt) eu-central-1

• Europe (Zurich) eu-central-2

• Europe (Ireland) eu-west-1

• Europe (London) eu-west-2

• Europe (Paris) eu-west-3

• Europe (Milan) eu-south-1

• Europe (Stockholm) eu-north-1

• Middle East (Bahrain) me-south-1

• Middle East (UAE) me-central-1

• South America (São Paulo) sa-east-1

AWS PrivateLink endpoint URLs

AWS PrivateLink service names

Configure your AWS PrivateLink VPC endpoints

Follow these steps to create, use, and manage your AWS PrivateLink VPC endpoint:

• Step 1: Request to add your AWS Account ID to the allow list

• Step 2: Verify AWS Account ID is added to allow list

• Step 3: Create a VPC endpoint

• Step 4: Modify the endpoint to activate a Private DNS Name

Step 1: Request to add your AWS Account ID to the allow list

Reach out to Splunk Customer Support with the following information to include your AWS Account ID to the allow list:

• AWS Account ID

• Endpoint type

  • Ingest

  • API

  • Stream

• AWS source account region: It must be one of the regions listed in AWS source account regions.

• Splunk Observability AWS account region: It must be one of the regions listed in AWS PrivateLink service names.

Step 2: Verify AWS Account ID is added to allow list

To verify your AWS Account ID is allowed, follow these steps:

1. Log in to the AWS Management Console and open the Amazon VPC service in the specific region where you intend to set up AWS PrivateLink.

2. On the left navigation pane, navigate to PrivateLink and Lattice > Endpoints.

3. Select Create endpoint, then Endpoint services that use NLBs and GWLBs.

4. Under Service Settings, enter the Service Name based on the AWS region where you're configuring the VPC endpoint. Identify the appropriate service name using the AWS PrivateLink service names.

5. If you are setting up cross-region PrivateLink connectivity, check the Enable Cross Region endpoint checkbox. Based on the service name you used in point 4, select the appropriate Splunk Observability region.

   CAUTION: If you are setting up PrivateLink connectivity in the same region do not check the Enable Cross Region endpoint checkbox.
6. Select Verify Service.
   1. If you see the "Service name verified" message, proceed with Step 3: Create a VPC endpoint.
   2. If you see the "Service name could not be verified" error message, your account ID is not yet allowed for the given service name. Reach out to Splunk Customer Support to check the status of your request from Step 1: Request to add your AWS Account ID to the allow list.

Step 3: Create a VPC endpoint

To create a VPC endpoint, follow these steps:

1. Under Network settings select the VPC where the endpoint will reside.

   CAUTION: Under Additional setting do not select Enable DNS name at this point. Select this option after the VPC endpoint has been successfully created in Step 4: Modify the endpoint to activate a Private DNS Name.

2. Under Subnets select the subnet(s) where the endpoint will reside.

3. Under Security groups select the security group(s) controlling traffic for the endpoint. Make sure to set the outbound rule to HTTPS protocol and the 443 port.

4. Select Create endpoint.

Step 4: Modify the endpoint to activate a Private DNS Name

1. Log in to the AWS Management Console.

2. Navigate to the Amazon VPC service in the region where you have created the VPC endpoint.

3. On the left navigation pane, select Endpoints.

4. Select the VPC endpoint you want to modify.

5. Under the Actions dropdown, select Modify private DNS name.

6. Under Modify private DNS name settings, check the Enable private DNS names > Enable for this endpoint checkbox.

7. Select Save Changes.

You can now start using the AWS PrivateLink URL mentioned in the AWS PrivateLink endpoint URLs table.

Delete a VPC endpoint

You can list, modify, tag, or delete your VPC endpoints.

To delete an endpoint, follow these steps:

1. Log in to the AWS Management Console and open the Amazon VPC service.

2. On the left navigation pane, select Endpoints.

3. Select the VPC endpoint you want to delete.

4. Confirm the deletion when prompted.

Use AWS PrivateLink with VPC peering

If the workloads that you're monitoring with Splunk Observability Cloud are not in the AWS source account regions list, follow the steps below:

1. In your AWS account, either use an existing VPC or create a new VPC in one of Splunk Observability's AWS account regions mentioned in the AWS PrivateLink service names.

2. Set up AWS VPC peering between the regions where the workloads are being monitored and the region where the VPC used in step 1 is located.

3. Follow Configure your AWS PrivateLink VPC endpoints to activate the AWS PrivateLink endpoint connection from the region where the VPC used in step 1 is located.

Learn more about VPC Peering in the AWS documentation at https://docs.aws.amazon.com/vpc/latest/peering/peering-configurations-full-access.html#two-vpcs-full-access.

Use AWS PrivateLink with the OpenTelemetry Collector

To use AWS PrivateLink URLs in your Collector instance, update the necessary variables in your Collector configuration to point to the given endpoint type:

See all PrivateLink URLs at AWS PrivateLink endpoint URLs.

For information about the Collector’s environment variables, see Environment variables.