Splunk Cloud Platform

Splunk Cloud Platform Admin Manual

This documentation does not apply to the most recent version of Splunk Cloud Platform. For documentation on the most recent version, go to the latest release.

Configure IP allow lists using Splunk Web

IP allow lists control which IP addresses on your network have access to specified features in your Splunk Cloud Platform deployment. You can use the IP allow list management page in Splunk Web to add IP subnets to allow lists and manage access to Splunk Cloud Platform features in a self-service manner without assistance from Splunk Support.

You can also manage access to Splunk Cloud Platform features programmatically using the Admin Config Service (ACS) API. For more information, see Configure IP allow lists for Splunk Cloud Platform in the Admin Config Service Manual.

Requirements

To configure IP allow lists using Splunk Web, you must:

IP allow list management is not currently supported on AWS GovCloud or FedRAMP environments.

Enable automatic UI updates

Before you can access the IP allow list management page in Splunk Web, you must enable automatic UI updates for your deployment. After you enable automatic UI updates, you can access the IP allow list management page in Splunk Web under Settings > Server settings. For more information, see Enable automatic UI updates.

Determine IP allow list use case

Splunk Cloud Platform supports several common IP allow list use cases. In each case, the IP allow list controls access to a particular Splunk Cloud Platform feature, for example Search head API access, HEC access for ingestion, and so on.

IP allow list management supports the following IP allow list use cases:

Use Case Description
Search head API access Grants access for customer subnets to Splunk search head api (applies to automated interfaces)
HEC access for ingestion Allows customer's environment to send HTTP data to Splunk indexers.
Indexer ingestion Allows subnets that include UF or HF to send data to Splunk indexers.
Search head UI access Grant explicit access to search head UI in regulated customer environments.
IDM UI access Grant explicit access to IDM UI in regulated customer environments.
IDM API Grant access for add-ons that require an API. (Allows add-ons to send data to Splunk Cloud Platform.)

Add or remove subnets from IP allow lists

The IP allow list management page let you add or remove subnets from IP allow lists for specified Splunk Cloud Platform features. You can add or remove one or more IP subnets for multiple different features in a single page update. You must click save for any changes that you make to the page to propagate through the system.

Add subnets to IP allow lists

To add a subnet to an IP allow list:

  1. In Splunk Web, click Settings > Server settings > IP allow list.
  2. If token authentication is already enabled, skip this step. If token authentication is not enabled, click Go to tokens page and enable token authentication. Once token authentication is enabled, return to the IP allow list management page and refresh the page.
  3. Select the tab of the feature to which you wish to grant access. For example, click the "Search head UI access" tab to grant access to the search head UI.
  4. Click Add IP subnet.
  5. Enter the subnet using CIDR notation. For example 192.0.0.0/24
  6. Optionally, click Add IP subnet to add more subnets.
  7. Click Save.
    This saves all changes to the IP allow list management page since the last page update, including any subnets that you have added or removed, across all feature tabs.

Remove subnets from IP allow lists

To delete a subnet from an IP allow list:

  1. Select the tab for the feature from which you wish to revoke access.
  2. Click X to delete the existing subnet.
  3. Click Save.
    This saves all changes to the IP allow list management page since the last page update, including any subnets that you have added or removed, across all feature tabs.

You cannot delete the final IP subnet on the allow list for a feature. This is a safety measure that prevents inadvertently revoking all access to a feature. To delete the final subnet on an IP allow list, you must contact Splunk Support.

Changes can take up to 15 mins or more to propagate through the system.

Last modified on 22 August, 2023
Upgrade your Forwarders   Manage HTTP Event Collector (HEC) tokens in Splunk Cloud Platform

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2201, 8.2.2202


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters