Splunk Cloud Platform

Splunk Cloud Platform Admin Manual


Configure IP allow lists for Splunk Cloud Platform

Splunk Cloud Platform IP allow lists control which IP addresses on your network have access to specified components (features) in your Splunk Cloud Platform deployment. You can use the Splunk Cloud Admin Config Service (ACS) API to add or remove subnets from the allow list and manage access to features in your Splunk Cloud Platform environment programmatically.

If your Splunk Cloud Platform deployment is in an AWS region, before you can use the ACS API, your account must be enabled. To enable your account, contact Splunk Support. If your Splunk Cloud Platform deployment is in a Google Cloud region, your account does not need to be enabled to use the ACS API.

Requirements

  • Splunk Cloud Platform version 8.0.2007 or higher.
  • You must have the sc_admin role.
  • cURL or equivalent API client tool, such as Postman.

The ACS API does not currently support AWS GovCloud or FedRAMP environments.

Determine IP allow list use case

The ACS API supports several common IP allow list use cases. In each use case, the IP allow list controls access to a particular Splunk Cloud Platform feature. When you send a request to the ACS endpoint, you must specify the {feature} argument, such as search-api, hec, s2s, and so on. Note that the value of {feature} refers to a logical grouping of subnets that are granted access to a Splunk component.

The ACS API supports the following IP allow list use cases:

| Use Case | Feature Type | Port | Description |
|---|---|---|---|
| Search head API access | search-api | 8089 | Grants access for customer subnets to Splunk search head API (applies to automated interfaces). |
| HEC access for ingestion | hec | 443 | Allows customer's environment to send HTTP data to Splunk indexers. |
| Indexer ingestion | s2s | 9997 | Allows subnets that include UF or HF to send data to Splunk indexers. |
| SH UI access | search-ui | 80/443 | Grant explicit access to search head UI in regulated customer environments. |
| IDM UI access | idm-ui | 443 | Grant explicit access to IDM UI in regulated customer environments. |
| IDM API | idm-api | 8089 | Grant access for add-ons that require an API. (Allows add-ons to send data to Splunk Cloud Platform.) |

Set up the ACS API

Retrieve the ACS OpenAPI 3.0 specification

ACS provides an OpenAPI 3.0 specification that includes all parameters, response codes, and other metadata that you need to send requests to the ACS API endpoint.

To retrieve the ACS OpenAPI 3.0 specification, send an HTTP GET request to:

https://admin.splunk.com/service/info/specs/v1/openapi.json

Generate an authentication token

The ACS API accepts a SAML authentication token. You can generate this token in the Splunk Cloud Platform UI. If your Splunk Cloud Platform environment does not support SAML, you can use local accounts as an alternate authentication method.

To generate a token in Splunk Cloud Platform:

  1. In Splunk Web, click Settings > Token > Enable Token Authentication > New Token.
  2. Configure the new token. Set an expiration time that meets your organization's needs. An expiration time of 60d fits most use cases.
  3. Copy the token and paste it into your API client, or save it for use in curl requests.

Set up API client (optional)

When setting up an API client, such as Postman, specify the following parameters:

  • {baseURL}: The base URL of the ACS API (https://admin.splunk.com).
  • {stack}: The URL prefix of your Splunk Cloud Platform deployment (e.g. csms-2io6tw-47150)
  • {feature}: The feature to which IP allow list requests apply.
  • {token}: The token generated by Splunk Cloud Platform. See Generate an authentication token.

When using the curl command, you must pass the above parameters with the ACS API request.

Configure IP allow list

The following sections show you how to update and manage Splunk Cloud IP allow lists using the ACS API.

View current IP allow list

To view the full list of existing subnets for a particular IP allow list feature type, send an HTTP GET request to the following endpoint:

{baseURL}/{stack}/adminconfig/v1/access/{feature}/ipallowlists

For example, to view the full list of subnets for the s2s IP allow list feature type, send the following request:

curl 'https://admin.splunk.com/{stack}/adminconfig/v1/access/s2s/ipallowlists' \
--header 'Authorization: Bearer {token}'

The request returns the current allow list subnets for the s2s feature type only. For example:

{
  "subnets": [
     "#.0.0.0/24",
     "#.0.0.0/24",
     "#.0.10.6/32"
  ]
}

To view the current allow list subnets for a different feature, you must specify that feature type in the request. See Determine IP allow list use case.
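
The returned list is also the place to review what an allow list currently permits. The following added example (not part of the Splunk documentation or the ACS tooling) audits a parsed GET response for invalid, overly broad, and redundant entries. The function name audit_allow_list, the /16 threshold, and the sample response are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample of a parsed GET .../access/{feature}/ipallowlists response.
SAMPLE_RESPONSE = {"subnets": ["10.0.0.0/8", "203.0.113.0/24", "203.0.113.7/32",
                               "198.51.100.9/24", "192.0.2.300/32"]}


def audit_allow_list(response, min_prefix=16):
    """Return (subnet, finding) pairs for allow-list entries that need review.

    min_prefix is an assumed local policy threshold for IPv4, not an ACS limit.
    """
    findings, parsed = [], []
    for raw in response.get("subnets", []):
        try:
            iface = ipaddress.ip_interface(raw.strip())
        except ValueError:
            findings.append((raw, "not a valid CIDR"))
            continue
        net = iface.network
        if net.prefixlen == 0:
            findings.append((raw, "allows any source address"))
        elif net.version == 4 and net.prefixlen < min_prefix:
            findings.append((raw, f"broader than /{min_prefix}"))
        if iface.ip != net.network_address:
            findings.append((raw, f"host bits set, network is {net}"))
        parsed.append((raw, net))
    # An entry that sits inside another entry grants nothing new and hides intent.
    for raw, net in parsed:
        for other_raw, other in parsed:
            if (net != other and net.version == other.version
                    and net.subnet_of(other)):
                findings.append((raw, f"already covered by {other_raw}"))
                break
    return findings


if __name__ == "__main__":
    for subnet, finding in audit_allow_list(SAMPLE_RESPONSE):
        print(f"{subnet}: {finding}")
```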

Add subnets to IP allow list

To add a new subnet to the IP allow list:

Send an HTTP POST request to the {feature}/ipallowlists endpoint, specifying the subnet that you want to add. For example, to add new subnets to the IP allow list for the s2s feature:

curl -X POST 'https://admin.splunk.com/mystack/adminconfig/v1/access/s2s/ipallowlists' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiw...' \
--data '{
"subnets": [
"###.0.0.0/24",
"##.0.10.6/32"
]
}'

A 200 response code indicates that your request was submitted successfully. Note however that the ACS request process is asynchronous and it can take several minutes for the subnet update to be applied to your Splunk Cloud deployment. You can check the status of your subnet update request, as follows:

Send a GET request that passes the {stack} value (URL prefix of your Splunk Cloud Platform deployment) as the only argument.

curl 'https://admin.splunk.com/{stack}/adminconfig/v1/status' \
--header 'Authorization: Bearer {token}'

ACS returns one of the following status responses:

  • Ready: The environment is ready, and infrastructure is up to date.
  • Pending: The stack has some pending changes that haven't been applied to the environment yet. The changes could be internal system changes for the environment or user requested changes like a modification to allow lists.
  • Failed: There were some errors while applying changes to the environment. The changes could be internal system changes for environments or user requested changes like a modification to allow lists. If you continue to experience errors, contact Splunk Support.

Remove subnets from IP allow list

To remove a subnet from an IP allow list:

Send an HTTP DELETE request specifying the subnet you want to delete. For example, to remove subnets from the IP allow list for the s2s feature:

curl -X DELETE 'https://admin.splunk.com/mystack/adminconfig/v1/access/s2s/ipallowlists' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2Vj...' \
--header 'Content-Type: application/json' \
--data '{
"subnets": [
"###.0.0.0/24",
"##.0.10.6/32"
]
}'
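
Added example, not from the Splunk documentation: one way to derive the POST and DELETE request bodies from the current list and the list you intend to have, so that each request carries only the difference and entries with host bits set or a /0 prefix are refused before they are sent. The function name plan_allow_list_change and the sample subnets are hypothetical.

```python
import ipaddress
import json


def plan_allow_list_change(current, desired):
    """Return {"post": body-or-None, "delete": body-or-None} as JSON strings.

    current: subnets from the GET response; desired: the list you intend to have.
    """
    stored = {}  # canonical network -> spelling the API returned
    for raw in current:
        stored[str(ipaddress.ip_network(raw, strict=False))] = raw
    wanted = set()
    for raw in desired:
        # strict=True raises ValueError on host bits, e.g. 122.0.0.5/24.
        net = ipaddress.ip_network(raw, strict=True)
        if net.prefixlen == 0:
            raise ValueError(f"{raw} would allow every source address")
        wanted.add(str(net))
    to_add = sorted(wanted - set(stored))
    # Delete using the stored spelling so the request names the existing entry.
    to_remove = sorted(stored[n] for n in set(stored) - wanted)

    def body(subnets):
        return json.dumps({"subnets": subnets}) if subnets else None

    return {"post": body(to_add), "delete": body(to_remove)}


if __name__ == "__main__":
    # Constructed lists; 122.0.0.0/24 is the subnet from the forwarder example.
    plan = plan_allow_list_change(
        current=["203.0.113.0/24", "198.51.100.9/24", "192.0.2.7/32"],
        desired=["203.0.113.0/24", "198.51.100.0/24", "122.0.0.0/24"],
    )
    print("POST --data  ", plan["post"])
    print("DELETE --data", plan["delete"])
```

Each non-empty body can be passed to the corresponding curl request with --data.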

Confirm IP allow list update

To verify that your IP allow list has been updated as expected by POST or DELETE requests:

Send an HTTP GET request specifying the {stack} value (URL prefix of your Splunk Cloud Platform deployment) as follows:

curl 'https://admin.splunk.com/mystack/adminconfig/v1/status' \
--header 'stack: mystack' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2...'
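
Because a 200 response only means that the request was submitted, a change can be treated as confirmed once the status is Ready and the feature's list reflects it. The following added example (not Splunk code) implements that two-step check. get_status and get_subnets are hypothetical callables wrapping the status and ipallowlists GET requests shown on this page, and the timeout and interval defaults are assumptions.

```python
import time


def confirm_allow_list_update(get_status, get_subnets, expected=(), absent=(),
                              timeout=600, interval=15, sleep=time.sleep):
    """Wait for Ready, then compare the live list with the intended change.

    get_status() returns "Ready", "Pending" or "Failed"; get_subnets() returns
    the feature's current subnet list. Both are hypothetical wrappers around
    the status and ipallowlists GET requests.
    """
    waited = 0
    while True:
        status = get_status()
        if status == "Ready":
            break
        if status == "Failed":
            raise RuntimeError("ACS reported Failed; the change was not applied")
        if waited >= timeout:
            raise TimeoutError(f"status still {status!r} after {waited}s")
        sleep(interval)
        waited += interval
    listed = set(get_subnets())
    return {
        "missing": sorted(set(expected) - listed),     # added but not present
        "still_listed": sorted(set(absent) & listed),  # removed but present
    }


if __name__ == "__main__":
    # Constructed stand-ins for the two GET requests, so this runs offline.
    replies = iter(["Pending", "Pending", "Ready"])
    result = confirm_allow_list_update(
        get_status=lambda: next(replies),
        get_subnets=lambda: ["122.0.0.0/24", "50.0.10.6/32"],
        expected=["122.0.0.0/24"],
        sleep=lambda seconds: None,
    )
    print(result)
```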

Example: Allow a universal forwarder to send data to Splunk Cloud Platform indexers

To allow a Splunk universal forwarder on your network to send data to indexers in your Splunk Cloud Platform deployment, you must add the IP subnet that contains the forwarder's IP address to the correct IP allow list in Splunk Cloud Platform.

  1. Create an authentication token in Splunk Cloud Platform for use with the ACS API. See Generate an authentication token.
  2. Determine the IP subnet that contains your forwarder. For example:
    122.0.0.0/24
    
  3. Determine the feature type of the IP allow list to which you must add the forwarder's subnet. In this example, you want to allow Splunk Cloud Platform indexers to ingest data from an external forwarder, so the use case is indexer ingestion and the corresponding IP allow list feature type is s2s. See Determine IP allow list use case.
  4. Send a POST request to add the new subnet to the s2s IP allow list.
    curl -X POST 'https://admin.splunk.com/mystack/adminconfig/v1/access/s2s/ipallowlists' \
    --header 'Content-Type: application/json' \
    --header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiw...' \
    --data '{
    "subnets": [
    "122.0.0.0/24"
    ]
    }'
    
  5. Send a GET request to confirm that the updated s2s IP allow list now includes the forwarder's subnet. For example:
    curl 'https://admin.splunk.com/mystack/adminconfig/v1/access/s2s/ipallowlists' \
    --header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiw...'
    

    The response shows the s2s IP allow list includes the forwarder's subnet:

    {
      "subnets": [
         "122.0.0.0/24",
         "50.0.10.6/32"
      ]
    }
    

Endpoint reference: {feature}/ipallowlists

https://admin.splunk.com/{stack}/adminconfig/v1/access/{feature}/ipallowlists

Perform CRUD operations on IP allow lists.


Authentication and Authorization
Requires a token (JWT) or local account.


GET

List subnets on the existing IP allow list for a feature.


Request parameters

| Name | Type | Description |
|---|---|---|
| stack | String | The URL prefix of the Splunk Cloud Platform deployment. |
| feature | String | The IP allow list feature type. |


Returned values

| Name | Type | Description |
|---|---|---|
| subnets | String | The IP subnets currently listed on the IP allow list for a given feature. |

Example request and response

JSON Request

curl 'https://admin.splunk.com/mystack/adminconfig/v1/access/s2s/ipallowlists' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiw...'

JSON Response

{
  "subnets": [
     "#.0.0.0/24",
     "#.0.0.0/24",
     "#.0.10.6/32"
  ]
}

POST

Add subnets to the IP allow list for a feature.


Request parameters

| Name | Type | Description |
|---|---|---|
| stack | String | The URL prefix of the Splunk Cloud Platform deployment. |
| feature | String | The IP allow list feature type. |
| subnets | String | List of subnets to add to IP allow list |


Returned values
None


Example request and response

JSON Request

curl -X POST 'https://admin.splunk.com/mystack/adminconfig/v1/access/s2s/ipallowlists' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiw...' \
--data '{
"subnets": [
"###.0.0.0/24",
"##.0.10.6/32"
]
}'

JSON Response

{
"code": "200"
}

DELETE

Delete subnets from the IP allow list for a feature.


Request parameters

| Name | Type | Description |
|---|---|---|
| stack | String | The URL prefix of the Splunk Cloud Platform deployment. |
| feature | String | The IP allow list feature type. |
| subnets | String | List of subnets to delete from IP allow list |


Returned values
None


Example request and response

JSON Request

curl -X DELETE 'https://admin.splunk.com/mystack/adminconfig/v1/access/s2s/ipallowlists' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2Vj...' \
--header 'Content-Type: application/json' \
--data '{
"subnets": [
"###.0.0.0/24",
"##.0.10.6/32"
]
}'

JSON Response

{
"code": "200"
}
Last modified on 08 September, 2021

This documentation applies to the following versions of Splunk Cloud Platform: 8.1.2011, 8.1.2012, 8.1.2101, 8.1.2103, 8.2.2104, 8.2.2105 (latest FedRAMP release), 8.2.2106, 8.2.2107

