Splunk Cloud Platform

Admin Config Service Manual


Configure IP allow lists for Splunk Cloud Platform

Splunk Cloud Platform IP allow lists control which IP addresses on your network have access to specified components (features) in your Splunk Cloud Platform deployment. You can use the Admin Config Service (ACS) API to add or remove subnets from the allow list and manage access to features in your Splunk Cloud Platform environment programmatically.

Requirements

To configure IP allow lists using the ACS API, you must:

  • Have the sc_admin (Splunk Cloud Platform Administrator) role.
  • Have Splunk Cloud Platform version 8.0.2007 or higher.

The ACS API does not currently support AWS GovCloud or FedRAMP environments.

Set up the ACS API

Before using the ACS API, you must download the ACS Open API 3.0 specification, which includes the parameters, codes, and other data you need to work with the ACS API. You must also create an authentication token in Splunk Cloud Platform for use with ACS endpoint requests. For details on how to set up the ACS API, see Set up the ACS API.

Determine IP allow list use case

The ACS API supports several common IP allow list use cases. In each use case, the IP allow list controls access to a particular Splunk Cloud Platform feature. When you send a request to the ACS endpoint, you must specify the {feature} argument, such as search-api, hec, s2s, and so on. Note that the value of {feature} refers to a logical grouping of subnets that are granted access to a Splunk component.

The ACS API supports the following IP allow list use cases:

| Use case | Feature | Port | Description |
| --- | --- | --- | --- |
| Search head API access | search-api | 8089 | Grants access for customer subnets to the Splunk search head API (applies to automated interfaces). |
| HEC access for ingestion | hec | 443 | Allows the customer's environment to send HTTP data to Splunk indexers. |
| Indexer ingestion | s2s | 9997 | Allows subnets that include UF or HF to send data to Splunk indexers. |
| SH UI access | search-ui | 80/443 | Grants explicit access to the search head UI in regulated customer environments. |
| IDM UI access | idm-ui | 443 | Grants explicit access to the IDM UI in regulated customer environments. |
| IDM API | idm-api | 8089 | Grants access for add-ons that require an API. (Allows add-ons to send data to Splunk Cloud Platform.) |

Configure IP allow list

The following sections show you how to update and manage Splunk Cloud IP allow lists using the ACS API.

View current IP allow list

To view the full list of existing subnets for a particular IP allow list feature type, send an HTTP GET request to the following endpoint:

admin.splunk.com/{stack}/adminconfig/v2/access/{feature}/ipallowlists

For example, to view the full list of subnets for the s2s IP allow list feature type, send the following request:

curl https://admin.splunk.com/{stack}/adminconfig/v2/access/s2s/ipallowlists \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2...'

The request returns the current allow list subnets for the s2s feature type only. For example:

{
  "subnets": [
     ": #.0.0.0/24",
     ": #.0.0.0/24",
     ": #.0.10.6/32"
  ]
}

To view the current allow list subnets for a different feature, you must specify that feature type in the request. See Determine IP allow list use case.

For ACS IP allow list endpoint details, see access/{feature}/ipallowlist in the ACS API endpoint reference.

Add subnets to IP allow list

To add a new subnet to the IP allow list:

Send an HTTP POST request to the access/{feature}/ipallowlists endpoint, specifying the subnet that you want to add. For example, to add new subnets to the IP allow list for the s2s feature:

curl -X POST 'https://admin.splunk.com/mystack/adminconfig/v2/access/s2s/ipallowlists' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiw...' \
--data '{
"subnets": [
"###.0.0.0/24",
"##.0.10.6/32"
]
}'

A 200 response code indicates that your request was submitted successfully.

It can take several minutes for the subnet update to be applied to your Splunk Cloud Platform stack.

To check the status of your subnet update request, send an HTTP GET request specifying the {stack} value (URL prefix of your Splunk Cloud Platform deployment) as the only argument. For example:

curl https://admin.splunk.com/{stack}/adminconfig/v2/status \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2...'

ACS returns one of the following status responses:

  • Ready: The environment is ready, and infrastructure is up to date.
  • Pending: The stack has some pending changes that haven't been applied to the environment yet. The changes could be internal system changes for the environment or user requested changes like a modification to allow lists.
  • Failed: There were some errors while applying changes to the environment. The changes could be internal system changes for environments or user requested changes like a modification to allow lists. If you continue to experience errors, contact Splunk Support.

Remove subnets from IP allow list

To remove a subnet from an IP allow list:

Send an HTTP DELETE request specifying the subnet you want to delete. For example, to remove subnets from the IP allow list for the s2s feature:

curl -X DELETE 'https://admin.splunk.com/mystack/adminconfig/v2/access/s2s/ipallowlists' \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2Vj...' \
--header 'Content-Type: application/json' \
--data '{
"subnets": [
"###.0.0.0/24",
"##.0.10.6/32"
]
}'

For ACS IP allow list endpoint details, see access/{feature}/ipallowlist in the ACS API endpoint reference.
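
The POST and DELETE bodies shown above can be derived by comparing the current allow list with the intended one, which avoids removing or adding subnets by hand. The following Python is an added example, not Splunk's code: `parse_subnets`, `plan_changes` and the `min_prefix` policy are names and assumptions introduced here. It validates each CIDR, tolerates the `: ` prefix seen in this page's sample responses, and returns the requests to send without sending them.

```python
import ipaddress
import json

# Feature names and the endpoint path are taken from this page.
FEATURES = {"search-api", "hec", "s2s", "search-ui", "idm-ui", "idm-api"}
BASE = "https://admin.splunk.com/{stack}/adminconfig/v2/access/{feature}/ipallowlists"


def parse_subnets(entries, min_prefix=8):
    """Return a set of canonical IPv4 networks; raise ValueError on bad input.

    min_prefix is a local policy assumption, not an ACS rule: anything broader
    (for example 0.0.0.0/0) is refused so a typo cannot open the feature up.
    """
    nets = set()
    for raw in entries:
        text = raw.lstrip(": ").strip()  # sample responses here show a ': ' prefix
        net = ipaddress.IPv4Network(text, strict=True)  # rejects set host bits
        if net.prefixlen < min_prefix:
            raise ValueError(f"{net} is broader than /{min_prefix}")
        nets.add(net)
    return nets


def plan_changes(stack, feature, current_response, desired):
    """Compare a GET response body with the desired list; return requests to send."""
    if feature not in FEATURES:
        raise ValueError(f"unknown feature: {feature}")
    current = parse_subnets(json.loads(current_response)["subnets"])
    wanted = parse_subnets(desired)
    url = BASE.format(stack=stack, feature=feature)
    plan = []
    for method, nets in (("POST", wanted - current), ("DELETE", current - wanted)):
        if nets:
            body = {"subnets": [str(n) for n in sorted(nets)]}
            plan.append((method, url, json.dumps(body)))
    return plan


if __name__ == "__main__":
    # Constructed GET response in the shape shown on this page.
    current = '{"subnets": [": 122.0.0.0/24", ": 50.0.10.6/32"]}'
    for method, url, body in plan_changes("mystack", "s2s", current,
                                          ["122.0.0.0/24", "198.51.100.0/24"]):
        print(method, url, body)
```

Review the returned DELETE entries before sending them, because removing a subnet that still contains forwarders or API clients cuts off their access to that feature.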

Confirm IP allow list update

To verify that your IP allow list has been updated as expected by POST or DELETE requests:

Send an HTTP GET request specifying the {stack} value (URL prefix of your Splunk Cloud Platform deployment) as follows:

curl https://admin.splunk.com/mystack/adminconfig/v2/status \
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2...'

Example: Allow a universal forwarder to send data to Splunk Cloud Platform indexers

To allow a Splunk universal forwarder on your network to send data to indexers in your Splunk Cloud Platform deployment, you must add the IP subnet that contains the forwarder's IP address to the correct IP allow list in Splunk Cloud Platform.

  1. Create an authentication token in Splunk Cloud Platform for use with the ACS API. See Generate an authentication token.
  2. Determine the IP subnet that contains your forwarder. For example:
    122.0.0.0/24
    
  3. Determine the feature type of the IP allow list to which you must add the forwarder's subnet. In this example, you want to allow Splunk Cloud Platform indexers to ingest data from an external forwarder, so the use case is indexer ingestion and the corresponding IP allow list feature type is s2s. See Determine IP allow list use case.
  4. Send a POST request to add the new subnet to the s2s IP allow list.
    curl -X POST 'https://admin.splunk.com/mystack/adminconfig/v2/access/s2s/ipallowlists' \
    --header 'Content-Type: application/json' \
    --header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiw...' \
    --data '{
    "subnets": [
    "122.0.0.0/24"
    ]
    }'
    
  5. Send a GET request to confirm that the updated s2s IP allow list now includes the forwarder's subnet. For example:
    curl https://admin.splunk.com/mystack/adminconfig/v2/access/s2s/ipallowlists \
    --header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2...'
    

    The response shows the s2s IP allow list includes the forwarder's subnet:

    {
      "subnets": [
         ": 122.0.0.0/24",
         ": 50.0.10.6/32"
      ]
    }
    

For ACS IP allow list endpoint details, see access/{feature}/ipallowlist in the ACS API endpoint reference.

Last modified on 13 May, 2022

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2109, 8.2.2111, 8.2.2112, 8.2.2201 (latest FedRAMP release), 8.2.2202

