Implement Cross-Region Disaster Recovery in your Splunk Cloud Platform environment

If you want to use cross-region disaster recovery in your Splunk Cloud Platform environment, follow these steps.

1. Learn what the service does and what it doesn't do
2. Speak with your account team and schedule a conversation with service experts
3. Purchase the service
4. Provide maintenance windows for Splunk Support to integrate the service into your environment
5. Update Internet Protocol (IP) allow lists at your firewall to access your integrated Splunk Cloud Platform environment
6. Confirm that your supporting infrastructure use DNS host names for the Splunk Cloud Platform environment
7. If you use the Splunk Cloud Data Manager application, create an Amazon Web Services (AWS) identity access management (IAM) role and modify the role trust relationship
8. (Optional) After integration, schedule planned failovers to test that the process works

Learn what the service does and doesn't do

Before you implement Cross-Region Disaster Recovery for your Splunk Cloud Platform instance, understand what the service is, what it can do for you, and what its limitations are. As the service is currently in Early Access, you can leave feedback to further improve and strengthen the service. Splunk does not make any guarantees outside of the service level agreements it specifically agrees to with regards to the service, as described in this manual.

Speak with your account team and schedule a conversation with Cross-Region Disaster Recovery service experts

When you are ready to implement the service in your SCP environment, contact your account team and indicate that you want to sign up for the service. Your account representative will connect you with Splunk disaster recovery experts to learn about your needs and determine if the service is a fit for your specific use case.

Purchase the service

After you speak with your account team and schedule a talk with Splunk experts about the service, purchase the service and have it integrated into your Splunk Cloud Platform environment. After you make the purchase, Splunk will work with you to schedule maintenance windows to set up the service.

Provide maintenance windows for Splunk Support to integrate the service into your environment

After you agree to the terms for using the service and purchase the service, you must coordinate with Splunk Support to establish maintenance windows to integrate the service into your environment.

Multiple maintenance windows are required to perform this integration because the integration requires a number of infrastructure updates to the instance. For example, when you integrate the service into your instance, Splunk rekeys any stored data within your environment with a multi-region encryption key so that the data is accessible in the production SCP environment and the environment in the secondary region.

Update IP allow lists at your firewall to access your integrated Splunk Cloud Platform environment

After integration, Splunk Support provides you with IP network addresses which you must configure to allow egress of network traffic from your Splunk Cloud Platform environment. For more information on how to configure IP network allow lists, see Configure IP allow lists for Splunk Cloud Platform.

If you use the Splunk Cloud Data Manager application, create an Amazon Web Services (AWS) identity access management (IAM) role and modify the role trust relationship

After Splunk Support integrates CRDR into your Splunk Cloud Platform environment, if you use the Splunk Cloud Data Manager application in that environment, then either you or your AWS administrator must create an AWS role and adjust its trust relationship between AWS and Splunk Cloud Platform.

1. Log into AWS IAM Console.
2. Create an AWS IAM role called SplunkDMReadOnly by following the procedure at https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html.
3. Change the trust relationship for the SplunkDMReadOnly role by following the procedure at https://docs.aws.amazon.com/directoryservice/latest/admin-guide/edit_trust.html.
4. In the Trust Relationship section, locate the following text within the JavaScript Object Notation (JSON) object and update the ACCOUNT_ID, STACK_ID_1, and STACK_ID_2 with the account ID and stack IDs for your Splunk Cloud Platform environment, respectively:

"Principal": {
        "AWS": [
          "arn:aws:iam::<ACCOUNT_ID>:role/<STACK_ID_1>",
          "arn:aws:iam::<ACCOUNT_ID>:role/<STACK_ID_2>"
        ]
      },

For more information on the Splunk Cloud Data Manager application, see About Data Manager in the **Data Manager Manual**.

Confirm that your supporting infrastructure use DNS host names for the Splunk Cloud Platform environment

When you implement Cross-Region Disaster Recovery into your Splunk Cloud Platform environment, confirm that all environment users and the infrastructure that supports data ingestion into that environment, such as forwarders, HTTP Event Collector clients, and applications, connect to the instance through DNS, rather than through an IP network address. During a failover, Splunk changes the DNS for the Splunk Cloud Platform environment from the primary cloud service provider (CSP) region to the secondary CSP region.

(Optional) Schedule planned failovers to test that the process works

Up to twice a year, you can optionally schedule a planned failover for your Splunk Cloud Platform deployment. These planned failovers let you test your environment to confirm all data and configurations are available in the secondary instance.