Docs » Authentication and Security » Allow Splunk Observability Cloud services in your network

Allow Splunk Observability Cloud services in your network 🔗

A number of different services make up Splunk Observability Cloud. If your organization has stringent networking security policies that apply to sending data to third parties, use one of the following methods to ensure network access to Splunk Observability Cloud services:

Note

If you write to http://domain/path, the request must happen on port 80. Similarly, if you write to https://domain/path, the request must happen on port 443. If you want to use a different port, you must use http[s]://domain:port/path

Use a simple HTTP/HTTPS proxy 🔗

If you can get out to the internet using a proxy, then using an HTTP/HTTPS proxy is your simplest option.

Ensure that you give the proxy the ability to resolve the network names and make outbound HTTP/HTTPS network connections to the URLs listed in URLs to allow in your network or the domains listed in Domains to allow in your network.

Use the Splunk Distribution of OpenTelemetry Collector 🔗

Use the Splunk Distribution of OpenTelemetry Collector in data forwarding (gateway) mode. You can forward metrics locally to the Splunk Distribution of OpenTelemetry Collector, which serves as your local store-and-forward service for telemetry.

Ensure that you give the Splunk Distribution of OpenTelemetry Collector the ability to resolve the network names and make outbound HTTPS network connections to the URLs listed in URLs to allow in your network or the domains listed in Domains to allow in your network. Verify also the list of exposed ports and endpoints.

Configure proxy settings for the Collector 🔗

You might have to configure proxy settings for two separate actions:

  • Download the Collector files, either through the installer script or manually.

  • Allow the Collector to send telemetry through the inline or transparent proxy.

To configure proxy settings, set one of the following environment variables according to your needs and following the best practices for your environment and platform:

  • HTTP_PROXY: The HTTP proxy address

  • HTTPS_PROXY: The HTTPS proxy address

  • NO_PROXY: If you have a proxy, this option sets addresses that don’t use the proxy

The following examples show how to set the HTTP_PROXY and HTTPS_PROXY environment variable for hosts and containers:

# Add proxy settings to the environment for the installer script

cat <<EOF | sudo tee -a /etc/environment
NO_PROXY=<address,anotheraddress>
HTTP_PROXY=http://<proxy.address:port>
HTTPS_PROXY=http://<proxy.address:port>
EOF

# You might need to restart your shell session at this point.

# Add proxy configuration to the service-proxy.conf
# file in /etc/systemd/system/splunk-otel-collector.service.d/

sudo mkdir -p /etc/systemd/system/splunk-otel-collector.service.d/

cat <<EOF | sudo tee -a /etc/systemd/system/splunk-otel-collector.service.d/service-proxy.conf
[Service]
Environment="NO_PROXY=<address,anotheraddress>"
Environment="HTTP_PROXY=http://<proxy.address:port>"
Environment="HTTPS_PROXY=http://<proxy.address:port>"
EOF

# Reload systemd and splunk-otel-collector service afterwards

sudo systemctl daemon-reload
sudo systemctl restart splunk-otel-collector

Restart the Collector after adding these environment variables to your configuration.

URLs to allow in your network 🔗

Note

Note about realms

A realm is a self-contained deployment of Splunk Observability Cloud in which your organization is hosted. Different realms have different API endpoints. For example, the endpoint for sending data in the us1 realm is https://ingest.us1.signalfx.com, while the endpoint for sending data in the eu0 realm is https://ingest.eu0.signalfx.com.

When you see a placeholder realm name in the documentation, such as <YOUR_REALM>, replace it with your actual realm name. To find your realm name, open the left navigation menu in Observability Cloud, select Settings, and select your username. The realm name appears in the Organizations section. If you don’t include the realm name when specifying an endpoint, Observability Cloud defaults to the us0 realm.

If your organization’s networking security policies require you to individually allow services delivered over the internet, ensure that you allow the following service URLs on your network:

\*.signalfx.com

\*.<YOUR_REALM>.signalfx.com

If you’re unable to allow all URLs as shown here, see Domains to allow in your network.

Domains to allow in your network 🔗

If you’re unable to allow all URLs as described in URLs to allow in your network, ensure that you allow the following domains on your network:

# Observability Cloud API base URL (https://dev.splunk.com/observability/docs/apibasics/api_list)
api.<YOUR_REALM>.signalfx.com

# Splunk Observability Cloud user interface
app.<YOUR_REALM>.signalfx.com
customer-api.<YOUR_REALM>.signalfx.com

# CDN for Splunk Observability Cloud files and installers
dl.signalfx.com

# Backfill API base URL (https://dev.splunk.com/observability/reference/api/backfill/latest)
backfill.<YOUR_REALM>.signalfx.com

# Data ingest API base URL (https://dev.splunk.com/observability/docs/datamodel/ingest/)
ingest.<YOUR_REALM>.signalfx.com

# SignalFlow API base URL (https://dev.splunk.com/observability/reference/api/signalflow/latest)
stream.<YOUR_REALM>.signalfx.com

# RUM ingest endpoint
rum-ingest.<YOUR_REALM>.signalfx.com/v1/rum

# For td-agent/Fluentd on Linux and Windows
packages.treasuredata.com

# For DEB/RPM collector packages
splunk.jfrog.io

Note

For more information, see the Endpoint Summary topic in the Observability Cloud Developer Guide.