Private Connectivity using AWS PrivateLink 🔗

You can use Amazon Web Services (AWS) PrivateLink to secure your metric and traces traffic from your AWS environment to your Splunk Observability Cloud environment without exposing it to the Internet.

AWS PrivateLink connects your Virtual Private Cloud (VPC) to your AWS services, treating them as if they were in your VPC. You can create and use VPC endpoints to securely access AWS services and control the specific API endpoints and sites. To learn more, see the AWS PrivateLink documentation at What is AWS PrivateLink? .

Note

To send logs to Splunk Observability Cloud, use Splunk Log Observer Connect.

To send logs securely, use Private connectivity in Splunk Cloud Platform .

The following diagram shows an overview of how AWS PrivateLink for Splunk Observability Cloud works:

Prerequisites 🔗

To connect Splunk Observability Cloud to AWS using AWS PrivateLink, you need the following:

An active AWS account
A basic understanding of VPC concepts and networking principles

AWS PrivateLink types of endpoint 🔗

You can use any of these endpoints with AWS PrivateLink:

Ingest endpoint. Use the Ingest endpoint to send data points directly from your applications to Splunk Observability Cloud. Data sent using the Ingest API is handled in the same manner as data gathered by Splunk Observability Cloud through other methods, such as integrations with AWS cloud services.
API endpoint. Use the API endpoint to allow applications to communicate with each other by sending and receiving data. These endpoints serve as the points of interaction with different components like charts, dashboards, dashboard groups…
Stream endpoint. Use the Stream endpoint for continuous, real-time transmission of observability data such as logs, metrics, or traces. This endpoint is key for monitoring and analyzing system performance, identifying issues quickly, and maintaining overall system health.

AWS PrivateLink availability and service name 🔗

See the following tables for the AWS PrivateLink endpoint URLs and service names for each AWS region.

AWS PrivateLink endpoint URLs 🔗

AWS region	Ingest endpoint URL	API endpoint URL	Backfill endpoint URL	Stream endpoint URL
ap-northeast-1	private-ingest.jp0.signalfx.com	private-api.jp0.signalfx.com	Coming soon	private-stream.jp0.signalfx.com
ap-southeast-2	private-ingest.au0.signalfx.com	private-api.au0.signalfx.com	Coming soon	private-stream.au0.signalfx.com
eu-west-1	private-ingest.eu0.signalfx.com	private-api.eu0.signalfx.com	Coming soon	private-stream.eu0.signalfx.com
us-east-1	private-ingest.us0.signalfx.com	private-api.us0.signalfx.com	Coming soon	private-stream.us0.signalfx.com
us-west-2	private-ingest.us1.signalfx.com	private-api.us1.signalfx.com	Coming soon	private-stream.us1.signalfx.com

AWS PrivateLink service names 🔗

AWS region	Ingest endpoint service name	API endpoint service name	Backfill endpoint service name	Stream endpoint service name
ap-northeast-1	com.amazonaws.vpce.ap-northeast-1.vpce-svc-086c8167a74323e5a	com.amazonaws.vpce.ap-northeast-1.vpce-svc-06e1951072fcabaaa	Coming soon	com.amazonaws.vpce.ap-northeast-1.vpce-svc-0aebd0dfe769cc20b
ap-southeast-2	com.amazonaws.vpce.ap-southeast-2.vpce-svc-01e4e31c294754b6e	com.amazonaws.vpce.ap-southeast-2.vpce-svc-0d1d69a0b1bf003cd	Coming soon	com.amazonaws.vpce.ap-southeast-2.vpce-svc-006a9808c3bf97fc1
eu-west-1	com.amazonaws.vpce.eu-west-1.vpce-svc-01c194b2265ecb86e	com.amazonaws.vpce.eu-west-1.vpce-svc-07b08296ff84e17a0	Coming soon	com.amazonaws.vpce.eu-west-1.vpce-svc-0d036df6dbc6ddadb
us-east-1	com.amazonaws.vpce.us-east-1.vpce-svc-0336437d577075951	com.amazonaws.vpce.us-east-1.vpce-svc-089b68950f5be1c22	Coming soon	com.amazonaws.vpce.us-east-1.vpce-svc-0c7d803ea7ebe3157
us-west-2	com.amazonaws.vpce.us-west-2.vpce-svc-06376c4a9be288ee9	com.amazonaws.vpce.us-west-2.vpce-svc-0da2bbb45fa4c3a6b	Coming soon	com.amazonaws.vpce.us-west-2.vpce-svc-0d78b8dec1a837389

Configure your AWS PrivateLink VPC endpoints 🔗

Follow these steps to create, use, and manage your AWS PrivateLink VPC endpoint:

Step 1: Request to add your AWS Account ID to the allow list
Step 2: Verify AWS Account ID is added to allow list
Step 3: Create a VPC endpoint
Step 4: Modify the endpoint to enable a Private DNS Name

Step 1: Request to add your AWS Account ID to the allow list 🔗

Reach out to Splunk Customer Support with the following information to include your AWS Account ID to the allow list:

AWS Account ID
AWS region
Endpoint type
- Ingest
- API
- Stream

Review the ways you can contact Splunk Customer Support at Splunk Observability Cloud support.

Step 2: Verify AWS Account ID is added to allow list 🔗

Caution

Wait for Splunk Customer Support’s confirmation that your AWS Account ID was added to the allow list before performing these steps. Support might take up to 24 hours.

To verify your AWS Account ID has been allowed, follow these steps:

Log in to the AWS Management Console, and open the Amazon VPC service in the specific region where you intend to set up AWS PrivateLink.
On the left navigation pane, select Endpoints.
Select Endpoint, and then Other endpoint services.
Enter and verify the service name based on the AWS region where you’re configuring the VPC endpoint. Identify the appropriate service name using the AWS PrivateLink service names table.

If you see the “Service name verified” message, proceed with Step 3: Create a VPC endpoint.

If you see the “Service name could not be verified” error message, your account ID is not yet allowed for the given service name. Reach out to Splunk Customer Support to check the status of your request from Step 1: Request to add your AWS Account ID to the allow list.

Step 3: Create a VPC endpoint 🔗

To create a VPC endpoint, follow these steps:

Log in to the AWS Management Console, and open Amazon VPC service within the specific region where you intend to set up AWS PrivateLink. If you have a VPC peering configuration, keep in mind the destination region of VPC peering.
On the left navigation pane, select Endpoints.
Select Create Endpoint, and then Other endpoint services.
Enter and verify the service name based on the AWS region where you’re configuring the VPC endpoint. Identify the appropriate service name using the AWS PrivateLink service names table.
Select the VPC in which you want to create the endpoint.
Choose the subnet or subnets within the VPC where the endpoint will reside. Make sure to select the subnets from the appropriate availability zones.
Set the IP address type to IPv4.
Specify the security group or groups controlling inbound and outbound traffic for the endpoint, and set the outbound rule for the selected security groups open for port 443.

The following image shows the security options for AWS PrivateLink:

Review the configuration details and select Create Endpoint.
Before proceeding to Step 4: Modify the endpoint to enable a Private DNS Name, confirm with Splunk Customer Support that you created the endpoint, that the service name has been verified, and that Support has enabled the endpoint urls.

Step 4: Modify the endpoint to enable a Private DNS Name 🔗

To modify the endpoint to enable a Private DNS Name, follow these steps:

Log in to the AWS Management Console.
Navigate to the Amazon VPC service in the region where you have created the VPC endpoint.
On the left navigation pane, select Endpoints.
Select the VPC endpoint you want to modify.
Select Actions, and then Modify Endpoint.
Enable the private DNS names under the Modify private DNS name settings.
After the process is completed, select Save Changes.

You can now start using the AWS PrivateLink URL mentioned in the AWS PrivateLink endpoint URLs table.

Delete a VPC endpoint 🔗

You can list, modify, tag, or delete your VPC endpoints.

To delete an endpoint, follow these steps:

Log in to the AWS Management Console and open the Amazon VPC service.
On the left navigation pane, select Endpoints.
Select the VPC endpoint you want to delete.
Confirm the deletion when prompted.

Advanced configuration: AWS PrivateLink with VPC peering 🔗

Examine a scenario where the workloads that you’re monitoring with Splunk Observability Cloud are in the AWS ap-south-1 region, and your Splunk Observability Cloud account is in AWS us-east-1. You want to use PrivateLink to ingest observability data, but PrivateLink only works within one AWS region.

In this scenario, carry out the following steps:

Ensure that you have a VPC set up in the destination region, in this example us-east-1. If you don’t have a VPC in that region, create a new one.
Use AWS VPC peering to peer the ap-south-1 and the us-east-1 VPCs together.
Activate AWS PrivateLink in the us-east-1 VPC.

Learn more about VPC Peering in the AWS documentation at Two VPCs peered together .

Report an issue 🔗

Before you create an issue or open a Splunk Customer Support request, gather the following information:

What happened and the impact of the issue.
All the steps you followed until the issue appeared.
What you expected as the outcome.
Your attempts to solve the issue, including workarounds.
The operating system, runtime or compiler version, libraries, frameworks, and application servers of your environment, including your instrumentation settings.
Debug logs and other logs that might help troubleshoot the issue.

To get help, see Splunk Observability Cloud support.

This page was last updated on Jul 19, 2024.

Related Topics