Private Connectivity using AWS PrivateLink
You can use Amazon Web Services (AWS) PrivateLink to secure your metric and trace traffic from your AWS environment to your Splunk Observability Cloud environment without exposing it to the Internet.
AWS PrivateLink connects your Virtual Private Cloud (VPC) to your AWS services, treating them as if they were in your VPC. You can create and use VPC endpoints to securely access AWS services and control the specific API endpoints and sites. To learn more, see "What is AWS PrivateLink?" in the AWS PrivateLink documentation.
Note
To send logs to Splunk Observability Cloud, use Splunk Log Observer Connect.
To send logs securely, use Private connectivity in Splunk Cloud Platform.
The following diagram shows an overview of how AWS PrivateLink for Splunk Observability Cloud works:
Prerequisites
To connect Splunk Observability Cloud to AWS using AWS PrivateLink, you need the following:
An active AWS account
A basic understanding of VPC concepts and networking principles
AWS PrivateLink availability and service name
The following tables show the AWS PrivateLink endpoint URLs and service names for each AWS region:
AWS PrivateLink endpoint URLs
AWS region | Ingest endpoint URL | API endpoint URL | Backfill endpoint URL | Stream endpoint URL |
---|---|---|---|---|
ap-northeast-1 | Coming soon | | | |
ap-southeast-2 | Coming soon | | | |
eu-west-1 | Coming soon | | | |
us-east-1 | Coming soon | | | |
us-west-2 | Coming soon | | | |
AWS PrivateLink service names
AWS region | Ingest endpoint service name | API endpoint service name | Backfill endpoint service name | Stream endpoint service name |
---|---|---|---|---|
ap-northeast-1 | com.amazonaws.vpce.ap-northeast-1.vpce-svc-086c8167a74323e5a | com.amazonaws.vpce.ap-northeast-1.vpce-svc-06e1951072fcabaaa | Coming soon | com.amazonaws.vpce.ap-northeast-1.vpce-svc-0aebd0dfe769cc20b |
ap-southeast-2 | com.amazonaws.vpce.ap-southeast-2.vpce-svc-01e4e31c294754b6e | com.amazonaws.vpce.ap-southeast-2.vpce-svc-0d1d69a0b1bf003cd | Coming soon | com.amazonaws.vpce.ap-southeast-2.vpce-svc-006a9808c3bf97fc1 |
eu-west-1 | com.amazonaws.vpce.eu-west-1.vpce-svc-01c194b2265ecb86e | com.amazonaws.vpce.eu-west-1.vpce-svc-07b08296ff84e17a0 | Coming soon | com.amazonaws.vpce.eu-west-1.vpce-svc-0d036df6dbc6ddadb |
us-east-1 | com.amazonaws.vpce.us-east-1.vpce-svc-0336437d577075951 | com.amazonaws.vpce.us-east-1.vpce-svc-089b68950f5be1c22 | Coming soon | com.amazonaws.vpce.us-east-1.vpce-svc-0c7d803ea7ebe3157 |
us-west-2 | com.amazonaws.vpce.us-west-2.vpce-svc-06376c4a9be288ee9 | com.amazonaws.vpce.us-west-2.vpce-svc-0da2bbb45fa4c3a6b | Coming soon | com.amazonaws.vpce.us-west-2.vpce-svc-0d78b8dec1a837389 |
Configure your AWS PrivateLink VPC endpoints
Follow these steps to create, use, and manage your AWS PrivateLink VPC endpoint:
Step 1: Request to add your AWS Account ID to the allow list
Reach out to Splunk Customer Support with the following information to add your AWS Account ID to the allow list:
AWS Account ID
AWS region
Endpoint type: Ingest, API, Stream
Review the ways you can contact Splunk Customer Support at Splunk Observability Cloud support.
Step 2: Verify AWS Account ID is added to allow list
Caution
Wait for Splunk Customer Support’s confirmation that your AWS Account ID was added to the allow list before performing these steps. Support might take up to 24 hours.
To verify your AWS Account ID has been allowed, follow these steps:
Log in to the AWS Management Console, and open the Amazon VPC service in the specific region where you intend to set up AWS PrivateLink.
On the left navigation pane, select Endpoints.
Select Endpoint, and then Other endpoint services.
Enter and verify the service name based on the AWS region where you’re configuring the VPC endpoint. Identify the appropriate service name using the AWS PrivateLink service names table.
If you see the “Service name verified” message, proceed with Step 3: Create a VPC endpoint.
If you see the “Service name could not be verified” error message, your account ID is not yet allowed for the given service name. Reach out to Splunk Customer Support to check the status of your request from Step 1: Request to add your AWS Account ID to the allow list.
Step 3: Create a VPC endpoint
To create a VPC endpoint, follow these steps:
Log in to the AWS Management Console, and open the Amazon VPC service within the specific region where you intend to set up AWS PrivateLink. If you have a VPC peering configuration, keep in mind the destination region of VPC peering.
On the left navigation pane, select Endpoints.
Select Create Endpoint, and then Other endpoint services.
Enter and verify the service name based on the AWS region where you’re configuring the VPC endpoint. Identify the appropriate service name using the AWS PrivateLink service names table.
Select the VPC in which you want to create the endpoint.
Choose the subnet or subnets within the VPC where the endpoint will reside. Make sure to select the subnets from the appropriate availability zones.
Set the IP address type to IPv4.
Specify the security group or groups controlling inbound and outbound traffic for the endpoint, and set the outbound rule for the selected security groups open for port 443.
Review the configuration details and select Create Endpoint.
Before proceeding to Step 4: Modify the endpoint to enable a Private DNS Name, confirm with Splunk Customer Support that you created the endpoint, that the service name has been verified, and that Support has enabled the endpoint URLs.
Step 4: Modify the endpoint to enable a Private DNS Name
To modify the endpoint to enable a Private DNS Name, follow these steps:
Log in to the AWS Management Console.
Navigate to the Amazon VPC service in the region where you have created the VPC endpoint.
On the left navigation pane, select Endpoints.
Select the VPC endpoint you want to modify.
Select Actions, and then Modify Endpoint.
Enable the private DNS names under the Modify private DNS name settings.
After the process is completed, select Save Changes.
You can now start using the AWS PrivateLink URL mentioned in the AWS PrivateLink endpoint URLs table.
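Steps 2 to 4 can also be run through the AWS CLI. The script below is an added example, not part of the Splunk documentation: the function names and the `AWS` override variable are its own, the VPC, subnet, security group and endpoint IDs are placeholders you supply, and it assumes the `aws` CLI is installed with credentials for the account that was added to the allow list.

```shell
#!/usr/bin/env bash
# Added example: Steps 2-4 via the AWS CLI. Resource IDs are the caller's own.
AWS=${AWS:-aws}   # AWS=echo prints the Step 2 and 3 commands instead of running them

# Step 2: a non-zero exit means the service name is not visible to this
# account yet, the CLI counterpart of "Service name could not be verified".
verify_service() {          # args: region service_name
  $AWS ec2 describe-vpc-endpoint-services --region "$1" --service-names "$2" \
    --query 'ServiceDetails[0].ServiceName' --output text
}

# Step 3: interface endpoint, IPv4, private DNS left off until Support confirms.
# $4 and $5 are space-separated lists and are left unquoted on purpose.
create_endpoint() {         # args: region service_name vpc_id "subnets" "sgs"
  $AWS ec2 create-vpc-endpoint --region "$1" --vpc-endpoint-type Interface \
    --service-name "$2" --vpc-id "$3" --ip-address-type ipv4 \
    --no-private-dns-enabled --subnet-ids $4 --security-group-ids $5 \
    --query 'VpcEndpoint.VpcEndpointId' --output text
}

# Step 4: refuse to enable private DNS unless the endpoint is available.
enable_private_dns() {      # args: region endpoint_id
  state=$($AWS ec2 describe-vpc-endpoints --region "$1" --vpc-endpoint-ids "$2" \
    --query 'VpcEndpoints[0].State' --output text) || return 1
  case "$state" in
    [Aa]vailable) ;;
    *) echo "endpoint $2 is '$state'; not enabling private DNS" >&2; return 1 ;;
  esac
  $AWS ec2 modify-vpc-endpoint --region "$1" --vpc-endpoint-id "$2" \
    --private-dns-enabled
}

# Example call (us-east-1 ingest service name from the table; other IDs are placeholders):
#   ./privatelink.sh create us-east-1 \
#     com.amazonaws.vpce.us-east-1.vpce-svc-0336437d577075951 \
#     vpc-EXAMPLE "subnet-EXAMPLE1 subnet-EXAMPLE2" sg-EXAMPLE
case "${1:-}" in
  verify) shift; verify_service "$@" ;;
  create) shift; create_endpoint "$@" ;;
  dns)    shift; enable_private_dns "$@" ;;
esac
```

Run `verify` first, then `create`, and run `dns` only after Splunk Customer Support has confirmed the endpoint.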
Delete a VPC endpoint
You can list, modify, tag, or delete your VPC endpoints.
To delete an endpoint, follow these steps:
Log in to the AWS Management Console and open the Amazon VPC service.
On the left navigation pane, select Endpoints.
Select the VPC endpoint you want to delete.
Confirm the deletion when prompted.
Advanced configuration: AWS PrivateLink with VPC peering
Examine a scenario where your source region, or region generating your data, is ap-south-1 and your destination region, or region where you have established your VPC connection and want to receive data, is us-east-1.
In this context, you need to establish a VPC endpoint within your destination region us-east-1. By activating AWS PrivateLink in this region, you obtain a seamless, secure, and private channel to access AWS services available in your source region, ap-south-1. This arrangement ensures that communication between the two VPCs occurs through an internal network, removing the necessity of routing traffic over the public Internet.
This enhancement bolsters data integrity and security, aligning with the goal of optimizing inter-region communication while upholding stringent data protection standards.
Learn more in the AWS documentation: https://docs.aws.amazon.com/vpc/latest/peering/peering-configurations-full-access.html#two-vpcs-full-access
Report an issue
Before you create an issue or open a Splunk Customer Support request, gather the following information:
What happened and the impact of the issue.
All the steps you followed until the issue appeared.
What you expected as the outcome.
Your attempts to solve the issue, including workarounds.
The operating system, runtime or compiler version, libraries, frameworks, and application servers of your environment, including your instrumentation settings.
Debug logs and other logs that might help troubleshoot the issue.
To get help, see Splunk Observability Cloud support.