Splunk over IPv6 runbook for Splunk Cloud Platform customers
This article provides step-by-step instructions for enabling IPv6 traffic in DualStack mode for Splunk Cloud Platform deployments.
Prerequisites
If you use Splunk ITSI or Splunk Enterprise Security, you might need to update your Splunk Cloud Platform version, which might require scheduling a maintenance window. In addition, you will need to upgrade the premium applications to the following versions.
- Splunk ITSI 4.17.0. For more information about IPv6 and ITSI, refer to the "Support for IPv6" section of the New features in the Splunk IT Service Intelligence.
- Splunk Enterprise Security 8.0.0. For more information about IPv6 and ES, refer to the "Support for IPv6" section of the Release notes for Splunk Enterprise Security.
IPv6 is not supported on any other Splunk premium apps.
Procedure
- Contact your Splunk Solution Engineer or Regional Sales Manager to let them know you want to enable IPv6 traffic in DualStack mode for Splunk Cloud Platform.
- Work with your Solution Engineer to assess readiness, considering third-party integrations, Splunkbase apps, and network customizations.
- Your Solution Engineer provides you with Splunk IPv6 addresses.
- Update the firewall rules to let IPv6 traffic flow to and from Splunk Cloud Platform.
You might need to go through a multi-step compliance process to update the firewall.
- Email your Splunk Solution Engineer or Regional Sales Manager to inform them that the firewall has been updated.
- The Splunk TechOps team determines the process for enabling IPv6.
- The Splunk TechOps team notifies you that IPv6 traffic in DualStack mode is successfully enabled and that traffic to and from Splunk Cloud Platform flows over IPv6.
- Splunk recommends that you keep the IPv4 addresses and IPv4 firewall rules so that, if there are any issues with IPv6, the traffic falls back to IPv4 and, thanks to the DualStack mode, no data is lost. This ensures a smooth transition period. You can later turn off IPv4 traffic to achieve an IPv6-only setup. When you do so, remember to allowlist IPv6 subnets in the Admin Config Service so that connections to the Search Head, Input Data Manager, and HTTP Event Collector (HEC), and connections over the Splunk-to-Splunk (S2S) protocol, remain possible. To avoid losing access, you must do this first from your IPv4 subnets before you cut over.
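The following pre-cutover check is an added example, not Splunk code. It takes the allow lists you have recorded for each feature named in the last step and reports every client source that would lose access once IPv4 is turned off. The feature keys, function name, and sample subnets (documentation prefixes) are assumptions made for this example and are not Admin Config Service identifiers.

```python
import ipaddress

# Features the runbook names as needing IPv6 allow-list entries before IPv4 is
# turned off. Keys are labels chosen for this example (hypothetical), not ACS names.
FEATURES = ("search_head", "input_data_manager", "hec", "s2s")

def cutover_gaps(allowlists, sources):
    """Return {feature: [source, ...]} for sources that lose access on an IPv6-only setup.

    allowlists: {feature: [subnets]}  IPv4 and IPv6 mixed, as during DualStack
    sources:    {feature: [client addresses or subnets]} that must keep access
    """
    gaps = {}
    for feature in FEATURES:
        nets = [ipaddress.ip_network(s, strict=False) for s in allowlists.get(feature, [])]
        v6_allowed = [n for n in nets if n.version == 6]
        for src in sources.get(feature, []):
            src_net = ipaddress.ip_network(src, strict=False)
            # An IPv4-only source has no path after cutover; an IPv6 source
            # must sit entirely inside one allowlisted IPv6 subnet.
            covered = src_net.version == 6 and any(
                src_net.subnet_of(allowed) for allowed in v6_allowed
            )
            if not covered:
                gaps.setdefault(feature, []).append(src)
    return gaps

# Constructed sample data (RFC 5737 / RFC 3849 documentation ranges).
SAMPLE_ALLOWLISTS = {
    "search_head": ["198.51.100.0/24", "2001:db8:10::/48"],
    "input_data_manager": ["198.51.100.0/24"],            # IPv6 never added
    "hec": ["203.0.113.0/24", "2001:db8:20::/48"],
    "s2s": ["203.0.113.0/24", "2001:db8:20:1::/64"],      # wrong /64 allowlisted
}
SAMPLE_SOURCES = {
    "search_head": ["2001:db8:10:5::/64"],
    "input_data_manager": ["2001:db8:10:5::/64"],
    "hec": ["2001:db8:20:2::15", "203.0.113.40"],         # one sender still IPv4-only
    "s2s": ["2001:db8:20:2::/64"],
}

if __name__ == "__main__":
    for feature, missing in cutover_gaps(SAMPLE_ALLOWLISTS, SAMPLE_SOURCES).items():
        print(f"{feature}: not reachable after IPv4 is turned off: {', '.join(missing)}")
```

An empty result means every listed source is covered by an IPv6 allow-list entry for its feature; any entry in the result should be resolved while the IPv4 rules are still in place.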