Give Cloud Apps a Static Outbound IP for Splunk Cloud IP Allow Lists

June 23, 2026

Once you lock down a Splunk Cloud IP allow list, every cloud app sending to HEC or calling the search head API must come from an allowlisted IP. QuotaGuard gives you two static IPs to register once.

Splunk Cloud Platform lets you restrict each feature (HEC ingestion, search head API access, indexer ingestion) to specific IP subnets. The moment you turn that restriction on, any cloud app sending data or running queries from a rotating outbound IP gets blocked. Route those apps through QuotaGuard and you get two static IPs that go on the Splunk allow list once and stay valid across every deploy.

This post is for developers and platform teams whose cloud apps send events to Splunk Cloud over HEC, or call the search head API for automated search, from infrastructure with dynamic egress IPs.

Splunk Cloud Allow Lists Are Open Until You Lock Them, Then They Block Everything Unlisted

Splunk documents the default behavior plainly: IP allow lists start open, set to 0.0.0.0/0. The moment you add an IP to an open allow list, the list restricts access to only the IPs on it, and anything not listed is blocked.

That's the trigger. As long as the list is open, your cloud app sends to Splunk fine. The day your security team locks down HEC ingestion or search head API access to known subnets, every app sending from a rotating cloud IP starts failing, because those IPs aren't on the list and change on every deploy.

Splunk's allow lists are per-feature. The ones that matter for app egress are HEC access for ingestion on port 443 (your app sending HTTP events to Splunk indexers) and search head API access on port 8089, which Splunk notes applies to automated interfaces. Both are customer-managed, in Splunk Web or through the Admin Config Service API, and both are satisfied by a fixed outbound IP.

Add Your Static IPs to the Right Feature Tab

Splunk's allow list management separates each feature into its own tab, and a subnet you add to one feature grants access to that whole tier. Add your QuotaGuard IPs to the specific feature your app uses, not all of them.

  1. In Splunk Web, go to Settings, then Server settings, then IP allow list. You need a role with the edit_ip_allow_list capability (sc_admin has it by default) and token authentication enabled.
  2. Select the tab for the feature your app uses: HEC access for ingestion if your app sends events, Search head API access if your app runs automated searches.
  3. Click Add IP subnet and enter each of your two QuotaGuard static IPs in CIDR notation.
  4. Click Save. Changes can take 15 minutes or more to propagate.

Splunk won't let you delete the final subnet on a feature's list, a safety measure against locking yourself out. Keep that in mind when you reconfigure: add your new IPs before removing old ones.

Route Your App's Splunk Traffic Through QuotaGuard

HEC ingestion is an HTTPS POST to your Splunk Cloud endpoint on port 443, so it routes through a standard HTTP proxy. Set your QuotaGuard proxy URL and send the HEC request through it. Here's the pattern in Python with requests:

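import os
import requests

# Route HTTPS traffic through the QuotaGuard static proxy.
proxies = {
    "https": os.environ["QUOTAGUARDSTATIC_URL"]
}

# Send one test event to the HEC endpoint on port 443.
response = requests.post(
    "https://http-inputs-yourstack.splunkcloud.com/services/collector/event",
    headers={"Authorization": f"Splunk {os.environ['SPLUNK_HEC_TOKEN']}"},
    json={"event": {"message": "test event"}, "sourcetype": "_json"},
    proxies=proxies,
    timeout=10,  # fail fast instead of hanging if the request is blocked
)

print(response.status_code)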

Every request exits from one of your two static IPs. Those are the IPs you add to the HEC access allow list. The same proxy URL works across Dev, Staging, and Production, so you allowlist two IPs total, not one pair per environment.

QuotaGuard Tip: Add Both Static IPs Before You Lock the Allow List

QuotaGuard provides two static IPs per account behind a load balancer for redundancy. Add both to the Splunk feature's allow list before you remove the open 0.0.0.0/0 default. If you only add one, roughly half your HEC events will fail when the load balancer routes through the unregistered IP, and the gap looks like intermittent data loss in your Splunk index, which is painful to diagnose.

Non-HTTP Forwarder Traffic Uses a Different Path

The proxy above covers HEC (HTTPS) and search head API (HTTPS) traffic. Splunk's indexer ingestion allow list on port 9997 is for universal or heavy forwarders sending over the s2s protocol, which is raw TCP, not HTTP. An HTTP proxy won't carry that.

If you need a static IP for forwarder traffic on port 9997, QGTunnel handles non-HTTP TCP without changing your forwarder config. It routes the connection through QuotaGuard so your indexers see traffic from your two static IPs. For most cloud apps the HEC path is the relevant one, and HEC goes through the standard proxy.

Use QuotaGuard Shield for Regulated Log Data

Splunk Cloud often carries security logs, audit trails, and application data that includes regulated content. If your events contain PHI, payment data, or PII under HIPAA or PCI-DSS, use QuotaGuard Shield rather than Static. Shield uses SSL passthrough, so the TLS connection runs end-to-end between your app and Splunk and QuotaGuard never decrypts the data in transit. That keeps QuotaGuard out of the compliance scope for the data flowing through it. Splunk's own "Search head UI access" and "IDM UI access" allow lists are described for regulated customer environments, which is exactly the audience Shield fits. Shield starts at $29 per month on a direct plan. See QuotaGuard Shield for the passthrough details.

Verify Your Egress IP Before You Lock the Allow List

Confirm what IP your app actually exits from before you remove the open default and risk blocking your own ingestion. Run a check through the proxy:

curl -x "$QUOTAGUARDSTATIC_URL" http://ip.quotaguard.com

That returns your QuotaGuard static IP, not your cloud platform's rotating range. Both IPs are in your dashboard. Add both to the Splunk feature's allow list, confirm ingestion still works, and only then remove the 0.0.0.0/0 default.
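A pre-lockdown check for the sequence described above (sample egress, add both IPs, remove the open default last), as an added example that is not QuotaGuard or Splunk code. The function name `plan_lockdown` is hypothetical, the IPs are documentation-range placeholders, and the allow list is modelled as plain CIDR strings with 0.0.0.0/0 present while it is open.

```python
import ipaddress

OPEN_DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def plan_lockdown(current, static_ips, observed):
    """Return (steps, problems) for locking one feature's allow list.

    current: CIDR strings on the list now; static_ips: the two proxy IPs;
    observed: egress IPs sampled through the proxy before the change.
    """
    current_nets = {ipaddress.ip_network(c) for c in current}
    wanted = {ipaddress.ip_network(f"{ip}/32") for ip in static_ips}
    problems = []
    # Every address the app was seen exiting from must be one we plan to list.
    for ip in sorted(set(observed)):
        if not any(ipaddress.ip_address(ip) in net for net in wanted):
            problems.append(f"observed egress {ip} is not a planned static IP")
    # Both load-balanced IPs should appear in the sample; a missing one means
    # the sample is too small or the value copied from the dashboard is wrong.
    for net in sorted(wanted):
        if str(net.network_address) not in observed:
            problems.append(f"static IP {net.network_address} never observed")
    # Additions always come first, so no needed IP is ever missing mid-change.
    steps = [("add", str(n)) for n in sorted(wanted - current_nets)]
    if not problems:
        stale = current_nets - wanted
        # Removals only after a clean check, with the open default removed last.
        for n in sorted(stale, key=lambda n: (n == OPEN_DEFAULT, n)):
            steps.append(("remove", str(n)))
    return steps, problems

if __name__ == "__main__":
    # Constructed sample: repeated proxy checks returned both static IPs.
    steps, problems = plan_lockdown(
        current=["0.0.0.0/0"],
        static_ips=["203.0.113.10", "203.0.113.20"],
        observed=["203.0.113.10", "203.0.113.20", "203.0.113.10"],
    )
    for action, subnet in steps:
        print(action, subnet)
    for p in problems:
        print("BLOCKED:", p)
```

When `problems` is non-empty the plan contains only additions, so the open default stays in place until the egress sample is clean.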

Get a Static Outbound IP for Splunk Cloud

Splunk Cloud's IP allow lists are a strong control, and they break every cloud app sending from a rotating IP the moment you enable them. QuotaGuard gives your apps two stable IPs to register once against the HEC or search head API feature, valid across every deploy and scaling event.

QuotaGuard Static starts at $19 per month on a direct plan, with two static IPs, bandwidth bundled, and no per-GB fees. Production is $49 per month and Business is $89 per month. Dedicated IPs are available on the Enterprise plan at $219 per month, which suits regulated Splunk environments that need an egress IP no other customer shares.

See plans and start a trial at quotaguard.com/products/pricing. To talk through a specific Splunk Cloud ingestion setup, contact us and an engineer will respond directly.
