Splunk Cloud Static IPs

QuotaGuard gives your forwarder or HEC client two fixed egress IPs, so you can add them to the Splunk Cloud IP allow list and keep every other source out.

Splunk Cloud allowlists inbound data by source IP, per feature. Your forwarder is the client connecting in, and Splunk checks the address it arrives from. When that app runs on rotating cloud IPs, the allow list goes stale and your data gets rejected.

Set one environment variable, route your Splunk traffic through QuotaGuard, and add the two IPs to the allow list once. They stay fixed through deploys, restarts, and plan changes.

A cloud-hosted forwarder and a HEC client sending data through two QuotaGuard static IPs into a Splunk Cloud stack while a random cloud IP is rejected at the IP allow list

Add Two Fixed IPs to the Splunk Cloud Ingest Allow Lists

You satisfy a Splunk Cloud IP allow list with two fixed egress IPs, because Splunk checks the source address your forwarder or HEC client arrives from. The allow list is per feature, so each ingest path has its own list that you manage through the Admin Config Service (ACS) API or the IP allow list management page in Splunk Web.

Splunk's own guidance is that you must add the IP subnet that contains the forwarder's IP address to the correct allow list. A rotating cloud IP makes that subnet a moving target. Two QuotaGuard IPs make it a one-time entry.

HEC, s2s, and search-api Each Have Their Own List

Splunk Cloud scopes allow lists by feature type. The hec list gates the HTTP Event Collector, s2s gates forwarder-to-indexer traffic, and search-api gates programmatic search. You add your two QuotaGuard IPs to whichever features your integration actually uses.

Set It Through the ACS API or Splunk Web

The ACS API and the IP allow list management page in Splunk Web are the two supported ways to edit a list. IPv6 subnets are supported alongside IPv4. Splunk enforces a limit of 200 subnets per feature and 230 shared across the group, so a tight two-IP entry leaves headroom.

Most Lists Default Open Until You Lock Them Down

Many feature allow lists ship open at 0.0.0.0/0, so ingest works until you restrict it. The moment you tighten a list to real subnets, an app on a rotating AWS or Heroku IP starts getting rejected. Two static IPs are what keep it passing after lockdown.

Three ingest paths (hec, s2s, search-api) each pointing at a Splunk Cloud feature allow list with the customer's two fixed IPs added via the ACS API and Splunk Web

Compliance Stacks Force Allowlisting, and Shield Keeps the Data Encrypted

On a Splunk Cloud compliance stack, allowlisting stops being optional and a stable egress IP becomes required infrastructure. QuotaGuard supplies that IP, and QuotaGuard Shield carries the regulated log data end to end without decrypting it.

PCI and HIPAA Stacks Close search-api and search-ui by Default

On PCI and HIPAA compliance stacks, the search-api and search-ui allow lists are closed by default, so nothing reaches them until you add an approved subnet. Your two QuotaGuard IPs are the entries that let your tools connect while everything else stays blocked.

FedRAMP High Removes Self-Service, So a Stable IP Matters More

On FedRAMP High, ACS self-service allow list changes are not supported, and you contact Splunk Support to change a list. An egress IP that rarely changes turns that into a one-time request instead of a support ticket after every deploy.

Shield SSL Passthrough for Regulated Log Data

Splunk logs can carry PHI, cardholder data, or other regulated PII. QuotaGuard Shield uses SSL passthrough and does not decrypt the payload in ordinary operation, which fits HIPAA, PCI-DSS, and SOC 2 review. Static satisfies the allow list for standard operational logs.

A PCI and HIPAA compliance-stack Splunk Cloud tenant with search-api and search-ui allow lists closed by default and two QuotaGuard IPs added as the only permitted subnets, with a Shield SSL-passthrough badge

A Load-Balanced Pair Keeps Ingest Flowing Across Regions

QuotaGuard runs your Splunk traffic through a load-balanced pair of static IPs, so a single-node issue never stops your data reaching the indexers. The IPs stay the same as your subscription changes, so the allow list you set once keeps working.

Two Load-Balanced IPs With Automatic Failover

Each subscription runs a load-balanced pair with health checks and automatic failover. Add both to the Splunk allow list once, and traffic routes through whichever IP responds, so forwarder connections and HEC posts keep landing during a node event.

Eleven AWS Regions Close to Your Stack

Proxies run in eleven AWS regions, selected at sign-up so your forwarder reaches your Splunk Cloud region with low latency. Pick the region nearest your stack to keep ingest round trips short.

IPs Stay Fixed Through Plan Changes

Your two IPs do not change when you upgrade or downgrade your subscription. A Splunk allow list entry you set once keeps passing, so a plan change never turns into a data-loss incident on the ingest path.

A load-balanced QuotaGuard pair with health checks routing a forwarder's s2s connection through whichever IP responds first

FAQs

Common questions about Splunk Cloud static IPs and QuotaGuard.

Does my Splunk Cloud integration need a static IP?

Only once you restrict a feature's IP allow list to real subnets, which most teams do to keep unknown sources out of ingest and search. Many Splunk Cloud allow lists default open at 0.0.0.0/0, so data flows until you lock a list down. The moment you do, a forwarder or HEC client on a rotating cloud IP starts getting rejected, because Splunk checks the source IP the connection arrives from. Two static IPs keep that entry valid after lockdown.

How fast can I set up QuotaGuard for Splunk Cloud?

About 2 minutes on the QuotaGuard side: add one environment variable and point your forwarder or HEC client at QuotaGuard as the proxy for outbound traffic to your Splunk Cloud stack. Then add your two static IPs to the correct feature allow list through the ACS API or the IP allow list management page in Splunk Web. The Splunk side is a config change, not a migration.

Which Splunk Cloud allow list do I add the IPs to?

The one that matches your ingest path. Splunk scopes allow lists by feature type: hec for the HTTP Event Collector, s2s for forwarder-to-indexer traffic, and search-api or search-ui for search, plus idm and hf. Add your two QuotaGuard IPs to each feature your integration uses. Splunk allows up to 200 subnets per feature and 230 shared across the group, so a two-IP entry stays well inside the limit.

Should I use QuotaGuard Static or Shield for Splunk Cloud?

Static satisfies the IP allow list and is right for standard operational logs. Use Shield when the data flowing to Splunk carries PHI, cardholder data, or other regulated PII, or when your stack is under SOC 2, PCI-DSS, or HIPAA review, because Shield uses SSL passthrough and does not decrypt the payload in ordinary operation. Some teams run Static for general logging and Shield for the flows that touch regulated data.

How does allowlisting work on a PCI or HIPAA compliance stack?

On PCI and HIPAA compliance stacks, the search-api and search-ui allow lists are closed by default, so nothing reaches them until you add an approved subnet. That makes a stable egress IP required, not optional. Your two QuotaGuard IPs are the subnets you add so approved tools connect while everything else stays blocked. Confirm the current defaults for your stack in Splunk's docs before you rely on them.

Does the Splunk Cloud allow list support CIDR ranges and IPv6?

Yes. You add subnets in CIDR notation, and ACS allow lists support IPv6 alongside IPv4. The format is never the problem. It is that PaaS hosts like Render, Railway, Heroku, and Fly.io do not publish narrow CIDR blocks, so allowlisting your platform's range would trust every other customer on it. Two specific QuotaGuard IPs keep the entry tight.

Can I get a dedicated IP for Splunk Cloud?

Yes. Dedicated IPs are included on QuotaGuard Enterprise plans, at $219/month for QuotaGuard Static and $269/month for QuotaGuard Shield on direct billing. A dedicated pair fits when your Splunk allow list must not share an origin with any other organization's traffic. Contact QuotaGuard support after signup with your username and preferred region.

What about traffic coming from Splunk Cloud, like search callbacks or alert webhooks?

Those flow in the opposite direction, from Splunk out to your endpoint, so the allow list you manage on the Splunk side does not apply to them. QuotaGuard handles the outbound path from your forwarder or app into Splunk Cloud. If you also need a fixed inbound endpoint for a receiver that Splunk alerts call, QuotaGuard Static includes inbound proxy capability on direct plans starting at $19/month.

🚀 Ready to Get Started? Choose Your QuotaGuard Path

QuotaGuard STATIC

Why: You need a rock-solid, fixed IP for general API access, AI workflows, or standard third-party integrations.
Best For: Developers, startups, and general application connectivity.
Key Feature: SOCKS5 support for secure database access.
Sign Up for QG Static

QuotaGuard SHIELD

Why: You handle HIPAA, PCI, or sensitive PII data and require End-to-End Encryption (E2EE) for full compliance.
Best For: Regulated industries, financial services, and healthcare.
Key Feature: SSL Passthrough and key isolation.
Sign Up for QG Shield

Trusted by Engineering Teams Everywhere

Reliability Engineered for the Modern Cloud

For over a decade, QuotaGuard has provided reliable, high-performance static IP and proxy solutions for cloud environments like Heroku, Kubernetes, and AWS.

Get the fixed identity and security your application needs today.