This answers:
"If your Splunk platform is in a VPC, it must be publicly accessible with a public IP address. Also, grant Kinesis Data Firehose access to your Splunk platform by unblocking the Kinesis Data Firehose IP addresses. Kinesis Data Firehose currently uses the following CIDR blocks."
https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-splunk-vpc
Given this limitation we are moving away from firehose-splunk integration. Potentially firehose-lambda-splunk could be a workaround for this, given lambda functions can access VPC. Like to hear from others if there are alternative better solution to this.
... View more