Cribl Validated Architectures (CVA) Matrix
The CVA Matrix serves as the primary selection tool, detailing all validated reference architectures for Cribl Stream and Cribl Edge.
Before using this matrix, you must first familiarize yourself with the available topology blueprints and overlays, and complete the topology decision tree.
CVA Archetypes
The following sections present the content of the CVA Matrix, organized by archetype. Use these details to confirm the required components and operational guardrails for the pattern you selected using the topology decision tree.
Vanilla Cloud
This architecture is the simplest, most operationally streamlined deployment for a cloud-native environment, ideal for smaller workloads managed entirely by Cribl.Cloud.
| Dimension | Specification |
|---|---|
| Typical Scale | <5 Sources, single Destination and S3/Lake |
| Leader Placement & High Availability (HA) | Cribl.Cloud (Leader HA via Cribl.Cloud service) |
| Worker Groups | 1 Cribl-managed Worker Group |
| Sources | Push (HTTP/HEC), Syslog (TCP/TLS), smaller Pull (SQS/Event Hub) |
| Destinations | SIEM/Observability and Lake |
| Networking/Load Balancer (LB) | Cloud load balancer in front of Worker Group HTTP/S, Syslog VIP |
| Notes & Guardrails | Prefer Cribl-managed Worker Groups for operational simplicity. Avoid Worker Group to Worker Group unless required. For details, see Vanilla Cloud Guardrails. |
Vanilla On-Prem
The Vanilla On-Prem architecture offers a straightforward, self-managed solution for smaller, stable deployments where all components are hosted within your own data center.
| Dimension | Specification |
|---|---|
| Typical Scale | <5 Sources, single Destination and S3/Lake |
| Leader Placement & HA | On-prem Leader; optional standby and NFS for HA |
| Worker Groups | 1 customer-managed Worker Group |
| Sources | Syslog (TCP/TLS), HEC/HTTP, file tail |
| Destinations | SIEM/Analytics and object store |
| Networking/LB | L4/7 load balancer for HTTP; Syslog VIP to Worker Group |
| Notes & Guardrails | Good for small, stable sites; plan backups of Leader configuration. For details, see Vanilla On-prem Guardrails. |
Vanilla Hybrid
The Vanilla Hybrid archetype addresses environments with minimal on-prem collection needs that feed into a central, cloud-managed Cribl.Cloud Leader.
| Dimension | Specification |
|---|---|
| Typical Scale | Small set on-prem and Cribl.Cloud |
| Leader Placement & HA | Cribl.Cloud Leader (hybrid) |
| Worker Groups | 1 on-prem Worker Group |
| Sources | On-prem Push, light Pull; optional Cribl Edge |
| Destinations | Cloud SIEM/Obs and Lake |
| Networking/LB | Private link/VPN; Worker Group egress to Cribl.Cloud |
| Notes & Guardrails | Keep routing simple; place Worker Group close to data. For details, see Vanilla Hybrid Guardrails. |
Small Push/Pull
This architecture introduces separation of concerns by dedicating different Worker Groups to handle a small to medium mix of actively received (Push) and actively retrieved (Pull) Sources, simplifying scaling and troubleshooting.
| Dimension | Specification |
|---|---|
| Typical Scale | 2-8 Sources, mix of Push and Pull |
| Leader Placement & HA | Cribl.Cloud or on-prem Leader; optional HA |
| Worker Groups | 2 Worker Groups: one for Pull, one for Push |
| Sources | Event Hub, SQS, Kafka, HTTP, Syslog |
| Destinations | SIEM and Lake |
| Networking/LB | Dedicated load balancer for HTTP/Syslog |
| Notes & Guardrails | Separate Push vs. Pull to simplify scaling/debugging. For details, see Small/Medium Push-Pull Mix Guardrails. |
Medium Push/Pull
Designed for increasing scale and complexity (10-30+ Sources), this architecture uses multiple Worker Groups, often separated by data function or geographic region, to manage a large mix of Push and Pull data feeds.
| Dimension | Specification |
|---|---|
| Typical Scale | 10-30+ Sources; greater than 1 Destination |
| Leader Placement & HA | Cribl.Cloud Leader HA recommended |
| Worker Groups | 2 Worker Groups, add per Destination family or region |
| Sources | Large EventHub/SQS/Kafka and many HTTP/Syslog |
| Destinations | SIEM(s), Lake, Archives |
| Networking/LB | Network load balancers per Worker Group; regional VIPs |
| Notes & Guardrails | Introduce Worker Group by function or by geo; enforce routing boundaries. For details, see Small/Medium Push-Pull Mix Guardrails. |
All Cribl.Cloud (Large Worker Group)
This architecture is optimized for high-volume, Cribl.Cloud environments, using one or two large, Cribl-managed Worker Groups to ingest substantial throughput from cloud-native sources.
| Dimension | Specification |
|---|---|
| Typical Scale | High volume in cloud |
| Leader Placement & HA | Cribl.Cloud Leader with HA |
| Worker Groups | 1-2 large Cribl-managed Worker Groups |
| Sources | High-throughput Pull (SQS/EH/Kafka), Push |
| Destinations | Multiple |
| Networking/LB | Cloud load balancers; autoscaling where allowed |
| Notes & Guardrails | Break up Worker Group before CPU/job limits; customer-managed Worker Group caps apply. For details, see All-Cribl.Cloud (Large Worker Group) Guardrails. |
Cribl.Cloud/Hybrid (not Vanilla)
Moving beyond the “Vanilla” simplicity, this robust hybrid architecture handles multiple, geographically distributed Worker Groups spanning both Cribl.Cloud and customer-managed data centers for significant scale and complexity.
| Dimension | Specification |
|---|---|
| Typical Scale | Multiple Worker Groups across Cribl.Cloud and on-prem |
| Leader Placement & HA | Cribl.Cloud Leader HA |
| Worker Groups | 2-4 or more Worker Groups: by region and/or function |
| Sources | Mix of Push/Pull at scale |
| Destinations | Multiple |
| Networking/LB | Per-region load balancers; Worker Group to Worker Group over TLS |
| Notes & Guardrails | Prefer Worker Group to Worker Group only for clear boundaries; avoid chains. For details, see Cribl.Cloud/Hybrid (not Vanilla) Guardrails. |
Hybrid Feed to Cribl.Cloud
This archteype is used when on-prem Sources need to be forwarded to a cloud-based analytics platform, relying on on-prem Worker Groups solely as forwarders into Cribl.Cloud Worker Groups for processing.
| Dimension | Specification |
|---|---|
| Typical Scale | On-prem Sources but Cribl.Cloud analytics |
| Leader Placement & HA | Cribl.Cloud Leader HA |
| Worker Groups | 1-2 on-prem Worker Groups feeding Cribl.Cloud Worker Groups |
| Sources | Syslog/HTTP on-prem; Pull where needed |
| Destinations | Cloud SIEM/Lake |
| Networking/LB | Private link/VPN; allow-lists |
| Notes & Guardrails | Do bifurcation in Cribl.Cloud Worker Group. Split the incoming data stream, so that a small, performance-critical subset goes to the hot path (real-time analytics), and the full-fidelity stream goes to the warm path (low-cost object storage). For details, see Hybrid Feed to Cribl.Cloud Guardrails |
Large Push/Pull (Multi-Push)
Catering to environments with many large Push Sources, this highly segmented architecture uses three or more dedicated Worker Groups to ensure optimal performance and isolation for high-volume data streams like Syslog and HTTP.
| Dimension | Specification |
|---|---|
| Typical Scale | Many large Push Sources |
| Leader Placement & HA | Leader HA |
| Worker Groups | 3 Worker Groups: Push, Pull, High-volume dedicated |
| Sources | Syslog/HTTP at scale |
| Destinations | Multiple |
| Networking/LB | Separate VIPs per Source family |
| Notes & Guardrails | Dedicated Syslog Worker Group mitigates TCP pinning. For details, see Large Push/Pull (Multi-Push) Guardrails. |
Pull-Heavy Sources
This architecture is explicitly designed for Pull-heavy environments dominated by Sources like SQS, Event Hub, or Kafka, requiring optimized Worker Groups with tuned processes to manage numerous concurrent jobs.
| Dimension | Specification |
|---|---|
| Typical Scale | Pull-heavy |
| Leader Placement & HA | Leader HA |
| Worker Groups | Pull-optimized Worker Group(s) with tuned Worker processes |
| Sources | SQS/Event Hub/Kinesis/Kafka |
| Destinations | Multiple |
| Networking/LB | Tune worker processes; job limits |
| Notes & Guardrails | Split by topic/namespace; avoid noisy neighbors. For details, see Pull-Heavy Sources Guardrails. |
Worker Group to Worker Group
This architecture introduces clear boundaries and isolation by chaining Worker Groups, typically to separate data processing by region, team, or function, and requires strict schema contracts and version control.
| Dimension | Specification |
|---|---|
| Typical Scale | Boundaries between teams/regions |
| Leader Placement & HA | Leader HA |
| Worker Groups | Source-facing Worker Group(s) to core Worker Group(s) |
| Sources | Any |
| Destinations | Any |
| Networking/LB | mTLS, version discipline |
| Notes & Guardrails | Keep chains 1 hop or less; schema contracts required. For details, see General Worker Group to Worker Group Guardrails. |
Edge Fleets to Worker Groups
This architecture is focused on distributed data collection and consolidation. It uses lightweight Cribl Edge Fleets deployed across numerous endpoints and remote sites to gather data. The Edge Fleets then efficiently feed all of that collective data into regional Worker Groups for centralized processing.
| Dimension | Specification |
|---|---|
| Typical Scale | Collect at Source/DMZ/branch |
| Leader Placement & HA | Leader HA |
| Worker Groups | Edge Fleets and regional Worker Groups |
| Sources | Edge Collectors to HTTP/Syslog |
| Destinations | Any |
| Networking/LB | Regional VIPs; short paths |
| Notes & Guardrails | Use Edge for fan-in, filtering, resiliency. For details, see Cribl Edge Fleet to Worker Group Guardrails. |