Cloud Enrichment
Cloud Enrichment adds cloud context to flow records, helping you understand which public cloud providers, services, and regions your traffic is reaching — and, for cloud-originated traffic, mapping cloud resource identifiers like EC2 instance names or Azure VM names to the flows they generate.
NFO provides two tiers of cloud enrichment:
- Service & Region — works out of the box for all deployments, including on-premises traffic destined for public clouds. No cloud account or credentials required.
- Cloud-specific — available when cloud flow log ingestion is configured. Adds resource-level fields such as instance names and VPC identifiers, using the same EDFN credentials configured for ingestion.
How It Works
Service & Region (Built-in)
NFO maintains a built-in IP range lookup table covering AWS, Azure, Google Cloud, and OCI. For every flow, NFO checks whether the source or destination IP falls within a known cloud provider range and appends up to four fields:
| Field | Example |
|---|---|
| src_cloud_service | EC2, AzureAppService |
| dest_cloud_service | S3, GoogleCloud |
| src_cloud_region | us-east-1, eastus |
| dest_cloud_region | eu-west-1, europe-west1 |
This enrichment is active automatically for all flows — no configuration required.
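The lookup described above can be sketched as follows. This is an added example, not NFO's own code: the range table is constructed from RFC 5737 documentation ranges rather than real provider ranges, the `src_ip` / `dest_ip` record keys are assumed names, and resolving overlapping ranges by "most specific range wins" is an assumption.

```python
import ipaddress

# Constructed sample table (documentation ranges, not real provider data):
# (CIDR, service, region)
SAMPLE_RANGES = [
    ("198.51.100.0/24", "EC2", "us-east-1"),
    ("198.51.100.128/25", "S3", "us-east-1"),  # narrower range inside the /24
    ("203.0.113.0/24", "AzureAppService", "eastus"),
]


def build_table(ranges):
    """Parse each CIDR once and sort most-specific first, so the first hit wins."""
    table = [(ipaddress.ip_network(cidr), svc, region) for cidr, svc, region in ranges]
    table.sort(key=lambda row: row[0].prefixlen, reverse=True)
    return table


def lookup(table, ip):
    """Return (service, region) for the most specific matching range, else None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # missing or malformed address: leave the flow un-enriched
    for net, svc, region in table:
        if addr.version == net.version and addr in net:
            return svc, region
    return None


def enrich(flow, table):
    """Return a copy of the flow record with up to four cloud fields appended."""
    out = dict(flow)
    for side, key in (("src", "src_ip"), ("dest", "dest_ip")):
        hit = lookup(table, flow.get(key, ""))
        if hit:
            out[f"{side}_cloud_service"], out[f"{side}_cloud_region"] = hit
    return out


if __name__ == "__main__":
    table = build_table(SAMPLE_RANGES)
    # Constructed flow records: on-premises to cloud, then cloud to cloud.
    for flow in (
        {"src_ip": "10.0.0.5", "dest_ip": "198.51.100.200"},
        {"src_ip": "198.51.100.10", "dest_ip": "203.0.113.7"},
    ):
        print(enrich(flow, table))
```

A flow whose address matches no range keeps its original fields only, which is why the text says "up to four" fields.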
Cloud-Specific Enrichment
When cloud flow log ingestion is configured, the EDFN agent uses its existing cloud API access to resolve resource identifiers to human-readable names and tags. No additional credentials are required beyond what ingestion already uses.
| Cloud | Additional fields |
|---|---|
| AWS | src_inst_name, dest_inst_name, vpc_id, subnet_id |
| Azure | VM names, resource group context |
| Google Cloud | VM instance names, project labels |
| OCI | Instance names, compartment context |
Cloud-specific enrichment fields are only present in flows ingested via the corresponding cloud flow log input. For configuration, see the ingestion guide for your cloud provider under Cloud Flow Logs.
Enrichment Fields by Cloud
Select your cloud provider for a full list of enriched fields and notes on what requires cloud ingestion vs. what is available from the built-in lookup:
Cloud Service & Region
Built-in lookup covering all four clouds. No configuration required. Available for all traffic — on-premises, cloud-originated, or hybrid.
AWS
Fields added when AWS VPC Flow Log ingestion is configured, including EC2 instance names, VPC and subnet identifiers, and public IP mapping.
Azure
Fields added when Azure NSG / VNet Flow Log ingestion is configured, including VM names and virtual network context.
Google Cloud
Fields added when Google Cloud VPC Flow Log ingestion is configured, including Compute Engine instance names and project labels.
OCI
Fields added when Oracle Cloud VCN Flow Log ingestion is configured, including instance names and compartment context.
Next Steps
If you only need to identify which cloud provider, service, and region traffic is reaching, no setup is required — Cloud Service & Region enrichment is active automatically. For resource-level fields, configure cloud flow log ingestion for your provider first, then refer to the cloud-specific page above for the full list of enriched output fields.