Cloud Enrichment — Google Cloud
Enriched fields produced by this configuration are available in the Network Conversations Module output.
When Google Cloud VPC Flow Log ingestion is configured, NFO enriches flows with Compute Engine instance names, VPC and subnetwork identifiers, and project context. The EDFN agent uses the same service account credentials configured for ingestion to retrieve this metadata. No additional access configuration is required.
Prerequisite: GCP VPC Flow Log ingestion must be configured first. See GCP VPC Flow Logs Configuration for setup instructions.
Enriched Fields
The table below lists the enrichment fields added by NFO to GCP flow records. Fields marked as Built-in are populated from the Cloud Service & Region lookup and require no ingestion setup.
| Field | Source | Description |
|---|---|---|
| src_cloud_service | Built-in | Google Cloud service associated with the source IP |
| dest_cloud_service | Built-in | Google Cloud service associated with the destination IP |
| src_cloud_region | Built-in | GCP region of the source IP (e.g. us-central1, europe-west1) |
| dest_cloud_region | Built-in | GCP region of the destination IP |
| src_vm_name | Ingestion | Name of the source Compute Engine instance |
| dest_vm_name | Ingestion | Name of the destination Compute Engine instance |
| src_vpc_name | Ingestion | Source VPC network name |
| dest_vpc_name | Ingestion | Destination VPC network name |
| src_subnet_name | Ingestion | Source subnetwork name |
| dest_subnet_name | Ingestion | Destination subnetwork name |
| project_id | Ingestion | GCP project ID associated with the flow |
When Append Metadata is enabled in the EDFN agent settings, additional VM metadata fields are included in the output where available.
How Enrichment Is Updated
The EDFN agent periodically queries the GCP Compute Engine API to refresh its lookup of instance names, VPC names, and subnetwork identifiers. The refresh interval is controlled by the Cron Schedule setting in the EDFN Agent configuration for GCP VPC Flow Logs.
For multi-project environments, the agent automatically discovers project IDs from incoming flow log data and adds them to its monitored project list on each refresh cycle.
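The refresh-and-enrich cycle described above, written out as an added example; this is not NFO or EDFN agent code. The Compute Engine instance list is a constructed sample shaped like items of a compute.instances.list response (only the fields used here are shown), the flow records are constructed, and the names SAMPLE_INSTANCES_BY_PROJECT, SAMPLE_FLOWS, refresh, resolve and enrich_flow are this example's own. The lookup is keyed by (project, IP) rather than IP alone, because private address ranges can overlap across VPCs in different projects; a cross-project fallback is only taken when exactly one instance anywhere owns the address, and an address that cannot be resolved is left unenriched rather than guessed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

@dataclass(frozen=True)
class InstanceInfo:
    vm_name: str
    vpc_name: str
    subnet_name: str
    project_id: str

# Keyed by (project_id, internal IP): private ranges overlap across VPCs, so IP alone is unsafe.
Lookup = Dict[Tuple[str, str], InstanceInfo]

# Constructed sample shaped like compute.instances.list items (an assumption for this example).
SAMPLE_INSTANCES_BY_PROJECT: Dict[str, List[dict]] = {
    "prod-net": [
        {"name": "web-1", "networkInterfaces": [{
            "networkIP": "10.128.0.5",
            "network": "projects/prod-net/global/networks/prod-vpc",
            "subnetwork": "projects/prod-net/regions/us-central1/subnetworks/web-subnet"}]},
        {"name": "db-1", "networkInterfaces": [{
            "networkIP": "10.128.1.9",
            "network": "projects/prod-net/global/networks/prod-vpc",
            "subnetwork": "projects/prod-net/regions/us-central1/subnetworks/db-subnet"}]},
    ],
    "shared-svc": [
        {"name": "proxy-1", "networkInterfaces": [{
            "networkIP": "10.200.0.2",
            "network": "projects/shared-svc/global/networks/shared-vpc",
            "subnetwork": "projects/shared-svc/regions/europe-west1/subnetworks/proxy-subnet"}]},
    ],
}

# Constructed flow records carrying only what enrichment needs.
SAMPLE_FLOWS = [
    {"src_ip": "10.128.0.5", "dest_ip": "10.128.1.9", "dest_port": 5432, "project_id": "prod-net"},
    {"src_ip": "10.128.0.5", "dest_ip": "10.200.0.2", "dest_port": 8080, "project_id": "prod-net"},
    {"src_ip": "10.200.0.2", "dest_ip": "203.0.113.7", "dest_port": 443, "project_id": "shared-svc"},
]

def _name_of(resource_url: str) -> str:
    """The Compute API references networks/subnetworks by URL; the name is the last segment."""
    return resource_url.rstrip("/").rsplit("/", 1)[-1]

def build_lookup(project_id: str, instances: Iterable[dict]) -> Lookup:
    """Map every internal NIC address in one project to its owning instance."""
    lookup: Lookup = {}
    for inst in instances:
        for nic in inst.get("networkInterfaces", []):
            ip = nic.get("networkIP", "")
            try:
                ipaddress.ip_address(ip)  # skip malformed entries rather than key on junk
            except ValueError:
                continue
            lookup[(project_id, ip)] = InstanceInfo(
                inst["name"], _name_of(nic["network"]), _name_of(nic["subnetwork"]), project_id)
    return lookup

def discover_projects(flows: Iterable[dict], monitored: Set[str]) -> Set[str]:
    """Grow the monitored set with every project_id seen in incoming flow records."""
    return monitored | {f["project_id"] for f in flows if f.get("project_id")}

def refresh(monitored: Set[str], list_instances: Callable[[str], List[dict]]) -> Lookup:
    """One refresh cycle: re-query each monitored project and rebuild the whole lookup."""
    lookup: Lookup = {}
    for project in sorted(monitored):
        lookup.update(build_lookup(project, list_instances(project)))
    return lookup

def resolve(lookup: Lookup, project_id: str, ip: str) -> Optional[InstanceInfo]:
    """Prefer the flow's own project; fall back across projects only on a unique match."""
    hit = lookup.get((project_id, ip))
    if hit is not None:
        return hit
    matches = [info for (_, addr), info in lookup.items() if addr == ip]
    return matches[0] if len(matches) == 1 else None

def enrich_flow(flow: dict, lookup: Lookup) -> dict:
    """Add src_/dest_ vm, VPC and subnet names; unresolved sides stay unenriched."""
    out = dict(flow)
    for side in ("src", "dest"):
        info = resolve(lookup, flow.get("project_id", ""), flow[f"{side}_ip"])
        if info is None:
            continue  # external or unknown address: leave the fields absent, never guess
        out[f"{side}_vm_name"] = info.vm_name
        out[f"{side}_vpc_name"] = info.vpc_name
        out[f"{side}_subnet_name"] = info.subnet_name
    return out

def demo() -> List[dict]:
    """Discover shared-svc from the flows, refresh the lookup, enrich every sample flow."""
    monitored = discover_projects(SAMPLE_FLOWS, {"prod-net"})
    lookup = refresh(monitored, lambda p: SAMPLE_INSTANCES_BY_PROJECT.get(p, []))
    return [enrich_flow(f, lookup) for f in SAMPLE_FLOWS]
```

In a real agent, `list_instances` would be the Compute Engine API call for each project, and the second flow above only resolves its destination because shared-svc was discovered from flow data and is queried on the next refresh; a project the service account cannot read contributes nothing to the lookup, so its instances simply stay unenriched.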
Credential Requirements
The GCP service account used for ingestion must hold the following IAM roles, which together cover ingestion and enrichment:
- Compute Network Viewer (roles/compute.networkViewer): resolves VPC, subnetwork, and instance names
- Pub/Sub Subscriber (roles/pubsub.subscriber): consumes VPC flow log messages from the configured subscription
No additional roles are required beyond those already granted to the ingestion service account. Because an IAM binding applies only in the project (or folder or organization) where it is granted, Compute Network Viewer must be granted in every project whose instances should be resolved, including projects the agent discovers automatically from flow data; Pub/Sub Subscriber is only needed where the subscription lives. Do not substitute broader roles such as Editor or Viewer: they contain far more permissions than enrichment needs.
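A check for the role requirements above across every monitored project, added here as an example; it is not NFO or EDFN agent code. It takes IAM policies in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns (the sample policies here are constructed, and the service account name is assumed), reports per project which required role is missing and which basic role (Owner, Editor, Viewer) should be removed, and emits the corresponding gcloud commands. Conditional bindings are treated as not held, since a condition may not be satisfied at query time.

```python
from typing import Dict, List, Set

# Roles this page lists. networkViewer is needed in every project whose instances
# should be resolved; pubsub.subscriber only where the subscription lives.
NETWORK_ROLE = "roles/compute.networkViewer"
PUBSUB_ROLE = "roles/pubsub.subscriber"

# Basic roles that contain far more than enrichment needs; flag rather than accept them.
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Assumed service account name (not from the page).
SA = "serviceAccount:nfo-ingest@logs-hub.iam.gserviceaccount.com"

# Constructed policies in the shape `gcloud projects get-iam-policy PROJECT --format=json` returns.
SAMPLE_POLICIES: Dict[str, dict] = {
    "logs-hub": {"bindings": [
        {"role": PUBSUB_ROLE, "members": [SA]},
        # Conditional binding: may not apply at query time, so it does not count as held.
        {"role": NETWORK_ROLE, "members": [SA],
         "condition": {"title": "temporary",
                       "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
    ]},
    "prod-net": {"bindings": [
        {"role": NETWORK_ROLE, "members": [SA, "group:netops@example.com"]},
        {"role": "roles/editor", "members": [SA]},
    ]},
    "shared-svc": {"bindings": [
        {"role": "roles/viewer", "members": ["user:alice@example.com"]},
    ]},
}

def held_roles(policy: dict, member: str) -> Set[str]:
    """Roles bound unconditionally to `member` in one project's IAM policy."""
    return {
        b["role"] for b in policy.get("bindings", [])
        if member in b.get("members", []) and "condition" not in b
    }

def audit(policies: Dict[str, dict], member: str, subscription_project: str) -> Dict[str, dict]:
    """Per project: required roles still missing, and broad roles that should be removed."""
    report: Dict[str, dict] = {}
    for project, policy in policies.items():
        required = {NETWORK_ROLE}
        if project == subscription_project:
            required.add(PUBSUB_ROLE)
        held = held_roles(policy, member)
        report[project] = {
            "missing": sorted(required - held),
            "over_broad": sorted(held & BROAD_ROLES),
        }
    return report

def ok(report: Dict[str, dict]) -> bool:
    """True only when every project has all required roles and no broad role."""
    return all(not r["missing"] and not r["over_broad"] for r in report.values())

def gcloud_fix_commands(report: Dict[str, dict], member: str) -> List[str]:
    """gcloud commands that add the missing bindings and remove the broad ones."""
    cmds: List[str] = []
    for project, r in sorted(report.items()):
        for role in r["missing"]:
            cmds.append(f"gcloud projects add-iam-policy-binding {project} --member={member} --role={role}")
        for role in r["over_broad"]:
            cmds.append(f"gcloud projects remove-iam-policy-binding {project} --member={member} --role={role}")
    return cmds
```

Two limits of this check: `gcloud projects get-iam-policy` shows only project-level bindings, so a role inherited from a folder or organization grant is reported as missing, and Pub/Sub Subscriber may legitimately be bound on the subscription resource itself instead of the project (a tighter grant), which this project-level audit would not see.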