Version: Next

Cloud Service & Region Enrichment

NFO automatically identifies public cloud traffic by matching flow IP addresses against a built-in lookup table of known cloud provider IP ranges. No credentials, cloud account, or additional configuration is required — this enrichment is active for all flows from the moment NFO is running.


Enriched Fields

For every flow where the source or destination IP matches a known cloud provider range, NFO appends the following fields:

| Field | Description | Example |
| --- | --- | --- |
| src_cloud_service | Cloud service associated with the source IP | EC2, AzureAppService, GoogleCloud |
| dest_cloud_service | Cloud service associated with the destination IP | S3, AzureStorage, OCI |
| src_cloud_region | Cloud region of the source IP | us-east-1, eastus, europe-west1 |
| dest_cloud_region | Cloud region of the destination IP | eu-west-1, ap-southeast-2, uk-south |

Fields are only populated when a match is found. Traffic to non-cloud IPs will not have these fields set.
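
The matching behavior described above, as an added example (not NFO's own code): a flow's source and destination IPs are checked against a CIDR table, and the four fields are set only on a match. The range table, the flow records and the src_ip/dest_ip field names are constructed for illustration, and picking the most specific prefix when ranges overlap is an assumption about how ties are resolved.

```python
import ipaddress

# Constructed lookup table using documentation prefixes, not real provider
# ranges. Each entry: (CIDR, service, region).
CLOUD_RANGES = [
    ("198.51.100.0/24", "EC2", "us-east-1"),
    ("198.51.100.128/25", "S3", "us-east-1"),  # more specific, overlaps the /24
    ("203.0.113.0/24", "AzureStorage", "eastus"),
    ("2001:db8:100::/48", "GoogleCloud", "europe-west1"),
]
_TABLE = [(ipaddress.ip_network(c), s, r) for c, s, r in CLOUD_RANGES]


def lookup(ip):
    """Return (service, region) for the most specific matching range, or None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # malformed address in the flow record: no enrichment
    best = None
    for net, service, region in _TABLE:
        if addr.version == net.version and addr in net:
            # Assumption: the longest prefix wins when ranges overlap.
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, service, region)
    return (best[1], best[2]) if best else None


def enrich(flow):
    """Copy the flow; add *_cloud_service / *_cloud_region only on a match."""
    out = dict(flow)
    # src_ip / dest_ip are hypothetical names for the flow's address fields.
    for side, key in (("src", "src_ip"), ("dest", "dest_ip")):
        hit = lookup(flow.get(key, ""))
        if hit:
            out[f"{side}_cloud_service"], out[f"{side}_cloud_region"] = hit
    return out


# Constructed flow records: on-premises host to cloud, cloud to host, non-cloud.
FLOWS = [
    {"src_ip": "10.1.2.3", "dest_ip": "198.51.100.200", "bytes": 48211},
    {"src_ip": "203.0.113.9", "dest_ip": "10.1.2.3", "bytes": 912},
    {"src_ip": "10.1.2.3", "dest_ip": "192.0.2.55", "bytes": 120},
]

if __name__ == "__main__":
    for f in FLOWS:
        print(enrich(f))
```

Because unmatched flows carry no cloud fields at all, downstream searches and detections should test for the field's presence rather than compare against an empty string.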


Coverage

The lookup table covers the following cloud providers:

| Provider | Source |
| --- | --- |
| AWS | Published IP ranges covering services such as EC2, S3, CloudFront, Lambda, and many others |
| Microsoft Azure | Published IP ranges covering services such as AzureAppService, AzureStorage, AzureAD, and many others |
| Google Cloud | Published IP ranges |
| Oracle Cloud (OCI) | Published IP ranges |

NFO updates the lookup table automatically as cloud providers publish new IP ranges.


How It Differs from Cloud-Specific Enrichment

| | Service & Region | Cloud-Specific (AWS, Azure, GCP, OCI) |
| --- | --- | --- |
| Requires cloud credentials | No | Yes (via ingestion config) |
| Works for on-premises traffic | Yes | No — only for cloud-ingested flows |
| Fields provided | Provider, service, region | Instance names, VPC/VNet IDs, tags |
| Configuration needed | None | Cloud flow log ingestion |

Use this enrichment as a baseline for all deployments. Add cloud-specific ingestion for resource-level visibility where needed.


Reference

The IP range lookup is based on the published IP range datasets from each cloud provider: