Cloud Tap

Cloud Tap

Netskope Cloud Tap allows you to tap traffic that traverse the Netskope infrastructure, sending a copy for inspection.


This feature is in Beta. Contact your Netskope Sales team to enable this feature in your tenant. Cloud Tap is unavailable for PRC, FedRAMP, and PBMM customers.

About Cloud Tap

Many organizations have on-premises intrusion detection devices integrated with the network using a “tap”. That is, a tap sends a copy of the network traffic to the intrusion detection devices for inspection. As organizations move their traffic to the Netskope cloud they are looking for similar functionality. Here are the key requirements:

  • Capture traffic before decryption, as if it was captured while leaving the user’s host
  • Capture whole flows – both forward and return traffic
  • Deal with security vendors that cannot decrypt TLS by presenting a clear-text variant of the traffic
  • Use both on-premises and cloud-hosted security products

With Cloud Tap, Netskope can tap your connections as they traverse our gateway processes, and save a copy to cloud storage. This copying is continuous and the data is stored in a proprietary format, split into many BLOBs. You must provision a bucket from your organization’s cloud storage provider as an object store to accept the copy of traffic and TLS session keys. We store session keys next to the data, in the same object store. You can also store session keys in a different object store.

When enabled, Cloud Tap allows you to save a selection of your traffic to cloud storage and use a set of credentials you provide. This feature is available for Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.


Following are requirements for Cloud Tap:

  • For the Netskope tool (i.e., stitcher):
    • The machine must be Ubuntu 20.04.
    • You must install Docker Engine version 24.0.5 or newer on your machine.
    • The following cloud instance types are recommended:
      • AWS: c5n.2xlarge
      • GCP: c3-standard-22
      • Azure: Standard_F16s_v2
  • You must ensure that the stitcher, cloud storage, and NDR instance are in the same cloud region.
  • You must ensure the stitcher instance and NDR instance are in the same VPC/VNET.
  • You must ensure that the stitcher has reachability to cloud storage.
  • For stitcher access, you must set up roles with the necessary permission to allow the stitcher to download traffic data from your cloud storage bucket.
    • If the stitcher is running in a VM instance (i.e., outside a cloud provider environment), you must provide an export of the access credentials (a .json file).
    • If the stitcher is running on a GCP cloud instance, you can grant the stitcher permission and skip exporting the access credentials.
    • If the stitcher is running on an AWS or Azure cloud instance, you must provide an export of the access credentials (a .json file). The capability to use native cloud provider authentication with an AWS or Azure cloud instance is not supported.
  • For Netskope Cloud Tap, you must set up roles with the necessary permissions to send traffic to your cloud storage bucket. You must also provide export access credentials (a .json file).
  • For your cloud storage buckets, you must provide a bucket for your cloud storage provider with the appropriate permissions and retention policy configured.


    For Azure, an Azure Blob storage account is required. When the Cloud Tap feature is enabled in your Netskope tenant, a default container named ‘netskope‘ is automatically created within the specified storage account.

  • You must also consider your traffic selection criteria and steering method:
    • user id, identity
    • destination TCP port
    • source IP address subnet

For AWS, use the following credentials format:

"access_key_id": "YOUR_ACCESS_KEY_ID_HERE",
"secret_access_key": "YOUR_SECRET_ACCESS_KEY_HERE"

For GCP, refer to the Google documentation for instructions on exporting and downloading the .json file. The following is an example of the resulting file:

"type": "service_account",
"project_id": "your_project_id",
"private_key_id": "your_private_key_id",
"private_key": "---PRIVATE KEY-----\n",
"client_email": "your_service_account_email",
"client_id": "your_client_id",
"auth_uri": "",
"token_uri": "",
"auth_provider_x509_cert_url": "",
"client_x509_cert_url": ""

For Azure, use the following credentials format:

"access_key": "YOUR_ACCESS_KEY_HERE"

Configuring Cloud Tap

In order to use Cloud Tap, you must deploy and configure the Cloud Tap stitcher, and enable Cloud Tap in your Netskope tenant.

The following sections describe the various configuration steps.

Share this Doc

Cloud Tap

Or copy link

In this topic ...