Multi-cloud honesty

Service coverage

Every individual service across Azure, AWS, GCP, Kubernetes, identity systems, and hybrid connectivity — with a fully / partially / planned / not-supported grade per capability. We do not pretend coverage we haven't built. See the guide.

Executive Engineer Architect

Cloud:all azure aws gcp kubernetes saas onprem

Status:all Production-quality Common case covered Synthesised from adjacent data Planned Not in scope

Enhanced by:all wiz dynatrace datadog crowdstrike veracode

○
Active Directory Federation Services (ADFS)identity.adfs· identityPlanned
Supported: observability
Discovery: Read Entra federation settings (we infer ADFS presence from external federation config). Auth: n/a — read Entra side only. Reads: Federation trust metadata, claim mappings.
○
Active Directory (on-prem)identity.active_directory· identityPlanned
Supported: observability
Discovery: Azure AD Connect sync state via Entra; on-prem LDAP optional via agent. Auth: Read sync state from Entra; on-prem agent for direct read. Reads: Hybrid join state, sync errors, stale objects (via Entra sync metrics).
○
LDAP / OpenLDAPidentity.ldap· identityPlanned
Supported: observability
Discovery: LDAP bind (on-prem connector or jump host). Auth: Bind DN + service-account password. Reads: OU tree, user/group attributes.
✕
ExpressRoute (Azure)hybrid.azure.expressroute· hybridNot in scope
Supported: discovery · inventory · topology · network
Azure side discovered via Resource Graph; hybridConnectivity playbook validates the chain. On-prem peer + carrier device not visible.
✕
VPN Gateway (Azure)hybrid.azure.vpngateway· hybridNot in scope
Supported: discovery · inventory · topology · network
Azure side discovered. On-prem peer requires CMDB or agent.
✕
Direct Connect (AWS)hybrid.aws.directconnect· hybridNot in scope
Supported: discovery · inventory · topology · network
AWS side enumerable via aiobotocore. On-prem peer not visible.
✕
Site-to-Site VPN (AWS)hybrid.aws.sitevpn· hybridNot in scope
Supported: discovery · inventory · topology · network
Tunnel state visible AWS-side.
✕
Cloud Interconnect (GCP)hybrid.gcp.interconnect· hybridNot in scope
Supported: discovery · inventory · topology · network
GCP side enumerable via google-cloud-resource-manager.
✕
Cloud VPN (GCP)hybrid.gcp.cloudvpn· hybridNot in scope
Supported: discovery · inventory · topology · network
GCP side enumerable.
✕
Hybrid DNS resolutionhybrid.dns.resolver· hybridNot in scope
Supported: discovery · inventory · topology · network
Private DNS Zones (Azure/AWS/GCP) plus conditional forwarders. Resolution chain validated end-to-end by privateEndpointImpact playbook for Azure only.
✕
Identity federationhybrid.identity.federation· hybridNot in scope
Supported: discovery · inventory · topology · network
Entra ↔ ADFS / Entra ↔ Okta / Entra ↔ Ping. Discovery requires reading Entra federation settings + the peer IdP via its API.
✕
ServiceNow CMDBhybrid.cmdb.servicenow· hybridNot in scope
Supported: discovery · inventory · topology · network
Business services from cmdb_ci_service ingested. Reconciliation against live cloud inventory is roadmap.
✕
Webhook integration bridgehybrid.webhook.bridge· hybridNot in scope
Supported: discovery · inventory · topology · network
Outbound webhooks fire on recommendation status changes. Inbound webhooks (receiving from external systems) are roadmap.

Read-only and advisory by design — we never modify cloud resources. The grades describe what we can observe, not what we can change.