How to Query ipinfo.io Data with CloudQuery

Joe Karlsson

ipinfo.io is one of the most widely used IP intelligence APIs. It returns geolocation, ASN (Autonomous System Number), ISP, carrier, and threat intelligence data for any IP address. If you know an IP, ipinfo.io can tell you where it is, who owns the network, and whether it's associated with VPNs, proxies, or hosting infrastructure.
That's useful on its own. It becomes far more useful when you combine it with a complete, continuously updated inventory of your cloud infrastructure — because now you can answer questions like "which of my EC2 instances has a public IP routing through a VPN exit node?" without manual lookups.

Why Enrich Cloud Asset Data with IP Intelligence?

When CloudQuery syncs your AWS, GCP, or Azure environment, it captures IP addresses for a wide range of resources: EC2 instances, NAT gateways, load balancers, RDS instances with public endpoints, CloudFront distributions, GKE nodes, Azure VMs. A non-trivial cloud environment has hundreds of these. Without context, they're just numbers.
The most immediate use is geographic sanity checking. An EC2 instance in us-east-1 should geolocate to Virginia or the eastern US. If it doesn't — or if the IP routes through a network org you don't recognize — that's worth a look. We've seen teams discover misconfigured Elastic IPs routing through unexpected network organizations this way, which turned out to be a routing issue that would have been invisible without the enrichment.
Network context matters too. ipinfo.io can tell you whether an IP is associated with a VPN exit node, a known proxy service, or a hosting provider other than your own cloud vendor. For public-facing resources, that's signal worth having. An EC2 instance whose public IP resolves to a different ASN than Amazon's is unusual enough to warrant investigation.
For regulated environments, geolocation data closes a gap that AWS region labels can't. Region tells you where a resource was provisioned. Geolocation tells you where that IP actually routes — and for data residency compliance, that's the number that matters.
The raw CloudQuery inventory gives you the "what." ipinfo.io gives you the "where and who."

Querying ipinfo.io Data with CloudQuery

The pattern: sync your cloud infrastructure with CloudQuery to get a current inventory including all public IPs, query the ipinfo.io API for each public IP, and load the results into your data warehouse alongside your CloudQuery data.
You can query ipinfo.io from a script or pipeline that reads public IPs from your CloudQuery destination database, calls the API in batches, and writes enriched results into a separate table. A minimal schema for storing ipinfo.io responses:
CREATE TABLE ipinfo_data (
  ip          TEXT PRIMARY KEY,
  hostname    TEXT,
  city        TEXT,
  region      TEXT,
  country     TEXT,
  org         TEXT,   -- "AS15169 Google LLC"
  timezone    TEXT,
  -- privacy detection fields (paid tier)
  vpn         BOOLEAN,
  proxy       BOOLEAN,
  tor         BOOLEAN,
  hosting     BOOLEAN,
  enriched_at TIMESTAMPTZ DEFAULT NOW()
);
Once both tables are populated, you can join them in SQL:
-- Join EC2 instances with ipinfo geolocation data
SELECT
  i.instance_id,
  i.instance_type,
  i.region AS aws_region,
  i.public_ip_address,
  ip.country,
  ip.city,
  ip.org AS asn_org,
  ip.hostname
FROM aws_ec2_instances i
LEFT JOIN ipinfo_data ip
  ON i.public_ip_address = ip.ip
WHERE i.public_ip_address IS NOT NULL
ORDER BY ip.country, i.region;
This query gives you every public EC2 instance with its geolocation and ASN organization in a single result set.

Example: Find Public EC2 Instances with Unexpected Geolocations

The most common use case is identifying instances where the geolocation doesn't match the expected AWS region. A us-east-1 resource should geolocate to Virginia or the eastern US. If it doesn't, or if the IP routes through an unexpected ASN, that's worth investigating.
-- Flag EC2 instances where geolocation country doesn't match expected region
SELECT
  i.instance_id,
  i.region AS aws_region,
  i.public_ip_address,
  ip.country AS geolocated_country,
  ip.city,
  ip.org AS network_org,
  i.tags->>'Environment' AS environment,
  i.tags->>'Owner' AS owner
FROM aws_ec2_instances i
JOIN ipinfo_data ip
  ON i.public_ip_address = ip.ip
WHERE
  i.public_ip_address IS NOT NULL
  AND (
    -- Flag non-US IPs for resources in US regions
    (i.region LIKE 'us-%' AND ip.country != 'US')
    -- Flag non-European IPs for resources in EU regions
    OR (i.region LIKE 'eu-%' AND ip.country NOT IN ('DE', 'IE', 'SE', 'FR', 'IT', 'ES', 'GB'))
  )
ORDER BY i.region, ip.country;
You can extend this pattern for any region-to-country mapping relevant to your environment. The output is a list of anomalous resources that warrant review.
For VPN and proxy detection, ipinfo.io's privacy detection API adds boolean vpn, proxy, tor, and hosting fields for each IP. You can flag any public-facing resource IP that resolves to a known hosting network that isn't one of your approved cloud providers:
-- Find public IPs resolving to unexpected hosting providers
SELECT
  i.instance_id,
  i.public_ip_address,
  ip.org,
  ip.hosting AS is_hosting_ip,
  ip.country
FROM aws_ec2_instances i
JOIN ipinfo_data ip ON i.public_ip_address = ip.ip
WHERE
  ip.hosting = true
  AND ip.org NOT ILIKE '%amazon%'
  AND ip.org NOT ILIKE '%google%'
  AND ip.org NOT ILIKE '%microsoft%'
  AND i.public_ip_address IS NOT NULL;

Data Residency Compliance Checks

For teams operating under GDPR, HIPAA, or other data residency requirements, the compliance question often comes down to: is data-processing infrastructure actually in the jurisdictions we approved? AWS region labels tell you which region a resource was provisioned in, but geolocation data tells you where that IP actually routes — which can differ for edge-hosted services, globally distributed endpoints, and certain CDN configurations.
-- Flag resources that should be EU-only but geolocate outside the EU
SELECT
  i.instance_id,
  i.region AS aws_region,
  i.public_ip_address,
  ip.country AS geolocated_country,
  ip.city,
  ip.org,
  i.tags->>'DataClassification' AS data_classification
FROM aws_ec2_instances i
JOIN ipinfo_data ip ON i.public_ip_address = ip.ip
WHERE
  i.public_ip_address IS NOT NULL
  AND i.tags->>'DataClassification' IN ('PII', 'PHI', 'Confidential')
  AND ip.country NOT IN ('DE', 'IE', 'SE', 'FR', 'NL', 'BE', 'AT', 'DK', 'FI')
ORDER BY ip.country, i.region;
This query targets resources tagged with sensitive data classifications and flags any that geolocate outside your approved EU countries. Adjust the country list and classification tags to match your environment and compliance framework.

Getting Started

First, run a CloudQuery sync to populate your destination database with cloud resources including public IP fields. See the CloudQuery quickstart for setup.
Once your inventory is in the database, extract distinct public IPs and send them to ipinfo.io in batches. The ipinfo.io batch endpoint handles up to 1,000 IPs per request. Write the results into the ipinfo_data table using the schema above, then run the join queries.
The free tier covers 50,000 requests per month — enough for most cloud environments to run daily enrichment without hitting limits. Privacy detection (VPN, proxy, hosting flags) requires a paid tier; the base geolocation and ASN data is free.
One thing worth noting: geolocation data for cloud provider IP ranges is stable. You don't need to re-enrich every IP every day. A weekly refresh for existing IPs plus an immediate check on newly discovered IPs is a reasonable operational cadence.
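
The enrichment step described above, as an added example (not CloudQuery's or ipinfo.io's code): it reduces the inventory's addresses to globally routable ones, sends them in batches of at most 1,000, and flattens each response into ipinfo_data column order. The batch URL, the bearer-token header, the response shape (a JSON object keyed by IP, with privacy flags in a nested "privacy" object) and all function names are assumptions to confirm against the ipinfo.io documentation.

```python
import ipaddress
import json
import urllib.request

BATCH_LIMIT = 1000  # batch-size ceiling quoted in the article
BATCH_URL = "https://ipinfo.io/batch"  # assumed; confirm against ipinfo.io docs
COLUMNS = ("ip", "hostname", "city", "region", "country", "org", "timezone",
           "vpn", "proxy", "tor", "hosting")  # ipinfo_data, minus enriched_at


def public_ips(candidates):
    """Deduplicate; keep only globally routable addresses (nothing internal leaves)."""
    keep = set()
    for raw in candidates:
        try:
            addr = ipaddress.ip_address(str(raw or "").strip())
        except ValueError:
            continue  # NULL or malformed inventory value
        if addr.is_global:  # drops RFC 1918, loopback, link-local, CGNAT ranges
            keep.add(str(addr))
    return sorted(keep)


def fetch_batch(ips, token):
    """POST one batch. Assumed contract: JSON array in, JSON object keyed by IP out."""
    req = urllib.request.Request(
        BATCH_URL, data=json.dumps(ips).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def to_row(ip, info):
    """Flatten one response entry into COLUMNS order; absent fields become None."""
    privacy = info.get("privacy") or {}  # assumed nested object on the paid tier
    flat = {**info, **privacy, "ip": ip}
    return tuple(flat.get(col) for col in COLUMNS)


def enrich(candidates, token, fetch=fetch_batch):
    """Return ipinfo_data rows for every public IP in candidates."""
    ips, rows = public_ips(candidates), []
    for start in range(0, len(ips), BATCH_LIMIT):
        chunk = ips[start:start + BATCH_LIMIT]
        result = fetch(chunk, token)
        rows += [to_row(ip, result[ip]) for ip in chunk
                 if isinstance(result.get(ip), dict)]  # skip missing entries
    return rows
```

Pass enrich() the distinct public_ip_address values read from your CloudQuery destination, then insert the returned tuples into ipinfo_data with your database driver.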

FAQ

What is ipinfo.io?

ipinfo.io is an IP intelligence API that returns geolocation, ASN, ISP, hostname, and privacy/threat data for any IP address. It's widely used for fraud detection, security analysis, and infrastructure monitoring.

How do I use ipinfo.io with CloudQuery?

Sync your cloud infrastructure with CloudQuery to capture all public IP addresses into your destination database. Then query the ipinfo.io API for those IPs, store the results in a separate table, and join the datasets in SQL to enrich your inventory with geolocation and network context.

Can CloudQuery query IP geolocation data?

CloudQuery doesn't natively query geolocation APIs, but it captures all public IP addresses for cloud resources as part of its standard sync. You can then use ipinfo.io or similar services to enrich those IPs and store the results in the same destination database for SQL joining.

What IP intelligence data does ipinfo.io provide?

ipinfo.io provides geolocation (country, region, city, coordinates), ASN and ISP data, hostname, organization, and - on paid tiers - privacy detection data including flags for VPN, proxy, Tor exit nodes, and hosting infrastructure.

How often should I refresh ipinfo.io data for my cloud IPs?

Geolocation and ASN data for cloud provider IP ranges changes infrequently, so weekly refreshes are sufficient for most environments. The exception is privacy detection data (VPN/proxy flags), which changes more often. Trigger a refresh whenever CloudQuery syncs discover new public IPs in your environment.

What is the ipinfo.io rate limit on the free tier?

The free tier includes 50,000 requests per month. Use the ipinfo.io batch endpoint to look up as many as 1,000 IPs per request, which keeps you well within free tier limits for most cloud environments. Paid tiers support higher volumes and unlock the privacy detection API.

Can I combine ipinfo.io with other threat intelligence sources?

Yes. ipinfo.io excels at geolocation and network context; it doesn't score IPs for abuse history. Pair it with AbuseIPDB enrichment to get both network context and threat signals in the same destination database. The join pattern is identical for both - both datasets join to your CloudQuery asset inventory on IP address.

What ASN data does ipinfo.io return?

ASN (Autonomous System Number) data identifies the organization that controls the network block your IP belongs to. For cloud resources, this should typically show your cloud provider (Amazon, Google, Microsoft). If an IP in your AWS environment resolves to a different ASN, that's worth investigating - it could indicate a misconfigured routing setup or a compromised resource routing traffic through unexpected infrastructure.