When using the add_cloud_metadata processor, it does run lookups against API endpoints, trying to identify if it's running in a cloud environment and if so, in which one.

If a firewall is responding to those requests, i.e. with a HTML, to let the user know the request was blocked, the HTML is stored as payload in the cloud meta data fields.

If it's not getting the expected response, it should not store anything.

Example where the request was blocked, but a HTML was returned and stored in meta.cloud.instance_id:

"meta": {
"cloud": {
"instance_id": "<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01//EN\">\n<html><head><meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"><style 
...
Firewall Notification</h1><h2>Your access has been blocked by firewall policy XXX.<br>If you have any further concerns, please contact your network administrator for more information.</h2></form></div></div></body></html>\r\n",
"provider": "ecs"
}
},