The Azure Instance Metadata Service (IMDS) lets a virtual machine retrieve metadata about itself, including its configuration and network settings, without that information having to be hardcoded into your application.
IMDS is a secure service that provides a way to access instance metadata without exposing sensitive information. This is crucial for maintaining the security and integrity of your Azure environment.
To access IMDS, you'll need to make a request to the following endpoint: http://169.254.169.254/metadata/instance?api-version=2020-06-01. This endpoint is reserved for instance metadata and is not routable from outside the instance.
IMDS supports several metadata formats, including JSON, XML, and plain text.
What Is IMDS?
IMDS is a critical component in Microsoft Azure that provides metadata about virtual machines (VMs) running in the Azure environment.
It allows you to access information about VM instances, such as VM size and type, subscription ID, resource group and region, network configuration, and identity credentials when using managed identities.
You can retrieve this data by sending requests to the IMDS endpoint: http://169.254.169.254/metadata/ from within the VM.
This metadata is crucial for simplifying identity management in cloud instances, but it also presents a potential attack vector if not adequately secured.
Access Service
Accessing the Azure Instance Metadata Service (IMDS) is straightforward: it is available on any VM created through Azure Resource Manager or the Azure portal.
To access IMDS, requests must bypass any configured proxy, be sent from the VM's primary NIC and primary IP, and DHCP must be enabled on that NIC.
The response from IMDS is a JSON string, which can be retrieved using sample code provided in the Azure Instance Metadata Samples.
Here are the key requirements to access IMDS:
- Requests must be sent from the VM's primary NIC and primary IP.
- DHCP must be enabled on that NIC.
- Requests must bypass any configured HTTP proxy.
Security and Authentication
The Azure Instance Metadata Service (IMDS) is reachable only from inside the VM, but it is not a channel for sensitive data. The API is unauthenticated and open to all processes on the VM, so information exposed through this service should be considered shared with every application running inside the VM.
To ensure requests are directly intended for IMDS and to prevent unintended or unwanted redirection of requests, requests must contain the header Metadata: true and must not contain an X-Forwarded-For header. Any request that doesn't meet both of these requirements is rejected by the service.
If it isn't necessary for every process on the VM to access the IMDS endpoint, you can set local firewall rules to limit access. For example, if only a known system service needs to access the instance metadata service, you can set a firewall rule on the IMDS endpoint that allows only the specific process(es) to access it and denies access for the rest of the processes.
To protect against SSRF attacks targeting IMDS, consider implementing the following strategies:
- Validate that the VM is running in Azure
- Monitor IMDS Access using Azure Monitor and Azure Security Center
This will help prevent attackers from accessing sensitive data or services by exploiting the IMDS endpoint.
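The request shape described above (Metadata: true, no X-Forwarded-For, proxies bypassed) as an added example; this is not code from the original page or from Microsoft. The response document is a constructed sample, and the `imds_accepts` function is a model of the service's header rule, useful for reasoning about why a forwarded or proxied request is rejected, not the service's own implementation.

```python
import json
import urllib.request

IMDS_BASE = "http://169.254.169.254/metadata"


def build_imds_request(path="instance", api_version="2020-06-01"):
    """Return a urllib Request carrying the mandatory Metadata: true header."""
    url = f"{IMDS_BASE}/{path}?api-version={api_version}"
    req = urllib.request.Request(url, method="GET")
    req.add_header("Metadata", "true")
    return req


def imds_accepts(headers):
    """Model (assumption, not the service's code) of the documented rule:
    a Metadata: true header must be present and X-Forwarded-For must be absent.
    Header names are compared case-insensitively, as HTTP requires."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get("metadata", "").strip() != "true":
        return False
    if "x-forwarded-for" in lowered:
        return False
    return True


def fetch_instance_metadata(opener=None, timeout=5):
    """Query IMDS with proxies disabled: the request has to leave on the VM's
    primary NIC, not via an HTTP proxy taken from the environment."""
    if opener is None:
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(build_imds_request(), timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def summarize(instance_doc):
    """Pull the fields the text lists out of a /metadata/instance document."""
    compute = instance_doc.get("compute", {})
    return {
        "vmId": compute.get("vmId"),
        "vmSize": compute.get("vmSize"),
        "subscriptionId": compute.get("subscriptionId"),
        "resourceGroup": compute.get("resourceGroupName"),
        "location": compute.get("location"),
    }


# Constructed sample of the compute section of an IMDS response (not real data).
SAMPLE_DOC = {"compute": {"vmId": "00000000-0000-0000-0000-000000000000",
                          "vmSize": "Standard_B1s", "subscriptionId": "<sub-id>",
                          "resourceGroupName": "rg-demo", "location": "westeurope"}}
```

Call `fetch_instance_metadata()` on an Azure VM to obtain a real document; `summarize(SAMPLE_DOC)` shows the extraction offline.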
Security and Authentication
The Instance Metadata Service (IMDS) is only accessible from within a running virtual machine instance on a non-routable IP address. This means that VMs can only interact with their own metadata and functionality.
Requests to IMDS must contain the header Metadata: true to ensure they are intended for IMDS and not redirected elsewhere.
IMDS is not a channel for sensitive data and is unauthenticated, making it open to all processes on the VM. This means that information exposed through IMDS should be considered shared information to all applications running inside the VM.
To limit access to IMDS, you can set local firewall rules to restrict access to only the necessary processes or deny access for the rest of the processes.
Here are the requirements for requests to IMDS:
- Must contain the header Metadata: true
- Must not contain an X-Forwarded-For header
Any request that doesn't meet both of these requirements is rejected by the service.
Get Attested Data
IMDS can provide a guarantee that the data it returns is coming from Azure. Microsoft signs part of this information, so you can confirm that an image from Azure Marketplace is the one you're running on Azure.
The signature blob is a pkcs7-signed version of the document, containing the certificate used for signing along with certain VM-specific details.
The document includes vmId, sku, nonce, subscriptionId, timestamp for creation and expiry of the document, and the plan information about the image. The plan information is only populated for Azure Marketplace images.
For VMs created by using Azure Resource Manager, the document includes a lot of information, but for Classic (non-Azure Resource Manager) VMs, only the vmId is guaranteed to be populated.
Here's a list of data that can be extracted from the response:
- vmId
- sku
- nonce
- subscriptionId
- timestamp (creation and expiry of the document)
- plan information about the image (Azure Marketplace images only)
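The consistency checks a verifier should apply to the attested document once its pkcs7 signature has been verified, as an added example (not the page's or Microsoft's code). It assumes the document has already been extracted from the signature blob, that the timestamp format is the one used in the constructed sample, and that `expected_vm_id` comes from a prior /metadata/instance call; the signature verification itself (with openssl or a PKCS#7 library) is not shown.

```python
import hmac
from datetime import datetime, timezone

# Assumption: timestamp format of the constructed sample; confirm against a real response.
TS_FORMAT = "%m/%d/%y %H:%M:%S %z"


def parse_ts(value):
    """Parse a createdOn/expiresOn value into an aware datetime."""
    return datetime.strptime(value, TS_FORMAT)


def check_attested_document(doc, expected_nonce, expected_vm_id, now=None):
    """Return a list of problems; an empty list means the document is consistent."""
    now = now or datetime.now(timezone.utc)
    problems = []
    # The nonce ties the signed document to the request just made (anti-replay);
    # compare in constant time.
    if not hmac.compare_digest(str(doc.get("nonce", "")), expected_nonce):
        problems.append("nonce mismatch (replayed or foreign document)")
    # The signed vmId must agree with the unsigned /metadata/instance answer.
    if doc.get("vmId") != expected_vm_id:
        problems.append("vmId does not match instance metadata")
    ts = doc.get("timestamp", {})
    try:
        created, expires = parse_ts(ts["createdOn"]), parse_ts(ts["expiresOn"])
    except (KeyError, ValueError):
        problems.append("missing or unparsable timestamps")
        return problems
    if not created <= now <= expires:
        problems.append("document outside its validity window")
    return problems


def is_marketplace_image(doc):
    """Plan data is only populated for Azure Marketplace images."""
    plan = doc.get("plan") or {}
    return bool(plan.get("name") and plan.get("publisher"))


# Constructed sample document (not real data): the JSON payload that sits inside
# the pkcs7 signature blob returned by the attested-data endpoint.
SAMPLE_ATTESTED = {
    "nonce": "0123456789abcdef",
    "vmId": "00000000-0000-0000-0000-000000000000",
    "subscriptionId": "<sub-id>",
    "sku": "18.04-LTS",
    "timestamp": {"createdOn": "11/20/18 22:07:39 -0000",
                  "expiresOn": "11/20/18 22:08:39 -0000"},
    "plan": {"name": "", "product": "", "publisher": ""},
}
```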
Network Security Groups (NSG) and Firewalls
Network Security Groups (NSG) and firewalls play a crucial role in securing your network.
NSGs can be configured to restrict outbound traffic from your virtual machine (VM) to specific external addresses. This prevents unauthorized communication with the metadata service or other internal services.
Firewalls and NSGs work together to limit access to sensitive resources.
Configuring IMDS
IMDSv2 is a more secure version of the Instance Metadata Service, requiring a session token for requests to the metadata service. This makes it harder for attackers to abuse SSRF vulnerabilities.
To get a token, clients must request one by sending a PUT request to the IMDS endpoint. This token is then used in subsequent GET requests to fetch metadata, such as managed identity tokens.
Here's a summary of the IMDSv2 workflow:
- Request a token by sending a PUT request to the IMDS endpoint.
- Use the token in subsequent GET requests to fetch metadata.
This additional layer ensures that metadata is only accessible from legitimate, authenticated sources within the VM.
Get Environment Running
To get the environment running, you need to identify the Azure Environment where your VM is running. This is crucial for making runtime decisions. The Azure Environment can vary depending on the cloud you're using.
Azure has multiple sovereign clouds, including Azure Government, Azure operated by 21Vianet, and Azure Germany. Each of these clouds has its own Azure environment. You can check the following table to see the different cloud and Azure environment combinations:
Knowing the Azure Environment is essential for configuring IMDS. By identifying the correct environment, you can ensure that your configuration is tailored to your specific cloud setup.
Use IMDSv2
Using IMDSv2 offers additional security features to prevent unauthorized access to metadata. It's a must-have for anyone working with sensitive data.
IMDSv2 requires a session token for requests to the metadata service. This token is obtained by sending a PUT request to the IMDS endpoint.
This extra layer of security ensures that metadata is only accessible from legitimate, authenticated sources within the VM. It's a significant improvement over the original IMDS.
Here's how to obtain a session token:
- Send a PUT request to the IMDS endpoint.
- Use the token obtained in the response for subsequent GET requests to fetch metadata.
By using IMDSv2, you can prevent SSRF vulnerabilities and keep your data safe. It's a simple but effective way to enhance security in your VM.
CFE Prerequisites
To configure the Cloud Failover Extension (CFE) in Microsoft Azure, you'll need to meet some basic prerequisites. These are the essential requirements for setting up CFE in Azure.
You'll need two BIG-IP systems in an Active/Standby configuration. Any configuration tool can be used to provision the resources.
Virtual addresses created in a floating traffic group and matching addresses (secondary) on the IP configurations of the instance NICs serving application traffic are also required. It's recommended to use Static allocation for each IP configuration that will serve application traffic.
You'll also need access to Azure's Instance Metadata Service, which is a REST Endpoint accessible to all IaaS VMs created with the Azure Resource Manager. The endpoint is available at a well-known non-routable IP address (169.254.169.254) that can only be accessed from within the VM.
Additionally, you'll need to enable "enableIPForwarding" on the NICs if enabling routing or avoiding SNAT.
Sources
- https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service
- https://mohsenakhavan.com/index.php/2024/10/10/understanding-azure-imds-instance-metadata-service-risks-and-protections/
- https://clouddocs.f5.com/products/extensions/f5-cloud-failover/latest/userguide/azure.html
- https://dev.to/omiossec/azure-vm-metadata-5h36
- https://medium.com/@saibhaskerraju/use-azure-instance-metadata-service-imds-to-access-keyvault-and-more-from-applications-inside-vm-290770c962ab