Cloud Metadata Endpoint
A special address cloud instances use to query their own configuration and credentials.
A cloud metadata endpoint is a special, link-local HTTP address, commonly 169.254.169.254, that cloud providers expose to virtual machines and containers so a running instance can query information about itself, such as its instance ID, region, network configuration, and, in many configurations, temporary security credentials for the cloud identity attached to that instance.
How it works
The metadata endpoint is reachable only from within the cloud provider's network, typically without any authentication, on the assumption that anything able to reach it is legitimately running on that instance. Major providers, including AWS, Google Cloud, and Azure, each expose a version of this service at a similar address. Applications and infrastructure tooling use it routinely, for example to fetch temporary IAM credentials for a role attached to an instance, without needing long-lived secrets baked into the application itself.
Why it matters for AI agents
Because the metadata endpoint typically requires no authentication beyond network reachability, any process that can make an HTTP request to that address, including an AI agent executing a tool call, can potentially retrieve the cloud credentials or configuration data attached to the instance it runs on. This makes the endpoint a well-known target in server-side request forgery attacks generally, and the same risk applies just as directly to an agent that has been tricked, through a prompt injection or a poorly scoped tool, into fetching an internal URL on an attacker's behalf. An agent that can browse the web or call arbitrary APIs needs an explicit block on this address; without one, an instruction to fetch a URL is enough to reach infrastructure credentials.
Why blocking it is necessary, not optional
- The endpoint is reachable by default on most cloud instances, with no opt-in required
- Requests to it typically require no authentication, so reachability alone is sufficient to query it
- The data it can return, notably temporary cloud credentials, is high value if exposed to an untrusted process
Agenhood's implementation
Agenhood's egress proxy explicitly blocks requests to cloud metadata endpoints, alongside private IP ranges, as part of the egress filtering applied to all agent container traffic. This closes off one of the more direct paths an agent could otherwise be steered down if it is running on cloud infrastructure that exposes such an endpoint.
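One way to write the kind of destination check described above, as an added example that is not Agenhood's own code. The function names and the injectable resolver parameter are assumptions made for illustration; the check covers the 169.254.169.254 link-local range together with private ranges, and decides on the resolved addresses instead of the URL text.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Link-local IPv4 range containing the 169.254.169.254 metadata address.
LINK_LOCAL_V4 = ipaddress.ip_network("169.254.0.0/16")

def system_resolver(host):
    """Return the set of IP address strings a hostname resolves to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}

def blocked_reason(ip_text):
    """Return why an address is refused, or None if it may be reached."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparseable address"  # fail closed
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.version == 4 and ip in LINK_LOCAL_V4:
        return "metadata/link-local"
    if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return "private or internal range"
    return None

def check_egress(url, resolver=system_resolver):
    """Return (allowed, reason) for a URL an agent tool wants to fetch.

    Every resolved address is checked, and any parsing or resolution
    failure is treated as a refusal.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unsupported URL"
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "unsupported URL"
    try:
        addresses = resolver(parts.hostname)
    except OSError:
        return False, "resolution failed"
    if not addresses:
        return False, "resolution failed"
    for addr in sorted(addresses):
        reason = blocked_reason(addr)
        if reason:
            return False, f"{addr}: {reason}"
    return True, "ok"
```

A check like this only holds if the connection is then made to the address that was checked, which is why the page places it in an egress proxy on the traffic path. A hostname re-resolved after the check could otherwise map to a different address.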
Related concepts
See also egress filtering and egress proxy, the mechanisms typically used to block access to metadata endpoints, and server-side request forgery, the general attack class this defends against.