The Azure Instance Metadata Service (IMDS) provides information about currently running virtual machine instances and can be used to manage and configure your virtual machines.
21
-
This includes the SKU, storage, network configurations, and upcoming maintenance events. For a complete list of the data that is available, see [metadata APIs](#-Metadata-APIs).
21
+
This includes the SKU, storage, network configurations, and upcoming maintenance events. For a complete list of the data that is available, see [metadata APIs](#metadata-apis).
22
22
Instance Metadata Service is available for both the VM and virtual machine scale set Instances. It is only available for running VMs created/managed using [Azure Resource Manager](https://docs.microsoft.com/rest/api/resources/).
23
23
24
24
Azure's Instance Metadata Service is a REST Endpoint that is available at a well-known non-routable IP address (`169.254.169.254`), it can be accessed only from within the VM.
25
25
26
-
> [!IMPORTANT]
27
-
> This service is **generally available** in all Azure Regions. It regularly receives updates to expose new information and features. This page reflects the up-to-date [metadata APIs](#-Metadata-APIs) available.
28
-
29
-
## Regional Availability
30
-
31
-
The service is available in generally available Azure regions. Not all API version may be available in all Azure Regions.
[All Generally Available Global Azure Regions](https://azure.microsoft.com/regions/) | Generally Available | 2017-04-02, 2017-08-01, 2017-12-01, 2018-02-01, 2018-04-02, 2018-10-01, 2019-02-01, 2019-03-11, 2019-04-30, 2019-06-01, 2019-06-04, 2019-08-01, 2019-08-15
36
-
[Azure Government](https://azure.microsoft.com/overview/clouds/government/) | Generally Available | 2017-04-02, 2017-08-01, 2017-12-01, 2018-02-01, 2018-04-02, 2018-10-01, 2019-02-01, 2019-03-11, 2019-04-30, 2019-06-01, 2019-06-04, 2019-08-01, 2019-08-15
37
-
[Azure China 21Vianet](https://www.azure.cn/) | Generally Available | 2017-04-02, 2017-08-01, 2017-12-01, 2018-02-01, 2018-04-02, 2018-10-01, 2019-02-01, 2019-03-11, 2019-04-30, 2019-06-01, 2019-06-04, 2019-08-01, 2019-08-15
38
-
[Azure Germany](https://azure.microsoft.com/overview/clouds/germany/) | Generally Available | 2017-04-02, 2017-08-01, 2017-12-01, 2018-02-01, 2018-04-02, 2018-10-01, 2019-02-01, 2019-03-11, 2019-04-30, 2019-06-01, 2019-06-04, 2019-08-01, 2019-08-15
39
-
40
-
This table is updated when there are service updates and or new supported versions are available.
41
-
42
26
## Security
43
27
44
28
The Instance Metadata Service endpoint is accessible only from within the running virtual machine instance on a non-routable IP address. In addition, any request with a `X-Forwarded-For` header is rejected by the service.
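Review bot: The removed Regional Availability table rows were the only place that listed supported API versions separately for Azure Government, Azure China 21Vianet and Azure Germany, and the removed sentence "Not all API version may be available in all Azure Regions" goes with them. If versions can still differ by cloud, keep that caveat next to the version list; if the single list applies to every cloud, say so explicitly so that readers pinning an `api-version` in scripts know it holds for the sovereign clouds too.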
@@ -54,8 +38,7 @@ Requests must also contain a `Metadata: true` header to ensure that the actual r
54
38
To access Instance Metadata Service, create a VM from [Azure Resource Manager](https://docs.microsoft.com/rest/api/resources/) or the [Azure portal](https://portal.azure.com), and follow the samples below.
55
39
More examples of how to query IMDS can be found at [Azure Instance Metadata Samples](https://github.com/microsoft/azureimds).
56
40
57
-
58
-
Below is the sample code to retrieve all metadata for an instance, to access specific data source, see [Metadata API](#-metadata-apis) section.
41
+
Below is the sample code to retrieve all metadata for an instance, to access specific data source, see [Metadata API](#metadata-apis) section.
The Instance Metadata Service is versioned and specifying the API version in the HTTP request is mandatory.
205
188
206
-
You can see the newest versions listed in this [availability table](#-Regional-Availability).
189
+
Follow are the supported service versions: 2017-04-02, 2017-08-01, 2017-12-01, 2018-02-01, 2018-04-02, 2018-10-01, 2019-02-01, 2019-03-11, 2019-04-30, 2019-06-01, 2019-06-04, 2019-08-01, 2019-08-15.
190
+
191
+
Note when new version is released, it will take a while to roll out to all regions. Currently version 2019-11-01 is still getting deployed and may not be available in all regions.
207
192
208
193
As newer versions are added, older versions can still be accessed for compatibility if your scripts have dependencies on specific data formats.
209
194
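Review bot: The added sentence at new line 189 reads "Follow are the supported service versions"; it should be "The following are the supported service versions". The added note at new line 191 says 2019-11-01 is still being deployed, yet the list on line 189 stops at 2019-08-15, so either add 2019-11-01 to the list with the rollout qualifier or state that it is omitted on purpose. The same note also needs "Note that when a new version is released" in place of "Note when new version is released".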
@@ -236,8 +221,8 @@ IMDS contains multiple API interfaces representing different data sources.
236
221
237
222
Data | Description | Version Introduced
238
223
-----|-------------|-----------------------
239
-
instance | See [Instance API](#-Instance-API) | 2017-04-02
240
-
attested | See [Attested Data](#-Attested-Data) | 2018-10-01
224
+
instance | See [Instance API](#instance-api) | 2017-04-02
225
+
attested | See [Attested Data](#attested-data) | 2018-10-01
241
226
identity | See [Acquire an access token](../../active-directory/managed-identities-azure-resources/how-to-use-vm-token.md) | 2018-02-01
242
227
scheduledevents | See [Scheduled Events](scheduled-events.md) | 2017-08-01
zone | [Availability Zone](../../availability-zones/az-overview.md) of your virtual machine | 2017-12-01
276
261
277
-
278
262
### Sample 1: Tracking VM running on Azure
279
263
280
264
As a service provider, you may require to track the number of VMs running your software or have agents that need to track uniqueness of the VM. To be able to get a unique ID for a VM, use the `vmId` field from Instance Metadata Service.
@@ -434,6 +418,69 @@ The cloud and the values of the Azure Environment are listed below.
434
418
[Azure China 21Vianet](https://azure.microsoft.com/global-infrastructure/china/) | AzureChinaCloud
Part of the scenario served by Instance Metadata Service is to provide guarantees that the data provided is coming from Azure. We sign part of this information so that marketplace images can be sure that it's their image running on Azure.
Api-version is a mandatory field. Refer to the [service availability section](#service-availability) for supported API versions.
662
+
Api-version is a mandatory field. Refer to the [usage section](#Usage) for supported API versions.
681
663
Nonce is an optional 10-digit string. If not provided, IMDS returns the current UTC timestamp in its place. Due to IMDS's caching mechanism, a previously cached nonce value may be returned.
682
664
683
665
***Response***
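Review bot: The new link target at new line 662 is `#Usage`, while every other anchor corrected in this commit was lowercased (`#metadata-apis`, `#instance-api`, `#attested-data`). Change it to `#usage` so it follows the same convention and matches the lowercase anchors generated from Markdown headings.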
@@ -693,7 +675,6 @@ Nonce is an optional 10-digit string. If not provided, IMDS returns the current
693
675
694
676
The signature blob is a [pkcs7](https://aka.ms/pkcs7) signed version of document. It contains the certificate used for signing along with the VM details like vmId, sku, nonce, subscriptionId, timeStamp for creation and expiry of the document and the plan information about the image. The plan information is only populated for Azure Market place images. The certificate can be extracted from the response and used to validate that the response is valid and is coming from Azure.
695
677
696
-
697
678
### Sample 2: Validating that the VM is running in Azure
698
679
699
680
Marketplace vendors want to ensure that their software is licensed to run only in Azure. If someone copies the VHD out to on-premise, then they should have the ability to detect that. By calling into Instance Metadata Service, Marketplace vendors can get signed data that guarantees response only from Azure.
subscriptionId | Azure subscription for the Virtual Machine, introduced in `2019-04-30`
752
733
sku | Specific SKU for the VM image, introduced in `2019-11-01`
753
734
754
-
755
735
#### Sample 3: Verifying the signature
756
736
757
737
Once you get the signature above, you can verify that the signature is from Microsoft. Also you can verify the intermediate certificate and the certificate chain. Lastly, you can verify the subscription ID is correct.
@@ -788,15 +768,20 @@ In cases where the intermediate certificate cannot be downloaded due to network
788
768
>The intermediate certificate for Azure China 21Vianet will be from DigiCert Global Root CA instead of Baltimore.
789
769
Also if you had pinned the intermediate certificates for Azure China as part of root chain authority change, the intermediate certificates will have to be updated.
790
770
791
-
792
771
## Managed Identity via Metadata Service
793
772
User can enable the managed identity on a VM, and then leverage Instance Metadata Service to pass the token for accessing Azure services. Applications running on a VM now can request a token from the Azure Instance Metadata service endpoint, and then use the token to authenticate to cloud services, including key vault.
794
773
For detailed steps to enable this feature, see [Acquire an access token](../../active-directory/managed-identities-azure-resources/how-to-use-vm-token.md).
795
774
796
-
797
775
## Scheduled Events via Metadata Service
798
776
You can obtain the status of the scheduled events via metadata service, then user can specify a set of action to execute upon these events. See [Scheduled Events](scheduled-events.md) for details.
799
777
778
+
## Regional Availability
779
+
780
+
The service is **generally available** in all Azure regions. This includes:
781
+
1.[All Generally Available Global Azure Regions](https://azure.microsoft.com/regions/)
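Review bot: The added list item at new line 781 is written `1.[All Generally Available Global Azure Regions](...)` with no space after `1.`, so Markdown will not treat it as a numbered list item. Insert a space after the period, and check the remaining added items of this list for the same omission.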