{
	"id": "76ab15ab-6f69-40eb-aa42-7c7bfed1c93c",
	"created_at": "2026-04-06T02:11:28.394207Z",
	"updated_at": "2026-04-10T03:21:07.406001Z",
	"deleted_at": null,
	"sha1_hash": "cf7f692711b7371a863f2b09212e94d980187a90",
	"title": "Azure Instance Metadata Service for virtual machines - Azure Virtual Machines",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 309027,
	"plain_text": "Azure Instance Metadata Service for virtual machines - Azure\r\nVirtual Machines\r\nBy KumariSupriya\r\nArchived: 2026-04-06 01:51:56 UTC\r\nApplies to: ✔️ Linux VMs ✔️ Windows VMs ✔️ Flexible scale sets\r\nThe Azure Instance Metadata Service (IMDS) provides information about currently running virtual machine\r\ninstances. You can use it to manage and configure your virtual machines. This information includes the SKU,\r\nstorage, network configurations, and upcoming maintenance events. For a complete list of the data available, see\r\nthe Endpoint Categories Summary.\r\nIMDS is available for running instances of virtual machines (VMs) and scale set instances. All endpoints support\r\nVMs created and managed by using Azure Resource Manager. Only the Attested category and Network portion of\r\nthe Instance category support VMs created by using the classic deployment model. The Attested endpoint does so\r\nonly to a limited extent.\r\nIMDS is a REST API that's available at a well-known, non-routable IP address ( 169.254.169.254 ). You can only\r\naccess it from within the VM. Communication between the VM and IMDS never leaves the host. Have your\r\nHTTP clients bypass web proxies within the VM when querying IMDS.\r\nTo access IMDS, create a VM from Azure Resource Manager or the Azure portal, and use the following samples.\r\nFor more examples, see Azure Instance Metadata Samples.\r\nHere's sample code to retrieve all metadata for an instance. To access a specific data source, see Endpoint\r\nCategories for an overview of all available features.\r\nRequest\r\nImportant\r\nThis example bypasses proxies. You must bypass proxies when querying IMDS. 
See Proxies for additional\r\ninformation.\r\nNote\r\nIMDS requests must be sent using the VM's primary NIC and primary IP, and DHCP must be enabled.\r\nWindows\r\nLinux\r\nInvoke-RestMethod -Headers @{\"Metadata\"=\"true\"} -Method GET -NoProxy -Uri \"http://169.254.169.254/metadata/inst\r\nhttps://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows\r\nPage 1 of 35\n\n-NoProxy requires PowerShell V6 or greater. See our samples repository for examples with older PowerShell\r\nversions.\r\nResponse\r\nNote\r\nThe response is a JSON string. The following example response is formatted for readability.\r\nWindows\r\nLinux\r\n{\r\n \"compute\": {\r\n \"azEnvironment\": \"AZUREPUBLICCLOUD\",\r\n \"additionalCapabilities\": {\r\n \"hibernationEnabled\": \"true\"\r\n },\r\n \"hostGroup\": {\r\n \"id\": \"testHostGroupId\"\r\n },\r\n \"extendedLocation\": {\r\n \"type\": \"edgeZone\",\r\n \"name\": \"microsoftlosangeles\"\r\n },\r\n \"evictionPolicy\": \"\",\r\n \"isHostCompatibilityLayerVm\": \"true\",\r\n \"licenseType\": \"Windows_Client\",\r\n \"location\": \"westus\",\r\n \"name\": \"examplevmname\",\r\n \"offer\": \"WindowsServer\",\r\n \"osProfile\": {\r\n \"adminUsername\": \"admin\",\r\n \"computerName\": \"examplevmname\",\r\n \"disablePasswordAuthentication\": \"true\"\r\n },\r\n \"osType\": \"Windows\",\r\n \"placementGroupId\": \"f67c14ab-e92c-408c-ae2d-da15866ec79a\",\r\n \"plan\": {\r\n \"name\": \"planName\",\r\n \"product\": \"planProduct\",\r\n \"publisher\": \"planPublisher\"\r\n },\r\n \"platformFaultDomain\": \"36\",\r\n \"platformSubFaultDomain\": \"\",\r\n \"platformUpdateDomain\": \"42\",\r\n \"priority\": \"Regular\",\r\nhttps://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows\r\nPage 2 of 35\n\n\"publicKeys\": [{\r\n \"keyData\": \"ssh-rsa 0\",\r\n \"path\": \"/home/user/.ssh/authorized_keys0\"\r\n },\r\n {\r\n \"keyData\": \"ssh-rsa 1\",\r\n \"path\": 
\"/home/user/.ssh/authorized_keys1\"\r\n }\r\n ],\r\n \"publisher\": \"RDFE-Test-Microsoft-Windows-Server-Group\",\r\n \"resourceGroupName\": \"macikgo-test-may-23\",\r\n \"resourceId\": \"/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx/resourceGroups/macikgo-test-may-23/provid\r\n \"securityProfile\": {\r\n \"secureBootEnabled\": \"true\",\r\n \"virtualTpmEnabled\": \"false\",\r\n \"encryptionAtHost\": \"true\",\r\n \"securityType\": \"TrustedLaunch\"\r\n },\r\n \"sku\": \"2019-Datacenter\",\r\n \"storageProfile\": {\r\n \"dataDisks\": [{\r\n \"bytesPerSecondThrottle\": \"979202048\",\r\n \"caching\": \"None\",\r\n \"createOption\": \"Empty\",\r\n \"diskCapacityBytes\": \"274877906944\",\r\n \"diskSizeGB\": \"1024\",\r\n \"image\": {\r\n \"uri\": \"\"\r\n },\r\n \"isSharedDisk\": \"false\",\r\n \"isUltraDisk\": \"true\",\r\n \"lun\": \"0\",\r\n \"managedDisk\": {\r\n \"id\": \"/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx/resourceGroups/macikgo-test-may-23/prov\r\n \"storageAccountType\": \"StandardSSD_LRS\"\r\n },\r\n \"name\": \"exampledatadiskname\",\r\n \"opsPerSecondThrottle\": \"65280\",\r\n \"vhd\": {\r\n \"uri\": \"\"\r\n },\r\n \"writeAcceleratorEnabled\": \"false\"\r\n }],\r\n \"imageReference\": {\r\n \"id\": \"\",\r\n \"offer\": \"WindowsServer\",\r\n \"publisher\": \"MicrosoftWindowsServer\",\r\nhttps://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows\r\nPage 3 of 35\n\n\"sku\": \"2019-Datacenter\",\r\n \"version\": \"latest\",\r\n \"communityGalleryImageId\": \"/CommunityGalleries/testgallery/Images/1804Gen2/Versions/latest\",\r\n \"sharedGalleryImageId\": \"/SharedGalleries/1P/Images/gen2/Versions/latest\",\r\n \"exactVersion\": \"1.1686127202.30113\"\r\n },\r\n \"osDisk\": {\r\n \"caching\": \"ReadWrite\",\r\n \"createOption\": \"FromImage\",\r\n \"diskSizeGB\": \"30\",\r\n \"diffDiskSettings\": {\r\n \"option\": \"Local\"\r\n },\r\n \"encryptionSettings\": {\r\n \"enabled\": \"false\",\r\n 
\"diskEncryptionKey\": {\r\n \"sourceVault\": {\r\n \"id\": \"/subscriptions/test-source-guid/resourceGroups/testrg/providers/Microsoft.KeyVault/\r\n },\r\n \"secretUrl\": \"https://test-disk.vault.azure.net/secrets/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx/xxx\r\n },\r\n \"keyEncryptionKey\": {\r\n \"sourceVault\": {\r\n \"id\": \"/subscriptions/test-key-guid/resourceGroups/testrg/providers/Microsoft.KeyVault/vau\r\n },\r\n \"keyUrl\": \"https://test-key.vault.azure.net/secrets/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx/xxxxx-x\r\n }\r\n },\r\n \"image\": {\r\n \"uri\": \"\"\r\n },\r\n \"managedDisk\": {\r\n \"id\": \"/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx/resourceGroups/macikgo-test-may-23/pr\r\n \"storageAccountType\": \"StandardSSD_LRS\"\r\n },\r\n \"name\": \"exampleosdiskname\",\r\n \"osType\": \"Windows\",\r\n \"vhd\": {\r\n \"uri\": \"\"\r\n },\r\n \"writeAcceleratorEnabled\": \"false\"\r\n },\r\n \"resourceDisk\": {\r\n \"size\": \"4096\"\r\n }\r\n },\r\n \"subscriptionId\": \"xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx\",\r\nhttps://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows\r\nPage 4 of 35\n\n\"tags\": \"baz:bash;foo:bar\",\r\n \"userData\": \"Zm9vYmFy\",\r\n \"version\": \"15.05.22\",\r\n \"virtualMachineScaleSet\": {\r\n \"id\": \"/subscriptions/xxxxxxxx-xxxxx-xxx-xxx-xxxx/resourceGroups/resource-group-name/providers/Micro\r\n },\r\n \"vmId\": \"02aab8a4-74ef-476e-8182-f6d2ba4166a6\",\r\n \"vmScaleSetName\": \"crpteste9vflji9\",\r\n \"vmSize\": \"Standard_A3\",\r\n \"zone\": \"\"\r\n },\r\n \"network\": {\r\n \"interface\": [{\r\n \"ipv4\": {\r\n \"ipAddress\": [{\r\n \"privateIpAddress\": \"10.144.133.132\",\r\n \"publicIpAddress\": \"\"\r\n }],\r\n \"subnet\": [{\r\n \"address\": \"10.144.133.128\",\r\n \"prefix\": \"26\"\r\n }]\r\n },\r\n \"ipv6\": {\r\n \"ipAddress\": [\r\n ]\r\n },\r\n \"macAddress\": \"0011AAFFBB22\"\r\n }]\r\n }\r\n}\r\nThe Instance Metadata Service is only accessible from within a running virtual 
machine instance on a non-routable IP address. VMs can only interact with their own metadata/functionality. The API is HTTP only and\r\nnever leaves the host.\r\nIn order to ensure that requests are directly intended for IMDS and prevent unintended or unwanted redirection of\r\nrequests, requests:\r\nMust contain the header Metadata: true\r\nMust not contain an X-Forwarded-For header\r\nAny request that doesn't meet both of these requirements is rejected by the service.\r\nImportant\r\nIMDS is not a channel for sensitive data. The API is unauthenticated and open to all processes on the VM.\r\nInformation exposed through this service should be considered as shared information to all applications running\r\ninside the VM.\r\nIf it isn't necessary for every process on the VM to access the IMDS endpoint, you can set local firewall rules to limit\r\naccess. For example, if only a known system service needs to access the Instance Metadata Service, you can set a\r\nfirewall rule on the IMDS endpoint that allows only the specific process(es) to access it, or denies access for the rest of\r\nthe processes.\r\nIMDS is not intended to be used behind a proxy and doing so is unsupported. Most HTTP clients provide an\r\noption for you to disable proxies on your requests, and this functionality must be utilized when communicating\r\nwith IMDS. Consult your client's documentation for details.\r\nImportant\r\nEven if you don't know of any proxy configuration in your environment, you still must override any default\r\nclient proxy settings. Proxy configurations can be automatically discovered, and failing to bypass such\r\nconfigurations exposes you to outage risks should the machine's configuration be changed in the future.\r\nIn general, requests to IMDS are limited to 5 requests per second (on a per VM basis). 
Requests exceeding this\r\nthreshold will be rejected with 429 responses. Requests to the Managed Identity category are limited to 20\r\nrequests per second and 5 concurrent requests (on a per VM basis).\r\nThe following HTTP verbs are currently supported:\r\nVerb Description\r\nGET Retrieve the requested resource\r\nEndpoints may support required and/or optional parameters. See Schema and the documentation for the specific\r\nendpoint in question for details.\r\nIMDS endpoints support HTTP query string parameters. For example:\r\nhttp://169.254.169.254/metadata/instance/compute?api-version=2025-04-07\u0026format=json\r\nSpecifies the parameters:\r\nName Value\r\napi-version 2025-04-07\r\nformat json\r\nRequests with duplicate query parameter names will be rejected.\r\nhttps://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows\r\nPage 6 of 35\n\nFor some endpoints that return larger json blobs, we support appending route parameters to the request endpoint to\r\nfilter down to a subset of the response:\r\nhttp://169.254.169.254/metadata/\u003cendpoint\u003e/[\u003cfilter parameter\u003e/...]?\u003cquery parameters\u003e\r\nThe parameters correspond to the indexes/keys that would be used to walk down the json object were you\r\ninteracting with a parsed representation.\r\nFor example, /metadata/instance returns the json object:\r\n{\r\n \"compute\": { ... 
},\r\n \"network\": {\r\n \"interface\": [\r\n {\r\n \"ipv4\": {\r\n \"ipAddress\": [{\r\n \"privateIpAddress\": \"10.144.133.132\",\r\n \"publicIpAddress\": \"\"\r\n }],\r\n \"subnet\": [{\r\n \"address\": \"10.144.133.128\",\r\n \"prefix\": \"26\"\r\n }]\r\n },\r\n \"ipv6\": {\r\n \"ipAddress\": [{\r\n \"privateIpAddress\": \"b4bc:8fce:f33b:4990:cced:d94e:ab4f:6ea0\"\r\n }]\r\n },\r\n \"macAddress\": \"0011AAFFBB22\"\r\n },\r\n ...\r\n ]\r\n }\r\n}\r\nIf we want to filter the response down to just the compute property, we would send the request:\r\nhttp://169.254.169.254/metadata/instance/compute?api-version=\u003cversion\u003e\r\nSimilarly, if we want to filter to a nested property or specific array element we keep appending keys:\r\nhttp://169.254.169.254/metadata/instance/network/interface/0?api-version=\u003cversion\u003e\r\nhttps://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows\r\nPage 7 of 35\n\nwould filter to the first element from the Network.interface property and return:\r\n{\r\n \"ipv4\": {\r\n \"ipAddress\": [{\r\n \"privateIpAddress\": \"10.144.133.132\",\r\n \"publicIpAddress\": \"\"\r\n }],\r\n \"subnet\": [{\r\n \"address\": \"10.144.133.128\",\r\n \"prefix\": \"26\"\r\n }]\r\n },\r\n \"ipv6\": {\r\n \"ipAddress\": [{\r\n \"privateIpAddress\": \"b4bc:8fce:f33b:4990:cced:d94e:ab4f:6ea0\"\r\n }]\r\n },\r\n \"macAddress\": \"0011AAFFBB22\"\r\n}\r\nNote\r\nWhen filtering to a leaf node, format=json doesn't work. For these queries format=text needs to be explicitly\r\nspecified since the default format is json.\r\nBy default, IMDS returns data in JSON format ( Content-Type: application/json ). 
However, endpoints that\r\nsupport response filtering (see Route Parameters) also support the format text .\r\nTo access a non-default response format, specify the requested format as a query string parameter in the request.\r\nFor example:\r\nWindows\r\nLinux\r\nInvoke-RestMethod -Headers @{\"Metadata\"=\"true\"} -Method GET -NoProxy -Uri \"http://169.254.169.254/metadata/inst\r\nIn json responses, all primitives will be of type string , and missing or inapplicable values are always included\r\nbut will be set to an empty string.\r\nIMDS is versioned and specifying the API version in the HTTP request is mandatory. The only exception to this\r\nrequirement is the versions endpoint, which can be used to dynamically retrieve the available API versions.\r\nAs newer versions are added, older versions can still be accessed for compatibility if your scripts have\r\ndependencies on specific data formats.\r\nhttps://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows\r\nPage 8 of 35\n\nWhen you don't specify a version, you get an error with a list of the newest supported versions:\r\n{\r\n \"error\": \"Bad request. api-version is invalid or was not specified in the request. 
For more information refe\r\n \"newest-versions\": [\r\n \"2025-04-07\",\r\n \"2024-07-17\",\r\n \"2024-03-15\"\r\n ]\r\n}\r\n2025-04-07\r\n2024-07-17\r\n2024-03-15\r\n2023-11-15\r\n2023-07-01\r\n2021-12-13\r\n2021-11-15\r\n2021-11-01\r\n2021-10-01\r\n2021-08-01\r\n2021-05-01\r\n2021-03-01\r\n2021-02-01\r\n2021-01-01\r\n2020-12-01\r\n2020-10-01\r\n2020-09-01\r\n2020-07-15\r\n2020-06-01\r\n2019-11-01\r\n2019-08-15\r\n2019-08-01\r\n2019-06-04\r\n2019-06-01\r\n2019-04-30\r\n2019-03-11\r\n2019-02-01\r\n2018-10-01\r\n2018-04-02\r\n2018-02-01\r\n2017-12-01\r\n2017-10-01\r\nhttps://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows\r\nPage 9 of 35\n\n2017-08-01\r\n2017-04-02\r\n2017-03-01\r\nA full Swagger definition for IMDS is available at: https://github.com/Azure/azure-rest-api-specs/blob/main/specification/imds/data-plane/InstanceMetadataService/readme.md\r\nThe service is generally available in all Azure clouds.\r\nThe root endpoint is http://169.254.169.254/metadata .\r\nThe IMDS API contains multiple endpoint categories representing different data sources, each of which contains\r\none or more endpoints. 
See each category for details.\r\nCategory root Description Version introduced\r\n/metadata/attested See Attested Data 2018-10-01\r\n/metadata/identity See Managed Identity via IMDS 2018-02-01\r\n/metadata/instance See Instance Metadata 2017-04-02\r\n/metadata/loadbalancer See Retrieve Load Balancer metadata via IMDS 2020-10-01\r\n/metadata/scheduledevents See Scheduled Events via IMDS 2017-08-01\r\n/metadata/versions See Versions N/A\r\nReturns the set of supported API versions.\r\nGET /metadata/versions\r\nNone (this endpoint is unversioned).\r\n{\r\n \"apiVersions\": [\r\n \"2017-03-01\",\r\n \"2017-04-02\",\r\n ...\r\n ]\r\n}\r\nExposes the important metadata for the VM instance, including compute, network, and storage.\r\nGET /metadata/instance\r\nhttps://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows\r\nPage 10 of 35\n\nName Required/Optional Description\r\napi-version\r\nRequired The version used to service the request.\r\nformat Optional*\r\nThe format ( json or text ) of the response. 
*Note: May be\r\nrequired when using request parameters\r\nThis endpoint supports response filtering via route parameters.\r\nWindows\r\nLinux\r\n{\r\n \"compute\": {\r\n \"azEnvironment\": \"AZUREPUBLICCLOUD\",\r\n \"additionalCapabilities\": {\r\n \"hibernationEnabled\": \"true\"\r\n },\r\n \"hostGroup\": {\r\n \"id\": \"testHostGroupId\"\r\n },\r\n \"extendedLocation\": {\r\n \"type\": \"edgeZone\",\r\n \"name\": \"microsoftlosangeles\"\r\n },\r\n \"evictionPolicy\": \"\",\r\n \"isHostCompatibilityLayerVm\": \"true\",\r\n \"licenseType\": \"Windows_Client\",\r\n \"location\": \"westus\",\r\n \"name\": \"examplevmname\",\r\n \"offer\": \"WindowsServer\",\r\n \"osProfile\": {\r\n \"adminUsername\": \"admin\",\r\n \"computerName\": \"examplevmname\",\r\n \"disablePasswordAuthentication\": \"true\"\r\n },\r\n \"osType\": \"Windows\",\r\n \"placementGroupId\": \"f67c14ab-e92c-408c-ae2d-da15866ec79a\",\r\n \"plan\": {\r\n \"name\": \"planName\",\r\n \"product\": \"planProduct\",\r\n \"publisher\": \"planPublisher\"\r\n },\r\n \"platformFaultDomain\": \"36\",\r\n \"platformSubFaultDomain\": \"\",\r\nhttps://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows\r\nPage 11 of 35\n\n\"platformUpdateDomain\": \"42\",\r\n \"priority\": \"Regular\",\r\n \"publicKeys\": [{\r\n \"keyData\": \"ssh-rsa 0\",\r\n \"path\": \"/home/user/.ssh/authorized_keys0\"\r\n },\r\n {\r\n \"keyData\": \"ssh-rsa 1\",\r\n \"path\": \"/home/user/.ssh/authorized_keys1\"\r\n }\r\n ],\r\n \"publisher\": \"RDFE-Test-Microsoft-Windows-Server-Group\",\r\n \"resourceGroupName\": \"macikgo-test-may-23\",\r\n \"resourceId\": \"/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx/resourceGroups/macikgo-test-may-23/provid\r\n \"securityProfile\": {\r\n \"secureBootEnabled\": \"true\",\r\n \"virtualTpmEnabled\": \"false\",\r\n \"encryptionAtHost\": \"true\",\r\n \"securityType\": \"TrustedLaunch\"\r\n },\r\n \"sku\": \"2019-Datacenter\",\r\n \"storageProfile\": {\r\n 
\"dataDisks\": [{\r\n \"bytesPerSecondThrottle\": \"979202048\",\r\n \"caching\": \"None\",\r\n \"createOption\": \"Empty\",\r\n \"diskCapacityBytes\": \"274877906944\",\r\n \"diskSizeGB\": \"1024\",\r\n \"image\": {\r\n \"uri\": \"\"\r\n },\r\n \"isSharedDisk\": \"false\",\r\n \"isUltraDisk\": \"true\",\r\n \"lun\": \"0\",\r\n \"managedDisk\": {\r\n \"id\": \"/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx/resourceGroups/macikgo-test-may-23/prov\r\n \"storageAccountType\": \"StandardSSD_LRS\"\r\n },\r\n \"name\": \"exampledatadiskname\",\r\n \"opsPerSecondThrottle\": \"65280\",\r\n \"vhd\": {\r\n \"uri\": \"\"\r\n },\r\n \"writeAcceleratorEnabled\": \"false\"\r\n }],\r\n \"imageReference\": {\r\n \"id\": \"\",\r\nhttps://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows\r\nPage 12 of 35\n\n\"offer\": \"WindowsServer\",\r\n \"publisher\": \"MicrosoftWindowsServer\",\r\n \"sku\": \"2019-Datacenter\",\r\n \"version\": \"latest\",\r\n \"communityGalleryImageId\": \"/CommunityGalleries/testgallery/Images/1804Gen2/Versions/latest\",\r\n \"sharedGalleryImageId\": \"/SharedGalleries/1P/Images/gen2/Versions/latest\",\r\n \"exactVersion\": \"1.1686127202.30113\"\r\n },\r\n \"osDisk\": {\r\n \"caching\": \"ReadWrite\",\r\n \"createOption\": \"FromImage\",\r\n \"diskSizeGB\": \"30\",\r\n \"diffDiskSettings\": {\r\n \"option\": \"Local\"\r\n },\r\n \"encryptionSettings\": {\r\n \"enabled\": \"false\",\r\n \"diskEncryptionKey\": {\r\n \"sourceVault\": {\r\n \"id\": \"/subscriptions/test-source-guid/resourceGroups/testrg/providers/Microsoft.KeyVault/\r\n },\r\n \"secretUrl\": \"https://test-disk.vault.azure.net/secrets/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx/xxx\r\n },\r\n \"keyEncryptionKey\": {\r\n \"sourceVault\": {\r\n \"id\": \"/subscriptions/test-key-guid/resourceGroups/testrg/providers/Microsoft.KeyVault/vau\r\n },\r\n \"keyUrl\": \"https://test-key.vault.azure.net/secrets/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx/xxxxx-x\r\n }\r\n },\r\n 
\"image\": {\r\n \"uri\": \"\"\r\n },\r\n \"managedDisk\": {\r\n \"id\": \"/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx/resourceGroups/macikgo-test-may-23/pr\r\n \"storageAccountType\": \"StandardSSD_LRS\"\r\n },\r\n \"name\": \"exampleosdiskname\",\r\n \"osType\": \"Windows\",\r\n \"vhd\": {\r\n \"uri\": \"\"\r\n },\r\n \"writeAcceleratorEnabled\": \"false\"\r\n },\r\n \"resourceDisk\": {\r\n \"size\": \"4096\"\r\n }\r\nhttps://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows\r\nPage 13 of 35\n\n},\r\n \"subscriptionId\": \"xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx\",\r\n \"tags\": \"baz:bash;foo:bar\",\r\n \"userData\": \"Zm9vYmFy\",\r\n \"version\": \"15.05.22\",\r\n \"virtualMachineScaleSet\": {\r\n \"id\": \"/subscriptions/xxxxxxxx-xxxxx-xxx-xxx-xxxx/resourceGroups/resource-group-name/providers/Micro\r\n },\r\n \"vmId\": \"02aab8a4-74ef-476e-8182-f6d2ba4166a6\",\r\n \"vmScaleSetName\": \"crpteste9vflji9\",\r\n \"vmSize\": \"Standard_A3\",\r\n \"zone\": \"\"\r\n },\r\n \"network\": {\r\n \"interface\": [{\r\n \"ipv4\": {\r\n \"ipAddress\": [{\r\n \"privateIpAddress\": \"10.144.133.132\",\r\n \"publicIpAddress\": \"\"\r\n }],\r\n \"subnet\": [{\r\n \"address\": \"10.144.133.128\",\r\n \"prefix\": \"26\"\r\n }]\r\n },\r\n \"ipv6\": {\r\n \"ipAddress\": [\r\n ]\r\n },\r\n \"macAddress\": \"0011AAFFBB22\"\r\n }]\r\n }\r\n}\r\nSchema breakdown:\r\nCompute\r\nData Description\r\nVersion\r\nintroduced\r\nazEnvironment\r\nAzure Environment where the VM is\r\nrunning in\r\n2018-10-01\r\nadditionalCapabilities.hibernationEnabled\r\nIdentifies if hibernation is enabled on the\r\nVM\r\n2021-11-01\r\nhttps://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows\r\nPage 14 of 35\n\nData Description\r\nVersion\r\nintroduced\r\ncustomData\r\nThis feature is deprecated and disabled in\r\nIMDS. It has been superseded by\r\nuserData\r\n2019-02-01\r\nevictionPolicy Sets how a Spot VM will be evicted. 
2020-12-01\r\nextendedLocation.type Type of the extended location of the VM. 2021-03-01\r\nextendedLocation.name Name of the extended location of the VM 2021-03-01\r\nhost.id\r\nName of the host of the VM. Note that a\r\nVM will either have a host or a hostGroup\r\nbut not both.\r\n2021-11-15\r\nhostGroup.id\r\nName of the hostGroup of the VM. Note\r\nthat a VM will either have a host or a\r\nhostGroup but not both.\r\n2021-11-15\r\nisHostCompatibilityLayerVm\r\nIdentifies if the VM runs on the Host\r\nCompatibility Layer\r\n2020-06-01\r\nlicenseType\r\nType of license for Azure Hybrid Benefit.\r\nThis is only present for AHB-enabled\r\nVMs\r\n2020-09-01\r\nlocation Azure Region the VM is running in 2017-04-02\r\nname Name of the VM 2017-04-02\r\noffer\r\nOffer information for the VM image and\r\nis only present for images deployed from\r\nAzure image gallery\r\n2017-04-02\r\nosProfile.adminUsername Specifies the name of the admin account 2020-07-15\r\nosProfile.computerName Specifies the name of the computer 2020-07-15\r\nosProfile.disablePasswordAuthentication\r\nSpecifies if password authentication is\r\ndisabled. This is only present for Linux\r\nVMs\r\n2020-10-01\r\nosType Linux or Windows 2017-04-02\r\nphysicalZone Physical zone of the VM 2023-11-15\r\nplacementGroupId Placement Group of your scale set 2017-08-01\r\nhttps://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows\r\nPage 15 of 35\n\nData Description\r\nVersion\r\nintroduced\r\nplan\r\nPlan containing name, product, and\r\npublisher for a VM if it's an Azure\r\nMarketplace Image\r\n2018-04-02\r\nplatformUpdateDomain Update domain the VM is running in 2017-04-02\r\nplatformFaultDomain Fault domain the VM is running in 2017-04-02\r\nplatformSubFaultDomain\r\nSub fault domain the VM is running in, if\r\napplicable.\r\n2021-10-01\r\npriority\r\nPriority of the VM. 
Refer to Spot VMs for\r\nmore information\r\n2020-12-01\r\nprovider Provider of the VM 2018-10-01\r\npublicKeys\r\nCollection of Public Keys assigned to the\r\nVM and paths\r\n2018-04-02\r\npublisher Publisher of the VM image 2017-04-02\r\nresourceGroupName Resource group for your Virtual Machine 2017-08-01\r\nresourceId The fully qualified ID of the resource 2019-03-11\r\nsku Specific SKU for the VM image 2017-04-02\r\nsecurityProfile.secureBootEnabled\r\nIdentifies if UEFI secure boot is enabled\r\non the VM\r\n2020-06-01\r\nsecurityProfile.virtualTpmEnabled\r\nIdentifies if the virtual Trusted Platform\r\nModule (TPM) is enabled on the VM\r\n2020-06-01\r\nsecurityProfile.encryptionAtHost\r\nIdentifies if Encryption at Host is enabled\r\non the VM\r\n2021-11-01\r\nsecurityProfile.securityType\r\nIdentifies if the VM is a Trusted VM or a\r\nConfidential VM\r\n2021-12-13\r\nstorageProfile See Storage Profile below 2019-06-01\r\nsubscriptionId\r\nAzure subscription for the Virtual\r\nMachine\r\n2017-08-01\r\ntags Tags for your Virtual Machine 2017-08-01\r\nhttps://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows\r\nPage 16 of 35\n\nData Description\r\nVersion\r\nintroduced\r\ntagsList\r\nTags formatted as a JSON array for easier\r\nprogrammatic parsing\r\n2019-06-04\r\nuserData\r\nThe set of data specified when the VM\r\nwas created for use during or after\r\nprovisioning (Base64 encoded)\r\n2021-01-01\r\nversion Version of the VM image 2017-04-02\r\nvirtualMachineScaleSet.id\r\nID of the Virtual Machine Scale Set\r\ncreated with flexible orchestration the\r\nVirtual Machine is part of. This field isn't\r\navailable for Virtual Machine Scale Sets\r\ncreated with uniform orchestration.\r\n2021-03-01\r\nvmId\r\nUnique identifier for the VM. The blog\r\nreferenced only suits for VMs that have\r\nSMBIOS \u003c 2.6. 
For VMs that have\r\nSMBIOS \u003e= 2.6, the UUID from DMI is\r\ndisplayed in little-endian format, so\r\nthere's no requirement to switch bytes.\r\n2017-04-02\r\nvmScaleSetName\r\nVirtual Machine Scale Set Name of your\r\nscale set\r\n2017-12-01\r\nvmSize VM size 2017-04-02\r\nzone Availability Zone of your virtual machine 2017-12-01\r\n† This version isn't fully available yet and may not be supported in all regions.\r\nStorage profile\r\nThe storage profile of a VM is divided into three categories: image reference, OS disk, and data disks, plus an\r\nadditional object for the local temporary disk.\r\nThe image reference object contains the following information about the OS image. Note that an image\r\ncomes from the platform, marketplace, community gallery, or direct shared gallery, but from only one of them:\r\nData Description\r\nVersion\r\nintroduced\r\nid Resource ID 2019-06-01\r\noffer Offer of the platform or marketplace image 2019-06-01\r\npublisher Publisher of the platform or marketplace image 2019-06-01\r\nsku Sku of the platform or marketplace image 2019-06-01\r\nversion Version of the image 2019-06-01\r\ncommunityGalleryImageId\r\nResource ID of the community image, empty\r\notherwise\r\n2023-07-01\r\nsharedGalleryImageId Resource ID of the direct shared image, empty otherwise 2023-07-01\r\nexactVersion Version of the community or direct shared image 2023-07-01\r\nThe OS disk object contains the following information about the OS disk used by the VM:\r\nData Description\r\ncaching Caching requirements\r\ncreateOption Information about how the VM was created\r\ndiffDiskSettings Ephemeral disk settings\r\ndiskSizeGB Size of the disk in GB\r\nimage Source user image virtual hard disk\r\nmanagedDisk Managed disk parameters\r\nname Disk name\r\nvhd Virtual hard 
disk\r\nwriteAcceleratorEnabled Whether or not writeAccelerator is enabled on the disk\r\nThe data disks array contains a list of data disks attached to the VM. Each data disk object contains the following\r\ninformation:\r\nData Description Version introduced\r\nbytesPerSecondThrottle * Disk read/write quota in bytes 2021-05-01\r\ncaching Caching requirements 2019-06-01\r\ncreateOption Information about how the VM was created 2019-06-01\r\nhttps://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows\r\nPage 18 of 35\n\nData Description Version introduced\r\ndiffDiskSettings Ephemeral disk settings 2019-06-01\r\ndiskCapacityBytes * Size of disk in bytes 2021-05-01\r\ndiskSizeGB Size of the disk in GB 2019-06-01\r\nencryptionSettings Encryption settings for the disk 2019-06-01\r\nimage Source user image virtual hard disk 2019-06-01\r\nisSharedDisk * Identifies if the disk is shared between resources 2021-05-01\r\nisUltraDisk Identifies if the data disk is an Ultra Disk 2021-05-01\r\nlun Logical unit number of the disk 2019-06-01\r\nmanagedDisk Managed disk parameters 2019-06-01\r\nname Disk name 2019-06-01\r\nopsPerSecondThrottle * Disk read/write quota in IOPS 2021-05-01\r\nosType Type of OS included in the disk 2019-06-01\r\nvhd Virtual hard disk 2019-06-01\r\nwriteAcceleratorEnabled Whether or not writeAccelerator is enabled on the disk 2019-06-01\r\n*These fields are only populated for Ultra Disks; they are empty strings from non-Ultra Disks.\r\nThe encryption settings blob contains data about how the disk is encrypted (if it's encrypted):\r\nData Description Version introduced\r\ndiskEncryptionKey.sourceVault.id The location of the disk encryption key 2021-11-01\r\ndiskEncryptionKey.secretUrl The location of the secret 2021-11-01\r\nkeyEncryptionKey.sourceVault.id The location of the key encryption key 2021-11-01\r\nkeyEncryptionKey.keyUrl The location of the key 2021-11-01\r\nThe resource disk object contains the size 
of the Local Temp Disk attached to the VM, if it has one, in kilobytes. If\r\nthere's no local temp disk for the VM, this value is 0.\r\nData Description Version introduced\r\nresourceDisk.size Size of the local temp disk for the VM (in kB) 2021-02-01\r\nNetwork\r\nData Description Version introduced\r\nipv4.ipAddress.privateIpAddress Local IPv4 address of the VM 2017-04-02\r\nipv4.ipAddress.publicIpAddress Public IPv4 address of the VM 2017-04-02\r\nipv4.subnet.address Subnet address of the VM 2017-04-02\r\nipv4.subnet.prefix Subnet prefix, example 24 2017-04-02\r\nipv6.ipAddress.privateIpAddress Local IPv6 address of the VM 2017-04-02\r\nmacAddress VM MAC address 2017-04-02\r\nNote\r\nThe NICs returned by the network call are not guaranteed to be in order.\r\nWhen creating a new VM, you can specify a set of data to be used during or after VM provisioning, and retrieve it\r\nthrough IMDS. Check the end-to-end user data experience here.\r\nTo set up user data, utilize the quickstart template here. The sample below shows how to retrieve this data through\r\nIMDS. This feature is available in version 2021-01-01 and above.\r\nNote\r\nSecurity notice: IMDS is open to all applications on the VM, so sensitive data should not be placed in the user data.\r\nWindows\r\nLinux\r\n$userData = Invoke-RestMethod -Headers @{\"Metadata\"=\"true\"} -Method GET -NoProxy -Uri \"http://169.254.169.254/m\r\n[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($userData))\r\nAs a service provider, you may need to track the number of VMs running your software or have agents that\r\nneed to track uniqueness of the VM. 
To be able to get a unique ID for a VM, use the vmId field from Instance\r\nMetadata Service.\r\nRequest\r\nInvoke-RestMethod -Headers @{\"Metadata\"=\"true\"} -Method GET -NoProxy -Uri \"http://169.254.169.254/metadata/inst\r\nResponse\r\n5c08b38e-4d57-4c23-ac45-aca61037f084\r\nFor certain scenarios, placement of different data replicas is of prime importance. For example, HDFS replica\r\nplacement or container placement via an orchestrator might require you to know the platformFaultDomain and\r\nplatformUpdateDomain the VM is running on. You can also use Availability Zones for the instances to make\r\nthese decisions. You can query this data directly via IMDS.\r\nRequest\r\nInvoke-RestMethod -Headers @{\"Metadata\"=\"true\"} -Method GET -NoProxy -Uri \"http://169.254.169.254/metadata/inst\r\nResponse\r\n0\r\nVM tags are included in the instance API under the instance/compute/tags endpoint. Tags may have been applied to your\r\nAzure VM to logically organize them into a taxonomy. The tags assigned to a VM can be retrieved by using the\r\nrequest below.\r\nRequest\r\nInvoke-RestMethod -Headers @{\"Metadata\"=\"true\"} -Method GET -NoProxy -Uri \"http://169.254.169.254/metadata/inst\r\nResponse\r\nDepartment:IT;ReferenceNumber:123456;TestStatus:Pending\r\nThe tags field is a string with the tags delimited by semicolons. This output can be a problem if semicolons are\r\nused in the tags themselves. If a parser is written to programmatically extract the tags, you should rely on the\r\ntagsList field. The tagsList field is a JSON array with no delimiters, and consequently, easier to parse. 
The\r\ntagsList assigned to a VM can be retrieved by using the request below.\r\nRequest\r\nInvoke-RestMethod -Headers @{\"Metadata\"=\"true\"} -Method GET -NoProxy -Uri \"http://169.254.169.254/metadata/inst\r\nResponse\r\n{\r\n \"value\": [\r\n {\r\n \"name\": \"Department\",\r\n \"value\": \"IT\"\r\n },\r\n {\r\n \"name\": \"ReferenceNumber\",\r\n \"value\": \"123456\"\r\n },\r\n {\r\n \"name\": \"TestStatus\",\r\n \"value\": \"Pending\"\r\n }\r\n ],\r\n \"Count\": 3\r\n}\r\nAs a service provider, you may get a support call where you would like to know more information about the VM.\r\nAsking the customer to share the compute metadata can provide basic information for the support professional to\r\nknow about the kind of VM on Azure.\r\nRequest\r\nInvoke-RestMethod -Headers @{\"Metadata\"=\"true\"} -Method GET -NoProxy -Uri \"http://169.254.169.254/metadata/inst\r\nResponse\r\nNote\r\nThe response is a JSON string. 
The following example response is pretty-printed for readability.\r\n{\r\n \"azEnvironment\": \"AZUREPUBLICCLOUD\",\r\n \"extendedLocation\": {\r\n \"type\": \"edgeZone\",\r\n \"name\": \"microsoftlosangeles\"\r\n },\r\n \"evictionPolicy\": \"\",\r\n \"additionalCapabilities\": {\r\n \"hibernationEnabled\": \"false\"\r\n },\r\n \"hostGroup\": {\r\n \"id\": \"testHostGroupId\"\r\n },\r\n \"isHostCompatibilityLayerVm\": \"true\",\r\n \"licenseType\": \"Windows_Client\",\r\n \"location\": \"westus\",\r\n \"name\": \"examplevmname\",\r\n \"offer\": \"WindowsServer\",\r\n \"osProfile\": {\r\n \"adminUsername\": \"admin\",\r\n \"computerName\": \"examplevmname\",\r\n \"disablePasswordAuthentication\": \"true\"\r\n },\r\n \"osType\": \"Windows\",\r\n \"placementGroupId\": \"f67c14ab-e92c-408c-ae2d-da15866ec79a\",\r\n \"plan\": {\r\n \"name\": \"planName\",\r\n \"product\": \"planProduct\",\r\n \"publisher\": \"planPublisher\"\r\n },\r\n \"platformFaultDomain\": \"36\",\r\n \"platformUpdateDomain\": \"42\",\r\n \"priority\": \"Regular\",\r\n \"publicKeys\": [{\r\n \"keyData\": \"ssh-rsa 0\",\r\n \"path\": \"/home/user/.ssh/authorized_keys0\"\r\n },\r\n {\r\n \"keyData\": \"ssh-rsa 1\",\r\n \"path\": \"/home/user/.ssh/authorized_keys1\"\r\n }\r\n ],\r\n \"publisher\": \"RDFE-Test-Microsoft-Windows-Server-Group\",\r\n \"physicalZone\": \"useast-AZ01\",\r\n \"resourceGroupName\": \"macikgo-test-may-23\",\r\n \"resourceId\": \"/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx/resourceGroups/macikgo-test-may-23/providers/\r\n \"securityProfile\": {\r\n \"secureBootEnabled\": \"true\",\r\n \"virtualTpmEnabled\": \"false\",\r\n \"encryptionAtHost\": \"true\",\r\n \"securityType\": \"TrustedLaunch\"\r\n },\r\n \"sku\": 
\"2019-Datacenter\",\r\n \"storageProfile\": {\r\n \"dataDisks\": [{\r\n \"bytesPerSecondThrottle\": \"979202048\",\r\n \"caching\": \"None\",\r\n \"createOption\": \"Empty\",\r\n \"diskCapacityBytes\": \"274877906944\",\r\n \"diskSizeGB\": \"1024\",\r\n \"image\": {\r\n \"uri\": \"\"\r\n },\r\n \"isSharedDisk\": \"false\",\r\n \"isUltraDisk\": \"true\",\r\n \"lun\": \"0\",\r\n \"managedDisk\": {\r\n \"id\": \"/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx/resourceGroups/macikgo-test-may-23/provider\r\n \"storageAccountType\": \"StandardSSD_LRS\"\r\n },\r\n \"name\": \"exampledatadiskname\",\r\n \"opsPerSecondThrottle\": \"65280\",\r\n \"vhd\": {\r\n \"uri\": \"\"\r\n },\r\n \"writeAcceleratorEnabled\": \"false\"\r\n }],\r\n \"imageReference\": {\r\n \"id\": \"\",\r\n \"offer\": \"WindowsServer\",\r\n \"publisher\": \"MicrosoftWindowsServer\",\r\n \"sku\": \"2019-Datacenter\",\r\n \"version\": \"latest\",\r\n \"communityGalleryImageId\": \"/CommunityGalleries/testgallery/Images/1804Gen2/Versions/latest\",\r\n \"sharedGalleryImageId\": \"/SharedGalleries/1P/Images/gen2/Versions/latest\",\r\n \"exactVersion\": \"1.1686127202.30113\"\r\n },\r\n \"osDisk\": {\r\n \"caching\": \"ReadWrite\",\r\n \"createOption\": \"FromImage\",\r\n \"diskSizeGB\": \"30\",\r\n \"diffDiskSettings\": {\r\n \"option\": \"Local\"\r\n },\r\n \"encryptionSettings\": {\r\n \"enabled\": \"false\",\r\n \"diskEncryptionKey\": {\r\n \"sourceVault\": {\r\n \"id\": \"/subscriptions/test-source-guid/resourceGroups/testrg/providers/Microsoft.KeyVault/vaul\r\n },\r\n \"secretUrl\": \"https://test-disk.vault.azure.net/secrets/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx/xxxxx-x\r\n },\r\n \"keyEncryptionKey\": {\r\n \"sourceVault\": {\r\n \"id\": \"/subscriptions/test-key-guid/resourceGroups/testrg/providers/Microsoft.KeyVault/vaults/\r\n },\r\n \"keyUrl\": 
\"https://test-key.vault.azure.net/secrets/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx/xxxxx-xxxx-\r\n }\r\n },\r\n \"image\": {\r\n \"uri\": \"\"\r\n },\r\n \"managedDisk\": {\r\n \"id\": \"/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx/resourceGroups/macikgo-test-may-23/provid\r\n \"storageAccountType\": \"StandardSSD_LRS\"\r\n },\r\n \"name\": \"exampleosdiskname\",\r\n \"osType\": \"Windows\",\r\n \"vhd\": {\r\n \"uri\": \"\"\r\n },\r\n \"writeAcceleratorEnabled\": \"false\"\r\n },\r\n \"resourceDisk\": {\r\n \"size\": \"4096\"\r\n }\r\n },\r\n \"subscriptionId\": \"xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx\",\r\n \"tags\": \"baz:bash;foo:bar\",\r\n \"version\": \"15.05.22\",\r\n \"virtualMachineScaleSet\": {\r\n \"id\": \"/subscriptions/xxxxxxxx-xxxxx-xxx-xxx-xxxx/resourceGroups/resource-group-name/providers/Microsoft.C\r\n },\r\n \"vmId\": \"02aab8a4-74ef-476e-8182-f6d2ba4166a6\",\r\n \"vmScaleSetName\": \"crpteste9vflji9\",\r\n \"vmSize\": \"Standard_A3\",\r\n \"zone\": \"3\"\r\n}\r\nAzure has various sovereign clouds like Azure Government. Sometimes you need the Azure Environment to make\r\nsome runtime decisions. 
The following sample shows you how you can achieve this behavior.\r\nRequest\r\nInvoke-RestMethod -Headers @{\"Metadata\"=\"true\"} -Method GET -NoProxy -Uri \"http://169.254.169.254/metadata/inst\r\nResponse\r\nAzurePublicCloud\r\nThe cloud and the values of the Azure environment are listed here.\r\nCloud Azure environment\r\nAll generally available global Azure regions AzurePublicCloud\r\nAzure Government AzureUSGovernmentCloud\r\nMicrosoft Azure operated by 21Vianet AzureChinaCloud\r\nAzure Germany AzureGermanCloud\r\nRequest\r\nInvoke-RestMethod -Headers @{\"Metadata\"=\"true\"} -Method GET -NoProxy -Uri \"http://169.254.169.254/metadata/inst\r\nResponse\r\n{\r\n \"interface\": [\r\n {\r\n \"ipv4\": {\r\n \"ipAddress\": [\r\n {\r\n \"privateIpAddress\": \"10.1.0.4\",\r\n \"publicIpAddress\": \"X.X.X.X\"\r\n }\r\n ],\r\n \"subnet\": [\r\n {\r\n \"address\": \"10.1.0.0\",\r\n \"prefix\": \"24\"\r\n }\r\n ]\r\n },\r\n \"ipv6\": {\r\n \"ipAddress\": [{\r\n \"privateIpAddress\": \"b4bc:8fce:f33b:4990:cced:d94e:ab4f:6ea0\"\r\n }]\r\n },\r\n \"macAddress\": \"000D3AF806EC\"\r\n }\r\n ]\r\n}\r\nInvoke-RestMethod -Headers @{\"Metadata\"=\"true\"} -Method GET -NoProxy -Uri \"http://169.254.169.254/metadata/inst\r\nNote\r\nIf you're looking to retrieve IMDS information for Standard SKU Public IP address, review Load\r\nBalancer Metadata API for more information.\r\nIMDS helps to provide guarantees that the data provided is coming from Azure. Microsoft signs part of this\r\ninformation, so you can confirm that an image in Azure Marketplace is the one you're running on Azure.\r\nGET /metadata/attested/document\r\nName Required/Optional Description\r\napi-version Required The version used to service the request.\r\nnonce Optional A 10-digit string that serves as a cryptographic nonce. 
If no value is provided, IMDS uses the current UTC timestamp.\r\n{\r\n \"encoding\":\"pkcs7\",\r\n \"signature\":\"MIIEEgYJKoZIhvcNAQcCoIIEAzCCA/8CAQExDzANBgkqhkiG9w0BAQsFADCBugYJKoZIhvcNAQcBoIGsBIGpeyJub25jZSI\r\n}\r\nThe signature blob is a pkcs7-signed version of the document. It contains the certificate used for signing along with\r\ncertain VM-specific details.\r\nFor VMs created by using Azure Resource Manager, the document includes vmId, sku, nonce,\r\nsubscriptionId, timeStamp for creation and expiry of the document, and the plan information about the\r\nimage. The plan information is only populated for Azure Marketplace images.\r\nFor VMs created by using the classic deployment model, only the vmId and subscriptionId are guaranteed to\r\nbe populated. You can extract the certificate from the response, and use it to confirm that the response is valid and\r\nis coming from Azure.\r\nThe decoded document contains the following fields:\r\nData Description Version introduced\r\nlicenseType Type of license for Azure Hybrid Benefit. This is only present for AHB-enabled VMs. 2020-09-01\r\nnonce A string that can be optionally provided with the request. If no nonce was supplied, the current Coordinated Universal Time timestamp is used. 2018-10-01\r\nplan The Azure Marketplace Image plan. 
Contains the plan ID (name), product image or offer (product), and publisher ID (publisher). 2018-10-01\r\ntimestamp.createdOn The UTC timestamp for when the signed document was created 2018-20-01\r\ntimestamp.expiresOn The UTC timestamp for when the signed document expires 2018-10-01\r\nvmId Unique identifier for the VM 2018-10-01\r\nsubscriptionId Azure subscription for the Virtual Machine 2019-04-30\r\nsku Specific SKU for the VM image (correlates to compute/sku property from the Instance Metadata endpoint [/metadata/instance]) 2019-11-01\r\nNote\r\nFor Classic (non-Azure Resource Manager) VMs, only the vmId is guaranteed to be populated.\r\nExample document:\r\n{\r\n \"nonce\":\"20201130-211924\",\r\n \"plan\":{\r\n \"name\":\"planName\",\r\n \"product\":\"planProduct\",\r\n \"publisher\":\"planPublisher\"\r\n },\r\n \"sku\":\"Windows-Server-2012-R2-Datacenter\",\r\n \"subscriptionId\":\"aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e\",\r\n \"timeStamp\":{\r\n \"createdOn\":\"11/30/20 21:19:19 -0000\",\r\n \"expiresOn\":\"11/30/20 21:19:24 -0000\"\r\n },\r\n \"vmId\":\"02aab8a4-74ef-476e-8182-f6d2ba4166a6\"\r\n}\r\nWhen validating the signature, you should confirm that the signature was created with a certificate from Azure.\r\nThis is done by validating the certificate Subject Alternative Name (SAN).\r\nExample SAN DNS Name=eastus.metadata.azure.com, DNS Name=metadata.azure.com\r\nNote\r\nThe domain for the public cloud and each sovereign cloud will be different.\r\nCloud Domain in SAN\r\nAll generally available global Azure regions *.metadata.azure.com\r\nAzure Government *.metadata.azure.us\r\nAzure operated by 21Vianet *.metadata.azure.cn\r\nAzure Germany *.metadata.microsoftazure.de\r\nNote\r\nThe certificates might not have an exact match for the domain. 
For this reason, the certificate validation should\r\naccept any subdomain (for example, in public cloud general availability regions accept *.metadata.azure.com).\r\nWe don't recommend certificate pinning for intermediate certs. For further guidance, see Certificate pinning -\r\nCertificate pinning and Azure services. Please note that the Azure Instance Metadata Service will NOT offer\r\nnotifications for future Certificate Authority changes. Instead, you must follow the centralized Azure Certificate\r\nAuthority details article for all future updates.\r\nVendors in Azure Marketplace want to ensure that their software is licensed to run only in Azure. If someone\r\ncopies the VHD to an on-premises environment, the vendor needs to be able to detect that. Through IMDS, these\r\nvendors can get signed data that guarantees response only from Azure.\r\nNote\r\nThis sample requires the jq utility to be installed.\r\nValidation\r\n# Get the signature\r\n$attestedDoc = Invoke-RestMethod -Headers @{\"Metadata\"=\"true\"} -Method GET -NoProxy -Uri http://169.254.169.254/\r\n# Decode the signature\r\n$signature = [System.Convert]::FromBase64String($attestedDoc.signature)\r\nVerify that the signature is from Microsoft Azure and check the certificate chain for errors.\r\n# Get certificate chain\r\n$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]($signature)\r\n$chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain\r\n$chain.Build($cert)\r\n# Print the Subject of each certificate in the chain\r\nforeach($element in $chain.ChainElements)\r\n{\r\n Write-Host $element.Certificate.Subject\r\n}\r\n# Get the content of the signed document\r\nAdd-Type -AssemblyName System.Security\r\n$signedCms = New-Object -TypeName 
System.Security.Cryptography.Pkcs.SignedCms\r\n$signedCms.Decode($signature);\r\n$content = [System.Text.Encoding]::UTF8.GetString($signedCms.ContentInfo.Content)\r\nWrite-Host \"Attested data: \" $content\r\n$json = $content | ConvertFrom-Json\r\n# Do additional validation here\r\nThe nonce in the signed document can be compared if you provided a nonce parameter in the initial request.\r\nA managed identity, assigned by the system, can be enabled on the VM. You can also assign one or more user-assigned managed identities to the VM. You can then request tokens for managed identities from IMDS. Use these\r\ntokens to authenticate with other Azure services, such as Azure Key Vault.\r\nFor detailed steps to enable this feature, see Acquire an access token.\r\nWhen you place virtual machine or virtual machine set instances behind an Azure Standard Load Balancer, you\r\ncan use IMDS to retrieve metadata related to the load balancer and the instances. For more information, see\r\nRetrieve load balancer information.\r\nYou can obtain the status of the scheduled events by using IMDS. Then the user can specify a set of actions to run\r\nupon these events. 
For more information, see Scheduled events for Linux or Scheduled events for Windows.\r\nThe following table lists samples of calling IMDS by using different languages inside the VM:\r\nLanguage Example\r\nBash https://github.com/Microsoft/azureimds/blob/master/IMDSSample.sh\r\nC# https://github.com/Microsoft/azureimds/blob/master/IMDSSample.cs\r\nGo https://github.com/Microsoft/azureimds/blob/master/imdssample.go\r\nJava https://github.com/Microsoft/azureimds/blob/master/imdssample.java\r\nNodeJS https://github.com/Microsoft/azureimds/blob/master/IMDSSample.js\r\nPerl https://github.com/Microsoft/azureimds/blob/master/IMDSSample.pl\r\nPowerShell https://github.com/Microsoft/azureimds/blob/master/IMDSSample.ps1\r\nPuppet https://github.com/keirans/azuremetadata\r\nPython https://github.com/Microsoft/azureimds/blob/master/IMDSSample.py\r\nRuby https://github.com/Microsoft/azureimds/blob/master/IMDSSample.rb\r\nIf there's a data element not found or a malformed request, the Instance Metadata Service returns standard HTTP\r\nerrors. For example:\r\nHTTP status code Reason\r\n200 OK The request was successful.\r\n400 Bad Request Missing Metadata: true header or missing parameter format=json when querying a leaf node\r\n404 Not Found The requested element doesn't exist\r\n405 Method Not Allowed The HTTP method (verb) isn't supported on the endpoint.\r\n410 Gone Retry after some time for a max of 70 seconds\r\n429 Too Many Requests API Rate Limits have been exceeded\r\n500 Service Error Retry after some time\r\nI'm getting the error 400 Bad Request, Required metadata header not specified. What does this\r\nmean?\r\nIMDS requires the header Metadata: true to be passed in the request. 
Passing this header in the\r\nREST call allows access to IMDS.\r\nWhy am I not getting compute information for my VM?\r\nCurrently, IMDS only supports instances created with Azure Resource Manager.\r\nI created my VM through Azure Resource Manager some time ago. Why am I not seeing compute\r\nmetadata information?\r\nIf you created your VM after September 2016, add a tag to start seeing compute metadata. If you\r\ncreated your VM before September 2016, add or remove extensions or data disks to the VM\r\ninstance to refresh metadata.\r\nIs user data the same as custom data?\r\nUser data offers similar functionality to custom data, allowing you to pass your own metadata to\r\nthe VM instance. The difference is that user data is retrieved through IMDS, and is persistent\r\nthroughout the lifetime of the VM instance. The existing custom data feature will continue to work as\r\ndescribed in this article. However, you can only get custom data through a local system folder, not\r\nthrough IMDS.\r\nWhy am I not seeing all data populated for a new version?\r\nIf you created your VM after September 2016, add a tag to start seeing compute metadata. If you\r\ncreated your VM before September 2016, add or remove extensions or data disks to the VM\r\ninstance to refresh metadata.\r\nWhy am I getting the error 500 Internal Server Error or 410 Resource Gone ?\r\nRetry your request. For more information, see Transient fault handling. If the problem persists,\r\ncreate a support issue in the Azure portal for the VM.\r\nWould this work for scale set instances?\r\nYes, IMDS is available for scale set instances.\r\nI updated my tags in my scale sets, but they don't appear in the instances (unlike single instance\r\nVMs). 
Am I doing something wrong?\r\nCurrently tags for scale sets only show to the VM on a reboot, reimage, or disk change to the\r\ninstance.\r\nWhy am I not seeing the SKU information for my VM in instance/compute details?\r\nFor custom images created from Azure Marketplace, the Azure platform doesn't retain the SKU\r\ninformation for the custom image and the details for any VMs created from the custom image. This\r\nis by design and hence not surfaced in the VM instance/compute details.\r\nWhy is my request timed out (or failed to connect) for my call to the service?\r\nMetadata calls must be made from the primary IP address assigned to the primary network card of\r\nthe VM. Additionally, if you've changed your routes, there must be a route for the\r\n169.254.169.254/32 address in your VM's local routing table.\r\n1. Dump your local routing table and look for the IMDS entry. For example:\r\nroute print\r\nIPv4 Route Table\r\n===========================================================================\r\nActive Routes:\r\nNetwork Destination Netmask Gateway Interface Metric\r\n 0.0.0.0 0.0.0.0 172.16.69.1 172.16.69.7 10\r\n 127.0.0.0 255.0.0.0 On-link 127.0.0.1 331\r\n 127.0.0.1 255.255.255.255 On-link 127.0.0.1 331\r\n127.255.255.255 255.255.255.255 On-link 127.0.0.1 331\r\n 168.63.129.16 255.255.255.255 172.16.69.1 172.16.69.7 11\r\n169.254.169.254 255.255.255.255 172.16.69.1 172.16.69.7 11\r\n... (continues) ...\r\n2. Verify that a route exists for 169.254.169.254, and note the corresponding network\r\ninterface (for example, 172.16.69.7).\r\n3. Dump the interface configuration and find the interface that corresponds to the one\r\nreferenced in the routing table, noting the MAC (physical) address.\r\nipconfig /all\r\n... (continues) ...\r\nEthernet adapter Ethernet:\r\nConnection-specific DNS Suffix . 
: xic3mnxjiefupcwr1mcs1rjiqa.cx.internal.cloudapp.net\r\nDescription . . . . . . . . . . . : Microsoft Hyper-V Network Adapter\r\nPhysical Address. . . . . . . . . : 00-0D-3A-E5-1C-C0\r\nDHCP Enabled. . . . . . . . . . . : Yes\r\nAutoconfiguration Enabled . . . . : Yes\r\nLink-local IPv6 Address . . . . . : fe80::3166:ce5a:2bd5:a6d1%3(Preferred)\r\nIPv4 Address. . . . . . . . . . . : 172.16.69.7(Preferred)\r\nSubnet Mask . . . . . . . . . . . : 255.255.255.0\r\n... (continues) ...\r\n4. Confirm that the interface corresponds to the VM's primary NIC and primary IP. You can\r\nfind the primary NIC and IP by looking at the network configuration in the Azure portal, or\r\nby looking it up with the Azure CLI. Note the private IPs (and the MAC address if you're\r\nusing the CLI). Here's a PowerShell CLI example:\r\n$ResourceGroup = '\u003cResource_Group\u003e'\r\n$VmName = '\u003cVM_Name\u003e'\r\n$NicNames = az vm nic list --resource-group $ResourceGroup --vm-name $VmName | ConvertFrom-\r\nforeach($NicName in $NicNames)\r\n{\r\n $Nic = az vm nic show --resource-group $ResourceGroup --vm-name $VmName --nic $NicName\r\n Write-Host $NicName, $Nic.primary, $Nic.macAddress\r\n}\r\nwintest767 True 00-0D-3A-E5-1C-C0\r\n5. If they don't match, update the routing table so that the primary NIC and IP are targeted.\r\nFailover clustering in Windows Server\r\nWhen you're querying IMDS with failover clustering, it's sometimes necessary to add a route to the\r\nrouting table. Here's how:\r\n1. Open a command prompt with administrator privileges.\r\n2. Run the following command, and note the address of the Interface for Network Destination\r\n(0.0.0.0) in the IPv4 Route Table.\r\nroute print\r\nNote\r\nThe following example output is from a Windows Server VM with failover cluster enabled. 
For\r\nsimplicity, the output contains only the IPv4 Route Table.\r\nIPv4 Route Table\r\n===========================================================================\r\nActive Routes:\r\nNetwork Destination Netmask Gateway Interface Metric\r\n 0.0.0.0 0.0.0.0 10.0.1.1 10.0.1.10 266\r\n 10.0.1.0 255.255.255.192 On-link 10.0.1.10 266\r\n 10.0.1.10 255.255.255.255 On-link 10.0.1.10 266\r\n 10.0.1.15 255.255.255.255 On-link 10.0.1.10 266\r\n 10.0.1.63 255.255.255.255 On-link 10.0.1.10 266\r\n 127.0.0.0 255.0.0.0 On-link 127.0.0.1 331\r\n 127.0.0.1 255.255.255.255 On-link 127.0.0.1 331\r\n127.255.255.255 255.255.255.255 On-link 127.0.0.1 331\r\n 169.254.0.0 255.255.0.0 On-link 169.254.1.156 271\r\n 169.254.1.156 255.255.255.255 On-link 169.254.1.156 271\r\n169.254.255.255 255.255.255.255 On-link 169.254.1.156 271\r\n 224.0.0.0 240.0.0.0 On-link 127.0.0.1 331\r\n 224.0.0.0 240.0.0.0 On-link 169.254.1.156 271\r\n255.255.255.255 255.255.255.255 On-link 127.0.0.1 331\r\n255.255.255.255 255.255.255.255 On-link 169.254.1.156 271\r\n255.255.255.255 255.255.255.255 On-link 10.0.1.10 266\r\nRun the following command and use the address of the Interface for Network Destination\r\n(0.0.0.0), which is (10.0.1.10) in this example.\r\nroute add 169.254.169.254/32 10.0.1.10 metric 1 -p\r\nIf you aren't able to get a metadata response after multiple attempts, you can create a support issue in the Azure\r\nportal.\r\nYou can provide product feedback and ideas to our user feedback channel under Virtual Machines \u003e Instance\r\nMetadata Service here\r\nAcquire an access token for the VM\r\nScheduled events for Linux\r\nScheduled events for Windows\r\nSource: 
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows"
	],
	"report_names": [
		"instance-metadata-service?tabs=windows"
	],
	"threat_actors": [],
	"ts_created_at": 1775441488,
	"ts_updated_at": 1775791267,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cf7f692711b7371a863f2b09212e94d980187a90.pdf",
		"text": "https://archive.orkl.eu/cf7f692711b7371a863f2b09212e94d980187a90.txt",
		"img": "https://archive.orkl.eu/cf7f692711b7371a863f2b09212e94d980187a90.jpg"
	}
}