We are excited to announce the General Availability (GA) of Metadata Security Protocol (MSP), an industry-first innovation designed to mitigate vulnerabilities at the platform layer. Azure becomes the first major cloud provider to integrate strong authentication and authorization (AuthN and AuthZ) for metadata service endpoints inside virtual machines. MSP introduces a default-closed security model for the Instance Metadata Service (IMDS) and WireServer, so that only trusted processes can access sensitive data through those endpoints, eliminating a subset of attack classes, reducing another subset of attack surfaces and aligning with zero-trust security principles.
What is MSP and Why Does It Matter?
The Instance Metadata Service (IMDS) provides critical information to virtual machines, including instance details, managed identity tokens, and platform configuration data. Historically, IMDS endpoints across the industry's cloud providers, Azure included, were reachable by any process inside the VM: the only security boundary was the guest virtual machine itself. With the advent of containerization and nested virtualization, MSP adds a strong authentication layer that establishes a security boundary below the VM level for hosted cloud service infrastructure. This additionally helps eliminate several security anti-patterns and attack subclasses related to:
- Server-Side Request Forgery (SSRF) over IMDS endpoints – curtailing exploitation of unauthenticated metadata APIs to gain access to sensitive tokens or configuration data.
- Hosted-on-Behalf-of (HoBo) nested tenancy bypasses – eliminating attack scenarios in which nested virtualization set up for multi-tenancy, or misconfigured trust boundaries, allowed indirect access to metadata.
- Implicit trust within the VM – adding strong application-layer defense in depth beyond network isolation for sub-VM boundaries.
MSP addresses these risks by introducing industry-first protections:
- Authentication for IMDS calls – every IMDS and WireServer request is authenticated and validated using trusted delegates and HMAC signatures, ensuring only verified processes can access metadata.
- Improved isolation – MSP offers enhanced protection against risks from container network misconfiguration.
- Default-Closed Model – IMDS access is locked down by default, requiring strict allowlisting of approved in-guest software and users, aligning with zero-trust principles.
- Guest Proxy Agent (GPA) – GPA leverages eBPF to verify the source of every metadata request and enforce Role-Based Access Control (RBAC) at the process level.
- Fine-grained access control – allowing you to restrict IMDS access to specific users or processes with advanced configuration, reducing the attack surface significantly.
With MSP, you can limit IMDS access to approved applications, reducing your attack surface and improving your security posture.
Benefits of MSP
By adopting MSP, you gain:
- Defense-in-depth against metadata-related attacks: MSP adds an extra security layer to protect sensitive metadata and identity tokens, reducing exposure from misconfigurations or compromised processes.
- Granular control over IMDS access within your VMs: With fine-grained RBAC and allowlisting, you decide which applications and users can access metadata, ensuring only trusted components interact with critical services.
- Peace of mind with industry-leading protections: MSP introduces a default-closed model and per-request authentication, aligning with zero-trust principles and making Azure the first major cloud to deliver this level of in-guest security.
How to Get Started?
The goal of onboarding is to configure your VMs so that only approved applications can access the WireServer/IMDS endpoints. Here’s the recommended approach:
- Enable MSP in Audit Mode: Start by enabling MSP in audit mode to monitor which processes are accessing IMDS.
- Create an Allowlist: Use audit logs to identify legitimate applications and build an allowlist.
- Enable MSP Enforcement: Once the allowlist is finalized, switch MSP to enforcement mode to restrict access.
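The middle step, turning audit-mode observations into an allowlist, is where most of the judgement lies. The following is an added example, not Microsoft's code or the GPA's real log or configuration schema: it assumes a constructed JSON-lines audit format (fields `user`, `process`, `endpoint`, `verdict`) and a hypothetical allowlist document shape, and it separates processes that ran from scratch locations (which should be reviewed rather than allowlisted) from the ordinary candidates.

```python
import json
from collections import defaultdict

# Constructed sample of audit-mode events. The real GPA log format is not
# described on the page; these field names are an assumption for illustration.
SAMPLE_AUDIT_LOG = """
{"time":"2025-01-10T08:00:01Z","user":"app","process":"/opt/myapp/bin/myapp","endpoint":"http://169.254.169.254/metadata/identity/oauth2/token","verdict":"would_deny"}
{"time":"2025-01-10T08:00:02Z","user":"root","process":"/usr/bin/waagent","endpoint":"http://168.63.129.16/machine","verdict":"would_deny"}
{"time":"2025-01-10T08:00:05Z","user":"app","process":"/opt/myapp/bin/myapp","endpoint":"http://169.254.169.254/metadata/instance","verdict":"would_deny"}
{"time":"2025-01-10T08:01:00Z","user":"nobody","process":"/tmp/.x/curl","endpoint":"http://169.254.169.254/metadata/identity/oauth2/token","verdict":"would_deny"}
"""

# Processes running from scratch locations are never auto-allowlisted;
# anything seen here is flagged for manual review instead.
UNTRUSTED_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/")


def parse_audit_log(text):
    """Parse JSON-lines audit events, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def build_allowlist(events):
    """Aggregate events into (user, process) -> set of endpoints, splitting
    allowlist candidates from entries that need review before allowlisting."""
    allow = defaultdict(set)
    review = defaultdict(set)
    for ev in events:
        key = (ev["user"], ev["process"])
        bucket = review if ev["process"].startswith(UNTRUSTED_PREFIXES) else allow
        bucket[key].add(ev["endpoint"])
    return allow, review


def render_allowlist(allow):
    """Emit a JSON allowlist document (hypothetical shape, not the GPA's real schema)."""
    entries = [{"user": u, "process": p, "endpoints": sorted(eps)}
               for (u, p), eps in sorted(allow.items())]
    return json.dumps({"allowlist": entries}, indent=2)


if __name__ == "__main__":
    allow, review = build_allowlist(parse_audit_log(SAMPLE_AUDIT_LOG))
    print(render_allowlist(allow))
    for (u, p), eps in review.items():
        print(f"REVIEW before allowlisting: user={u} process={p} endpoints={sorted(eps)}")
```

Run the audit phase long enough to cover cron jobs and other infrequent callers before treating the candidate list as final.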
Start today by enabling MSP in audit mode and take the first step toward securing your Azure environment against evolving threats. For detailed instructions, visit the MSP Microsoft Learn page.