Amjad_Shaik introduces Azure’s Metadata Security Protocol (MSP) for Virtual Machines, describing its security enhancements, attack mitigation strategies, and step-by-step guidance for platform deployment.

Metadata Security Protocol (MSP): General Availability for Azure Virtual Machines

Overview

Azure has announced the General Availability of Metadata Security Protocol (MSP), which the announcement describes as an industry-first protocol for securing the platform layer in Azure Virtual Machines. MSP adds authentication and authorization (AuthN/AuthZ) controls to the metadata service endpoints, the Instance Metadata Service (IMDS) and WireServer, which any process on a VM could previously reach over the link-local network. The result is a layer of defense inside the VM itself, beyond network-level isolation.

Key Features and Protections

  • Strong Authentication: Every IMDS and WireServer request is signed with an HMAC by a trusted delegate running inside the VM (the Guest Proxy Agent), and the endpoints reject unsigned or incorrectly signed requests, so only requests from verified processes reach sensitive metadata.
  • Default-Closed Security Model: Metadata endpoints are locked down by default. Only explicitly allowlisted applications and users can interact with IMDS; anything not on the allowlist is denied.
  • Guest Proxy Agent (GPA): GPA uses eBPF to identify the process and user that originated each metadata request and applies Role-Based Access Control (RBAC) at the process level, so access can be granted per application rather than per VM.
  • Attack Mitigation:
    • SSRF: A server-side request forgery that reaches IMDS through a web application is attributed to that application's process and denied unless the process is allowlisted, so the attacker cannot pull managed identity tokens or configuration through it.
    • Nested Virtualization Bypasses: A nested guest, or any other workload that routes traffic through the VM without passing through the GPA, does not carry the GPA's signature and is refused, protecting trust boundaries between tenants in virtualized and cloud setups.
    • Implicit VM Trust Reduction: Reaching the metadata endpoint over the network is no longer sufficient on its own; the caller must also be an identified, authorized process, which adds defense inside the VM beyond network isolation.
  • Fine-Grained Controls: Advanced configuration restricts IMDS access to specific processes and users, shrinking the attack surface to the callers that genuinely need metadata.
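The authentication bullet above describes the GPA signing each request and the metadata endpoint verifying it. The following is an added example that models that exchange in Python; it is not Azure's code. The header names, the canonical string that the signature covers, the caller-identity string and the local key generation are all assumptions (the real GPA obtains its key from WireServer, and Azure's wire format is not reproduced here).

```python
import hashlib
import hmac
import secrets

# Constructed per-VM key. In MSP the GPA obtains its key from WireServer at boot;
# here it is generated locally so the example runs offline (assumption).
VM_KEY = secrets.token_bytes(32)

# Hypothetical header names; Azure's real header names are not reproduced here.
SIG_HEADER = "x-msp-signature"
CALLER_HEADER = "x-msp-caller"

TOKEN_PATH = "/metadata/identity/oauth2/token"
TOKEN_QUERY = "api-version=2018-02-01&resource=https://management.azure.com/"


def canonical_string(method, path, query, caller):
    """Bytes the signature covers: the request as the endpoint sees it plus the
    caller identity the GPA attributed it to, so neither can be altered in transit."""
    return "\n".join([method.upper(), path, query, caller]).encode()


def gpa_sign(key, method, path, query, caller):
    """GPA side: sign a request it proxied and attributed to `caller` (exe:user)."""
    tag = hmac.new(key, canonical_string(method, path, query, caller), hashlib.sha256).hexdigest()
    return {SIG_HEADER: tag, CALLER_HEADER: caller}


def endpoint_verify(key, headers, method, path, query):
    """IMDS side: default-closed. A missing tag or a wrong tag yields 401."""
    tag = headers.get(SIG_HEADER)
    caller = headers.get(CALLER_HEADER, "")
    if tag is None:
        return 401, "unsigned request: did not pass through the GPA"
    expected = gpa_sign(key, method, path, query, caller)[SIG_HEADER]
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return 401, "signature mismatch"
    return 200, f"served to {caller}"


def legitimate_request():
    """Allowlisted app -> GPA signs -> IMDS accepts."""
    hdrs = gpa_sign(VM_KEY, "GET", TOKEN_PATH, TOKEN_QUERY, "/opt/app/bin/app:appsvc")
    return endpoint_verify(VM_KEY, hdrs, "GET", TOKEN_PATH, TOKEN_QUERY)


def unproxied_request():
    """A caller that reaches 169.254.169.254 without traversing the GPA, e.g. a
    nested VM routed through the outer VM: it can only send the plain Metadata header."""
    hdrs = {"Metadata": "true"}
    return endpoint_verify(VM_KEY, hdrs, "GET", TOKEN_PATH, TOKEN_QUERY)


def tampered_request():
    """Attacker replays a signature captured for /metadata/instance against the token path."""
    hdrs = gpa_sign(VM_KEY, "GET", "/metadata/instance", "api-version=2021-02-01",
                    "/opt/app/bin/app:appsvc")
    return endpoint_verify(VM_KEY, hdrs, "GET", TOKEN_PATH, TOKEN_QUERY)


if __name__ == "__main__":
    for scenario in (legitimate_request, unproxied_request, tampered_request):
        print(scenario.__name__, scenario())
```

The model deliberately leaves out freshness (a nonce or timestamp in the canonical string), so a captured signature could be replayed against the identical request; a production design needs that as well. Note also that an SSRF from a process on the VM does traverse the GPA, so it is caught by the authorization step rather than by the signature check: the GPA attributes the request to the web application's process, and that identity is what the allowlist decides on.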

Benefits to Azure Customers

  • Defense-In-Depth: Additional layer protecting against metadata and identity token attacks, even from misconfigured or compromised processes.
  • Granular Access: Define applications and users allowed access to metadata—no implicit trust, supporting zero-trust strategies.
  • Auditability and Easy Onboarding: Start MSP in audit mode to observe which processes and users use metadata, build the allowlist from the legitimate callers it records, then switch to enforcement to lock down access.

Getting Started with MSP

Follow these steps to onboard MSP on your Azure VMs:

  1. Enable MSP in Audit Mode: Requests are still served, but every process and user that attempts to access IMDS is logged.
  2. Create an Allowlist: Use the audit logs to determine which applications and users legitimately need metadata, then build your allowlist from those callers only.
  3. Switch to Enforcement: Move to enforcement mode so that only allowlisted callers are served and every other attempt is blocked.

For full instructions, see the MSP documentation on Microsoft Learn.
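To make the three steps concrete, here is an added example (not Azure's code or schema) that models the onboarding flow end to end: audit records of the kind the GPA would capture in audit mode, an allowlist built from the callers the operator has reviewed, and the same requests evaluated under audit and enforce modes. The record fields and the identities/privileges/roles policy layout are assumptions modeled on the page's description of process-level RBAC, not Azure's actual access control profile format; the audit records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class MetadataRequest:
    exe_path: str  # originating process, as the GPA identifies it via eBPF
    user: str      # account the process runs as
    path: str      # IMDS API path requested


# Constructed audit records standing in for a hypothetical audit-mode run.
# The real GPA log format differs; only these fields matter for the model.
AUDIT_RECORDS = [
    MetadataRequest("/opt/app/bin/app", "appsvc", "/metadata/instance"),
    MetadataRequest("/opt/app/bin/app", "appsvc", "/metadata/identity/oauth2/token"),
    # an interpreter running as the web server user fetching a token: SSRF-shaped
    MetadataRequest("/usr/bin/python3", "www-data", "/metadata/identity/oauth2/token"),
]


def empty_policy(mode="audit"):
    """Policy layout modeled on the page's description (identities, process-level
    RBAC). It is an assumption, not Azure's access-control-profile schema."""
    return {
        "mode": mode,            # "audit" serves unmatched callers but flags them; "enforce" denies them
        "identities": {},        # name -> {"exe_path": ..., "user": ...}
        "privileges": {},        # name -> metadata path the privilege grants
        "roles": {},             # name -> [privilege names]
        "role_assignments": {},  # role name -> [identity names]
    }


def build_allowlist(records, approved_exes):
    """Step 2: derive a default-deny policy from audit records, keeping only the
    callers the operator reviewed and listed in approved_exes."""
    policy = empty_policy("audit")
    paths_by_caller = defaultdict(set)
    for r in records:
        if r.exe_path in approved_exes:
            paths_by_caller[(r.exe_path, r.user)].add(r.path)
    for n, (caller, paths) in enumerate(sorted(paths_by_caller.items(), key=lambda kv: kv[0])):
        exe, user = caller
        ident, role = f"id{n}", f"role{n}"
        policy["identities"][ident] = {"exe_path": exe, "user": user}
        privs = []
        for p in sorted(paths):
            pname = "priv_" + p.strip("/").replace("/", "_")
            policy["privileges"][pname] = p
            privs.append(pname)
        policy["roles"][role] = privs
        policy["role_assignments"][role] = [ident]
    return policy


def evaluate(policy, req):
    """Return (verdict, reason). Default-closed: a request is allowed only when an
    identity matches the caller and a role assigned to it grants the requested path."""
    ident = next((name for name, i in policy["identities"].items()
                  if i["exe_path"] == req.exe_path and i["user"] == req.user), None)
    if ident is not None:
        for role, members in policy["role_assignments"].items():
            if ident not in members:
                continue
            for pname in policy["roles"][role]:
                granted = policy["privileges"][pname]
                if req.path == granted or req.path.startswith(granted.rstrip("/") + "/"):
                    return "allow", f"{ident} via {role}/{pname}"
    if policy["mode"] == "audit":
        return "allow", "audit: no matching rule; would be denied in enforce mode"
    return "deny", "enforce: no matching rule"


def onboard(records, approved_exes):
    """Steps 1-3 end to end: returns the policy plus verdicts under audit and enforce."""
    policy = build_allowlist(records, approved_exes)
    audit = {r: evaluate(policy, r)[0] for r in records}
    policy["mode"] = "enforce"
    enforce = {r: evaluate(policy, r)[0] for r in records}
    return policy, audit, enforce


if __name__ == "__main__":
    policy, audit, enforce = onboard(AUDIT_RECORDS, {"/opt/app/bin/app"})
    for r in AUDIT_RECORDS:
        print(f"{r.user}:{r.exe_path} {r.path}  audit={audit[r]}  enforce={enforce[r]}")
```

The point of the model is the transition: in audit mode all three records are served, and the `python3` call running as `www-data` shows up as a caller with no matching rule, which is exactly what the operator reviews before building the allowlist. Once the policy is built from the approved binary only and the mode flips to enforce, the same call is denied, and so is the approved binary if it runs as a different user, because the identity is the (process, user) pair rather than the executable alone.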

References

Author: Amjad_Shaik

This post appeared first on "Microsoft Tech Community".