AWS IMDS - What is Link-Local IP address 169.254.169.254

Updated on:

In the world of networking, IP addresses are crucial for devices to communicate with each other over the Internet. However, not all IP addresses are created equal, and some serve unique purposes. One such IP address is 169.254.169.254, which is commonly referred to as a link-local address.

In this article, we'll delve into the concept of link-local IP addresses, explore what 169.254.169.254 means, and discuss its practical uses.

aws imds

Link-Local IP Addresses:

Link-local IP addresses are a special class of addresses designed for communication within a single network segment or link. They are not globally routable, meaning they can only be used for local communication on the same network. One of the most well-known link-local IP addresses is 169.254.169.254.

169.254.169.254: What Does It Signify?

The IP address 169.254.169.254 holds a unique significance in the context of cloud computing and virtualization. It is often associated with cloud service providers and is used for various purposes, primarily for obtaining metadata and configuration information about virtual instances or servers.

Uses of 169.254.169.254:

  1. Metadata Service:
    • Cloud service providers, such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure, use 169.254.169.254 to provide metadata services to virtual instances.
    • Virtual instances can send HTTP requests to this IP address to retrieve essential information about themselves and their environment. This metadata includes instance ID, public IP address, security group details, and more.
    • For example, in AWS, you can make a request to http://169.254.169.254/latest/meta-data/ to access this information.
  2. Instance Configuration:
    • Virtual instances can also use this address to retrieve configuration data. For instance, they can obtain user data scripts, which are often used for customizing an instance during launch.
    • This allows for dynamic configuration based on user requirements, making it a valuable tool for system administrators and DevOps teams.
  3. Bootstrapping and Service Discovery:
    • Cloud instances can use 169.254.169.254 during their startup process to discover and connect to other services in the same network. It simplifies the configuration process and promotes self-discovery among components.
  4. Network Troubleshooting:
    • When working with virtual instances in the cloud, debugging network issues can be challenging. Accessing the metadata and diagnostic information through 169.254.169.254 can aid in identifying and resolving connectivity problems.
  5. Security and Authentication:
    • Link-local addresses like 169.254.169.254 are often used in the context of security groups and firewalls to control and secure access to metadata and configuration services.
  6. Hybrid Cloud Environments:
    • In hybrid cloud environments where on-premises servers connect to cloud resources, link-local addresses can be utilized to obtain cloud-specific information and integrate seamlessly with cloud services.

 

What other Link-Local IP Addresses are there

Besides 169.254.169.254, several other link-local IP addresses are defined within the IPv4 address space. These addresses are part of the Automatic Private IP Addressing (APIPA) range and are reserved for use on local networks when no DHCP server is available. Here are some common link-local IP addresses:

  1. 169.254.0.1 to 169.254.255.254:
    • This is the entire APIPA address range. It is used when a device is unable to obtain an IP address via DHCP and needs to assign itself an address to function on the local network.
  2. 169.254.0.0:
    • This address is the network identifier for the APIPA range.
  3. 169.254.255.255:
    • This address is the broadcast address for the APIPA range.
  4. 169.254.0.2:
    • Sometimes used as the default gateway address within a network that relies on APIPA addressing.

 

Link-Local IP address 169.254.169.254 in AWS

In AWS, the link-local IP address 169.254.169.254 is used for the EC2 Instance Metadata Service. You can make HTTP requests to this address to retrieve metadata about your EC2 instances. Here's an example of a simple payload you might receive from the EC2 Instance Metadata Service:

Request

You can make HTTP requests to http://169.254.169.254/latest/meta-data/ to access various types of metadata.

For example:

curl http://169.254.169.254/latest/meta-data/

Sample Payload:

The payload you receive depends on the specific metadata you request. Here's an example of metadata for a hypothetical EC2 instance:

ami-id: ami-12345678
instance-id: i-0123456789abcdef0
instance-type: t2.micro
local-ipv4: 10.0.0.123
public-ipv4: 203.0.113.45
public-hostname: ec2-203-0-113-45.compute-1.amazonaws.com
security-groups: my-security-group

 

This metadata includes information about the instance's ID, type, IP address, and security groups. The exact details and structure of the metadata can vary depending on the cloud provider and the specific instance.

You can use this metadata for various purposes, such as dynamically configuring instances, fetching instance-specific information, and enhancing automation in your AWS environment

The service hosted on this IP address and returning metadata in AWS is called  as Instance Metadata Service or IMDS

 

AWS - Instance Metadata Service ( IMDS)

In AWS, the EC2 Instance Metadata Service (IMDS) provides metadata about your EC2 instances. There are two major versions of IMDS: IMDSv1 and IMDSv2. Here's a summary of each version, along with an example of how to use them with the AWS Metadata IP address, which is 169.254.169.254.

IMDSv1 (Instance Metadata Service Version 1):

 

IMDSv1 is the older version of the Instance Metadata Service.

It uses a simple HTTP endpoint at http://169.254.169.254/latest/meta-data/ to retrieve metadata.

Authentication is based on an "X-aws-ec2-metadata-token" header, which can be spoofed if you have access to the instance.

Example:

To retrieve instance metadata using IMDSv1, you can make a simple HTTP request. For example, to get the instance ID:

 

IMDSv2 (Instance Metadata Service Version 2):

IMDSv2 is the improved version of the Instance Metadata Service, introduced for enhanced security.

It has a more secure authentication mechanism, using signed HTTP requests with temporary session credentials from the instance's EC2 instance profile.

The endpoint is http://169.254.169.254/latest/api/token, which provides a session token, and you use this token to make subsequent requests for metadata.

Example:

To use IMDSv2, you first request a session token, and then you use that token to fetch metadata. Here's an example using the AWS CLI:

Step1: Request a session token: 

TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 300")

 

Step2: Use the token to get instance ID (or any other metadata):

curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id

 

IMDSv2 provides enhanced security and access control, making it the recommended choice for accessing instance metadata in AWS. It mitigates some of the security risks associated with IMDSv1, such as token spoofing.

 

Conclusion

Hope this article helped you understand What is Link-Local IP address and how to use it for AWS Automation and what other similar IP addresses are available etc

this local-link IP can be used to fetch the EC2 instance metadata such as IAM roles and security group configuration of the EC2 and much more.

We have also seen examples of IMDS v1 and v2 and how to fetch Metadata in EC2

Let me know your feedback or questions in the comments section.

Cheers
Sarav AK

Follow me on Linkedin My Profile
Follow DevopsJunction onFacebook orTwitter
For more practical videos and tutorials. Subscribe to our channel

Buy Me a Coffee at ko-fi.com

Signup for Exclusive "Subscriber-only" Content

More from Middleware Inventory

  • Find Who owns the Private IP in AWS | DevOps Junction

    At times of troubleshooting an issue or doing a forensic on a security incident in your AWS account.  Finding who owns Private IP plays a major role. Do you know Almost all the AWS resources like Load Balancers, RDS, EFS has their own private IP address. So how to find…

  • How to Block IP in AWS VPC - by IP or CIDR Range | Devops Junction

    Let's suppose your AWS infrastructure is under DDOS attack and your Load balancers and Applications are flooded with requests. The Immediate action you can take is to block the IP you have identified. If you have monitoring tools and Log management tools like Datadog, EFK, Splunk etc. they can be…

  • Ansible get ip address of current host or target

    How to get the IP address of the current or remote host in Ansible. That's the question, this article is going to address. While running a Playbook you might have had a requirement where you need to get the IP address of the connected and current remote host.  There are…

  • nginx dynamic ip upstream
    NGINX Dynamic IP address upstream - DNS Cache issue | How to solve

    NGINX has become a standard for reverse proxy implementation, At least 20% of the internet is powered by NGINX webserver as the stats suggest I presume you all know what is a reverse proxy and forward proxy and how it works. Let us move on to the objective of this…

  • AWS change instance type - From Console or AWS CLI

    How to Change AWS Instance Type or EC2 instance type is more interesting and frequently asked question by many AWS Professionals. We create EC2 instances as t2, t3.micro but soon we realize that our requirements just got bigger for good and we need more CPU and RAM on our instance.…