Provided by: azure-proxy-agent_1.0.25-0ubuntu4_amd64 

NAME
azure-proxy-agent - Secure Azure Instance Metadata Service (IMDS) endpoints on guest VMs
SYNOPSIS
azure-proxy-agent [ -c | --config file ] [ -h | --help ]
DESCRIPTION
The azure-proxy-agent enhances the security of the Azure Instance Metadata Service (IMDS) and Azure Wireserver endpoints (e.g., 169.254.169.254 and 168.63.129.16) on Azure IaaS virtual machines. It introduces strong authentication and authorization measures to mitigate common attacks such as confused deputy (e.g., SSRF) and sandbox escapes targeting metadata services. The agent intercepts HTTP requests to these endpoints using eBPF, enabling verification of in-guest process identities. By shifting from a default-open to a default-closed access model, the guest proxy agent ensures that only authorized processes (as defined by a trusted delegate established at provisioning) can access sensitive metadata. All requests must include an HMAC-based signature generated with a long-lived secret negotiated during setup, reinforcing a secure, point-to-point trust relationship.
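The default-closed authorization and HMAC request signing described above, as an added Python example. It is not the agent's code or wire format: the rule table, identities, header names, canonical string and skew window are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed rule table (hypothetical shape): (endpoint, path prefix) -> allowed
# (user, executable) identities. Anything not listed is denied.
RULES = {
    ("169.254.169.254", "/metadata/identity"): {("svc-app", "/opt/app/token-helper")},
    ("169.254.169.254", "/metadata/instance"): {("svc-app", "/opt/app/token-helper"),
                                                ("root", "/usr/bin/cloud-init")},
}
MAX_SKEW = 300  # assumed validity window for a signed request, in seconds


def canonical(method, host, path, ts):
    # Assumed canonical form: newline-joined fields keep field boundaries unambiguous.
    return "\n".join([method.upper(), host, path, str(ts)]).encode()


def sign(secret, method, host, path, ts):
    return hmac.new(secret, canonical(method, host, path, ts), hashlib.sha256).hexdigest()


def authorized(identity, host, path):
    # Default-closed: access requires an explicit rule naming this identity.
    route = path.split("?", 1)[0]
    return any(host == h and (route == p or route.startswith(p + "/")) and identity in ids
               for (h, p), ids in RULES.items())


def agent_forward(secret, identity, method, host, path, now):
    """Guest side: return signature headers for an allowed caller, None to drop."""
    if not authorized(identity, host, path):
        return None
    return {"x-example-time": str(now),
            "x-example-signature": sign(secret, method, host, path, now)}


def endpoint_accepts(secret, method, host, path, headers, now):
    """Service side: reject requests that are unsigned, stale, or altered after signing."""
    try:
        ts = int(headers["x-example-time"])
        sig = headers["x-example-signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW:
        return False
    return hmac.compare_digest(sig.encode(), sign(secret, method, host, path, ts).encode())
```

A request relayed through a process that has no rule is dropped in the guest, and a request that reaches the endpoint without a valid signature is rejected there, so both layers fail closed.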
OPTIONS
-c, --config file
       Specify an alternate configuration file. By default, the agent reads its settings from /etc/azure/proxy-agent.json.

-h, --help
       Display a brief help message and exit.
AUTHOR
Microsoft Azure
COPYRIGHT
© Microsoft Corporation. Licensed under the MIT License.

Microsoft Azure                    January 2025                    AZURE PROXY AGENT(8)