Fortifying security for Ubuntu on Azure with Metadata Security Protocol (MSP)

We’re pleased to share a security enhancement for Ubuntu workloads on Microsoft Azure. In collaboration with Microsoft, Ubuntu now supports Azure’s Metadata Security Protocol (MSP)—a feature that hardens access to the Instance Metadata Service (IMDS) and WireServer. On Ubuntu, MSP is enabled by the azure-proxy-agent package, Canonical’s integration of Microsoft’s Guest Proxy Agent (GPA).

Why MSP raises the baseline

Traditional metadata endpoints are default-open within a VM. That leaves room for confused-deputy/SSRF paths and sandbox escapes. MSP flips this to default-closed with strong controls at the metadata boundary:

• Strong authentication. IMDS/WireServer accept only requests endorsed (HMAC-signed) by a trusted in-guest delegate (GPA/azure-proxy-agent). Unsigned traffic is rejected.
• Identity-aware authorization. The agent uses eBPF to intercept IMDS and WireServer requests and identify the originating process and user. It then checks an allowlist before endorsing the request (granular, per-endpoint RBAC).
• Safe by default. Even if guest firewall rules are misconfigured or bypassed, unauthenticated traffic still cannot reach the metadata services.

For architecture and Azure-side configuration, see Microsoft’s MSP documentation.

MSP must be enabled in Azure. Installing the Ubuntu package alone does not turn on MSP. Enable MSP for the VM/VMSS from the Azure side (Portal/CLI/template) so requests are validated and unsigned traffic is rejected.

Availability and roadmap

The azure-proxy-agent package is available now for testing and is in the development series for Ubuntu 25.10 “Questing Quokka.”

After we incorporate feedback and verify stability, we plan to deliver azure-proxy-agent to Ubuntu 25.04 (Plucky Puffin), Ubuntu 24.04 LTS (Noble Numbat) and Ubuntu 22.04 LTS (Jammy Jellyfish) through the Stable Release Updates (SRU) process.

Early testing on LTS

For Ubuntu 24.04 LTS and 22.04 LTS, azure-proxy-agent is currently available in -proposed. If you’re comfortable testing SRU candidates, enable -proposed temporarily and pin only this package so you don’t upgrade unrelated components. Background on -proposed and SRUs: Stable Release Updates

Generic, codename-aware snippet (works for Jammy/Noble/Plucky):

# Resolve codename (prefers /etc/os-release; falls back to lsb_release)
CODENAME="$(. /etc/os-release 2>/dev/null; echo ${VERSION_CODENAME:-$(lsb_release -cs)})"

# Pin only azure-proxy-agent from <codename>-proposed
sudo tee /etc/apt/preferences.d/azure-proxy-agent <<EOF
Package: azure-proxy-agent
Pin: release n=${CODENAME}-proposed
Pin-Priority: 501
EOF

# Add -proposed for this codename, install, then remove it
sudo add-apt-repository "deb http://archive.ubuntu.com/ubuntu ${CODENAME}-proposed main universe"
sudo apt update
sudo apt install azure-proxy-agent
sudo add-apt-repository -r "deb http://archive.ubuntu.com/ubuntu ${CODENAME}-proposed main universe"

Install on Ubuntu 25.10 (development series)

sudo apt update
sudo apt install azure-proxy-agent

After installation, enable MSP on the VM/VMSS from Azure (Portal/CLI/template). Without enabling MSP, requests won’t be validated and protection won’t apply.

Evaluation best practices

Every environment is different. If you decide to try MSP, start in Audit to observe behavior, and move to Enforce when you’re satisfied. Many teams simply sanity-check normal workloads and—if relevant—try a basic allowlist. Beyond that, test whatever reflects your risk model.

Share your feedback

Please share results (Ubuntu release, kernel, VM size, architecture; any observations) in our Discourse thread. Your input will help us complete SRU validation and promote azure-proxy-agent to -updates for LTS users.