Sign instance metadata services
Current instance metadata services respond to an unauthenticated API call with an unsigned JSON reply.
As an ISV I need to be sure that my software is running against a known customer - and I can correlate their subscription ID available from instance metadata against our customer list.
Currently it is possible to spoof the JSON response to an instance metadata query quite easily, and there is no way I can ensure that the response is genuine.
AWS provides a signed metadata document which contains the full metadata for the instance in a signed JSON document - this can be checked against publicly accessible certificates to ensure authenticity of metadata.
Azure should provide a similar level of protection for Azure instance metadata.
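The verification flow the request describes (a JSON metadata document plus a detached signature that the consumer checks against the provider's published certificate before trusting any field) is shown below as an added example. It is not code from the original post, from AWS, or from Azure: the document schema, the field names, the self-signed "provider" certificate and the sample IDs are all constructed for the example, and the signature scheme (SHA-256 with RSA PKCS#1 v1.5 over the exact document bytes) is an assumption chosen for clarity, not a real provider's wire format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// InstanceIdentity is a constructed, simplified metadata document; the field
// names are assumptions for this example, not a real provider's schema.
type InstanceIdentity struct {
	InstanceID     string `json:"instanceId"`
	SubscriptionID string `json:"subscriptionId"`
	Region         string `json:"region"`
}

// SignedDocument is the assumed wire format: the exact document bytes plus a
// base64 signature over them. Verifiers must hash these bytes, not a re-encoded copy.
type SignedDocument struct {
	Document  []byte `json:"document"`
	Signature string `json:"signature"`
}

// newProviderIssuer stands in for the cloud provider: a signing key and a
// self-signed certificate that customers would fetch from a published location.
func newProviderIssuer() (*rsa.PrivateKey, *x509.Certificate, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-metadata-signer"}, // constructed
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return priv, cert, err
}

// signIdentity serialises the document once and signs the SHA-256 digest of
// those transmitted bytes (provider side).
func signIdentity(priv *rsa.PrivateKey, id InstanceIdentity) (SignedDocument, error) {
	doc, err := json.Marshal(id)
	if err != nil {
		return SignedDocument{}, err
	}
	digest := sha256.Sum256(doc)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return SignedDocument{}, err
	}
	return SignedDocument{Document: doc, Signature: base64.StdEncoding.EncodeToString(sig)}, nil
}

// verifyIdentity checks the signature against the provider certificate and only
// then parses the JSON, so no field is ever trusted from an unverified reply (ISV side).
func verifyIdentity(cert *x509.Certificate, sd SignedDocument) (InstanceIdentity, error) {
	var id InstanceIdentity
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return id, errors.New("provider certificate does not carry an RSA key")
	}
	sig, err := base64.StdEncoding.DecodeString(sd.Signature)
	if err != nil {
		return id, err
	}
	digest := sha256.Sum256(sd.Document)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return id, fmt.Errorf("metadata signature invalid: %w", err)
	}
	err = json.Unmarshal(sd.Document, &id)
	return id, err
}

// demo returns whether a genuine reply and a spoofed reply (same claimed
// subscription, altered bytes, reused signature) pass verification plus the
// ISV's customer-list correlation. Constructed sample IDs, not real ones.
func demo() (genuineOK bool, spoofedOK bool, err error) {
	priv, cert, err := newProviderIssuer()
	if err != nil {
		return false, false, err
	}
	customers := map[string]bool{"00000000-0000-0000-0000-000000000001": true}
	signed, err := signIdentity(priv, InstanceIdentity{
		InstanceID: "vm-0001", SubscriptionID: "00000000-0000-0000-0000-000000000001", Region: "regionA"})
	if err != nil {
		return false, false, err
	}
	if id, verr := verifyIdentity(cert, signed); verr == nil {
		genuineOK = customers[id.SubscriptionID]
	}
	// A spoofed endpoint can change the JSON but cannot re-sign it; the old
	// signature no longer matches the new bytes, so verification fails first.
	spoofed := SignedDocument{Signature: signed.Signature, Document: []byte(
		`{"instanceId":"vm-9999","subscriptionId":"00000000-0000-0000-0000-000000000001","region":"regionB"}`)}
	if id, verr := verifyIdentity(cert, spoofed); verr == nil {
		spoofedOK = customers[id.SubscriptionID]
	}
	return genuineOK, spoofedOK, nil
}

func main() {
	g, s, err := demo()
	fmt.Println("genuine accepted:", g, "spoofed accepted:", s, "err:", err)
}
```

The point of the ordering in `verifyIdentity` is that the allowlist lookup on `subscriptionId` happens only after the signature check; without the signature, the spoofed document above would pass the customer-list correlation, which is exactly the gap the request describes.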
Admin: Azure IaaS Engineering Team (Azure IaaS Engineering Team, Microsoft, Microsoft Azure) commented
Thanks for the feedback; we are working on providing this functionality in our future releases.