Cannot figure out why my docker container running on Windows Server 2016 is not able to hit the AWS instance metadata endpoint for its host. On Linux I do not encounter these issues with pulling the metadata for the host of the container; however, I am a Windows noob and not sure why this isn't working. I've searched for answers, but could not find one.

The container is able to ping the internet (8.8.8.8):

```powershell
PS C:\> invoke-webrequest -uri "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
invoke-webrequest : Unable to connect to the remote server
At line:1 char:1
+ invoke-webrequest -uri "http://169.254.169.254/latest/meta-data/iam/s ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
```
gespi
  • Remember that packets using addresses in the `169.254.0.0/16` Link-Local range are not able to be routed. Those packets are restricted to the local link. That is clearly explained in _[RFC 3927](https://tools.ietf.org/html/rfc3927)_: "_A router MUST NOT forward a packet with an IPv4 Link-Local source or destination address, irrespective of the router's default route configuration or routes obtained from dynamic routing protocols._" Linux often lets you violate RFCs and other standards. – Ron Maupin Apr 09 '20 at 13:35
  • Although your RFC is right, this is the subnet used by most clouds for the metadata about the instance. You should be able to connect to it (as long as you are on an instance; often people think they can connect to it from a laptop, which isn't correct). – Steve Radich-BitShop.com Sep 24 '20 at 14:46

1 Answer

Even if a router should not route a link-local address, Windows can if you give it the correct static routes. It's just some network rules... not RFC violations.

Solution from: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/windows_task_IAM_roles.html

```powershell
# Fetch the default gateway IP of the container (bridge to host)
$gateway = (Get-NetRoute | Where-Object { $_.DestinationPrefix -eq '0.0.0.0/0' } | Sort-Object RouteMetric | Select-Object NextHop).NextHop
# Fetch the interface index of the container's internal IP interface
$ifIndex = (Get-NetAdapter -InterfaceDescription "Hyper-V Virtual Ethernet*" | Sort-Object | Select-Object ifIndex).ifIndex
# Create a new route similar to "169.254.169.254  255.255.255.255      172.30.42.1     172.30.42.82   5256"
New-NetRoute -DestinationPrefix 169.254.169.254/32 -InterfaceIndex $ifIndex -NextHop $gateway
```
gillg02
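An added example, not part of the answer or the AWS docs it links: the same route fix made idempotent and followed by an explicit check that the metadata endpoint is actually reachable, using an IMDSv2 session token for the request. It assumes it runs as an elevated PowerShell session inside the Windows container and that the container NIC is the "Hyper-V Virtual Ethernet" adapter the answer relies on.

```powershell
# Added example: idempotent route to the instance metadata service (IMDS) plus verification.
# Assumes an elevated PowerShell session inside the Windows container.
$MetadataHost = '169.254.169.254'
$Prefix       = "$MetadataHost/32"

# Default gateway of the container NIC: the host-side bridge that can reach IMDS.
$gateway = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
            Sort-Object RouteMetric | Select-Object -First 1).NextHop
$ifIndex = (Get-NetAdapter -InterfaceDescription 'Hyper-V Virtual Ethernet*' |
            Select-Object -First 1).ifIndex

if (-not $gateway -or -not $ifIndex) {
    throw "Could not determine the container gateway or interface index."
}

# Only add the /32 route if it is not already present, so re-running the script is safe.
$existing = Get-NetRoute -DestinationPrefix $Prefix -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetRoute -DestinationPrefix $Prefix -InterfaceIndex $ifIndex -NextHop $gateway | Out-Null
    Write-Host "Added route $Prefix via $gateway on ifIndex $ifIndex"
} else {
    Write-Host "Route $Prefix already present via $($existing.NextHop)"
}

# Check the TCP path before trying HTTP, so a routing problem shows up as
# 'TcpTestSucceeded = False' instead of the generic WebException from the question.
$tcp = Test-NetConnection -ComputerName $MetadataHost -Port 80 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "No TCP path to ${MetadataHost}:80; check the route and the container network."
}

# Request an IMDSv2 session token first; this works whether or not IMDSv1 has been
# disabled on the instance, and the token is required for every subsequent read.
$token = Invoke-RestMethod -Method Put -Uri "http://$MetadataHost/latest/api/token" `
           -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '300' } -TimeoutSec 5

# Same path the question tried: lists the instance role name visible to this container.
$roleName = Invoke-RestMethod -Method Get `
              -Uri "http://$MetadataHost/latest/meta-data/iam/security-credentials/" `
              -Headers @{ 'X-aws-ec2-metadata-token' = $token } -TimeoutSec 5
Write-Host "Instance role reachable from the container: $roleName"
```

Once the route exists, every process in the container can read the instance role's credentials from that path, so add it only to containers that are meant to hold the host's role.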