Add IMDS note

dominicbetts · dominicbetts · commit 50e4aa8313aa · 2026-03-04T09:57:51.000Z
diff --git a/articles/iot-operations/deploy-iot-ops/concept-production-guidelines.md b/articles/iot-operations/deploy-iot-ops/concept-production-guidelines.md
@@ -45,6 +45,8 @@ Consider the following measures to ensure your cluster setup is secure before de
 * Use [user-assigned managed identities](./howto-enable-secure-settings.md#set-up-a-user-assigned-managed-identity-for-cloud-connections) for cloud connections.
 * Keep your cluster and Azure IoT Operations deployment up to date with the latest patches and minor releases to get all available security and bug fixes.
 
+[!INCLUDE [aks-imds-restriction](../includes/aks-imds-restriction.md)]
+
 ### Networking
 
 If you use enterprise firewalls or proxies, add the [Azure IoT Operations endpoints](./overview-deploy.md#azure-iot-operations-endpoints) to your allow list.
diff --git a/articles/iot-operations/deploy-iot-ops/howto-enable-secure-settings.md b/articles/iot-operations/deploy-iot-ops/howto-enable-secure-settings.md
@@ -201,3 +201,7 @@ Some Azure IoT Operations components, like data flow endpoints, use a user-assig
    ```
 
 Now you can use this managed identity in data flow endpoints for cloud connections.
+
+## Block pod access to the Azure Instance Metadata Service
+
+[!INCLUDE [aks-imds-restriction](../includes/aks-imds-restriction.md)]
diff --git a/articles/iot-operations/deploy-iot-ops/overview-deploy.md b/articles/iot-operations/deploy-iot-ops/overview-deploy.md
@@ -65,6 +65,8 @@ To deploy Azure IoT Operations with secure settings, follow these articles:
 1. Start with [Prepare your Azure Arc-enabled Kubernetes cluster](./howto-prepare-cluster.md) to configure and Arc-enable your cluster.
 1. Then, follow the steps in [Deploy Azure IoT Operations to a production cluster](./howto-deploy-iot-operations.md).
 
+[!INCLUDE [aks-imds-restriction](../includes/aks-imds-restriction.md)]
+
 ## Required permissions
 
 The following table describes Azure IoT Operations deployment and management tasks that require elevated permissions. For information about assigning roles to users, see [Steps to assign an Azure role](../../role-based-access-control/role-assignments-steps.md).
diff --git a/articles/iot-operations/includes/aks-imds-restriction.md b/articles/iot-operations/includes/aks-imds-restriction.md
@@ -0,0 +1,10 @@
+---
+ms.topic: include
+ms.custom: include file
+author: dominicbetts
+ms.topic: include
+ms.date: 01/06/2026
+ms.author: dobett
+---
+
+When you deploy Azure IoT Operations with secure settings on AKS, Microsoft recommends blocking pod access to the Azure Instance Metadata Service endpoint. To learn how to enable this feature, see [Block pod access to the Azure Instance Metadata Service (IMDS) endpoint](/azure/aks/imds-restriction).
