This IP seems to be running a service that provides a lot of useful metadata for my instance, but I'm wondering why 169.254.169.254? What's special about that IP address? And I'm also wondering whether, with that IP occupied by that service, I'm missing the chance to connect to a server with that IP on the internet?
The Internet Assigned Numbers Authority (IANA) has reserved 169.254.0.0-169.254.255.255 for Automatic Private IP Addressing (APIPA, Microsoft's name for link-local addressing).
The Internet Engineering Task Force (IETF) has reserved the IPv4 address block 169.254.0.0/16 (169.254.0.0 – 169.254.255.255) for link-local addressing.
Well, the question is also somewhat confusing, since having an APIPA IP address does not mean you cannot access anything. "169.254.x.x: This is what's called an Automatic Private IP address. An IP in this range means that the computer cannot see the network".
Anyone who knows anything about IP addresses knows that the address 169.254.169.0/24 is a link-local address and only available to a local host. Within AWS and Azure, we use the address to gain access to the metadata associated with a VM (using an Instance Metadata Service).
169.254.169.254 is an IP address from the reserved IPv4 Link Local Address space 169.254.0.0/16 (169.254.0.0 through 169.254.255.255). Similar to the private address ranges in RFC 1918 (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) in the sense that this block also can't be used on the Internet, Link Local is further restricted to being unreachable via any router¹ -- by design, they only exist on the directly-connected network.
AWS needed to create a service endpoint accessible from any system and the selection of an address in this block allows it to avoid conflict with the commonly used IP address space. Clever choice.
Presumably this specific address within the block was chosen for its aesthetic appeal or being easy to remember.
Fun fact! The adjacent address 169.254.169.253 is a DNS resolver in VPC in addition to the one you're probably familiar with at offset 2 from the base of your VPC supernet. This comes in very handy for configuring software that does its own DNS lookups independent from the OS (like HAProxy), so that the DNS resolver configuration in the software doesn't need to be modified when deployed in different VPCs. There's no documented reason to believe this address represents a "different" resolver than the one within your address block, just a different way of accessing the same thing.
But wait, there's more! 169.254.169.123 provides a stratum-3 NTP time source, allowing instances to maintain their system clock time with ntpd or chrony without requiring Internet access, from the Amazon Time Sync Service. This service also uses Amazon's leap second logic to distribute any leap seconds throughout the day they occur, rather than the clock advancing from 23:59:59 to 23:59:60 to 00:00:00, which can be problematic.
¹unreachable via any router is not a hard constraint in most IP stacks, as link local addresses can be the subject of a static route, but these addresses are not generally considered routable.
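As an added example (not part of the question or of any answer above), the following Python script uses the standard-library `ipaddress` module to show why none of the 169.254.x.x endpoints mentioned in this thread can collide with a host on the public Internet, and to compute the "base of the VPC supernet plus two" resolver address the answer refers to. The comparison addresses and the VPC CIDR are constructed sample inputs, not values from any real deployment.

```python
import ipaddress

# Constructed inputs: the three AWS link-local endpoints named in the answer above
# and a few comparison addresses (not taken from any real deployment).
AWS_LINK_LOCAL_ENDPOINTS = {
    "169.254.169.254": "instance metadata service (IMDS)",
    "169.254.169.253": "VPC DNS resolver",
    "169.254.169.123": "Amazon Time Sync Service (NTP)",
}

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # RFC 3927 link-local block
RFC1918 = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def classify(addr: str) -> str:
    """Return the category that decides whether addr can be an Internet host.

    'link-local'      : 169.254.0.0/16, valid only on the directly connected link
    'rfc1918-private' : usable inside a site, never routed on the public Internet
    'global'          : public, routable address
    'other-reserved'  : loopback, documentation ranges, multicast, and so on
    """
    ip = ipaddress.ip_address(addr)
    if ip in LINK_LOCAL:
        return "link-local"
    if any(ip in net for net in RFC1918):
        return "rfc1918-private"
    if ip.is_global:
        return "global"
    return "other-reserved"


def reachable_on_internet(addr: str) -> bool:
    """True only for addresses that could belong to a host on the public Internet."""
    return classify(addr) == "global"


def vpc_resolver(vpc_cidr: str) -> str:
    """The 'network base plus two' resolver address for a given VPC CIDR."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    return str(net.network_address + 2)


if __name__ == "__main__":
    for addr, role in AWS_LINK_LOCAL_ENDPOINTS.items():
        print(f"{addr:16} {classify(addr):16} {role}")
    for addr in ("10.1.2.3", "172.31.255.1", "192.168.0.1", "8.8.8.8", "127.0.0.1"):
        print(f"{addr:16} {classify(addr):16} reachable on Internet: {reachable_on_internet(addr)}")
    # Constructed sample VPC CIDR; the resolver lands at .0.2 of the block.
    print("VPC 10.20.0.0/16 resolver:", vpc_resolver("10.20.0.0/16"))
```

Every 169.254.x.x address classifies as link-local, so a public host can never legitimately sit at 169.254.169.254; the only thing the instance gives up by answering there is an address it could not have reached on the Internet anyway.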