Defender not included in the collection based on Account ID with Error log "Failed to fetch cloud metadata: fetch from IMDSv1 failed"
7730
Created On 12/07/22 08:35 AM - Last Modified 03/28/23 06:52 AM
Symptom
- A Collection is defined based on Account ID, as below:
- However, the Defender cannot be found tagged with the expected Collection label:
Environment
- Prisma Cloud Compute Self-hosted version 22.06 and below
Cause
- The Defender uses the IMDSv1 API provided by AWS to determine the AWS Account ID of the host it is running on.
- This API requires a connection from the Defender to 169.254.169.254.
- If the Defender cannot reach this IP, it fails to retrieve the Account ID and writes the following error to the Defender logs:
ERRO 2022-09-07T11:04:27.872 defender.go:239 Failed to fetch cloud metadata: fetch from IMDSv1 failed: Get "http://169.254.169.254/latest/dynamic/instance-identity/document": dial tcp 169.254.169.254:80: connect: network is unreachable
Resolution
- Ensure the Defender has connectivity to IP 169.254.169.254 on port 80.
- If the Defender is configured with a proxy at Manage > System > Proxy, either:
  - Ensure the proxy can reach IP 169.254.169.254 on port 80, or
  - Add IP 169.254.169.254 to the "No proxy" list so that the Defender connects directly when calling the IMDSv1 API.
- If the Defender is not configured with a proxy, review your Firewall, Security Group and Routing Table settings to troubleshoot the network path between the host and 169.254.169.254 on port 80.
- To test the IMDSv1 API, run the following command on the host:
curl -vvv --noproxy '*' http://169.254.169.254/latest/dynamic/instance-identity/document
Expected output:
- After fixing the network issue between the Defender and 169.254.169.254, restart the Defender so that it calls the IMDSv1 API again to fetch the cloud metadata.
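The checks above, combined into one script as an added example (not part of this article or of the Prisma Cloud product): it warns when a proxy is set but the IMDS address is missing from the no-proxy list, fetches the identity document with the same curl options as above, and extracts the Account ID the Defender needs. Function names and the sample document are this example's own.

```shell
#!/bin/sh
# Added example: verify the IMDSv1 dependency described in the article.
IMDS_URL='http://169.254.169.254/latest/dynamic/instance-identity/document'

# Returns 1 when http_proxy is set but 169.254.169.254 is not excluded from it
# (the article's "No proxy" case); 0 when no proxy is set or IMDS bypasses it.
proxy_excludes_imds() {
  proxy="${http_proxy:-${HTTP_PROXY:-}}"
  [ -z "$proxy" ] && return 0
  case ",${no_proxy:-${NO_PROXY:-}}," in
    *,169.254.169.254,*|*,'*',*) return 0 ;;
  esac
  return 1
}

# Extracts the 12-digit accountId from an instance identity document (JSON) with
# sed, no jq needed; prints nothing when the field is absent (for instance when
# a proxy answered with an HTML error page instead of the document).
imds_account_id() {
  printf '%s\n' "$1" | sed -n 's/.*"accountId"[[:space:]]*:[[:space:]]*"\([0-9]\{12\}\)".*/\1/p'
}

# Live check: fetch the document the way the article's curl does (proxy bypassed,
# short timeout) and report the Account ID. A non-zero exit means the Defender
# would log "Failed to fetch cloud metadata" and miss Account-ID-based collections.
check_imds() {
  proxy_excludes_imds || echo "WARN: http_proxy is set but 169.254.169.254 is not in no_proxy" >&2
  doc=$(curl -s -f --noproxy '*' --connect-timeout 3 "$IMDS_URL") || {
    echo "FAIL: cannot reach 169.254.169.254:80 (check Security Group, routing, proxy)" >&2
    return 1
  }
  id=$(imds_account_id "$doc")
  [ -n "$id" ] || { echo "FAIL: reply carries no accountId field" >&2; return 1; }
  echo "OK: IMDSv1 reachable, Account ID $id"
}

# Constructed sample reply (not a real account), used to exercise the parser offline.
SAMPLE_DOC='{
  "accountId" : "123456789012",
  "region" : "us-east-1",
  "instanceId" : "i-0123456789abcdef0"
}'

# Run the live check on an EC2 host with: sh imds_check.sh check
if [ "${1:-}" = "check" ]; then
  check_imds
fi
```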
Additional Information
- By design, the Defender fetches cloud metadata only once, each time it starts.
- It does not retry if that fetch fails.