diff --git a/buildman/templates/cloudconfig.yaml b/buildman/templates/cloudconfig.yaml
index 774ce1707..f7da0e9ea 100644
--- a/buildman/templates/cloudconfig.yaml
+++ b/buildman/templates/cloudconfig.yaml
@@ -19,6 +19,11 @@ ssh_authorized_keys:
 - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCs9jVbzOkDg60i+TGkETit/K9h8iBkwapRa2XURJzdYKcE27fYueX37mOdTBVCi3phOV4cWzkjRwtQBz7KCMBqrr1gLaIsuUIqeFpskTuTr9k7XgZqZ6QpECrqDy9HgCLdZO40sYCOvpw+GzehlsZPZEHRROotXCKc3k98Vlb8+1QPa4s5iZrIIdFyq3ZyhoupcN2nIwMh0GnkvgwS2DymGeLd8tziI8+ti8dxWSvgILaPplv2JTf/iqRsE3xtbtjE0tSf8VyfTLIBv+hyW79Hvaf/pvrsADwJf43IWmdOwHpYNhqR/kvx6j0LkPfxWq+rtXG3Q4JqWi4nZz5w3VTH1KImMBGil2sK1AiCwEUSQzQs2apTivfTy25HFLtje6qB8ZkvelK2lOGI62gdWiOOknYn3VpfMdrPDLGNoTnntrcG/UbJoa911IxilP4idbUxXQdyIzYr6BJJccCFiLVECPHoOaDsZ0abkBvrewp+1hqsvL7zRs4EvbI7Cfvcnf9hZd+n20Bp250GbcH0HD4/9d2DMIU6c6rAjmglPfVmyphcRruWdyCZz+ps9cfpVCQSSGSnbGS7T3M4VIXrCtjNZ7Fv7YIJ8EXWlhkNEfOYuy/lhfvyMLrp5abg5HkXSgOA3kfyitLnBN/lJODSUguDPmpo7tyjplEFQ70LYxJczw== EvB Key
 
 write_files:
+- path: /root/disable-aws-metadata.sh
+  permission: '0655'
+  content: |
+    iptables -t nat -I PREROUTING -p tcp -d 169.254.169.254 --dport 80 -j DNAT --to-destination 1.1.1.1
+
 - path: /etc/docker/daemon.json
   permission: '0644'
   content: |
@@ -76,6 +81,20 @@ coreos:
                      after_units=['quay-builder.service']
                      ) | indent(4) }}
     {%- endif %}
+    - name: disable-aws-metadata.service
+      command: start
+      enable: yes
+      content: |
+        [Unit]
+        Description=Disable AWS metadata service
+        Before=network-pre.target
+        Wants=network-pre.target
+        [Service]
+        Type=oneshot
+        ExecStart=/root/disable-aws-metadata.sh
+        RemainAfterExit=yes
+        [Install]
+        WantedBy=multi-user.target
     - name: machine-lifetime.service
       command: start
       enable: yes