diff --git a/site/profile/manifests/firewall.pp b/site/profile/manifests/firewall.pp
index e381d67bc..b91b9275e 100644
--- a/site/profile/manifests/firewall.pp
+++ b/site/profile/manifests/firewall.pp
@@ -4,4 +4,11 @@
 out_all => true,
 noflush_tables => ['inet-f2b-table'],
 }
+
+ # Do not let user get access to cloud-init metadata server as it could
+ # include sensitive information.
+ nftables::rule { 'default_out-drop_metadata':
+ content => 'ip daddr 169.254.169.254 skuid != 0 drop comment "Drop metadata server"',
+ order => '89',
+ }
 }
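Review bot: The `skuid != 0` match on the content line exempts only uid 0, so the rule also silently drops metadata traffic from any non-root service account, and it does not cover requests made by a root-owned process on a user's behalf; the in-manifest comment should state that scope, e.g. `# Only uid 0 may reach the metadata endpoint; daemons running as other system users are dropped as well.` Drops here are worth seeing during an incident review, so consider a counter so hits show up in `nft list ruleset`: `content => 'ip daddr 169.254.169.254 skuid != 0 counter drop comment "Drop metadata server"',`. Whether the `default_out` chain is hooked on output only is not visible in the hunk; if this host forwards traffic for containers or VMs, those packets carry no socket uid and would presumably not be matched by this rule. The enclosing class starts before the hunk.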