diff --git a/cni/network/invoker_cns.go b/cni/network/invoker_cns.go
index c95fbe7a58..61df2e9679 100644
--- a/cni/network/invoker_cns.go
+++ b/cni/network/invoker_cns.go
@@ -161,16 +161,18 @@ func setHostOptions(nwCfg *cni.NetworkConfig, hostSubnetPrefix *net.IPNet, ncSub
 }
 azureDNSMatch := fmt.Sprintf(" -m addrtype ! --dst-type local -s %s -d %s -p %s --dport %d", ncSubnetPrefix.String(), iptables.AzureDNS, iptables.UDP, iptables.DNSPort)
+ azureIMDSMatch := fmt.Sprintf(" -m addrtype ! --dst-type local -s %s -d %s -p %s --dport %d", ncSubnetPrefix.String(), iptables.AzureIMDS, iptables.TCP, iptables.HTTPPort)
- // TODO remove this rule once we remove adding MASQUEARDE from AgentBaker, check below PR
- // https://github.com/Azure/AgentBaker/pull/367/files
- podTrafficAccept := fmt.Sprintf(" -m iprange ! --dst-range 168.63.129.16-168.63.129.16 -s %s ", ncSubnetPrefix.String())
 snatPrimaryIPJump := fmt.Sprintf("%s --to %s", iptables.Snat, info.ncPrimaryIP)
+ // we need to snat IMDS traffic to node IP, this sets up snat '--to'
+ snatHostIPJump := fmt.Sprintf("%s --to %s", iptables.Snat, info.hostPrimaryIP)
 options[network.IPTablesKey] = []iptables.IPTableEntry{
 iptables.GetCreateChainCmd(iptables.V4, iptables.Nat, iptables.Swift),
- iptables.GetInsertIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Postrouting, podTrafficAccept, iptables.Accept),
 iptables.GetAppendIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Postrouting, "", iptables.Swift),
+ // add a snat rule to primary NC IP for DNS
 iptables.GetInsertIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Swift, azureDNSMatch, snatPrimaryIPJump),
+ // add a snat rule to node IP for IMDS http traffic
+ iptables.GetInsertIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Swift, azureIMDSMatch, snatHostIPJump),
 }
 return nil
diff --git a/iptables/iptables.go b/iptables/iptables.go
index 2f3abf9eb0..4aac7389e7 100644
--- a/iptables/iptables.go
+++ b/iptables/iptables.go
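Review bot: `snatHostIPJump` is rendered from `info.hostPrimaryIP` with no check that the field is set, so if it can be empty when setHostOptions runs (it is populated outside the hunk) the jump becomes `SNAT --to ` and the failure only surfaces when the whole `options[network.IPTablesKey]` batch is applied, not at this line. A guard before the rule list, `if info.hostPrimaryIP == "" { return fmt.Errorf("snat for IMDS: host primary IP is empty") }`, reports it at the source; the existing `info.ncPrimaryIP` rule has the same gap and could take the same guard. The comment on the IMDS rule should also state the consequence of the match: traffic from the NC subnet to the AzureIMDS address on the HTTP port leaves with the node's own address, so the metadata endpoint cannot tell a pod's request from the node's, and any restriction on pod access to IMDS has to be enforced before this chain. setHostOptions starts before the hunk and its signature is cut off in the hunk header.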
@@ -67,7 +67,8 @@ const (
 // known ports
 const (
- DNSPort = 53
+ DNSPort = 53
+ HTTPPort = 80
 )
 // known protocols
@@ -78,7 +79,8 @@ const (
 // known IP's
 const (
- AzureDNS = "168.63.129.16"
+ AzureDNS = "168.63.129.16"
+ AzureIMDS = "169.254.169.254"
 )
 var (
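Review bot: `HTTPPort` (first hunk, -67) and `AzureIMDS` (second hunk, -78) are new exported constants with no doc comment of their own, and the group comments `// known ports` and `// known IP's` do not say what the IMDS address is, which a reader of the SNAT rule in invoker_cns.go needs. A one-line comment on the address, `// AzureIMDS is the link-local address of the Azure Instance Metadata Service.`, would anchor it, with a matching `// HTTPPort is the port used for IMDS requests.` on the port. The re-emitted `DNSPort`/`AzureDNS` lines in both hunks appear to be gofmt alignment only.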