diff --git a/agent/config/config_unix.go b/agent/config/config_unix.go
index fa35d366f4b..27139f9870b 100644
--- a/agent/config/config_unix.go
+++ b/agent/config/config_unix.go
@@ -21,6 +21,8 @@ import (
 )
 
 const (
+ // AgentCredentialsAddress is used to serve the credentials for tasks.
+ AgentCredentialsAddress = "" // this is left blank right now for net=bridge
 // defaultAuditLogFile specifies the default audit log filename
 defaultCredentialsAuditLogFile = "/log/audit.log"
 // Default cgroup prefix for ECS tasks
diff --git a/agent/config/config_windows.go b/agent/config/config_windows.go
index db4bb7d9637..03c37bf6faf 100644
--- a/agent/config/config_windows.go
+++ b/agent/config/config_windows.go
@@ -23,6 +23,9 @@ import (
 )
 const (
+ // AgentCredentialsAddress is used to serve the credentials for tasks.
+ AgentCredentialsAddress = "127.0.0.1"
+
 // defaultAuditLogFile specifies the default audit log filename
 defaultCredentialsAuditLogFile = `log\audit.log`
 // When using IAM roles for tasks on Windows, the credential proxy consumes port 80
 httpPort = 80
diff --git a/agent/handlers/credentials/handler.go b/agent/handlers/credentials/handler.go
index dc5d27b1867..26a5b08f020 100644
--- a/agent/handlers/credentials/handler.go
+++ b/agent/handlers/credentials/handler.go
@@ -106,7 +106,7 @@ func setupServer(credentialsManager credentials.Manager, auditLogger audit.Audit
 loggingServeMux.Handle("/", handlers.NewLoggingHandler(serverMux))
 
 server := http.Server{
- Addr: ":" + strconv.Itoa(config.AgentCredentialsPort),
+ Addr: config.AgentCredentialsAddress + ":" + strconv.Itoa(config.AgentCredentialsPort),
 Handler: loggingServeMux,
 ReadTimeout: readTimeout,
 WriteTimeout: writeTimeout,
diff --git a/misc/windows-deploy/hostsetup.ps1 b/misc/windows-deploy/hostsetup.ps1
index 9fddd3eb8c1..8960dad3e12 100644
--- a/misc/windows-deploy/hostsetup.ps1
+++ b/misc/windows-deploy/hostsetup.ps1
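Review bot: The comment on the new `AgentCredentialsAddress` constant says it is "left blank right now for net=bridge" but not what blank means: handler.go builds `Addr` as address + ":" + port, so an empty host makes net/http listen on all interfaces rather than on one specific address. That is the pre-existing Linux behaviour (the old `Addr` was `":" + port`), so nothing regresses, but a reader comparing this file with the Windows loopback value cannot tell whether the difference is intentional. I would replace the trailing comment with `// Empty host means the credentials server listens on all interfaces (unchanged for net=bridge); presumably reachability is limited by the host's iptables rules — confirm.`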
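Review bot: `AgentCredentialsAddress = "127.0.0.1"` here and `$loopbackAddress = "127.0.0.1"` in misc/windows-deploy/hostsetup.ps1 are the same value kept in two places with nothing tying them together; if either side changes, the portproxy's connectaddress and the server's bind address diverge and the endpoint at 169.254.170.2:80 silently stops answering. Binding to loopback instead of all interfaces is the right direction, since only the portproxy and local processes can then reach the credentials server directly, which makes the coupling worth spelling out. Suggest `// Must match $loopbackAddress in misc/windows-deploy/hostsetup.ps1, whose portproxy forwards 169.254.170.2:80 to this address.` on the constant, and a mirror comment on the PowerShell variable in that file's first hunk.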
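Review bot: `Addr: config.AgentCredentialsAddress + ":" + strconv.Itoa(config.AgentCredentialsPort)` builds the listen address by string concatenation, which yields an unparseable address if the constant is ever an IPv6 literal such as `::1`. `Addr: net.JoinHostPort(config.AgentCredentialsAddress, strconv.Itoa(config.AgentCredentialsPort)),` handles both address families and still produces `:port` for the empty Linux value, so current behaviour is unchanged. This needs the `net` import if the file does not already have it (only `net/http` is visible from here). setupServer starts and ends outside the hunk.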
@@ -19,6 +19,7 @@ $ErrorActionPreference = 'Continue'
 # 169.254.170.2:51679 is the IP address used for task IAM roles.
 $credentialAddress = "169.254.170.2"
 $credentialPort = "51679"
+$loopbackAddress = "127.0.0.1"
 
 $adapter = (Get-NetAdapter -Name "*APIPA*")
 if(!($adapter)) {
@@ -45,7 +46,7 @@ if(!($ip)) {
 
 # This forwards traffic from port 80 and listens on the IAM role IP address.
 # 'portproxy' doesn't have a powershell module equivalent, but we could move if it becomes available.
- netsh interface portproxy add v4tov4 listenaddress=$credentialAddress listenport=80 connectaddress=$credentialAddress connectport=$credentialPort
+ netsh interface portproxy add v4tov4 listenaddress=$credentialAddress listenport=80 connectaddress=$loopbackAddress connectport=$credentialPort
 }
 
 $ErrorActionPreference=$oldActionPref
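Review bot: The `netsh interface portproxy add` line now targets `$loopbackAddress`, but on a host where an earlier run of this script already created the rule with connectaddress=169.254.170.2 nothing here shows that the stale target is replaced; since the agent no longer listens on that address, a leftover rule would leave 169.254.170.2:80 forwarding to nothing. I would remove any existing entry first, `netsh interface portproxy delete v4tov4 listenaddress=$credentialAddress listenport=80`, or confirm that `add` overwrites an entry with the same listen tuple. The comment above the command still describes only the listen side; extending it with `# ... and forwards to the agent's credentials server, which binds only to loopback.` would explain why connectaddress changed. Note also that the netsh exit code is not checked and `$ErrorActionPreference` is 'Continue' in this region, so a failed add is silent — pre-existing, but worth a follow-up.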