diff --git a/packages/by-name/cloud-api-adaptor/package.nix b/packages/by-name/cloud-api-adaptor/package.nix
index 1e1e91520..c48731724 100644
--- a/packages/by-name/cloud-api-adaptor/package.nix
+++ b/packages/by-name/cloud-api-adaptor/package.nix
@@ -10,6 +10,9 @@
 writeShellApplication,
 gnugrep,
 iptables,
+ iproute2,
+ sysctl,
+ gawk,
 runCommand,
 applyPatches,
 makeWrapper,
@@ -102,6 +105,22 @@ buildGoModule rec {
 "SC2153"
 ];
 };
+
+ setup-nat-for-imds = writeShellApplication {
+ name = "setup-nat-for-imds";
+ runtimeInputs = [
+ iproute2
+ iptables
+ sysctl
+ gawk
+ ];
+ # TODO(burgerdev): generalize for all link-local IPs and investigate routing simplification
+ text = builtins.readFile "${cloud-api-adaptor.src}/src/cloud-api-adaptor/podvm/files/usr/local/bin/setup-nat-for-imds.sh";
+ meta = {
+ mainProgram = "setup-nat-for-imds";
+ homepage = "https://github.com/confidential-containers/cloud-api-adaptor/blob/main/src/cloud-api-adaptor/podvm/files/usr/local/bin/setup-nat-for-imds.sh";
+ };
+ };
 };
 
 meta = {
diff --git a/packages/nixos/azure.nix b/packages/nixos/azure.nix
index 612b48e76..4f2a70a94 100644
--- a/packages/nixos/azure.nix
+++ b/packages/nixos/azure.nix
@@ -85,5 +85,25 @@ in
 ExecStart = "${lib.getExe pkgs.azure-no-agent}";
 };
 };
+
+ systemd.services.setup-nat-for-imds = {
+ wantedBy = [ "multi-user.target" ];
+ requires = [ "netns@podns.service" ];
+ wants = [ "network-online.target" ];
+ after = [
+ "network-online.target"
+ "netns@podns.service"
+ ];
+ description = "Setup NAT for IMDS";
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = "yes";
+ # TODO(msanft): Find out why just ordering this after network-online.target
+ # isn't sufficient. (Errors with saying that the network is unreachable)
+ Restart = "on-failure";
+ RestartSec = "5s";
+ ExecStart = "${lib.getExe pkgs.cloud-api-adaptor.setup-nat-for-imds}";
+ };
+ };
 };
 }
diff --git a/packages/test-peerpods.sh b/packages/test-peerpods.sh
index c2e3dc15b..d28f6f8f8 100644
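Review bot: The `setup-nat-for-imds` wrapper ships the upstream script verbatim via `builtins.readFile` but records nothing about what it does or what privilege it needs, even though its `runtimeInputs` (`iptables`, `sysctl`, `iproute2`) show it rewrites the pod VM's netfilter and forwarding state. Add a comment above `text` such as `# Upstream script (pinned via cloud-api-adaptor.src) that installs the NAT/forwarding rules letting the pod netns reach the Azure IMDS at 169.254.169.254; it runs as root, so re-review it on every cloud-api-adaptor bump.` — the exact rules are not visible here, so word it as "presumably" if unsure. The `TODO(burgerdev)` about generalising to all link-local IPs deserves a security caveat in the same comment: widening the NAT beyond the single IMDS address enlarges what a workload inside the pod can reach on the host side, so the scope should be chosen deliberately rather than as a convenience. The enclosing attribute set inside `buildGoModule rec {` starts before this hunk.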
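Review bot: Once this unit is active, anything running in the `podns` namespace can reach whatever the NAT exposes, and an Azure IMDS reachable from a pod serves not only the `THIM/amd/certification` data the new test checks but also the VM's managed-identity token endpoint; if the upstream script forwards the whole of 169.254.169.254 (not visible in this diff), a compromised container could mint tokens for the pod VM's identity, so either restrict the forwarded paths or state that exposure explicitly, e.g. `description = "Setup NAT so the pod netns can reach the Azure IMDS (exposes all IMDS endpoints, incl. managed identity, to the pod)";`. The service also runs as root with no sandboxing; since it only needs to program netfilter and sysctls, a `CapabilityBoundingSet` limited to the net-admin capabilities it actually uses (plus CAP_SYS_ADMIN if the script enters `podns` via `ip netns exec`) would bound the damage from a misbehaving script. `Restart = "on-failure"` with `RestartSec = "5s"` as a workaround for the ordering TODO never trips systemd's default start-rate limit (5 starts in 10 s), so a persistently missing netns makes this unit retry forever instead of failing visibly — consider an explicit `StartLimitBurst`/`StartLimitIntervalSec`, or fix the ordering (e.g. `after = [ "netns@podns.service" "network-online.target" "sys-subsystem-net-devices-eth0.device" ]` if the "network unreachable" error is really the uplink not being up yet, which is a guess). The enclosing module attribute set starts outside this hunk.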
--- a/packages/test-peerpods.sh
+++ b/packages/test-peerpods.sh
@@ -39,9 +39,17 @@ if [[ $found != true ]]; then
 exit 1
 fi
 
+run_tests() {
+ pod="$(kubectl get pod -l app=alpine -o jsonpath='{.items[0].metadata.name}')"
+
+ # Check IMDS functionality.
+ # -f makes this fail on a 500 status code.
+ kubectl exec "$pod" -- curl -f -i -H "Metadata: true" http://169.254.169.254/metadata/THIM/amd/certification
+}
+
 cleanup() {
- kubectl delete deploy nginx
- kubectl wait --for=delete pod --selector=app=nginx --timeout=5m
+ kubectl delete deploy alpine
+ kubectl wait --for=delete pod --selector=app=alpine --timeout=5m
 }
 
 trap cleanup EXIT
@@ -52,26 +60,29 @@ kubectl apply -f - <
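Review bot: `run_tests` has no deadline on the `curl` call, so when the NAT is not in place the test hangs for the full TCP connect timeout instead of failing fast, and the comment overstates `-f`, which makes curl exit non-zero on any HTTP 4xx/5xx rather than only 500. Change the two lines to `# -f makes curl exit non-zero on any HTTP 4xx/5xx; --max-time bounds the test when IMDS is unreachable.` and `kubectl exec "$pod" -- curl -f -i --max-time 30 -H "Metadata: true" http://169.254.169.254/metadata/THIM/amd/certification`. `pod` is only used inside the function and should be `local pod`, and `jsonpath='{.items[0].metadata.name}'` yields an empty string when no pod matched, which surfaces as a confusing `kubectl exec ""` failure — add `[[ -n $pod ]] || { echo "no alpine pod found" >&2; return 1; }` after the assignment. Where `run_tests` is invoked, and the deployment manifest that must provide `curl` in the alpine image, lie outside this hunk.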