If you try to retrieve instance metadata from within a TAS application instance on AWS, the connection to the instance metadata endpoint may be refused, as shown below:
$ cf ssh my-app
vcap@9**8529f-**3d-4f**-**7f-d28a:~$ curl http://169.254.169.254/latest/meta-data/
curl: (7) Failed to connect to 169.254.169.254 port 80: Connection refused
This happens because the default allow rules, applied through the App Security Groups (ASG) mechanism, do not cover 169.254.169.254. The two allowed ranges skip 169.254.0.0-169.254.255.255, so outbound access from application instances in each SPACE to the metadata endpoint is blocked:
[
  {
    "protocol": "all",
    "destination": "0.0.0.0-169.253.255.255"
  },
  {
    "protocol": "all",
    "destination": "169.255.0.0-255.255.255.255"
  }
]
The resolution is to create the following rule allowing outbound access to 169.254.169.254, bind it additionally to the specific SPACE of your target application, and restart the application.
[
  {
    "protocol": "all",
    "destination": "169.254.169.254"
  }
]
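The following is an added example, not part of the original article: it evaluates ASG rule sets against the metadata address to show why the default rules refuse the connection and to check which rule sets open the endpoint to a space. The function names are hypothetical, and it assumes destinations written as a single IP, a CIDR block or a start-end range, with an optional "ports" string on tcp rules.

```python
import ipaddress

METADATA_IP = ipaddress.ip_address("169.254.169.254")
# Rule sets copied from the article above.
DEFAULT_RULES = [
    {"protocol": "all", "destination": "0.0.0.0-169.253.255.255"},
    {"protocol": "all", "destination": "169.255.0.0-255.255.255.255"},
]
METADATA_RULES = [{"protocol": "all", "destination": "169.254.169.254"}]


def destination_covers(destination, ip):
    """True if an ASG destination (single IP, CIDR or start-end range) contains ip."""
    dest = destination.strip()
    if "-" in dest:
        start, end = (ipaddress.ip_address(p.strip()) for p in dest.split("-", 1))
        return start <= ip <= end
    if "/" in dest:
        return ip in ipaddress.ip_network(dest, strict=False)
    return ip == ipaddress.ip_address(dest)


def port_covers(ports, port):
    """True if an ASG ports string such as "80,443" or "8080-8090" includes port."""
    for part in str(ports).split(","):
        low, _, high = part.strip().partition("-")
        if low and int(low) <= port <= int(high or low):
            return True
    return False


def rules_allowing(rules, ip=METADATA_IP, port=80):
    """Return the rules that permit outbound TCP traffic to ip:port."""
    hits = []
    for rule in rules:
        protocol = rule.get("protocol")
        if protocol not in ("all", "tcp"):
            continue  # udp/icmp rules cannot carry the HTTP request
        if not destination_covers(rule["destination"], ip):
            continue
        if protocol == "tcp" and not port_covers(rule.get("ports", ""), port):
            continue
        hits.append(rule)
    return hits


if __name__ == "__main__":
    print("default rules:", rules_allowing(DEFAULT_RULES) or "blocked")
    print("with added rule:", rules_allowing(DEFAULT_RULES + METADATA_RULES))
```

To review an existing space, load each bound ASG's rule file with `json.load` and pass the list to `rules_allowing`; any non-empty result means application instances in that space can reach the metadata endpoint.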
For how to create an ASG rule and bind it to the specific SPACE, please refer to the following docs: