You own a backend service that fetches user-supplied URLs to generate previews and import remote content. The service runs on cloud VMs and containers, can reach internal services over the production network, and uses instance-attached credentials to call cloud APIs. A recent review found that the fetcher follows redirects and does not restrict destination IP ranges, raising concern that an attacker could use it to reach the instance metadata service or other internal-only endpoints.
Explain how an SSRF attack would work in this environment and how you would redesign the service and surrounding infrastructure to prevent it. Be explicit about the trust boundaries, the cloud credential exposure risk, and how you would detect both attempted exploitation and control failures.
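
One control the redesign would need, shown as an added example that is not part of the original scenario: every hop, including each redirect target, is resolved and vetted against non-public ranges before any connection, and the vetted IP is pinned for the connection. The `resolve` and `send` callables, the host names, and the sample addresses are constructed stand-ins for a real resolver and HTTP client.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

class BlockedDestination(Exception):
    """Raised when a URL or redirect hop points outside the allowed space."""

def vet_ip(addr):
    """Return the parsed address if it is publicly routable, else raise."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) before classifying.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if not ip.is_global or ip.is_multicast:
        raise BlockedDestination(f"non-public address {ip}")
    return ip

def vet_url(url, resolve):
    """Check scheme and every resolved address; return the IP to connect to."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedDestination(f"scheme/host not allowed: {url}")
    addrs = [vet_ip(a) for a in resolve(parts.hostname)]
    if not addrs:
        raise BlockedDestination(f"no addresses for {parts.hostname}")
    return str(addrs[0])  # pin: connect to this IP, never re-resolve

def fetch(url, resolve, send, max_hops=3):
    """Follow redirects manually so each hop is vetted before connecting."""
    for _ in range(max_hops + 1):
        pinned_ip = vet_url(url, resolve)
        status, location, body = send(url, pinned_ip)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)
            continue
        return body
    raise BlockedDestination("too many redirects")

# Constructed sample data: fake DNS, and a fake origin that redirects inward.
DNS = {"preview.example": ["93.184.216.34"],
       "rebind.example": ["93.184.216.34", "10.0.0.5"]}
def resolve(host):
    try:
        ipaddress.ip_address(host)
        return [host]  # IP literal in the URL resolves to itself
    except ValueError:
        return DNS.get(host, [])

def send(url, ip):
    redirect = url == "http://preview.example/r"
    return (302, "http://169.254.169.254/", b"") if redirect else (200, None, b"ok")
```

Application-level vetting like this is one layer; a `BlockedDestination` raised here is also a natural event to log and alert on as attempted exploitation.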