While investigating T336854 it was noticed that cloudmetrics hosts try talking to cloudservices100[56]:8081 and fail. It looks like pdns auth listens only on the cloud vps address and not the production address:
```
cloudservices1005:~# lsof -i tcp:8081
COMMAND      PID USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
pdns_serv 796099 pdns    7u  IPv4 157511252      0t0  TCP cloudservices1005.private.eqiad.wikimedia.cloud:tproxy (LISTEN)
root@cloudservices1005:~# curl cloudservices1005.private.eqiad.wikimedia.cloud:8081/metrics -s | wc -l
255
root@cloudservices1005:~# curl cloudservices1005.eqiad.wmnet:8081/metrics -s | wc -l
0
```
There are of course a bunch of solutions here. What do you think, @taavi?