diff --git a/docs/docs.json b/docs/docs.json
index 1113e4de795..c9df5c4f0cc 100644
--- a/docs/docs.json
+++ b/docs/docs.json
@@ -800,10 +800,6 @@
"source": "/azure",
"destination": "/install/azure"
},
- {
- "source": "/install/azure/azure",
- "destination": "/install/azure"
- },
{
"source": "/platforms/fly",
"destination": "/install/fly"
diff --git a/docs/install/azure.md b/docs/install/azure.md
index 615049ef937..7c6abae64fe 100644
--- a/docs/install/azure.md
+++ b/docs/install/azure.md
@@ -4,35 +4,39 @@ read_when:
- You want OpenClaw running 24/7 on Azure with Network Security Group hardening
- You want a production-grade, always-on OpenClaw Gateway on your own Azure Linux VM
- You want secure administration with Azure Bastion SSH
- - You want repeatable deployments with Azure Resource Manager templates
title: "Azure"
---
# OpenClaw on Azure Linux VM
-This guide sets up an Azure Linux VM, applies Network Security Group (NSG) hardening, configures Azure Bastion (managed Azure SSH entry point), and installs OpenClaw.
+This guide sets up an Azure Linux VM with the Azure CLI, applies Network Security Group (NSG) hardening, configures Azure Bastion for SSH access, and installs OpenClaw.
-## What you’ll do
+## What you'll do
-- Deploy Azure compute and network resources with Azure Resource Manager (ARM) templates
-- Apply Azure Network Security Group (NSG) rules so VM SSH is allowed only from Azure Bastion
-- Use Azure Bastion for SSH access
+- Create Azure networking (VNet, subnets, NSG) and compute resources with the Azure CLI
+- Apply Network Security Group rules so VM SSH is allowed only from Azure Bastion
+- Use Azure Bastion for SSH access (no public IP on the VM)
- Install OpenClaw with the installer script
- Verify the Gateway
-## Before you start
-
-You’ll need:
+## What you need
- An Azure subscription with permission to create compute and network resources
- Azure CLI installed (see [Azure CLI install steps](https://learn.microsoft.com/cli/azure/install-azure-cli) if needed)
+- An SSH key pair (the guide covers generating one if needed)
+- ~20-30 minutes
+
+## Configure deployment
```bash
- az login # Sign in and select your Azure subscription
- az extension add -n ssh # Extension required for Azure Bastion SSH management
+ az login
+ az extension add -n ssh
```
+
+ The `ssh` extension is required for Azure Bastion native SSH tunneling.
+
@@ -41,7 +45,7 @@ You’ll need:
az provider register --namespace Microsoft.Network
```
- Verify Azure resource provider registration. Wait until both show `Registered`.
+ Verify registration. Wait until both show `Registered`.
```bash
az provider show --namespace Microsoft.Compute --query registrationState -o tsv
@@ -54,9 +58,20 @@ You’ll need:
```bash
RG="rg-openclaw"
LOCATION="westus2"
- TEMPLATE_URI="https://raw.githubusercontent.com/openclaw/openclaw/main/infra/azure/templates/azuredeploy.json"
- PARAMS_URI="https://raw.githubusercontent.com/openclaw/openclaw/main/infra/azure/templates/azuredeploy.parameters.json"
+ VNET_NAME="vnet-openclaw"
+ VNET_PREFIX="10.40.0.0/16"
+ VM_SUBNET_NAME="snet-openclaw-vm"
+ VM_SUBNET_PREFIX="10.40.2.0/24"
+ BASTION_SUBNET_PREFIX="10.40.1.0/26"
+ NSG_NAME="nsg-openclaw-vm"
+ VM_NAME="vm-openclaw"
+ ADMIN_USERNAME="openclaw"
+ BASTION_NAME="bas-openclaw"
+ BASTION_PIP_NAME="pip-openclaw-bastion"
```
+
+ Adjust names and CIDR ranges to fit your environment. The Bastion subnet must be at least `/26`.
+
@@ -66,7 +81,7 @@ You’ll need:
SSH_PUB_KEY="$(cat ~/.ssh/id_ed25519.pub)"
```
- If you don’t have an SSH key yet, run the following:
+ If you don't have an SSH key yet, generate one:
```bash
ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519 -C "you@example.com"
@@ -76,17 +91,15 @@ You’ll need:
- Set VM and disk sizing variables:
-
```bash
VM_SIZE="Standard_B2as_v2"
OS_DISK_SIZE_GB=64
```
- Choose a VM size and OS disk size that are available in your Azure subscription/region and matches your workload:
+ Choose a VM size and OS disk size available in your subscription and region:
- Start smaller for light usage and scale up later
- - Use more vCPU/RAM/OS disk size for heavier automation, more channels, or larger model/tool workloads
+ - Use more vCPU/RAM/disk for heavier automation, more channels, or larger model/tool workloads
- If a VM size is unavailable in your region or subscription quota, pick the closest available SKU
List VM sizes available in your target region:
@@ -95,42 +108,139 @@ You’ll need:
az vm list-skus --location "${LOCATION}" --resource-type virtualMachines -o table
```
- Check your current VM vCPU and OS disk size usage/quota:
+ Check your current vCPU and disk usage/quota:
```bash
az vm list-usage --location "${LOCATION}" -o table
```
+
+## Deploy Azure resources
+
+
```bash
az group create -n "${RG}" -l "${LOCATION}"
```
-
- This command applies your selected SSH key, VM size, and OS disk size.
+
+ Create the NSG and add rules so only the Bastion subnet can SSH into the VM.
```bash
- az deployment group create \
- -g "${RG}" \
- --template-uri "${TEMPLATE_URI}" \
- --parameters "${PARAMS_URI}" \
- --parameters location="${LOCATION}" \
- --parameters vmSize="${VM_SIZE}" \
- --parameters osDiskSizeGb="${OS_DISK_SIZE_GB}" \
- --parameters sshPublicKey="${SSH_PUB_KEY}"
+ az network nsg create \
+ -g "${RG}" -n "${NSG_NAME}" -l "${LOCATION}"
+
+ # Allow SSH from the Bastion subnet only
+ az network nsg rule create \
+ -g "${RG}" --nsg-name "${NSG_NAME}" \
+ -n AllowSshFromBastionSubnet --priority 100 \
+ --access Allow --direction Inbound --protocol Tcp \
+ --source-address-prefixes "${BASTION_SUBNET_PREFIX}" \
+ --destination-port-ranges 22
+
+ # Deny SSH from the public internet
+ az network nsg rule create \
+ -g "${RG}" --nsg-name "${NSG_NAME}" \
+ -n DenyInternetSsh --priority 110 \
+ --access Deny --direction Inbound --protocol Tcp \
+ --source-address-prefixes Internet \
+ --destination-port-ranges 22
+
+ # Deny SSH from other VNet sources
+ az network nsg rule create \
+ -g "${RG}" --nsg-name "${NSG_NAME}" \
+ -n DenyVnetSsh --priority 120 \
+ --access Deny --direction Inbound --protocol Tcp \
+ --source-address-prefixes VirtualNetwork \
+ --destination-port-ranges 22
+ ```
+
+ The rules are evaluated by priority (lowest number first): Bastion traffic is allowed at 100, then all other SSH is blocked at 110 and 120.
+
+
+
+
+ Create the VNet with the VM subnet (NSG attached), then add the Bastion subnet.
+
+ ```bash
+ az network vnet create \
+ -g "${RG}" -n "${VNET_NAME}" -l "${LOCATION}" \
+ --address-prefixes "${VNET_PREFIX}" \
+ --subnet-name "${VM_SUBNET_NAME}" \
+ --subnet-prefixes "${VM_SUBNET_PREFIX}"
+
+ # Attach the NSG to the VM subnet
+ az network vnet subnet update \
+ -g "${RG}" --vnet-name "${VNET_NAME}" \
+ -n "${VM_SUBNET_NAME}" --nsg "${NSG_NAME}"
+
+ # AzureBastionSubnet — name is required by Azure
+ az network vnet subnet create \
+ -g "${RG}" --vnet-name "${VNET_NAME}" \
+ -n AzureBastionSubnet \
+ --address-prefixes "${BASTION_SUBNET_PREFIX}"
```
+
+ The VM has no public IP. SSH access is exclusively through Azure Bastion.
+
+ ```bash
+ az vm create \
+ -g "${RG}" -n "${VM_NAME}" -l "${LOCATION}" \
+ --image "Canonical:ubuntu-24_04-lts:server:latest" \
+ --size "${VM_SIZE}" \
+ --os-disk-size-gb "${OS_DISK_SIZE_GB}" \
+ --storage-sku StandardSSD_LRS \
+ --admin-username "${ADMIN_USERNAME}" \
+ --ssh-key-values "${SSH_PUB_KEY}" \
+ --vnet-name "${VNET_NAME}" \
+ --subnet "${VM_SUBNET_NAME}" \
+ --public-ip-address "" \
+ --nsg ""
+ ```
+
+ `--public-ip-address ""` prevents a public IP from being assigned. `--nsg ""` skips creating a per-NIC NSG (the subnet-level NSG handles security).
+
+ **Reproducibility:** The command above uses `latest` for the Ubuntu image. To pin a specific version, list available versions and replace `latest`:
+
+ ```bash
+ az vm image list \
+ --publisher Canonical --offer ubuntu-24_04-lts \
+ --sku server --all -o table
+ ```
+
+
+
+
+ Azure Bastion provides managed SSH access to the VM without exposing a public IP. Standard SKU with tunneling is required for CLI-based `az network bastion ssh`.
+
+ ```bash
+ az network public-ip create \
+ -g "${RG}" -n "${BASTION_PIP_NAME}" -l "${LOCATION}" \
+ --sku Standard --allocation-method Static
+
+ az network bastion create \
+ -g "${RG}" -n "${BASTION_NAME}" -l "${LOCATION}" \
+ --vnet-name "${VNET_NAME}" \
+ --public-ip-address "${BASTION_PIP_NAME}" \
+ --sku Standard --enable-tunneling true
+ ```
+
+ Bastion provisioning typically takes 5-10 minutes but can take up to 15-30 minutes in some regions.
+
+
+
+
+## Install OpenClaw
+
+
```bash
- RG="rg-openclaw"
- VM_NAME="vm-openclaw"
- BASTION_NAME="bas-openclaw"
- ADMIN_USERNAME="openclaw"
VM_ID="$(az vm show -g "${RG}" -n "${VM_NAME}" --query id -o tsv)"
az network bastion ssh \
@@ -146,13 +256,12 @@ You’ll need:
```bash
- curl -fsSL https://openclaw.ai/install.sh -o /tmp/openclaw-install.sh
- bash /tmp/openclaw-install.sh
- rm -f /tmp/openclaw-install.sh
- openclaw --version
+ curl -fsSL https://openclaw.ai/install.sh -o /tmp/install.sh
+ bash /tmp/install.sh
+ rm -f /tmp/install.sh
```
- The installer script handles Node detection/installation and runs onboarding by default.
+ The installer installs Node LTS and dependencies if not already present, installs OpenClaw, and launches the onboarding wizard. See [Install](/install) for details.
@@ -165,11 +274,33 @@ You’ll need:
Most enterprise Azure teams already have GitHub Copilot licenses. If that is your case, we recommend choosing the GitHub Copilot provider in the OpenClaw onboarding wizard. See [GitHub Copilot provider](/providers/github-copilot).
- The included ARM template uses Ubuntu image `version: "latest"` for convenience. If you need reproducible builds, pin a specific image version in `infra/azure/templates/azuredeploy.json` (you can list versions with `az vm image list --publisher Canonical --offer ubuntu-24_04-lts --sku server --all -o table`).
-
+## Cost considerations
+
+Azure Bastion Standard SKU runs approximately **\$140/month** and the VM (Standard_B2as_v2) runs approximately **\$55/month**.
+
+To reduce costs:
+
+- **Deallocate the VM** when not in use (stops compute billing; disk charges remain). The OpenClaw Gateway will not be reachable while the VM is deallocated — restart it when you need it live again:
+ ```bash
+ az vm deallocate -g "${RG}" -n "${VM_NAME}"
+ az vm start -g "${RG}" -n "${VM_NAME}" # restart later
+ ```
+- **Delete Bastion when not needed** and recreate it when you need SSH access. Bastion is the largest cost component and takes only a few minutes to provision.
+- **Use the Basic Bastion SKU** (~\$38/month) if you only need Portal-based SSH and don't require CLI tunneling (`az network bastion ssh`).
+
+## Cleanup
+
+To delete all resources created by this guide:
+
+```bash
+az group delete -n "${RG}" --yes --no-wait
+```
+
+This removes the resource group and everything inside it (VM, VNet, NSG, Bastion, public IP).
+
## Next steps
- Set up messaging channels: [Channels](/channels)