---
summary: "Run OpenClaw Gateway 24/7 on an Azure Linux VM with durable state"
read_when:
- You want OpenClaw running 24/7 on Azure with Network Security Group hardening
- You want a production-grade, always-on OpenClaw Gateway on your own Azure Linux VM
- You want secure administration with Azure Bastion SSH
title: "Azure"
---
Set up an Azure Linux VM with the Azure CLI, apply Network Security Group (NSG) hardening, configure Azure Bastion for SSH access, and install OpenClaw.
## What you will do
- Create Azure networking (VNet, subnets, NSG) and compute resources with the Azure CLI
- Apply NSG rules so VM SSH is allowed only from Azure Bastion
- Use Azure Bastion for SSH access (no public IP on the VM)
- Install OpenClaw with the installer script
- Verify the gateway
## What you need
- An Azure subscription with permission to create compute and network resources
- Azure CLI installed (see [Azure CLI install steps](https://learn.microsoft.com/cli/azure/install-azure-cli))
- An SSH key pair (this guide covers generating one if needed)
- About 20-30 minutes
## Configure deployment
```bash
az login
az extension add -n ssh
```
The `ssh` extension is required for Azure Bastion native SSH tunneling.
```bash
az provider register --namespace Microsoft.Compute
az provider register --namespace Microsoft.Network
```
Verify registration; wait until both show `Registered`.
```bash
az provider show --namespace Microsoft.Compute --query registrationState -o tsv
az provider show --namespace Microsoft.Network --query registrationState -o tsv
```
```bash
RG="rg-openclaw"
LOCATION="westus2"
VNET_NAME="vnet-openclaw"
VNET_PREFIX="10.40.0.0/16"
VM_SUBNET_NAME="snet-openclaw-vm"
VM_SUBNET_PREFIX="10.40.2.0/24"
BASTION_SUBNET_PREFIX="10.40.1.0/26"
NSG_NAME="nsg-openclaw-vm"
VM_NAME="vm-openclaw"
ADMIN_USERNAME="openclaw"
BASTION_NAME="bas-openclaw"
BASTION_PIP_NAME="pip-openclaw-bastion"
```
Adjust names and CIDR ranges to fit your environment. The Bastion subnet must be at least `/26`.
Use your existing public key if you have one:
```bash
SSH_PUB_KEY="$(cat ~/.ssh/id_ed25519.pub)"
```
Otherwise, generate one:
```bash
ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519 -C "you@example.com"
SSH_PUB_KEY="$(cat ~/.ssh/id_ed25519.pub)"
```
```bash
VM_SIZE="Standard_B2as_v2"
OS_DISK_SIZE_GB=64
```
- Start smaller for light usage and scale up later.
- Use more vCPU/RAM/disk for heavier automation, more channels, or larger model/tool workloads.
- If a size is unavailable in your region or subscription quota, pick the closest available SKU.
List VM sizes available in your target region:
```bash
az vm list-skus --location "${LOCATION}" --resource-type virtualMachines -o table
```
Check your current vCPU and disk usage/quota:
```bash
az vm list-usage --location "${LOCATION}" -o table
```
## Deploy Azure resources
```bash
az group create -n "${RG}" -l "${LOCATION}"
```
Create the NSG and add rules so only the Bastion subnet can SSH into the VM.
```bash
az network nsg create \
-g "${RG}" -n "${NSG_NAME}" -l "${LOCATION}"
# Allow SSH from the Bastion subnet only
az network nsg rule create \
-g "${RG}" --nsg-name "${NSG_NAME}" \
-n AllowSshFromBastionSubnet --priority 100 \
--access Allow --direction Inbound --protocol Tcp \
--source-address-prefixes "${BASTION_SUBNET_PREFIX}" \
--destination-port-ranges 22
# Deny SSH from the public internet
az network nsg rule create \
-g "${RG}" --nsg-name "${NSG_NAME}" \
-n DenyInternetSsh --priority 110 \
--access Deny --direction Inbound --protocol Tcp \
--source-address-prefixes Internet \
--destination-port-ranges 22
# Deny SSH from other VNet sources
az network nsg rule create \
-g "${RG}" --nsg-name "${NSG_NAME}" \
-n DenyVnetSsh --priority 120 \
--access Deny --direction Inbound --protocol Tcp \
--source-address-prefixes VirtualNetwork \
--destination-port-ranges 22
```
Rules evaluate by priority, lowest number first: Bastion traffic is allowed at 100, then all other SSH is blocked at 110 and 120.
Create the VNet with the VM subnet (NSG attached), then add the Bastion subnet.
```bash
az network vnet create \
-g "${RG}" -n "${VNET_NAME}" -l "${LOCATION}" \
--address-prefixes "${VNET_PREFIX}" \
--subnet-name "${VM_SUBNET_NAME}" \
--subnet-prefixes "${VM_SUBNET_PREFIX}"
# Attach the NSG to the VM subnet
az network vnet subnet update \
-g "${RG}" --vnet-name "${VNET_NAME}" \
-n "${VM_SUBNET_NAME}" --nsg "${NSG_NAME}"
# AzureBastionSubnet: this exact name is required by Azure
az network vnet subnet create \
-g "${RG}" --vnet-name "${VNET_NAME}" \
-n AzureBastionSubnet \
--address-prefixes "${BASTION_SUBNET_PREFIX}"
```
The VM gets no public IP. SSH access goes exclusively through Azure Bastion.
```bash
az vm create \
-g "${RG}" -n "${VM_NAME}" -l "${LOCATION}" \
--image "Canonical:ubuntu-24_04-lts:server:latest" \
--size "${VM_SIZE}" \
--os-disk-size-gb "${OS_DISK_SIZE_GB}" \
--storage-sku StandardSSD_LRS \
--admin-username "${ADMIN_USERNAME}" \
--ssh-key-values "${SSH_PUB_KEY}" \
--vnet-name "${VNET_NAME}" \
--subnet "${VM_SUBNET_NAME}" \
--public-ip-address "" \
--nsg ""
```
`--public-ip-address ""` prevents a public IP from being assigned. `--nsg ""` skips a per-NIC NSG since the subnet-level NSG already handles security.
To pin a specific Ubuntu image version instead of `latest`, list available versions first:
```bash
az vm image list \
--publisher Canonical --offer ubuntu-24_04-lts \
--sku server --all -o table
```
Azure Bastion gives managed SSH access without exposing a public IP on the VM. The Standard SKU with tunneling enabled is required for CLI-based `az network bastion ssh`.
```bash
az network public-ip create \
-g "${RG}" -n "${BASTION_PIP_NAME}" -l "${LOCATION}" \
--sku Standard --allocation-method Static
az network bastion create \
-g "${RG}" -n "${BASTION_NAME}" -l "${LOCATION}" \
--vnet-name "${VNET_NAME}" \
--public-ip-address "${BASTION_PIP_NAME}" \
--sku Standard --enable-tunneling true
```
Bastion provisioning typically takes 5-10 minutes, but can take up to 15-30 minutes in some regions.
## Install OpenClaw
```bash
VM_ID="$(az vm show -g "${RG}" -n "${VM_NAME}" --query id -o tsv)"
az network bastion ssh \
--name "${BASTION_NAME}" \
--resource-group "${RG}" \
--target-resource-id "${VM_ID}" \
--auth-type ssh-key \
--username "${ADMIN_USERNAME}" \
--ssh-key ~/.ssh/id_ed25519
```
```bash
curl -fsSL https://openclaw.ai/install.sh -o /tmp/install.sh
bash /tmp/install.sh
rm -f /tmp/install.sh
```
The installer installs Node and dependencies if not already present, installs OpenClaw, and launches onboarding. See [Install](/install) for details.
After onboarding completes:
```bash
openclaw gateway status
```
If your organization already has GitHub Copilot licenses, you can choose the GitHub Copilot provider during onboarding instead of a separate model API key. See [GitHub Copilot provider](/providers/github-copilot).
## Cost considerations
Approximate monthly costs (verify current pricing in the Azure Pricing Calculator, since rates vary by region and change over time):
- Azure Bastion Standard SKU: roughly $140/month
- VM (`Standard_B2as_v2`): roughly $55/month
To reduce costs:
- Deallocate the VM when not in use. This stops compute billing (disk charges remain). The gateway is unreachable while deallocated.
```bash
az vm deallocate -g "${RG}" -n "${VM_NAME}"
az vm start -g "${RG}" -n "${VM_NAME}" # restart later
```
- Delete Bastion when not needed and recreate it when you need SSH access again; it is the largest cost component and provisions in a few minutes.
- Use the Basic Bastion SKU (roughly $38/month) if you only need Portal-based SSH and do not need CLI tunneling (`az network bastion ssh`).
## Cleanup
Delete all resources created by this guide:
```bash
az group delete -n "${RG}" --yes --no-wait
```
This removes the resource group and everything inside it (VM, VNet, NSG, Bastion, public IP).
## Next steps
- Set up messaging channels: [Channels](/channels)
- Pair local devices as nodes: [Nodes](/nodes)
- Configure the gateway: [Gateway configuration](/gateway/configuration)
- More detail on Azure deployment with the GitHub Copilot model provider: [OpenClaw on Azure with GitHub Copilot](https://github.com/johnsonshi/openclaw-azure-github-copilot)
## Related
- [Install overview](/install)
- [GCP](/install/gcp)
- [DigitalOcean](/install/digitalocean)