Apache SeaTunnel on Ubuntu 24.04 on Azure User Guide
Overview
Apache SeaTunnel is a high-performance, distributed, massively parallel data integration and ETL engine. It moves data from sources to sinks (databases, files, message queues, object stores) using its own Zeta engine, a Hazelcast-based distributed runtime, so you do not need a separate Spark or Flink cluster to run pipelines. The cloudimg image installs Apache SeaTunnel 2.3.13 from the official Apache binary distribution to /opt/seatunnel, installs OpenJDK 17 as the runtime, runs the Zeta engine as a single-node standalone cluster under a dedicated seatunnel system user, ships the demo connector plugins (connector-fake, connector-console, connector-jdbc), and keeps checkpoints, job history and sample output on a dedicated Azure data disk at /var/lib/seatunnel. Backed by 24/7 cloudimg support.
What is included:
- Apache SeaTunnel 2.3.13 (Apache-2.0) from the official Apache binary distribution at
/opt/seatunnel - The Zeta engine running as a
systemdservice (seatunnel.service) under a dedicated unprivilegedseatunneluser - OpenJDK 17 (Ubuntu 24.04 main) as the JVM runtime
- The
connector-fake,connector-consoleandconnector-jdbcplugins pre-installed - A loopback-only Zeta REST API on
127.0.0.1:8080with a Hazelcast health endpoint (not exposed publicly) - Checkpoints, job history and durable sample output on a dedicated 30 GiB Azure data disk at
/var/lib/seatunnel - Two bundled sample jobs (FakeSource to Console, and FakeSource to local file)
- 24/7 cloudimg support
This is an internal data-plane engine: the Zeta REST API and Hazelcast cluster port listen on 127.0.0.1 only and SeaTunnel has no built-in authentication, so loopback is the security boundary. The port is not opened to the internet - run jobs locally on the VM or reach the REST API over an SSH tunnel.
Prerequisites
An active Azure subscription, an SSH key pair, and a VNet + subnet in the target region. Standard_B4ms (4 vCPU / 16 GiB RAM) is a good starting point for the JVM-based Zeta engine. NSG inbound: allow 22/tcp from your management network. No inbound application ports are needed because the engine is reached locally or over the SSH tunnel.
Step 1 - Deploy from the Azure Marketplace
Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Apache SeaTunnel by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) only. Then Review + create -> Create.
Step 2 - Deploy from the Azure CLI
az vm create \
--resource-group <your-rg> \
--name seatunnel \
--image <marketplace-image-urn> \
--size Standard_B4ms \
--admin-username azureuser \
--ssh-key-values ~/.ssh/id_ed25519.pub \
--vnet-name <your-vnet> --subnet <your-subnet> \
--public-ip-sku Standard
Step 3 - Connect to your VM
ssh azureuser@<vm-public-ip>
Step 4 - Confirm SeaTunnel is installed and the engine is running
ls /opt/seatunnel/starter/seatunnel-starter.jar
systemctl is-active seatunnel.service
You should see the Zeta starter jar and active:
/opt/seatunnel/starter/seatunnel-starter.jar
active

Step 5 - Read the per-VM endpoint notes
Each VM writes its endpoint details on first boot to an information file (SeaTunnel has no per-VM secret because it has no built-in authentication):
cat /var/lib/cloudimg/apache-seatunnel-endpoints.notes
The file records SEATUNNEL_HOME, the loopback REST endpoint, the cluster member port, the public IP, and the SSH-tunnel guidance.
Step 6 - Check the Zeta engine REST health endpoint
The Zeta engine exposes a REST overview endpoint on 127.0.0.1:8080. It returns HTTP 200 with the engine version and worker count when the node is up:
curl -s http://127.0.0.1:8080/overview
{"projectVersion":"2.3.13","gitCommitAbbrev":"a399ae8","totalSlot":"...","runningJobs":"0","finishedJobs":"0","failedJobs":"0","workers":"1"}
The REST API binds to loopback only and is never exposed to the internet.

Step 7 - Review the bundled sample job
A sample FakeSource to Console job ships at /opt/seatunnel/config/cloudimg-sample.streaming.conf. It generates rows with the FakeSource connector and prints them with the Console sink:
cat /opt/seatunnel/config/cloudimg-sample.streaming.conf
env {
parallelism = 1
job.mode = "BATCH"
}
source {
FakeSource {
row.num = 10
schema = {
fields {
id = "int"
name = "string"
score = "double"
}
}
}
}
sink {
Console {
}
}

Step 8 - Run the sample job
Run the FakeSource to Console job through bin/seatunnel.sh in local mode. It submits the job to the engine, processes the rows and prints a completion summary:
sudo -u seatunnel /opt/seatunnel/bin/seatunnel.sh --config /opt/seatunnel/config/cloudimg-sample.streaming.conf -m local 2>&1 | tail -20
You should see the job reach a finished state with the read and write row counts reported:
***********************************************
Job Statistic Information
***********************************************
Start Time : ...
End Time : ...
Total Time(s) : ...
Total Read Count : 10
Total Write Count : 10
Total Failed Count : 0
***********************************************

Step 9 - Produce durable output on the data disk
A second sample job writes rows to a local-file sink under /var/lib/seatunnel/sample-output on the dedicated data disk. Run it and list the output:
sudo -u seatunnel /opt/seatunnel/bin/seatunnel.sh --config /opt/seatunnel/config/cloudimg-sample.file.conf -m local 2>&1 | tail -5
find /var/lib/seatunnel/sample-output -type f
The job writes JSON rows to a file on the data disk, so the output survives reboots and the volume is independently resizable.
Step 10 - Connect to the REST API remotely over an SSH tunnel
The Zeta REST API listens on 127.0.0.1:8080 only and is not exposed publicly - this is the secure default. To reach it from your workstation, open an SSH tunnel and point a local client at localhost:8080:
# On your workstation:
ssh -L 8080:127.0.0.1:8080 azureuser@<vm-public-ip>
# In another terminal:
curl http://127.0.0.1:8080/overview # -> {"projectVersion":"2.3.13",...}
SeaTunnel has no built-in authentication, so never expose 8080 to the internet without an authenticating reverse proxy or a private NIC.
Maintenance
- Data: checkpoints, job history and the sample output live on the dedicated data disk at
/var/lib/seatunnel, so engine state survives reboots and the volume is independently resizable. - Connectors: add more connector plugins by listing them in
/opt/seatunnel/config/plugin_configand runningsudo -u seatunnel /opt/seatunnel/bin/install-plugin.sh 2.3.13, then restart the engine. - Tuning: edit
/opt/seatunnel/config/seatunnel.yaml(for example checkpoint interval, slot service) and runsudo systemctl restart seatunnel.service. - Security patches: unattended-upgrades remains enabled so the OS continues to receive security updates automatically.
- Security boundary: the REST API and cluster port bind to loopback only and SeaTunnel has no built-in authentication - keep
8080off the public internet and reach it over the SSH tunnel.
Support
cloudimg provides 24/7 expert support for this image. Contact support@cloudimg.co.uk.
Apache SeaTunnel and the Apache feather logo are trademarks of The Apache Software Foundation. This image is provided by cloudimg and is not affiliated with or endorsed by The Apache Software Foundation.