Asterisk on Ubuntu 24.04 on Azure User Guide
Overview
This guide covers the deployment and configuration of Asterisk on Ubuntu 24.04 on Azure using cloudimg Azure Marketplace images. Asterisk is the world's most widely deployed open source communications engine: a SIP PBX, VoIP gateway, IVR, conferencing and voicemail toolkit. It runs as a headless daemon controlled through the Asterisk command line and the text configuration files in /etc/asterisk.
The image builds the pinned official Asterisk 22.10.1 LTS source release, downloaded from downloads.asterisk.org and verified against its SHA256 checksum, with the bundled pjproject stack that powers the modern chan_pjsip channel driver. Asterisk 22 is the current Long Term Support branch, security supported into 2029. It runs under systemd as the unprivileged asterisk user.
Security by design, no default SIP credential. An Asterisk shipped with its sample configuration files carries well known default SIP passwords and an open dialplan context, which makes it a toll fraud magnet: attackers register and place premium rate calls at the owner's expense. This image ships no sample configuration and a minimal hardened setup instead. The one example endpoint, demo, has its SIP password set to a per instance secret generated on the first boot of every VM (openssl rand -base64 24), written to /root/asterisk-credentials.txt (mode 0600, root only). The captured image ships only a placeholder, and the SIP stack never runs with that placeholder because the service is held disabled until first boot rotates the secret.
Security by design, no anonymous SIP and no toll fraud route. The legacy chan_sip driver, the historic source of the allowguest open registrar, was removed entirely in Asterisk 21 and later, so it is simply not present here. The modern PJSIP stack rejects unidentified requests: there is no anonymous endpoint, and an unauthenticated REGISTER or INVITE is refused. The shipped dialplan contains only local test extensions (an echo test) with no Dial application, no trunk, and no PSTN route, so even a compromised endpoint cannot dial out and run up a bill until you deliberately add a trunk and an outbound context yourself.
What is included:
-
Asterisk 22.10.1 LTS, built from the pinned official source release (SHA256 verified), run under systemd as the unprivileged
asteriskuser (asterisk.service) -
A minimal hardened
/etc/asterisk: no sample files, one exampledemoPJSIP endpoint, a UDP and TCP transport on port 5060, and a dialplan with local test extensions only -
A per instance SIP secret for the
demoendpoint generated on first boot, documented in/root/asterisk-credentials.txt(0600), so no image ever ships a usable or default credential -
No anonymous SIP and no PSTN or Dial catch all in the shipped dialplan, so there is no toll fraud exposure out of the box
-
Voicemail, call recordings, CDRs and the writable spool on a dedicated 20 GiB Azure data disk mounted at
/var/lib/asterisk, so call state survives independently of the OS disk -
external_media_addressandexternal_signaling_addressset from the VM public IP on first boot so SIP and RTP traverse NAT correctly -
A bundled SIP self test client (
sipexer) so you can prove registration and place the echo test call from the VM itself -
A tiny nginx on port
:80serving only an unauthenticated/healthzendpoint (HTTP 200) for Azure Load Balancer health probes, which is not a PBX management interface -
Ubuntu 24.04 LTS base with latest security patches applied at build time, and unattended security upgrades kept enabled
-
Azure Linux Agent for seamless cloud integration and SSH key injection
-
24/7 cloudimg support with a guaranteed 24 hour response SLA
Prerequisites
-
Active Azure subscription, SSH public key, VNet and subnet in the target region
-
Subscription to the Asterisk listing on Azure Marketplace
-
Network Security Group rules allowing TCP 22 (admin), UDP and TCP 5060 (SIP), the RTP media range UDP 10000 to 10100 (call audio), and TCP 80 (health probe)
Recommended virtual machine size: Standard_B2s (2 vCPU, 4 GB RAM) is a comfortable starting point for a small PBX with a handful of concurrent calls. Scale up for heavier call volumes, transcoding, or conferencing.
Step 1: Deploy from the Azure Portal
Search Asterisk in Marketplace, select the cloudimg publisher, and click Create. Configure the Network Security Group to allow TCP 22 for administration, UDP and TCP 5060 for SIP signalling, UDP 10000 to 10100 for RTP media, and TCP 80 for the health probe. Assign a public IP so remote softphones can register.
Step 2: Deploy from the Azure CLI
RG="pbx-prod"; LOCATION="eastus"; VM_NAME="asterisk1"
GALLERY_IMAGE_ID="/subscriptions/<sub-id>/resourceGroups/azure-cloudimg/providers/Microsoft.Compute/galleries/cloudimgGallery/images/asterisk-ubuntu-24-04/versions/<version>"
az group create --name "$RG" --location "$LOCATION"
az vm create --resource-group "$RG" --name "$VM_NAME" \
--image "$GALLERY_IMAGE_ID" --size Standard_B2s \
--admin-username azureuser --generate-ssh-keys --public-ip-sku Standard
# SIP signalling (UDP + TCP 5060), RTP media (UDP 10000-10100), health probe (TCP 80)
az vm open-port --resource-group "$RG" --name "$VM_NAME" --port 5060 --priority 1001
az vm open-port --resource-group "$RG" --name "$VM_NAME" --port 10000-10100 --priority 1002
az vm open-port --resource-group "$RG" --name "$VM_NAME" --port 80 --priority 1003
The Azure Marketplace recommended NSG declares a narrowed RTP range (UDP 10000 to 10019) to stay within the platform's per rule port limit. The image and this guide use the full UDP 10000 to 10100 range; widen your NSG rule to match the range you need for your expected concurrent call volume.
Step 3: First boot
On the first boot of every VM the asterisk-firstboot.service runs once. It resolves the VM public IP from Azure IMDS and writes it as the SIP and RTP external address, generates the per instance SIP secret for the demo endpoint, asserts that no sample configuration, anonymous endpoint or dial out route is present, then starts Asterisk and nginx. Allow about 30 seconds after the VM is first reachable.
Step 4: Confirm the service is running
SSH in and confirm Asterisk and nginx are active and Asterisk is running as the unprivileged asterisk user.
sudo systemctl is-active asterisk nginx
sudo asterisk -rx "core show version"
curl -s -o /dev/null -w "healthz: %{http_code}\n" http://127.0.0.1/healthz

Step 5: Inspect the PJSIP transports and endpoints
Asterisk listens for SIP on UDP and TCP port 5060 and ships one example endpoint, demo.
sudo asterisk -rx "pjsip show transports"
sudo asterisk -rx "pjsip show endpoints"

Step 6: Register a softphone as the demo endpoint
Read the per instance SIP secret (unique to this VM) from the root only credentials file, then register. The bundled sipexer client lets you prove registration from the VM itself; a desktop or mobile softphone (for example Zoiper, Linphone or MicroSIP) registers the same way from your network.
sudo cat /root/asterisk-credentials.txt
# register as demo using the per instance secret (substitute the value from the file above)
/usr/local/bin/sipexer -register -fuser demo -au demo -ap '<SIP_SECRET>' -ex 300 udp:127.0.0.1:5060
sudo asterisk -rx "pjsip show aor demo"
To register a softphone from your own device, point it at the VM public IP on port 5060, username demo, and the secret from the file above. A wrong secret is rejected, and an unauthenticated registration is refused, because there is no anonymous SIP.

Step 7: Place the echo test call
With the softphone registered, dial 600 for the announced echo test, or *43 for the bare echo test. You will hear your own audio played back, which proves registration, call setup and two way RTP media all work.
# authenticated self call to the echo test extension (from the VM, using the bundled client)
/usr/local/bin/sipexer --register-first --invite -fuser demo -au demo -ap '<SIP_SECRET>' -tuser 600 udp:127.0.0.1:5060 2>&1 \
| grep -aE 'SIP/2.0 (100|180|200)' || true
Step 8: The hardened, no toll fraud configuration
The shipped configuration is deliberately minimal. The demo endpoint requires authentication with the per instance secret, the secret itself lives in a root only include outside the main file, and the dialplan has only local test extensions with no Dial application and no PSTN route.
sudo sed -n '/^\[demo\]/,/^direct_media/p' /etc/asterisk/pjsip.conf
sudo grep -E '^\[demo-internal\]|^exten =>' /etc/asterisk/extensions.conf

Step 9: Add your own endpoints, trunks and outbound dialing
To build a real PBX, add your own PJSIP endpoints for each phone, and add a SIP trunk and an outbound context when you are ready to make external calls. Keep outbound dialing in its own context that only trusted, authenticated endpoints can reach, and always restrict the patterns a trunk will dial.
# example: add a new endpoint (edit as root, then reload)
sudo tee -a /etc/asterisk/pjsip.conf >/dev/null <<'EOF'
[alice]
type=aor
max_contacts=1
[alice]
type=auth
auth_type=userpass
username=alice
password=<new-password>
[alice]
type=endpoint
context=demo-internal
disallow=all
allow=ulaw
auth=alice
aors=alice
EOF
sudo asterisk -rx "pjsip reload"
Only introduce a Dial() to a SIP trunk from a context that your trusted endpoints use, and never expose an outbound trunk to an unauthenticated or guest context.
Step 10: Voicemail, recordings and the data disk
Voicemail, call recordings and CDRs are written under /var/lib/asterisk, which is a dedicated 20 GiB Azure data disk, so they persist independently of the OS disk and the volume is independently resizable.
findmnt /var/lib/asterisk
sudo ls -la /var/lib/asterisk/spool
Step 11: NAT, TLS and SRTP for production
First boot sets the SIP and RTP external addresses to the VM public IP so calls traverse NAT. For production, add a TLS transport on port 5061 and enable SRTP so signalling and media are encrypted, and terminate TLS with a certificate for your own domain.
-
Keep UDP and TCP 5060 and the RTP range open only to the networks that need them, and prefer TLS on 5061 for remote phones
-
Use strong, unique secrets for every endpoint, and never reuse the
democredential in production -
Restrict outbound dialing patterns on every trunk to limit the blast radius of any compromised endpoint
Step 12: Support and Licensing
Asterisk is licensed under the GPL 2.0 license. This image bundles the official Asterisk release plus a minimal hardened configuration and the open source sipexer self test client (MIT). cloudimg provides the packaging, hardening and Azure integration, with 24/7 support and a guaranteed 24 hour response SLA.
Trademark notice. Asterisk is a registered trademark of Sangoma Technologies. cloudimg is not affiliated with or endorsed by Sangoma Technologies. This image packages the open source Asterisk software for convenient deployment on Azure.
Deploy on Azure
Find Asterisk on Ubuntu 24.04 LTS by cloudimg on the Azure Marketplace and click Create, or deploy from the Azure CLI as shown above.
Need Help?
Contact cloudimg support at support@cloudimg.co.uk for deployment assistance, configuration guidance, or licensing questions.