Backrest on Ubuntu 24.04 on Azure User Guide
Overview
Backrest is a popular open source web interface and orchestrator for restic, the fast, secure, deduplicating backup program. From an ordinary browser it lets you configure backup repositories, define backup plans and schedules, set retention and forget policies, run integrity checks, and browse or restore any snapshot, all without touching the restic command line. Every operation Backrest runs is a real restic command, so your backups stay in the open, well documented restic repository format and can be read or restored with restic directly at any time.
The cloudimg image serves Backrest 1.14.1 behind an nginx reverse proxy on a hardened, fully patched Ubuntu 24.04 LTS base, with the matching restic 0.19.1 binary already installed so the appliance is ready offline. Backrest is a single self contained Go binary that embeds its own web UI and an embedded SQLite operation log. The server listens only on the loopback interface (127.0.0.1:9898) and nginx serves it on port 80. A unique administrator password is generated on the first boot of every VM and written to a root only file, so no shared or default login ever ships in the image. Backed by 24/7 cloudimg support.
What is included:
- Backrest 1.14.1 served behind nginx, managed by systemd
- restic 0.19.1 preinstalled at
/usr/local/bin/restic(the version Backrest expects), so the appliance needs no download on first use - The Backrest web interface on
:80with a per VM administrator login required - A per VM administrator password generated on first boot and recorded in a root only file
- A fresh per instance authentication signing key generated on first boot, so sessions cannot be forged across deployments
- The Backrest server bound to
127.0.0.1:9898only, never exposed directly to the network - A dedicated Azure data disk at
/var/lib/backrestfor the configuration, the operation log and any local restic repositories backrest.serviceandnginx.serviceas enabled systemd units- 24/7 cloudimg support
Backrest is licensed under the GNU General Public License v3.0. This image bundles the unmodified upstream Backrest and restic binaries and is not affiliated with or endorsed by the Backrest or restic projects.
Prerequisites
An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a sensible starting point; size up for heavier backup workloads or larger local repositories. NSG inbound: allow 22/tcp from your management network and 80/tcp for the web interface. Backrest serves plain HTTP on port 80; for production, terminate TLS in front of it with your own domain. The Backrest server is never exposed directly: it listens on 127.0.0.1:9898 only, so port 9898 stays off the network.
Step 1 - Deploy from the Azure Marketplace
Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Backrest by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Review the dedicated data disk on the Disks tab, then Review + create then Create.
Step 2 - Deploy from the Azure CLI
az vm create \
--resource-group <your-rg> \
--name backrest \
--image <marketplace-image-urn> \
--size Standard_B2s \
--admin-username azureuser \
--generate-ssh-keys \
--public-ip-sku Standard
Then open port 80 to the web interface:
az vm open-port --resource-group <your-rg> --name backrest --port 80
Step 3 - Confirm the services are running
SSH in as azureuser and confirm Backrest and nginx are active. Note that the Backrest server listens only on 127.0.0.1:9898 while nginx serves the web interface on port 80.
systemctl is-active backrest nginx backrest-firstboot
ss -tlnp | grep -E ':80 |:9898 ' | awk '{print $1, $4}'

Step 4 - Retrieve the per VM administrator password
Every VM generates its own administrator password on first boot and writes it, along with the login user and URL, to a root only credentials file. Read it with sudo:
sudo cat /root/backrest-credentials.txt
You sign in to Backrest with username admin and the backrest.admin.pass value from this file. You can prove the login works from the command line by requesting an authentication token with those credentials:
PASS=$(sudo grep '^backrest.admin.pass=' /root/backrest-credentials.txt | cut -d= -f2-); curl -s -o /dev/null -w 'login HTTP %{http_code}\n' -m 20 -H 'Content-Type: application/json' -H 'Connect-Protocol-Version: 1' -d "{\"username\":\"admin\",\"password\":\"$PASS\"}" http://127.0.0.1/v1.Authentication/Login

Step 5 - Sign in to Backrest
Browse to http://<vm-public-ip>/. Backrest opens on its sign in screen. Enter username admin and the password from Step 4.

Once signed in you land on the summary dashboard, which shows the health of every plan at a glance: when each plan last backed up, how much data is protected, and a recent activity feed.

Step 6 - Add a backup repository
A repository is where restic stores your encrypted, deduplicated snapshots. Click Add Repo in the sidebar to open the repository form. Give the repository a name, set its location under Connection (a local path such as /var/lib/backrest/repos/main on the data disk, or a remote such as S3, Backblaze B2, SFTP or any restic supported backend), and set an encryption password. Use Test Configuration to validate access before saving.

Local repositories live on the dedicated data disk under /var/lib/backrest/repos, so they are captured with the disk and kept separate from the operating system disk.
Step 7 - Create a backup plan
A plan tells Backrest what to back up, where, and on what schedule. Click Add Plan, give it a name, select the repository from Step 6, add one or more paths to include under Scope, then set a Schedule (for example an hourly or daily cron) and a Retention policy to prune old snapshots automatically.

Step 8 - Browse and restore snapshots
Each time a plan runs it creates a snapshot in its repository. Open the plan from the sidebar to see its backup history as a browsable tree by date. From any snapshot you can inspect the files it captured, restore individual files or whole directories, or run restic operations such as check, prune and forget, all from the web UI.

Step 9 - Verify the stack
Confirm the Backrest and restic versions, that the services are enabled, and that authentication is enforced end to end through nginx:
/usr/local/bin/backrest --version | grep -i version:
/usr/local/bin/restic version | head -1
systemctl is-enabled backrest nginx
PASS=$(sudo grep '^backrest.admin.pass=' /root/backrest-credentials.txt | cut -d= -f2-); U=$(curl -s -o /dev/null -w '%{http_code}' -X POST -H 'Content-Type: application/json' -H 'Connect-Protocol-Version: 1' -d '{}' http://127.0.0.1/v1.Backrest/GetConfig); TOK=$(curl -s -H 'Content-Type: application/json' -H 'Connect-Protocol-Version: 1' -d "{\"username\":\"admin\",\"password\":\"$PASS\"}" http://127.0.0.1/v1.Authentication/Login | sed -n 's/.*"token":"\([^"]*\)".*/\1/p'); A=$(curl -s -o /dev/null -w '%{http_code}' -X POST -H "Authorization: Bearer $TOK" -H 'Content-Type: application/json' -H 'Connect-Protocol-Version: 1' -d '{}' http://127.0.0.1/v1.Backrest/GetConfig); echo "no token: $U with token: $A"
The unauthenticated request returns 401 and the request with the token returns 200, proving authentication is enforced on the API:
no token: 401 with token: 200

Step 10 - Where your data lives
The Backrest configuration, its operation log and any local restic repositories live on a dedicated Azure data disk mounted at /var/lib/backrest, separate from the OS disk. This disk is captured into the image and re provisioned on every VM. Confirm the mount and the filesystem:
df -h /var/lib/backrest | tail -1
findmnt -no SOURCE,TARGET,FSTYPE /var/lib/backrest
Security notes
- Backrest serves plain HTTP on port 80. For production, put it behind your own TLS terminating reverse proxy or an Azure Application Gateway with a certificate for your domain, and restrict port 80 in the NSG to trusted networks.
- The Backrest server listens on
127.0.0.1:9898only and is never exposed directly; only nginx on port 80 faces the network. - Authentication is required on the API. The per VM administrator password lives in
/root/backrest-credentials.txt, readable only by root. Sign in and add or change users from Settings if you wish, and keep a copy somewhere safe. - Choose a strong, unique encryption password for every repository. restic encrypts all data at rest with it, and losing it means the backups cannot be recovered.
- Keep the VM patched. The image ships fully patched with unattended security upgrades enabled.
Support
cloudimg images come with 24/7 support. If you have any questions about this Backrest image or need help with your deployment, contact us through the cloudimg website.