Ba
Artificial Intelligence (AI) Azure

big-AGI on Ubuntu 24.04 on Azure User Guide

| Product: big-AGI on Ubuntu 24.04 LTS on Azure

Overview

big-AGI is the open source, self-hosted AI chat and agent workspace. It gives you a polished web UI for talking to any OpenAI-compatible model - OpenAI, Anthropic, Google Gemini, OpenRouter, or a fully local backend such as llama.cpp or Ollama - with rich chat, AI personas, multi-model routing and voice, all running on your own VM. big-AGI itself stores no accounts and no API keys: every LLM credential you add is configured in the browser and kept in that browser's local storage, never on this server. The cloudimg image installs Docker CE from the official Docker repository and runs big-AGI 2.0.5 as a container (managed by Docker with a restart policy), bound to the loopback connector 127.0.0.1:3000 behind an nginx reverse proxy on port 80. nginx protects the whole app with HTTP Basic Auth, and a unique login password is generated on the first boot of every VM. Backed by 24/7 cloudimg support.

What is included:

  • big-AGI 2.0.5 running as a container managed by Docker
  • Docker CE preinstalled from the official Docker apt repository
  • The big-AGI chat UI on :80, fronted by nginx with HTTP Basic Auth
  • A unique login password generated on first boot and recorded in a root-only file
  • A dedicated Azure data disk at /var/lib/big-agi holding the per-VM auth credential
  • docker.service + nginx.service as systemd units, enabled and active
  • An unauthenticated /healthz endpoint for Azure Load Balancer health probes
  • Streaming-friendly nginx proxy configuration for chat completions
  • 24/7 cloudimg support

Prerequisites

An active Azure subscription, an SSH key pair, and a VNet + subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a reasonable starting point for the UI itself - big-AGI does not run any model locally, all inference happens on the remote or local API endpoint you configure. NSG inbound: allow 22/tcp from your management network and 80/tcp. big-AGI serves plain HTTP on port 80; for production, terminate TLS in front of it with your own domain and consider adding 443/tcp (see Maintenance). You will also need your own API key for whichever LLM provider you plan to use (OpenAI, Anthropic, Gemini, OpenRouter), or a reachable local inference server (llama.cpp, Ollama, LM Studio).

Step 1 - Deploy from the Azure Marketplace

Sign in to the Azure Portal, choose Create a resource, search the Marketplace for big-AGI by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Review the dedicated data disk on the Disks tab, then Review + create -> Create.

Step 2 - Deploy from the Azure CLI

az vm create \
  --resource-group <your-rg> \
  --name big-agi \
  --image <marketplace-image-urn> \
  --size Standard_B2s \
  --admin-username azureuser \
  --ssh-key-values ~/.ssh/id_ed25519.pub \
  --vnet-name <your-vnet> --subnet <your-subnet> \
  --public-ip-sku Standard

az vm open-port --resource-group <your-rg> --name big-agi --port 80 --priority 1010

Step 3 - Connect to your VM

ssh azureuser@<vm-public-ip>

Step 4 - Confirm the services are running

systemctl is-active docker.service nginx.service
docker ps --filter name=big-agi --format 'table {{.Names}}\t{{.Image}}\t{{.Status}}'

Both systemd units report active, and Docker shows the big-agi container Up. Docker manages the big-AGI container (bound to the loopback connector 127.0.0.1:3000), and nginx fronts it on port 80 behind HTTP Basic Auth.

docker.service and nginx.service active, and the big-agi container healthy on the loopback connector 3000

Step 5 - Retrieve your login credentials

big-AGI's access gate is HTTP Basic Auth (user admin). The password is generated uniquely on the first boot of your VM and written to a root-only file:

sudo cat /root/big-agi-credentials.txt

This file contains BIG_AGI_URL, BIG_AGI_USERNAME and BIG_AGI_PASSWORD. Store the password somewhere safe.

The pinned big-AGI image digest and the per-VM credentials file with the generated admin password and URL

Step 6 - Confirm the health endpoint

nginx serves an unauthenticated health endpoint for load balancers and probes:

curl -s http://localhost/healthz

It returns ok. This endpoint never requires authentication, so it is safe for an Azure Load Balancer health probe.

Step 7 - Confirm the login password is enforced

Because a password is set on first boot, an unauthenticated request to big-AGI is rejected (HTTP 401), so nobody reaches your chat sessions without the password:

curl -s -o /dev/null -w '%{http_code}\n' http://127.0.0.1/

It prints 401. A wrong password is also rejected with 401; only the per-VM password from Step 5 returns 200. You can confirm this in the browser in the next step.

nginx returning 401 for an unauthenticated request and 200 once the per-VM admin password is supplied, with a note that big-AGI stores no API keys server-side

Step 8 - Sign in to big-AGI

Browse to http://<vm-public-ip>/. Your browser prompts for HTTP Basic Auth credentials; enter admin and the password from Step 5. Once signed in, you land on the chat home: an AI Persona picker (Default, Developer, Scientist, Catalyst, Executive, Custom, or build your own with the Persona Creator) and an empty message composer.

The big-AGI chat home showing the AI Persona picker and an empty message composer, behind the nginx Basic Auth gate

Step 9 - Connect your own LLM API key

big-AGI has no server-side accounts or stored keys of any kind - the toolbar shows a "Models" warning until you add one. Click it (or the model/settings icon in the sidebar) to open Setup AI Models, where you can paste an OpenAI, Anthropic, Gemini or OpenRouter API key, or switch to the Local tab to point at a self-hosted OpenAI-compatible endpoint (llama.cpp server, Ollama, LM Studio). Whatever you enter here is saved only in your browser's local storage - it is never written to this VM, never logged, and never visible to cloudimg.

The Setup AI Models panel where you paste your own OpenAI, Anthropic, Gemini or OpenRouter API key, or switch to a Local self-hosted endpoint

Step 10 - Start a conversation

Pick a persona, type your message in the composer, and press Enter (or the Chat button) to send it to the model you configured in Step 9.

A prompt composed in the big-AGI chat box, ready to send to the configured model

Step 11 - Explore the Apps & Tools menu

The Apps & Tools icon in the left rail opens Create Personas, Compare Text, News, the AI Inspector and Clipboard History - big-AGI's built-in productivity tools alongside the core chat experience.

The big-AGI Apps & Tools sidebar showing Create Personas, Compare Text, News and the Quick Tools section

Step 12 - Confirm the auth credential lives on the dedicated disk

The per-VM .htpasswd for the nginx Basic Auth gate is stored under /var/lib/big-agi on the dedicated Azure data disk, so it survives OS changes and can be resized independently. big-AGI's own conversation history, personas and model settings live in your browser's local storage, not on the server:

findmnt /var/lib/big-agi

The mount is backed by a separate Azure data disk captured into the image and re-provisioned on every VM.

Maintenance

  • Password: the Basic Auth password is set on first boot. To change it, run sudo sh -c 'printf "admin:%s\n" "$(openssl passwd -apr1 NEW_PASSWORD)" > /var/lib/big-agi/.htpasswd' && sudo systemctl reload nginx.
  • LLM API keys: all provider keys and local-endpoint URLs are entered by you in Settings > Models and saved to your browser only - there is nothing server-side to back up, rotate or leak. Clearing your browser's site data for this VM's URL removes them; simply re-enter them.
  • Pairs well with: a cloudimg llama.cpp Server instance as a private, no-external-API-key backend - point big-AGI's Local tab at your llama.cpp Server's address for a fully self-hosted chat stack.
  • Upgrades: big-AGI runs as the big-agi container from the pinned ghcr.io/enricoros/big-agi:v2.0.5 image; to upgrade, pull a newer tag and re-run docker run with the same -p 127.0.0.1:3000:3000 binding.
  • TLS: big-AGI serves plain HTTP on port 80; front it with TLS (e.g. certbot with your own domain) before production use, especially before entering real API keys in the browser.
  • Security patches: unattended-upgrades remains enabled so the OS continues to receive security updates automatically.
  • License: big-AGI Open is MIT licensed. This image ships the free Open edition; some optional Big-AGI Pro features described in the upstream project are not included.

Support

cloudimg provides 24/7 expert support for this image. Contact support@cloudimg.co.uk.