draw.io on Ubuntu 24.04 LTS on Azure User Guide
Overview
This guide covers the deployment and configuration of draw.io (diagrams.net) on Ubuntu 24.04 LTS on Azure using cloudimg Azure Marketplace images. draw.io is a full featured, open source diagram editor that runs entirely in the browser. You draw flowcharts, UML and ER diagrams, network and cloud architecture diagrams, BPMN, org charts and mind maps on an infinite canvas with a huge shape library, then export to PNG, SVG, PDF or the open drawio format.
The image deploys the official draw.war v30.3.14 release on Apache Tomcat 9 running on OpenJDK 17, fronted by nginx which terminates HTTPS. Because draw.io is a client side application, your diagrams live in your browser and on your own device rather than on the server, which makes self hosting a natural fit for teams that want a private, in house alternative to a cloud diagramming service. Every downloaded artifact is pinned by exact version and verified against a checksum at build time.
Why Tomcat 9? The draw.war release ships a
javax.servletweb application, which is exactly what Tomcat 9 serves. This is the same runtime draw.io's own official Docker image uses. cloudimg hardens the container before capture, as described in the security section below.
What is included:
-
draw.io / diagrams.net v30.3.14 (official GitHub release
draw.war), sha256 pinned -
Apache Tomcat 9.0.120 (official Apache binary distribution), sha512 pinned
-
OpenJDK 17 JRE headless
-
drawio.servicesystemd unit auto starting on boot, running Tomcat as the unprivilegedtomcatsystem user -
drawio-server-firstboot.servicesystemd oneshot that generates a per VM TLS certificate, starts the editor, proves it is serving, then starts nginx -
Tomcat HTTP connector bound to loopback only (
127.0.0.1:8080); nginx terminates TLS on:443and reverse proxies to it -
:80redirects to HTTPS, plus an unauthenticated/healthzendpoint (nginx native, HTTP 200) for load balancer and probe checks -
Hardened Tomcat: the manager and host-manager webapps are removed,
tomcat-users.xmlis shipped empty, and the shutdown port is disabled, so there is no admin console and no default credential -
Ubuntu 24.04 LTS base with the latest security patches applied at build time
-
Azure Linux Agent for seamless cloud integration and SSH key injection
-
24/7 cloudimg support with a guaranteed 24 hour response SLA
Prerequisites
-
Active Azure subscription, an SSH public key, and a VNet plus subnet in the target region
-
A network security group that allows inbound TCP 22 (SSH), 80 (HTTP redirect) and 443 (HTTPS)
-
Important security note: draw.io has no login and no access control of its own. Anyone who can reach the editor can use it, and the built in image proxy can fetch remote URLs on the server's behalf. Restrict the inbound rule for ports 80 and 443 to trusted source ranges in your network security group, or place the VM behind an authenticating reverse proxy or VPN.
Deploy from the Azure Marketplace
-
In the Azure portal, choose Create a resource and search for draw.io on Ubuntu 24.04 LTS by cloudimg.
-
Select the plan and click Create.
-
On the Basics tab pick your subscription, resource group and region, give the VM a name, and choose a size.
Standard_B2sis a good starting point for evaluation and light use; scale up for heavier concurrent use. -
Set the authentication type to SSH public key, provide your key, then set the inbound ports to allow SSH (22), HTTP (80) and HTTPS (443).
-
Review and create. When the deployment finishes, note the VM's public IP address.
On first boot, drawio-server-firstboot.service generates a per VM self signed TLS certificate, starts the editor, waits until it is serving, then brings up nginx and writes a short access note. This usually completes within a minute of the VM reaching the running state.
Open the editor
Point a browser at https://<VM-public-IP>/. Because the image ships a self signed certificate, your browser will warn on first visit; accept the exception (or install your own certificate, see below). The full draw.io editor loads, with the shape palette on the left, the drawing canvas in the middle, and the format panel on the right.

The editor is the complete draw.io application. You can build any of its diagram types, for example a UML class diagram with fields, methods and associations:

Network and cloud architecture diagrams work the same way. Here is the architecture of this very appliance, drawn in draw.io: a browser talks HTTPS to nginx, which reverse proxies over the loopback interface to Apache Tomcat serving draw.war:

Flowcharts, UML, ER diagrams, network and cloud diagrams, BPMN, org charts and mind maps are all available out of the box from the built in shape libraries:

Your diagrams are stored client side. Use File → Save to download a .drawio (or .png/.svg/.pdf) file to your device, and File → Open to load one back. Nothing is written to the server, so there is nothing to back up on the VM.
Verify the deployment
SSH into the VM as azureuser and confirm both services are active. The Tomcat connector is bound to loopback only; nginx is the public listener that terminates TLS.
sudo systemctl start drawio.service nginx.service
for i in $(seq 1 60); do
code=$(curl -sk -o /dev/null -w '%{http_code}' -m 5 https://127.0.0.1/)
[ "$code" = "200" ] && break
sleep 2
done
systemctl is-active drawio.service nginx.service
Both services report active once first boot has completed.

Check the health endpoint, the editor page and a known editor asset over TLS. The health check needs no authentication and is ideal for a load balancer probe:
curl -sk -o /dev/null -w 'GET /healthz -> HTTP %{http_code}\n' https://127.0.0.1/healthz
curl -sk -o /dev/null -w 'GET / (editor) -> HTTP %{http_code}\n' https://127.0.0.1/
curl -sk -o /dev/null -w 'GET /js/app.min.js -> HTTP %{http_code}\n' https://127.0.0.1/js/app.min.js
All three return HTTP 200. The listeners confirm that only nginx (80 and 443) is exposed, while Tomcat stays on 127.0.0.1:8080:
ss -tln | grep -E ':80 |:443 |:8080 '
Security and hardening
A stock Tomcat ships the manager and host-manager web applications together with a tomcat-users.xml file. This image removes both admin webapps, ships an empty users file and disables the shutdown port, so there is no admin console to reach and no default Tomcat credential. You can confirm it directly on the VM: the only deployed webapp is ROOT (draw.io itself), /manager/html returns 404, and the users file has zero <user> elements.
sudo ls /opt/tomcat/webapps
curl -sk -o /dev/null -w 'GET /manager/html -> HTTP %{http_code}\n' https://127.0.0.1/manager/html
sudo grep -c '<user' /opt/tomcat/conf/tomcat-users.xml || echo '0 (empty - no default credential)'

Remember that draw.io itself has no login. The hardening above locks down the servlet container, but the editor is still open to anyone who can reach it, so keep the inbound network security group rules tight.
Runtime and versions
The runtime stack, the exact draw.io and Tomcat versions, and the units enabled for the customer's first boot can all be inspected on the VM:
java -version 2>&1 | head -1
cat /opt/tomcat/DRAWIO_VERSION
systemctl is-enabled drawio.service nginx.service drawio-server-firstboot.service

The access note
On first boot the image writes a short, secret free access note to /root/drawio-server-credentials.txt. draw.io has no login, so no credential is generated or stored; the note simply records the editor URL and a reminder to restrict inbound access.
sudo cat /root/drawio-server-credentials.txt

Bring your own TLS certificate
The image serves HTTPS with a self signed certificate that is regenerated per VM at first boot, so it is unique to your instance but not trusted by browsers. For production, replace it with a certificate for your own domain. Put your certificate and key in place and reload nginx:
-
Point a DNS record at the VM's public IP.
-
Copy your certificate chain to
/etc/nginx/tls/drawio.crtand your private key to/etc/nginx/tls/drawio.key(keep the key mode0600). -
Alternatively, place the VM behind an Azure Application Gateway or another reverse proxy that terminates TLS with a managed certificate.
After replacing the files, reload the web server so the new certificate is served:
sudo nginx -t
A successful nginx -t confirms the configuration is valid before you reload.
Support
This image is maintained by cloudimg with 24/7 support and a guaranteed 24 hour response SLA. draw.io / diagrams.net is free and open source software licensed under the Apache License 2.0; the cloudimg charge covers packaging, security patching, image maintenance and support. For help, contact support@cloudimg.co.uk.