Excalidraw on Ubuntu 24.04 on Azure User Guide

Overview

Excalidraw is an open-source virtual whiteboard for sketching hand-drawn-style diagrams. It is local-first: your drawings live privately in your own browser, and there is no account, login or password to manage. The cloudimg image self-hosts both halves of Excalidraw so you get a fully private, on-prem deployment with no dependency on the public excalidraw.com: the static web app is served by nginx on port 80, and the official real-time collaboration room server runs alongside it on loopback so the Share to Live collaboration feature connects to your own VM, not a public server. Built from Excalidraw 0.18.1, backed by 24/7 cloudimg support.

What is included:

• Excalidraw 0.18.1 static web app, built from the official source and served from /var/www/excalidraw
• nginx on :80 serving the single-page app, with a Socket.IO reverse proxy to the local collaboration server
• The official Excalidraw collaboration room server (excalidraw-room) on loopback 127.0.0.1:3002, never publicly exposed
• excalidraw-room.service + nginx.service as systemd units, enabled and active on every boot
• A first-boot service that writes an MOTD banner and a non-secret info note (Excalidraw has no credentials to rotate)
• 24/7 cloudimg support

Prerequisites

An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2ms (2 vCPU / 8 GiB RAM) is a good starting point. NSG inbound: allow 22/tcp from your management network and 80/tcp for the whiteboard. Excalidraw serves plain HTTP on port 80; for production, terminate TLS in front of it with your own domain.

Step 1 - Deploy from the Azure Marketplace

Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Excalidraw by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Then Review + create and Create.

Step 2 - Deploy from the Azure CLI

az vm create \
  --resource-group <your-rg> \
  --name excalidraw \
  --image <marketplace-image-urn> \
  --size Standard_B2ms \
  --admin-username azureuser \
  --ssh-key-values ~/.ssh/id_ed25519.pub \
  --vnet-name <your-vnet> --subnet <your-subnet> \
  --public-ip-sku Standard

az vm open-port --resource-group <your-rg> --name excalidraw --port 80 --priority 1010

Step 3 - Connect to your VM

ssh azureuser@<vm-public-ip>

Step 4 - Confirm the services are running

The whiteboard is served by nginx and the real-time collaboration server runs as excalidraw-room.service. Confirm both are active:

systemctl is-active excalidraw-room.service nginx.service

Both report active.

Step 5 - Verify the endpoints

Confirm nginx serves the Excalidraw app on port 80 and that the Socket.IO collaboration endpoint is reachable through nginx (it proxies to the loopback room server):

echo "SPA index:        $(curl -s -o /dev/null -w '%{http_code}' http://127.0.0.1/)"
echo "nginx /health:    $(curl -s -o /dev/null -w '%{http_code}' http://127.0.0.1/health)"
echo "Socket.IO (nginx):$(curl -s -o /dev/null -w '%{http_code}' 'http://127.0.0.1/socket.io/?EIO=4&transport=polling')"

All three return 200. The Socket.IO request returns an Engine.IO handshake payload (it contains a sid session id), which proves the live-collaboration server is wired up behind nginx.

Step 6 - Confirm the collaboration server is private

The collaboration room server is bound to loopback 127.0.0.1:3002 and is never exposed directly; only nginx on port 80 is public. A non-secret info note records the app URL:

ss -tlnp | grep 3002
cat /var/lib/cloudimg/excalidraw-info.txt

Step 7 - Open the whiteboard

Browse to http://<vm-public-ip>/ in any modern browser. The Excalidraw canvas loads with the drawing toolbar across the top. Because Excalidraw is local-first, there is no sign-in: your drawings are saved privately in your browser.

Step 8 - Draw

Pick a tool from the toolbar (rectangle, ellipse, diamond, arrow, line, freedraw, text and more) and draw on the canvas. Selecting a shape shows the style panel on the left for stroke colour, fill, font and layering.

The left-hand style panel lets you change stroke colour, fill style, font family and size, opacity and layer order for the selected element.

Step 9 - Live collaboration

Click Share in the top-right and choose Live collaboration. Excalidraw starts a collaborative session and gives you a room link to share. The collaboration link is served by this VM's own room server, so your whiteboard data never leaves your host. Anyone you send the link to joins the same canvas in real time.

Maintenance

• Data: Excalidraw is local-first; drawings are stored in each visitor's browser. There is no server-side database to back up. Use the in-app Save to file / Open to export and import .excalidraw scenes.
• Collaboration: the room server (excalidraw-room.service) holds an in-progress shared scene only while a session is active; nothing is persisted to disk.
• TLS: Excalidraw serves plain HTTP on port 80; front it with TLS (for example certbot) and your own domain before production use.
• Restart: sudo systemctl restart excalidraw-room.service nginx.service if you need to bounce the services.
• Security patches: unattended-upgrades remains enabled so the OS continues to receive security updates automatically.

Support

cloudimg provides 24/7 expert support for this image. Contact support@cloudimg.co.uk.

Excalidraw is a trademark of Excalidraw, Inc. cloudimg is not affiliated with, endorsed by, or sponsored by Excalidraw, Inc. This image packages the open-source Excalidraw software (MIT License) for convenient deployment on Microsoft Azure.