Networking Azure

NetBox on Ubuntu 24.04 on Azure User Guide

| Product: NetBox on Ubuntu 24.04 LTS on Azure

Overview

This image runs NetBox 4.6.5, the leading open source Network Source of Truth, on Ubuntu 24.04 LTS. NetBox is a combined IP address management (IPAM) and data centre infrastructure management (DCIM) platform: it holds the authoritative record of your IP space, VLANs and VRFs, devices, racks, sites, cabling, circuits and virtualisation, and exposes all of it through a full REST and GraphQL API, change logging, custom fields and a webhook automation engine.

cloudimg delivers NetBox fully installed and reverse proxied behind nginx, with the gunicorn application server, the background task worker, PostgreSQL 16 and Redis 7 already configured and managed by systemd, so a complete Network Source of Truth is operational within minutes of launch.

What is included:

  • NetBox 4.6.5 installed from the official release into /opt/netbox, running in a dedicated Python virtual environment
  • PostgreSQL 16 as the primary database and Redis 7 as the task queue and cache backend
  • gunicorn serving the Django application on 127.0.0.1:8001, fronted by nginx on port 80
  • A background request queue worker (netbox-rq.service) for webhooks and long running jobs
  • Five systemd units enabled and active: postgresql, redis-server, netbox, netbox-rq and nginx
  • Secure by default: no administrator account and no shared secret ship in the image. On first boot a unique Django secret key, a unique database password, a unique administrator account and a REST API token are generated and written to a root only file
  • A daily housekeeping task that keeps the database tidy automatically
  • A fully patched Ubuntu 24.04 LTS base with unattended security upgrades enabled
  • 24/7 cloudimg support

Prerequisites

An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is the recommended size for evaluation and small deployments; for larger inventories choose a size with more memory. NSG inbound: allow 22/tcp from your management network and 80/tcp for the web interface. NetBox serves plain HTTP on port 80; for production or shared access, terminate TLS in front of it with your own domain (see the final step).

Step 1 - Deploy from the Azure Marketplace

Sign in to the Azure Portal, choose Create a resource, search the Marketplace for NetBox by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Then Review + create then Create.

Step 2 - Deploy from the Azure CLI

az vm create \
  --resource-group <your-rg> \
  --name netbox \
  --image <marketplace-image-urn> \
  --size Standard_B2s \
  --admin-username azureuser \
  --ssh-key-values ~/.ssh/id_ed25519.pub \
  --vnet-name <your-vnet> --subnet <your-subnet> \
  --public-ip-sku Standard

# Open the HTTP port so you can reach the web interface
az vm open-port --resource-group <your-rg> --name netbox --port 80 --priority 900

Step 3 - Retrieve the per VM admin credentials

Nothing secret is baked into the image. On the very first boot, a one shot service (netbox-firstboot.service) generates a fresh Django secret key, a fresh database password, a unique administrator account and a REST API token, all unique to your instance. It writes them to /root/netbox-credentials.txt, readable only by root. SSH in as azureuser and read them:

$ sudo cat /root/netbox-credentials.txt
# NetBox - generated on first boot by netbox-firstboot.service.
# These credentials are unique to THIS VM. Store them somewhere safe.

netbox.url=http://20.55.10.42/
netbox.admin.user=admin
netbox.admin.pass=Xq7pR2mK9wU4nZ8vB3hL6yD1
netbox.api.token=8f3c1e0a9b2d4c6e8f0a1b2c3d4e5f60718293a4

# Canonical keys consumed by the cloudimg smoke verifier + guide substitution:
NETBOX_ADMIN_PASSWORD=Xq7pR2mK9wU4nZ8vB3hL6yD1
NETBOX_API_TOKEN=8f3c1e0a9b2d4c6e8f0a1b2c3d4e5f60718293a4

The netbox-firstboot.service one shot is ordered before the application services, so the web UI only ever starts once every per VM secret has been generated. The values above are an example; your instance will have its own unique credentials.

The netbox first boot service is enabled and its script header describing the per VM secret rotation

Step 4 - Confirm the services are running

Check that PostgreSQL, Redis, the NetBox application, the request queue worker and nginx are all active:

sudo systemctl is-active postgresql redis-server netbox netbox-rq nginx

All five report active. gunicorn binds to loopback only (127.0.0.1:8001) and nginx publishes the interface on port 80:

sudo ss -tlnp | grep -E ':80 |:8001 '

The five NetBox services reporting active and the listening ports, nginx on 80 and gunicorn on 127.0.0.1:8001

Step 5 - Confirm the web endpoints

The sign in page is public and returns 200. NetBox requires authentication for everything else, so an anonymous request to the application is redirected to the login page and the REST API returns 403 without a token. This is the secure default.

curl -s -o /dev/null -w 'HTTP %{http_code}\n' http://localhost/login/
curl -s -o /dev/null -w 'HTTP %{http_code}\n' http://localhost/
curl -s -o /dev/null -w 'HTTP %{http_code}\n' http://localhost/api/dcim/devices/

The login page returning 200, an anonymous request redirected to login, and the REST API returning 403 without a token

Step 6 - Sign in to the web UI

Browse to http://<vm-ip>/ and sign in as admin with the password from /root/netbox-credentials.txt. NetBox opens on the login page.

The NetBox sign in page served on port 80

After signing in you land on your personal dashboard, with widgets summarising your organisation, IP space, devices, circuits and more. The screenshots in this guide show NetBox populated with a small set of example objects; a freshly deployed instance starts empty and ready for you to model your own network.

The NetBox dashboard after signing in, showing organisation, IPAM and DCIM summary widgets

Step 7 - Model your network: IPAM and DCIM

Under IPAM > Prefixes you record your IP space: aggregates, prefixes, IP ranges and individual addresses, each with a status, VRF, tenant, role and description. NetBox validates hierarchy and utilisation automatically.

The IPAM Prefixes list showing example prefixes with their status and utilisation

Under Devices you record your physical and virtual infrastructure: sites, racks, manufacturers, device types and the devices themselves, with roles, interfaces, cabling and console connections.

The DCIM Devices list showing example access switches with their site, role, manufacturer and type

Step 8 - Use the REST API

NetBox exposes a complete REST API under /api/. Use the token from /root/netbox-credentials.txt in the Authorization: Token <token> header to call any endpoint. Read the token into a shell variable and query your devices and prefixes:

$ TOKEN=$(sudo grep '^NETBOX_API_TOKEN=' /root/netbox-credentials.txt | cut -d= -f2-)

$ curl -s -H "Authorization: Token $TOKEN" http://<vm-ip>/api/dcim/devices/
count=2
 - sw-access-01 @ HQ
 - sw-access-02 @ DC1

$ curl -s -H "Authorization: Token $TOKEN" http://<vm-ip>/api/ipam/prefixes/
count=3
 - 10.0.0.0/8
 - 10.1.10.0/24
 - 192.168.1.0/24

The REST API returning the example devices and prefixes when called with the per VM token

A GraphQL endpoint is also available at /graphql/, and you can create additional scoped tokens from Admin > API Tokens in the web UI.

Step 9 - Enable HTTPS with your own domain

NetBox ships on plain HTTP on port 80 so it works immediately. For production, point a DNS record at the VM's public IP, add the hostname to ALLOWED_HOSTS and CSRF_TRUSTED_ORIGINS in /opt/netbox/netbox/netbox/configuration.py, and terminate TLS with a certificate. A common approach is to obtain a certificate with certbot and reverse proxy through nginx, or to place Azure Application Gateway in front of the VM. Restart the application after editing the configuration:

$ sudo systemctl restart netbox netbox-rq

Administration and support

The NetBox manage.py command is wrapped for convenience: run sudo netbox-manage <command> (for example sudo netbox-manage createsuperuser to add another administrator, or sudo netbox-manage housekeeping to run maintenance on demand). The application configuration lives in /opt/netbox/netbox/netbox/configuration.py, and NetBox and its request queue worker are managed with sudo systemctl restart netbox netbox-rq.

This image is a repackaged open source software product with additional charges for cloudimg support services. Our engineers provide 24/7 support for deployment, upgrades, TLS termination, LDAP and SSO integration, API automation and scaling. NetBox is a trademark of its respective owner; use of the name here is purely to identify the software this image packages.