ntopng on Ubuntu 24.04 on Azure User Guide
Overview
ntopng is a high speed, web based network traffic monitor: the next generation of the original ntop. It captures traffic directly from a network interface, identifies applications and protocols with deep packet inspection (nDPI), and presents per host and per flow statistics, top talkers, alerts and historical trends through an interactive web dashboard. It can also act as a flow collector for NetFlow, sFlow and IPFIX exported by routers, switches and firewalls. The cloudimg image serves the ntopng community edition (GPL-3.0) on a hardened, fully patched Ubuntu 24.04 LTS base, with its mandatory Redis backing store already installed and wired up, so the dashboard is monitoring traffic the moment the VM boots.
The image is secure by default. A stock ntopng install ships with the well known admin / admin login; the cloudimg image does not. No usable credential is baked into the image, and a one shot first boot service generates a unique administrator password on every VM's first boot and records it on the VM for you. Backed by 24/7 cloudimg support.
What is included:
- ntopng community edition (GPL-3.0), installed from the official ntop apt repository, managed by systemd
- The web UI on
:3000(HTTP; front it with a reverse proxy and TLS for production) - Redis as the mandatory in-memory backing store on
127.0.0.1:6379 - No default
admin/adminlogin: a unique admin password is generated on first boot - Deep packet inspection (nDPI) for Layer-7 application and protocol detection
- Real time and historical per host and per flow traffic analysis, top talkers and alerts
- Flow collection for NetFlow, sFlow and IPFIX
redis-server.serviceandntopng.serviceas enabled systemd unitsntopng-firstboot.servicethat rotates the admin password per VM- 24/7 cloudimg support
Prerequisites
An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a sensible starting point; size up for busier links or larger flow volumes. NSG inbound: allow 22/tcp from your management network and 3000/tcp for the web UI. Restrict 3000/tcp to trusted networks in production, since it is the administrative interface, and place TLS in front of it for encrypted access.
Step 1 - Deploy from the Azure Marketplace
Sign in to the Azure Portal, choose Create a resource, search the Marketplace for ntopng by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22), then add a custom rule for 3000. Review the defaults, then Review + create then Create.
Step 2 - Deploy from the Azure CLI
az vm create \
--resource-group <your-rg> \
--name ntopng \
--image <marketplace-image-urn> \
--size Standard_B2s \
--admin-username azureuser \
--generate-ssh-keys \
--public-ip-sku Standard
Then open the web UI port:
az vm open-port --resource-group <your-rg> --name ntopng --port 3000 --priority 900
Step 3 - Confirm the services are running
SSH in as azureuser and confirm that Redis and ntopng are active. ntopng requires Redis as its backing store, so both run as enabled systemd units; ntopng listens on port 3000 and Redis on loopback port 6379.
systemctl is-active redis-server ntopng ntopng-firstboot
sudo ss -tlnp | grep -E ':3000 |:6379 ' | awk '{print $1, $4}'

Step 4 - Retrieve your per-VM admin password
The cloudimg image ships with no usable login. On the first boot of every VM, ntopng-firstboot.service generates a unique administrator password, stores it in Redis and records it in a root only credentials file. Read it with sudo:
sudo cat /root/ntopng-credentials.txt
The file records the username (admin), the generated password, the port and the URL that points at this VM's own address. Keep it safe, and change the password from the UI once you are signed in if you prefer.

Step 5 - Sign in to the traffic dashboard
Browse to http://<vm-public-ip>:3000/ and sign in as admin with the password from the credentials file. ntopng opens on its traffic dashboard: top flow talkers, top local and remote hosts, top applications and a live traffic classification, all updating in real time from the monitored interface.

Step 6 - Explore the host inventory
Open Hosts from the left navigation to see every host ntopng has observed on the monitored interface, with per host traffic totals, throughput, the applications each host is using and an activity breakdown. Select any host to drill into its flows, ports, protocols and historical activity.

Step 7 - Inspect live flows with Layer-7 detection
Open Flows to watch active connections in real time. Each flow shows the client and server, the Layer-7 application detected by nDPI (for example TCP:SSH or TCP:HTTP), a risk score, duration and throughput. Use the filters at the top to narrow by host, protocol, application or traffic type.

Step 8 - Review interface statistics
Open Interface to see the monitored interface's overall statistics: packet and byte counters, traffic distribution by protocol, throughput over time and interface level charts. This is the top down view of everything crossing the interface ntopng is watching.

Step 9 - Verify the stack
Confirm the ntopng community version, that the binary reports its build, and that the Redis backing store answers:
dpkg-query -W -f='${Version}\n' ntopng
ntopng --version | head -3
redis-cli ping

Step 10 - Confirm the secure-by-default login
You can prove from the command line that only your per-VM credential works and that the stock admin / admin login has been disabled. The per-VM password authenticates against the ntopng REST API and returns 200; the default admin / admin is rejected and redirects to the login page (302):
curl -s -o /dev/null -w 'per-VM admin -> HTTP %{http_code}\n' -u 'admin:<ADMIN_PASSWORD>' http://127.0.0.1:3000/lua/rest/v2/get/ntopng/interfaces.lua
curl -s -o /dev/null -w 'default admin/admin -> HTTP %{http_code}\n' -u admin:admin http://127.0.0.1:3000/lua/rest/v2/get/ntopng/interfaces.lua

Step 11 - Choose the monitored interface (optional)
By default ntopng monitors the VM's primary network interface. To change which interface or interfaces it watches, edit /etc/ntopng/ntopng.conf (the -i= line), then restart the service:
sudo systemctl restart ntopng
To collect flows exported by other devices instead of, or in addition to, live capture, add a collector interface such as -i=tcp://0.0.0.0:6343 for sFlow or a zmq endpoint, and open the corresponding NSG port.
Security notes
- The web UI serves on port 3000 over plain HTTP. Restrict
3000/tcpin the NSG to trusted networks, place a reverse proxy with TLS in front of it for encrypted access, and consider putting the UI behind your own VPN. - The image ships with no usable login. A unique admin password is generated on first boot and stored in the root only file
/root/ntopng-credentials.txt; the stockadmin/adminlogin is disabled. Change the password from the UI after first sign in, and create additional per user accounts as needed. - ntopng captures traffic on the interface it monitors. Deploy it where it can see the traffic you care about (for example a mirrored or SPAN port, or as a flow collector), and be mindful of the privacy implications of packet inspection on your network.
- Keep the VM patched. The image ships fully patched with unattended security upgrades enabled.
Support
cloudimg images come with 24/7 support. If you have any questions about this ntopng image or need help with your deployment, contact us through the cloudimg website.