Databases Azure

Redis 8 on Ubuntu 24.04 on Azure User Guide

| Product: Redis 8 on Ubuntu 24.04 LTS on Azure

Overview

This guide covers the deployment and configuration of Redis 8 on Ubuntu 24.04 on Azure using cloudimg Azure Marketplace images. Redis 8 GA shipped in 2025 — the first major release that ships native Vector Sets, JSON, Time Series, and Bloom data types built into the core engine (no separate RedisStack modules required), alongside the long-standing strings / lists / sets / hashes / sorted sets / streams data types.

The image installs Redis 8 from the official packages.redis.io/deb APT repo (Ubuntu noble suite). At first boot, redis-firstboot.service generates a per-VM 32-char hex requirepass and writes a drop-in at /etc/redis/conf.d/cloudimg-auth.conf (mode 0640, redis:redis). The credential is mirrored to /stage/scripts/redis-credentials.log (mode 0600 root only). Anonymous access is rejected — every command must be authenticated with redis-cli -a '<password>'.

The default deployment listens on 127.0.0.1:6379 only. Customers reconfigure bind and protected-mode in /etc/redis/redis.conf (or as a drop-in in /etc/redis/conf.d/) for non-loopback access. RDB snapshots are enabled by default; AOF is off by default and customers enable appendonly yes for write-heavy durability requirements.

What is included:

  • Redis 8 (latest 8.x at build time, 8.6.2) from the official packages.redis.io APT repo

  • redis-server.service systemd unit auto-starting on boot

  • redis-firstboot.service systemd oneshot that generates the per-VM requirepass and writes /etc/redis/conf.d/cloudimg-auth.conf + /stage/scripts/redis-credentials.log

  • redis-tools package for redis-cli, redis-benchmark, redis-check-rdb, redis-check-aof

  • Default listener on TCP 6379 bound to 127.0.0.1 (loopback only)

  • RDB snapshots enabled (save 3600 1, 300 100, 60 10000)

  • AOF disabled by default — opt in with appendonly yes for write-heavy workloads

  • Per-VM requirepass enforced — anonymous connections rejected with NOAUTH

  • Native Vector Sets (8 GA), JSON, Time Series, and Bloom data types built into the engine

  • Data directory /var/lib/redis (NOT /mnt — Azure ephemeral resource disk does not survive SIG capture)

  • Ubuntu 24.04 LTS base with latest security patches applied at build time

  • Azure Linux Agent for seamless cloud integration and SSH key injection

  • 24/7 cloudimg support with guaranteed 24 hour response SLA

Prerequisites

  • An active Azure subscription

  • A subscription to the Redis 8 on Ubuntu 24.04 listing on Azure Marketplace

  • An SSH public key for VM authentication

  • A virtual network and subnet in the target region

Recommended virtual machine size: Standard_B2s (2 vCPU, 4 GB RAM) for development and small caches. Production deployments should use Standard_E4s_v5 (4 vCPU, 32 GB RAM) or larger — Redis is memory-bound, and the most useful sizing dimension is RAM, not cores. Set maxmemory in redis.conf to ~75% of the VM's RAM and pick an eviction policy (allkeys-lru for cache, noeviction for source-of-truth).

Step 1: Deploy from the Azure Portal

Navigate to Marketplace in the Azure Portal, search for Redis 8, select the cloudimg publisher entry, and click Create.

On the Networking tab attach a network security group that allows inbound TCP 22 from your management IP range and TCP 6379 from your application VMs. Do not expose port 6379 to the public internet — even with requirepass enabled, brute-force attacks against weak passwords are a real risk, and Redis without TLS leaks the password in cleartext on the wire.

Click Review + create, wait for validation, then Create. Deployment takes around two minutes.

Step 2: Deploy from the Azure CLI

RG="redis-prod"
LOCATION="eastus"
VM_NAME="redis-01"
ADMIN_USER="azureuser"
GALLERY_IMAGE_ID="/subscriptions/<sub-id>/resourceGroups/azure-cloudimg/providers/Microsoft.Compute/galleries/cloudimgGallery/images/redis-8-ubuntu-24-04/versions/<version>"
SSH_KEY="$(cat ~/.ssh/id_rsa.pub)"

az group create --name "$RG" --location "$LOCATION"

az network vnet create --resource-group "$RG" --name redis-vnet \
  --address-prefix 10.98.0.0/16 --subnet-name redis-subnet --subnet-prefix 10.98.1.0/24

az network nsg create --resource-group "$RG" --name redis-nsg

az network nsg rule create --resource-group "$RG" --nsg-name redis-nsg \
  --name allow-ssh --priority 100 \
  --source-address-prefixes "<your-mgmt-cidr>" \
  --destination-port-ranges 22 --access Allow --protocol Tcp

az network nsg rule create --resource-group "$RG" --nsg-name redis-nsg \
  --name allow-redis --priority 110 \
  --source-address-prefixes 10.98.0.0/16 \
  --destination-port-ranges 6379 --access Allow --protocol Tcp

az vm create \
  --resource-group "$RG" --name "$VM_NAME" \
  --image "$GALLERY_IMAGE_ID" \
  --size Standard_B2s --storage-sku StandardSSD_LRS \
  --admin-username "$ADMIN_USER" --ssh-key-values "$SSH_KEY" \
  --vnet-name redis-vnet --subnet redis-subnet --nsg redis-nsg \
  --public-ip-sku Standard

Step 3: Connect via SSH

ssh azureuser@<vm-ip>

redis-server.service will already be running and redis-firstboot.service will already have generated the requirepass.

Step 4: Verify the Redis Service

sudo systemctl status redis-server.service --no-pager

Expected: active (running). Confirm the firstboot sentinel:

sudo test -f /var/lib/cloudimg/redis-firstboot.done && echo FIRSTBOOT_DONE

Confirm the listener is bound on port 6379:

sudo ss -tln | grep 6379

By default Redis binds to 127.0.0.1 only — LISTEN 0 511 127.0.0.1:6379. To allow remote connections, edit /etc/redis/redis.conf and change bind 127.0.0.1 to bind 0.0.0.0 (or your VM's private IP), then sudo systemctl restart redis-server.

redis-server.service active (running) with TCP 6379 bound on 127.0.0.1 and authentication enforced

Step 5: Retrieve the Redis Password

The Redis requirepass has been rotated on this specific virtual machine and written to a root-only file. Read it with:

sudo cat /stage/scripts/redis-credentials.log

You will see lines similar to:

REDIS_USER=default
REDIS_PASSWORD=<REDIS_PASSWORD>
LISTEN_PORT=6379
LISTEN_ADDRESS=127.0.0.1

Store the password in your secret store. To rotate it, edit /etc/redis/conf.d/cloudimg-auth.conf and sudo systemctl restart redis-server — or use redis-cli -a '<old>' CONFIG SET requirepass '<new>' for a hot rotation (then update cloudimg-auth.conf to make it survive a restart).

/stage/scripts/redis-credentials.log (mode 0600 root); redis-cli -a '<password>' PING returns PONG

Step 6: Connect with redis-cli

PASS=$(sudo grep '^REDIS_PASSWORD=' /stage/scripts/redis-credentials.log | cut -d= -f2-)
redis-cli -a "${PASS}" --no-auth-warning PING

Expected: PONG. The --no-auth-warning flag suppresses the harmless "Using a password with '-a' or '-u' option on the command line interface may not be safe" warning — fine in scripts; for interactive sessions, prefer redis-cli then AUTH <password> at the prompt.

Confirm the version:

redis-cli -a "${PASS}" --no-auth-warning INFO server | grep redis_version

Confirm anonymous access is rejected:

redis-cli PING

Expected: (error) NOAUTH Authentication required.

Step 7: Round-trip Test

The default Redis user (with requirepass) has full access. Set / get / delete a sample key:

PASS=$(sudo grep '^REDIS_PASSWORD=' /stage/scripts/redis-credentials.log | cut -d= -f2-)
redis-cli -a "${PASS}" --no-auth-warning SET cloudimg:probe 'cloudimg-ok'
redis-cli -a "${PASS}" --no-auth-warning GET cloudimg:probe
redis-cli -a "${PASS}" --no-auth-warning DEL cloudimg:probe

Expected: OK then "cloudimg-ok" then (integer) 1.

Redis 8.6.2 INFO server confirms version; SET / GET / DEL round-trip on cloudimg:probe key returns OK / cloudimg-ok / 1

Step 8: Try Redis 8's New Native Data Types

Redis 8 ships with Vector Sets, JSON, Time Series, and Bloom filters built into the core engine — no separate RedisStack modules. A few quick demos:

Vector Sets (similarity search):

redis-cli -a "${PASS}" --no-auth-warning VADD myindex VALUES 4 0.1 0.2 0.3 0.4 alice
redis-cli -a "${PASS}" --no-auth-warning VADD myindex VALUES 4 0.5 0.5 0.5 0.5 bob
redis-cli -a "${PASS}" --no-auth-warning VSIM myindex VALUES 4 0.1 0.2 0.3 0.4 COUNT 2

JSON:

redis-cli -a "${PASS}" --no-auth-warning JSON.SET user:1 '$' '{"name":"alice","age":30}'
redis-cli -a "${PASS}" --no-auth-warning JSON.GET user:1 '$.name'

Time Series:

redis-cli -a "${PASS}" --no-auth-warning TS.CREATE temperature
redis-cli -a "${PASS}" --no-auth-warning TS.ADD temperature '*' 21.5
redis-cli -a "${PASS}" --no-auth-warning TS.RANGE temperature - +

Step 9: Connect from a Remote Application

From any host inside the same virtual network, install a Redis client library and connect on port 6379 with the rotated password.

Python (pip install redis):

import redis
r = redis.Redis(host='<vm-private-ip>', port=6379, password='<REDIS_PASSWORD>')
r.set('hello', 'world')
print(r.get('hello'))

Node.js (npm install redis):

import { createClient } from 'redis';
const client = createClient({ url: 'redis://default:<REDIS_PASSWORD>@<vm-private-ip>:6379' });
await client.connect();
await client.set('hello', 'world');
console.log(await client.get('hello'));

Do not open port 6379 to the public internet without TLS termination. Redis cleartext protocol leaks the AUTH password on the wire. For production, configure tls-port 6380 + cert files in redis.conf and bind the cleartext port to loopback only.

Step 10: Server Components

Component Path
Redis binary /usr/bin/redis-server
redis-cli /usr/bin/redis-cli
redis-benchmark /usr/bin/redis-benchmark
Main config /etc/redis/redis.conf
Drop-in conf.d /etc/redis/conf.d/*.conf (cloudimg-auth.conf written by firstboot)
Data directory /var/lib/redis
RDB file /var/lib/redis/dump.rdb
AOF directory /var/lib/redis/appendonlydir/ (when enabled)
Log file /var/log/redis/redis-server.log
Systemd unit /lib/systemd/system/redis-server.service
Firstboot script /usr/local/sbin/redis-firstboot.sh
Firstboot service /etc/systemd/system/redis-firstboot.service
Credentials file /stage/scripts/redis-credentials.log (mode 0600)
Firstboot sentinel /var/lib/cloudimg/redis-firstboot.done

Inspect the running version:

/usr/bin/redis-server --version

Redis 8 components inventory: redis-server binary, redis.conf + conf.d/cloudimg-auth.conf, /var/lib/redis data dir, redis-firstboot.service, native Vector Sets and JSON/TimeSeries demos working

Step 11: Managing the Redis Service

Status:

sudo systemctl status redis-server.service --no-pager

Stop / Start / Restart:

sudo systemctl stop redis-server.service
sudo systemctl start redis-server.service
sudo systemctl restart redis-server.service

View the log:

sudo tail -f /var/log/redis/redis-server.log

Hot config reload (some keys only):

PASS=$(sudo grep '^REDIS_PASSWORD=' /stage/scripts/redis-credentials.log | cut -d= -f2-)
redis-cli -a "${PASS}" --no-auth-warning CONFIG GET maxmemory
redis-cli -a "${PASS}" --no-auth-warning CONFIG SET maxmemory 1gb

For settings that don't support hot reload (e.g. bind), edit /etc/redis/redis.conf and systemctl restart redis-server.

Trigger an RDB snapshot:

redis-cli -a "${PASS}" --no-auth-warning BGSAVE

Enable AOF for write durability:

echo 'appendonly yes' | sudo tee /etc/redis/conf.d/cloudimg-aof.conf
sudo systemctl restart redis-server

Step 12: Troubleshooting

(error) NOAUTH Authentication required.

  • Always pass -a '<password>' or run AUTH <password> first

  • Confirm the password is current: sudo cat /stage/scripts/redis-credentials.log

Could not connect to Redis at 127.0.0.1:6379: Connection refused

  • Service down: sudo systemctl status redis-server

  • Listener on different port or address: sudo ss -tln | grep 6379

  • Disk full preventing AOF/RDB: df -h /var/lib/redis

OOM command not allowed when used memory > 'maxmemory'

  • The instance hit its memory cap and the eviction policy isn't evicting

  • Either raise maxmemory or change maxmemory-policy from noeviction to allkeys-lru

MISCONF Redis is configured to save RDB snapshots but currently is not able to persist on disk

  • RDB snapshot failed (usually disk full or permission error)

  • Check /var/log/redis/redis-server.log for the underlying error

  • Free disk: sudo journalctl --vacuum-time=7d and sudo apt-get clean

Step 13: Security Recommendations

  • Rotate the requirepass immediately after deployment — see Step 5

  • Restrict NSG so port 6379 is only reachable from your application VMs and admin networks; never expose to the public internet

  • Enable TLS (tls-port 6380 + cert files in redis.conf) for any cross-VM connection — Redis cleartext protocol leaks AUTH passwords

  • Disable / rename dangerous commands in production via rename-command FLUSHALL '', rename-command CONFIG '', etc.

  • Use ACLs (ACL SETUSER) for fine-grained per-application permissions instead of relying solely on requirepass

  • Set maxmemory + a sensible maxmemory-policy (allkeys-lru for caches, noeviction for source-of-truth)

  • Enable persistence (RDB snapshots are on by default; enable AOF for write-heavy durability)

  • Back up /var/lib/redis/dump.rdb and appendonlydir/ to Azure Blob Storage on a schedule

  • Patch the OS monthly with sudo apt-get update && sudo apt-get upgrade && sudo reboot

Step 14: Support and Licensing

Redis 8 ships under the AGPL-3.0 license (Redis Inc. switched from BSD-3 in 2024 and from RSALv2/SSPL in 2025). The AGPL adds copyleft requirements for modifications you distribute and network-accessible derivative services — for almost all customers running stock Redis as a backing store for an application, this changes nothing in practice. If you fork the source and distribute it, you must publish your changes; if you offer Redis-the-service to third parties as a managed product, you must publish source changes too.

cloudimg provides commercial support for this image separately from the upstream project.

  • Email: support@cloudimg.co.uk

  • Website: www.cloudimg.co.uk

  • Support hours: 24/7 with guaranteed 24 hour response SLA

Deploy on Azure

Launch Redis 8 on Ubuntu 24.04 with 24/7 support from cloudimg.

View on Marketplace

Need Help?

Our support team is available 24/7.

support@cloudimg.co.uk