Rocket.Chat Community on Ubuntu 24.04 on Azure User Guide
Overview
Rocket.Chat Community is an MIT-licensed, self-hosted team communication and chat platform - the open-source alternative to Slack. It gives your organisation channels, threads, direct messages, file sharing and a realtime web UI while keeping every conversation on infrastructure you control. The cloudimg image installs Rocket.Chat Community 8.6.0 (the free open-source build - no Enterprise license) to /opt/rocketchat and runs it as the dedicated non-root rocketchat system user on Node.js 22, backs it with a local MongoDB 8.0 single-node replica set, fronts it with nginx as a reverse proxy on port 80 (with the WebSocket upgrade headers Rocket.Chat's realtime channel needs), keeps all state on a dedicated Azure data disk, and generates a unique admin password on first boot. Backed by 24/7 cloudimg support.
What is included:
- Rocket.Chat Community 8.6.0 (MIT-licensed open-source build) served by
rocketchat.serviceas the non-rootrocketchatuser on the bundled-pinned Node.js 22 runtime - A local MongoDB 8.0 database running as a single-node replica set (
rs0, wiredTiger) on loopback127.0.0.1:27017- Rocket.Chat requires a replica set for its realtime oplog, even single-node - nginx reverse proxy on port
80, proxying to Rocket.Chat on127.0.0.1:3000with WebSocket upgrade headers for/websocketand/sockjs - All state on a dedicated 40 GiB Azure data disk at
/var/lib/rocketchat: the MongoDB data directory, which holds every message, user, setting and file upload - A unique per-VM admin account (
admin, emailadmin@cloudimg.local) created non-interactively on first boot, with the password written to a root-only credentials file - Open registration disabled by default so only the seeded admin exists until you invite users
- An unauthenticated
GET /healthendpoint on nginx for load-balancer and uptime checks - 24/7 cloudimg support
Rocket.Chat binds loopback 127.0.0.1:3000 only; customers reach it through the nginx reverse proxy on port 80. MongoDB is never exposed - it listens on 127.0.0.1:27017 only.
Prerequisites
An active Azure subscription, an SSH key pair, and a VNet + subnet in the target region. Standard_B4ms (4 vCPU / 16 GiB RAM) is a good starting point - Rocket.Chat and MongoDB both want RAM. NSG inbound: allow 22/tcp from your management network and 80/tcp from the clients that will use Rocket.Chat. For production, front the VM with TLS (see the final step) and allow 443/tcp instead of plain 80.
Step 1 - Deploy from the Azure Marketplace
Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Rocket.Chat Community by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size (Standard_B4ms); under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Then Review + create -> Create.
Step 2 - Deploy from the Azure CLI
az vm create \
--resource-group <your-rg> \
--name rocketchat \
--image <marketplace-image-urn> \
--size Standard_B4ms \
--admin-username azureuser \
--ssh-key-values ~/.ssh/id_ed25519.pub \
--vnet-name <your-vnet> --subnet <your-subnet> \
--public-ip-sku Standard
az vm open-port --resource-group <your-rg> --name rocketchat --port 80 --priority 900
Step 3 - Connect to your VM
ssh azureuser@<vm-public-ip>
Step 4 - Confirm Rocket.Chat, MongoDB and nginx are running
systemctl is-active mongod rocketchat nginx
You should see three active lines:
active
active
active
Rocket.Chat binds loopback only and nginx fronts it on port 80 - confirm the listeners:
ss -tln | grep -E ':3000|:27017|:80'
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 127.0.0.1:3000 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:27017 0.0.0.0:*
The Rocket.Chat API answers an unauthenticated info request with a 200, and nginx exposes a static /health endpoint for load balancers:
curl -s -o /dev/null -w '%{http_code}\n' http://127.0.0.1:3000/api/info
200
curl -s -o /dev/null -w '%{http_code}\n' http://localhost/health
200
Step 5 - Retrieve your per-VM admin password
Each VM generates its own unique admin password on first boot and writes it to a root-only credentials file:
sudo cat /root/rocketchat-credentials.txt
The file contains ROCKETCHAT_ADMIN_PASSWORD, the username (admin), the email (admin@cloudimg.local) and the web URL. Store the password in your secrets manager. In the commands below, <ROCKETCHAT_ADMIN_PASSWORD> stands for the value of ROCKETCHAT_ADMIN_PASSWORD.
Step 6 - Sign in to the Rocket.Chat web UI
Open http://<vm-public-ip>/ in a browser. Sign in with the username admin (or the email admin@cloudimg.local) and the per-VM password from Step 5.

Once signed in you land in your workspace home, ready to add users and create channels.

Rocket.Chat keeps every conversation self-hosted on your own Azure VM - create channels, threads and direct messages just like any modern team messenger. The default #general channel is ready to use.

Step 7 - Administer the workspace from the admin area
As the admin you can manage users, rooms, permissions, authentication and server settings from the administration area at http://<vm-public-ip>/admin. The Workspace page confirms you are running Rocket.Chat 8.6.0 Community.

Step 8 - Verify authentication from the API
The credentials file drives a real login round-trip. This reads the per-VM password from the file and posts it to the login API, which returns a JSON payload containing "status":"success" and an authToken for the correct password (and rejects a wrong one with 401):
PW=$(sudo grep '^ROCKETCHAT_ADMIN_PASSWORD=' /root/rocketchat-credentials.txt | cut -d= -f2-)
curl -s -o /dev/null -w 'login=%{http_code}\n' -X POST -H 'Content-Type: application/json' \
-d "{\"user\":\"admin\",\"password\":\"$PW\"}" \
http://127.0.0.1:3000/api/v1/login
login=200
Step 9 - Where your data lives
All Rocket.Chat state is in MongoDB, whose data directory is on the dedicated Azure data disk mounted at /var/lib/rocketchat, so it survives image updates and can be snapshotted independently:
df -h /var/lib/rocketchat | tail -1
/dev/sdc 40G 420M 37G 2% /var/lib/rocketchat
Every message, user, setting and uploaded file lives in MongoDB under /var/lib/rocketchat/mongo.
Step 10 - Put TLS in front for production
The image serves plain HTTP on port 80 so you can validate it immediately. Before exposing Rocket.Chat to real users, terminate TLS with your own domain and a certificate. A common approach is to point a DNS record at the VM, add a 443 inbound rule to the NSG, and use Certbot with the nginx plugin to obtain and install a certificate. Then set the admin area's Site URL (Administration -> Settings -> General) to your https:// URL so links and the realtime WebSocket use the correct host. You can also set the ROOT_URL in /etc/rocketchat/rocketchat.env and restart rocketchat.service.
Support
This image is maintained and supported by cloudimg with 24/7 support. Rocket.Chat Community is distributed under the MIT license. For product help, contact cloudimg support listed on the Azure Marketplace listing.