SFTPGo on Ubuntu 24.04 on Azure User Guide
Overview
SFTPGo is a fully featured, self hosted file transfer server. It provides SFTP as its core protocol and can additionally serve FTP, FTPS, WebDAV and an HTTP based web client, all from a single service with a browser based admin interface. Administrators define users, virtual folders, quotas, bandwidth limits and granular permissions, while a built in web client lets end users browse, upload, download and share files from a browser. The cloudimg image serves SFTPGo 2.7.4 with an embedded SQLite data provider on a hardened, fully patched Ubuntu 24.04 LTS base. The web admin and web client listen only on the loopback interface (127.0.0.1:8080) and nginx serves them on port 80, while the SFTP service listens on port 2022.
The image is secure by default: it ships with no administrator account, so the very first time you open it you create your own admin with your own password. Fresh SFTP host keys are generated per instance on first boot, and no shared or default login ever ships in the image. Backed by 24/7 cloudimg support.
What is included:
- SFTPGo 2.7.4 served behind nginx, managed by systemd
- The web admin and web client on
:80, the SFTP service on:2022 - No default administrator: you create your own admin on the first visit
- An embedded SQLite data provider, no external database to run
- The HTTP server bound to
127.0.0.1:8080only, never exposed directly to the network - Per instance SFTP host keys generated on first boot
- A dedicated Azure data disk at
/srv/sftpgofor the accounts database, served files and host keys sftpgo.serviceandnginx.serviceas enabled systemd units- 24/7 cloudimg support
Prerequisites
An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a sensible starting point; size up for more concurrent transfers. NSG inbound: allow 22/tcp from your management network, 80/tcp for the web admin and web client, and 2022/tcp for SFTP. The web admin serves plain HTTP on port 80; for production, terminate TLS in front of it with your own domain. The HTTP server is never exposed directly: it listens on 127.0.0.1:8080 only, so port 8080 stays off the network.
Step 1 - Deploy from the Azure Marketplace
Sign in to the Azure Portal, choose Create a resource, search the Marketplace for SFTPGo by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80), then add a custom rule for 2022 so clients can reach SFTP. Review the dedicated data disk on the Disks tab, then Review + create then Create.
Step 2 - Deploy from the Azure CLI
az vm create \
--resource-group <your-rg> \
--name sftpgo \
--image <marketplace-image-urn> \
--size Standard_B2s \
--admin-username azureuser \
--generate-ssh-keys \
--public-ip-sku Standard
Then open port 80 for the web admin and 2022 for SFTP:
az vm open-port --resource-group <your-rg> --name sftpgo --port 80 --priority 900
az vm open-port --resource-group <your-rg> --name sftpgo --port 2022 --priority 910
Step 3 - Confirm the services are running
SSH in as azureuser and confirm SFTPGo and nginx are active. Note that the HTTP server listens only on 127.0.0.1:8080 while nginx serves the web admin on port 80, and SFTP listens on 2022.
systemctl is-active sftpgo nginx sftpgo-firstboot
sudo ss -tlnp | grep -E ':80 |:8080 |:2022 ' | sed 's/ */ /g'

Step 4 - The first visit info note
SFTPGo ships with no administrator account. On the first boot of every VM a one shot service writes an instance info note recording the site URL and the create-admin instruction. There is no password in it, because you set your own on first visit. Read it with sudo:
sudo cat /root/sftpgo-credentials.txt
You can confirm the server is healthy from the command line; the health endpoint returns 200:
curl -s -o /dev/null -w 'GET /healthz -> HTTP %{http_code}\n' http://127.0.0.1/healthz

Step 5 - Create your admin on first visit
Browse to http://<vm-public-ip>/. Because the image ships with no administrator, SFTPGo opens on its create admin setup page. Choose a username and a strong password and select the create button. This one screen is where you secure the instance: there are no default credentials to change, because none ship.

Step 6 - The admin dashboard
Once your admin is created you sign in to the web admin. The status page confirms the enabled protocols and the running version, and the left navigation lets you manage users, groups, folders, roles, events and connections.

Step 7 - Create users and set permissions
Open Users to see the accounts list, then add a user. For each user you set a home directory, a login method (password or public key), granular per directory permissions, quotas and bandwidth limits, so every account is scoped to exactly what it needs.


Step 8 - Connect over SFTP
Once you have created a user in the web admin, connect from any SFTP client on port 2022. From a workstation with OpenSSH:
sftp -P 2022 <your-user>@<vm-public-ip>
You can then put and get files, and the same accounts also work over FTPS and WebDAV once you enable those protocols (Step 11). SFTPGo enforces the per user permissions, quotas and bandwidth limits you configured.
Step 9 - Verify the stack
Confirm the SFTPGo version, that the services are enabled, the web admin responds through nginx, and the dedicated data disk mount:
/usr/local/bin/sftpgo --version
systemctl is-enabled sftpgo nginx
curl -s -o /dev/null -w 'GET /web/admin/login -> HTTP %{http_code}\n' -L http://127.0.0.1/web/admin/login
findmnt -no SOURCE,TARGET,FSTYPE /srv/sftpgo

Step 10 - Where your data lives
The accounts database, every served file and the per instance SFTP host keys all live on a dedicated Azure data disk mounted at /srv/sftpgo, separate from the OS disk. This disk is captured into the image and re provisioned on every VM, and you can snapshot and resize it independently. Confirm the mount and the free space:
df -h /srv/sftpgo | tail -1
sudo du -sh /srv/sftpgo/data
Step 11 - Enable FTP, FTPS and WebDAV (optional)
SFTP is enabled out of the box. FTP, FTPS and WebDAV ship disabled and can be turned on by giving their bindings a non zero port in /etc/sftpgo/sftpgo.json, then restarting the service. For example, to enable WebDAV on port 10080 set webdavd.bindings[0].port to 10080, open that port in the NSG, and run:
sudo systemctl restart sftpgo
The same user accounts, permissions and quotas apply across every protocol you enable.
Security notes
- The web admin serves plain HTTP on port 80. For production, put it behind your own TLS terminating reverse proxy or an Azure Application Gateway with a certificate for your domain, and restrict port 80 in the NSG to trusted networks. A common approach is
certbotwith your-domain on a front end proxy. - The HTTP server listens on
127.0.0.1:8080only and is never exposed directly; only nginx on port 80 and the SFTP service on port 2022 face the network. - The image ships with no administrator. You create the first admin on first visit, so there are no shared or default credentials to rotate. Fresh SFTP host keys are generated per instance on first boot, so no host key identity is shared across deployments.
- Keep the VM patched. The image ships fully patched with unattended security upgrades enabled.
Support
cloudimg images come with 24/7 support. If you have any questions about this SFTPGo image or need help with your deployment, contact us through the cloudimg website.