Apache Tomcat 11 on Ubuntu 24.04 on Azure User Guide
Overview
This guide covers the deployment and configuration of Apache Tomcat 11 on Ubuntu 24.04 on Azure using cloudimg Azure Marketplace images. Tomcat 11 is the latest major release of the canonical Java servlet container, supporting Jakarta EE 11 (jakarta.* namespace), Servlet 6.1, JSP 4.0, and EL 6.0 — the workhorse runtime for Java web apps and REST APIs.
The image installs Tomcat 11.0.21 from the official Apache tarball at downloads.apache.org/tomcat/tomcat-11/ (Ubuntu 24.04 noble does not ship Tomcat 11 — its stock package is tomcat10). It runs under OpenJDK 21. At first boot, tomcat-firstboot.service generates per-VM manager and admin user passwords, writes /opt/tomcat/conf/tomcat-users.xml with the standard manager / admin role mappings, starts Tomcat, and writes credentials to /stage/scripts/tomcat-credentials.log (mode 0600, root only).
The Manager and Host Manager web apps have their default localhost-only RemoteAddrValve patched to also allow Azure private IP ranges (10.0.0.0/8, 172.16/12, 192.168/16) — so customers can reach /manager/html from VMs in the same VNet without disabling the IP allowlist entirely.
What is included:
- Apache Tomcat 11 (latest 11.0.x at build time, 11.0.21) from the official Apache tarball
- OpenJDK 21 JRE headless (Tomcat 11 requires Java 17+; 21 used)
- tomcat.service systemd unit auto-starting on boot, running as tomcat:tomcat
- tomcat-firstboot.service systemd oneshot generating per-VM manager + admin passwords
- HTTP connector on TCP 8080 bound to all interfaces; shutdown port on 127.0.0.1:8005 only
- Manager web app at /manager/html (manager-gui + manager-script + manager-jmx + manager-status roles)
- Host Manager web app at /host-manager/html (admin-gui + admin-script roles)
- VNet allowlist patched into manager/META-INF/context.xml and host-manager/META-INF/context.xml
- CATALINA_HOME=/opt/tomcat (NOT /mnt — Azure ephemeral resource disk does not survive SIG capture)
- CATALINA_OPTS="-Xms512M -Xmx1024M -server -XX:+UseParallelGC" (customers tune for production)
- Examples + docs web apps included for first-deploy verification
- Ubuntu 24.04 LTS base with latest security patches applied at build time
- Azure Linux Agent for seamless cloud integration and SSH key injection
- 24/7 cloudimg support with guaranteed 24 hour response SLA
Prerequisites
- Active Azure subscription, SSH public key, VNet + subnet in target region
- Subscription to the Apache Tomcat 11 listing on Azure Marketplace
Recommended virtual machine size: Standard_B2s (2 vCPU, 4 GB RAM) for development. Production servlet workloads should use Standard_D4s_v5 (4 vCPU, 16 GB RAM) or larger and bump CATALINA_OPTS heap to -Xms2g -Xmx4g.
Step 1: Deploy from the Azure Portal
Search Tomcat 11 in Marketplace, select cloudimg publisher, click Create. NSG rules: TCP 22 (admin) and TCP 8080 (HTTP) from your client networks. Do not expose 8080 to the public internet — front Tomcat with a reverse proxy that terminates TLS (cloudimg ships nginx-ssl-certbot-ubuntu-24-04 as a one-step option).
Step 2: Deploy from the Azure CLI
```bash
RG="tomcat-prod"; LOCATION="eastus"; VM_NAME="tomcat-01"
GALLERY_IMAGE_ID="/subscriptions/<sub-id>/resourceGroups/azure-cloudimg/providers/Microsoft.Compute/galleries/cloudimgGallery/images/tomcat-11-ubuntu-24-04/versions/<version>"
SSH_KEY="$(cat ~/.ssh/id_rsa.pub)"
az group create --name "$RG" --location "$LOCATION"
az network vnet create -g "$RG" --name tomcat-vnet --address-prefix 10.100.0.0/16 --subnet-name tomcat-subnet --subnet-prefix 10.100.1.0/24
az network nsg create -g "$RG" --name tomcat-nsg
az network nsg rule create -g "$RG" --nsg-name tomcat-nsg --name allow-ssh --priority 100 \
  --source-address-prefixes "<your-mgmt-cidr>" --destination-port-ranges 22 --access Allow --protocol Tcp
az network nsg rule create -g "$RG" --nsg-name tomcat-nsg --name allow-http --priority 110 \
  --source-address-prefixes 10.100.0.0/16 --destination-port-ranges 8080 --access Allow --protocol Tcp
az vm create -g "$RG" --name "$VM_NAME" --image "$GALLERY_IMAGE_ID" \
  --size Standard_B2s --storage-sku StandardSSD_LRS \
  --admin-username azureuser --ssh-key-values "$SSH_KEY" \
  --vnet-name tomcat-vnet --subnet tomcat-subnet --nsg tomcat-nsg --public-ip-sku Standard
```
Step 3: Connect via SSH
```bash
ssh azureuser@<vm-ip>
```
Both tomcat.service and tomcat-firstboot.service run automatically.
Step 4: Verify the Tomcat Service
```bash
sudo systemctl status tomcat.service --no-pager
sudo test -f /var/lib/cloudimg/tomcat-firstboot.done && echo FIRSTBOOT_DONE
sudo ss -tln | grep -E ':(8080|8005)'
```

Step 5: Retrieve the Manager and Admin Passwords
```bash
sudo cat /stage/scripts/tomcat-credentials.log
```
You will see:
```
TOMCAT_MANAGER_USER=manager
TOMCAT_MANAGER_PASSWORD=<TOMCAT_MANAGER_PASSWORD>
TOMCAT_ADMIN_USER=admin
TOMCAT_ADMIN_PASSWORD=<TOMCAT_ADMIN_PASSWORD>
HTTP_PORT=8080
CATALINA_HOME=/opt/tomcat
```

Step 6: Use the Manager API from the Command Line
```bash
MGR_PASS=$(sudo grep '^TOMCAT_MANAGER_PASSWORD=' /stage/scripts/tomcat-credentials.log | cut -d= -f2-)
# List all deployed apps
curl -fsS -u "manager:${MGR_PASS}" http://localhost:8080/manager/text/list
# Server info — version, JVM, OS
curl -fsS -u "manager:${MGR_PASS}" http://localhost:8080/manager/text/serverinfo
# Deploy a WAR file
curl -fsS -u "manager:${MGR_PASS}" \
  -T /tmp/myapp.war \
  "http://localhost:8080/manager/text/deploy?path=/myapp&update=true"
# Undeploy
curl -fsS -u "manager:${MGR_PASS}" \
  "http://localhost:8080/manager/text/undeploy?path=/myapp"
```
![Manager API serverinfo returns Tomcat Version: [Apache Tomcat/11.0.21], JVM 21.0.10, plus an example WAR deploy via curl](/images/guides/tomcat-11-on-ubuntu-24-04-azure/03-serverinfo.png)
Step 7: Open the Tomcat Default Page in a Browser
From your workstation (assuming NSG allows TCP 8080):
```bash
open http://<vm-ip>:8080/
```
You'll see the Tomcat default landing page confirming the install:

Step 8: Open the Manager Web App
Navigate to http://<vm-ip>:8080/manager/html. The browser will prompt for HTTP Basic credentials — use manager / <TOMCAT_MANAGER_PASSWORD> from /stage/scripts/tomcat-credentials.log. The Manager dashboard lists all deployed web apps (ROOT, manager, host-manager, examples, docs by default), with start/stop/reload/undeploy controls and a WAR upload form:

Step 9: View Server Status
The /manager/status page shows JVM memory usage, all configured connectors, request stats, and per-thread state — useful for production monitoring:

Step 10: Deploy Your First WAR
Drop a .war into /opt/tomcat/webapps/ (Tomcat auto-deploys with no restart) or use the Manager web upload at /manager/html:
```bash
# Build your WAR (locally)
mvn package -DskipTests
# Copy to the VM
scp target/myapp.war azureuser@<vm-ip>:/tmp/
# Deploy via Manager API
ssh azureuser@<vm-ip>
MGR_PASS=$(sudo grep '^TOMCAT_MANAGER_PASSWORD=' /stage/scripts/tomcat-credentials.log | cut -d= -f2-)
curl -fsS -u "manager:${MGR_PASS}" \
  -T /tmp/myapp.war \
  "http://localhost:8080/manager/text/deploy?path=/myapp&update=true"
# Visit http://<vm-ip>:8080/myapp/
```
Step 11: Server Components
| Component | Path |
|---|---|
| CATALINA_HOME | /opt/tomcat |
| startup.sh / shutdown.sh | /opt/tomcat/bin/ |
| Server config | /opt/tomcat/conf/server.xml |
| Default web.xml | /opt/tomcat/conf/web.xml |
| User database | /opt/tomcat/conf/tomcat-users.xml |
| Web apps | /opt/tomcat/webapps/ |
| Logs | /opt/tomcat/logs/ (catalina.out, localhost_access_log) |
| Systemd unit | /etc/systemd/system/tomcat.service |
| Firstboot script | /usr/local/sbin/tomcat-firstboot.sh |
| Firstboot service | /etc/systemd/system/tomcat-firstboot.service |
| Credentials file | /stage/scripts/tomcat-credentials.log (mode 0600) |
| Firstboot sentinel | /var/lib/cloudimg/tomcat-firstboot.done |

```bash
/opt/tomcat/bin/version.sh
```

Step 12: Managing the Tomcat Service
```bash
sudo systemctl status tomcat.service --no-pager
sudo systemctl restart tomcat.service
sudo tail -f /opt/tomcat/logs/catalina.out
sudo tail -f /opt/tomcat/logs/localhost_access_log.$(date +%Y-%m-%d).txt
```
Step 13: Security Recommendations
- Rotate manager + admin passwords by editing /opt/tomcat/conf/tomcat-users.xml and restarting Tomcat
- Restrict NSG so 8080 is only reachable from your client networks; never the public internet
- Front Tomcat with a TLS reverse proxy (Nginx, Apache, or cloudimg's nginx-ssl-certbot-ubuntu-24-04) — never expose 8080 directly with HTTP basic auth
- Tighten the RemoteAddrValve allowlist in /opt/tomcat/webapps/manager/META-INF/context.xml to only your admin CIDRs
- Disable / remove unused web apps in /opt/tomcat/webapps/ (examples, docs) for production
- Run Tomcat as a non-privileged user (already done — tomcat:tomcat system user)
- Enable JMX over SSH tunnel for monitoring; do not expose JMX RMI to the network
- Patch the OS monthly with apt-get update && apt-get upgrade && reboot
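An offline check for the RemoteAddrValve tightening recommended above, added here as an example (not cloudimg's or Tomcat's own code): it reads the valve's allow/deny regexes from a context.xml and lists the probe addresses it admits beyond the ones you expect. Both context.xml samples and the probe IPs are constructed, since this guide does not show the image's actual regex, and Python's `re` stands in for Java's regex engine, which agrees for simple patterns like these.

```python
import re
import xml.etree.ElementTree as ET

VALVE = "org.apache.catalina.valves.RemoteAddrValve"

# Constructed sample: a manager context.xml whose valve admits loopback plus
# every RFC 1918 range (the image's real regex is not shown in this guide).
BROAD_CONTEXT = r'''<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|10\.\d+\.\d+\.\d+|172\.(1[6-9]|2\d|3[01])\.\d+\.\d+|192\.168\.\d+\.\d+" />
</Context>'''

# Constructed sample: the same valve tightened to loopback and one admin
# subnet, 10.100.1.0/24 (the subnet created in Step 2).
TIGHT_CONTEXT = r'''<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|10\.100\.1\.\d+" />
</Context>'''

# Constructed probe addresses: loopback, admin subnet, other private, public.
PROBES = ["127.0.0.1", "10.100.1.7", "10.200.0.5", "172.16.4.9",
          "192.168.1.20", "203.0.113.10"]

def valve_rules(context_xml):
    """Return (allow, deny) from the first RemoteAddrValve, or None if absent."""
    for valve in ET.fromstring(context_xml).iter("Valve"):
        if valve.get("className") == VALVE:
            return valve.get("allow"), valve.get("deny")
    return None

def is_allowed(allow, deny, ip):
    """Valve order: deny first, then allow; a deny-only valve admits the rest."""
    if deny and re.fullmatch(deny, ip):   # Tomcat matches the whole address
        return False
    if allow and re.fullmatch(allow, ip):
        return True
    return bool(deny) and not allow

def unexpected(context_xml, expected, probes=PROBES):
    """List probe IPs the valve admits that are not in the expected set."""
    rules = valve_rules(context_xml)
    if rules is None:  # no valve configured: Tomcat filters nothing
        return [ip for ip in probes if ip not in expected]
    return [ip for ip in probes
            if is_allowed(*rules, ip) and ip not in expected]

if __name__ == "__main__":
    print("broad:", unexpected(BROAD_CONTEXT, {"127.0.0.1", "10.100.1.7"}))
    print("tight:", unexpected(TIGHT_CONTEXT, {"127.0.0.1", "10.100.1.7"}))
```

Run it against a copy of the real manager and host-manager context.xml files after each edit; an empty list means only the expected addresses pass the valve.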
Step 14: Support and Licensing
Apache Tomcat is licensed under the Apache License 2.0. There is no per-CPU or per-deployment fee.
cloudimg provides commercial support for this image separately from the upstream project.
- Email: support@cloudimg.co.uk
- Website: www.cloudimg.co.uk
- Support hours: 24/7 with guaranteed 24 hour response SLA