Zabbix on Ubuntu 24.04 on Azure User Guide
Overview
Zabbix is a leading open source enterprise monitoring platform. From an ordinary browser your team can collect metrics from networks, servers, virtual machines, cloud services and applications, define flexible triggers and alerts, and build dashboards, graphs and reports on top of a rich library of templates. The cloudimg image ships Zabbix 7.0 LTS (the zabbix server daemon plus the PHP web frontend and the zabbix agent) served by nginx and PHP 8.3 FPM on a hardened, fully patched Ubuntu 24.04 LTS base, together with a bundled local MariaDB server so the appliance is complete and useful on its own. The frontend runs behind an nginx reverse proxy on port 80. The bundled MariaDB listens only on the loopback interface (127.0.0.1:3306) and keeps its data on a dedicated Azure data disk. The bundled agent monitors the appliance itself, so live data flows the moment the VM boots. A unique administrator password is generated on the first boot of every VM, the well known default super admin is secured, and guest access is disabled. Backed by 24/7 cloudimg support.
What is included:
- Zabbix 7.0 LTS: the
zabbix-serverdaemon, the PHP web frontend andzabbix-agent2, all managed by systemd - A bundled MariaDB server holding the Zabbix database, already installed with the schema and templates imported
- The Zabbix web frontend on
:80served from/usr/share/zabbix - A per VM administrator password generated on first boot and recorded in a root only file
- The well known default super admin (
Admin/zabbix) secured: its password is rotated to a unique per VM secret, and guest access is disabled - The bundled agent monitoring the appliance itself, so the Zabbix server host shows live data out of the box
- MariaDB bound to
127.0.0.1only, never exposed to the network - A dedicated Azure data disk holding the Zabbix database at
/var/lib/mysql nginx.service,php8.3-fpm.service,mariadb.service,zabbix-server.serviceandzabbix-agent2.serviceas enabled systemd units- An unauthenticated
/healthzendpoint for Azure Load Balancer health probes - 24/7 cloudimg support
Prerequisites
An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a sensible starting point; size up for more monitored hosts, higher metric volumes or longer history retention. NSG inbound: allow 22/tcp from your management network and 80/tcp for the web frontend. To collect metrics from remote agents, also allow 10051/tcp (the Zabbix server trapper). Zabbix serves plain HTTP on port 80; for production, terminate TLS in front of it with your own domain. The bundled MariaDB is never exposed: it listens on 127.0.0.1 only, so port 3306 stays off the network.
Step 1 - Deploy from the Azure Marketplace
Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Zabbix by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Review the dedicated data disk on the Disks tab, then Review + create then Create.
Step 2 - Deploy from the Azure CLI
az vm create \
--resource-group <your-rg> \
--name zabbix \
--image <marketplace-image-urn> \
--size Standard_B2s \
--admin-username azureuser \
--generate-ssh-keys \
--public-ip-sku Standard
Then open port 80 to the web frontend:
az vm open-port --resource-group <your-rg> --name zabbix --port 80
Step 3 - Confirm the services are running
SSH in as azureuser and confirm nginx, PHP FPM, MariaDB, the Zabbix server and the Zabbix agent are all active. Note that MariaDB listens only on 127.0.0.1:3306 while nginx serves the web frontend on port 80, the agent listens on 10050 and the server trapper on 10051.
systemctl is-active nginx php8.3-fpm mariadb zabbix-server zabbix-agent2
ss -tlnp | grep -E ':80 |:3306 |:10050 |:10051 ' | sed 's/ */ /g'

Step 4 - Retrieve the per VM administrator password
Every VM generates its own Zabbix administrator password on first boot and writes it, along with the login user and URL, to a root only credentials file. Read it with sudo:
sudo cat /root/zabbix-credentials.txt

You sign in to the Zabbix web frontend as user Admin with the ZABBIX_ADMIN_PASSWORD from this file. On the box itself you can also run sudo mariadb to reach the database directly over the local socket without a password.
Step 5 - Sign in to the Zabbix web frontend
Browse to http://<vm-public-ip>/ and sign in with username Admin and the password from Step 4.

Once signed in you land on the Global view dashboard. Because the appliance monitors itself out of the box, the dashboard already shows live data: the Zabbix server status, its version, host and item counts, CPU utilisation, host availability and problems by severity. The left menu gives you Monitoring, Services, Inventory, Reports, Data collection, Alerts, Users and Administration.

Step 6 - Explore the monitored hosts and live data
Open Monitoring then Hosts to see every monitored host. Out of the box the Zabbix server host is present and reporting: its agent interface at 127.0.0.1:10050 shows a green ZBX availability marker, and you can jump straight to its Latest data, Problems, Graphs and Dashboards. This is the appliance monitoring itself.

Step 7 - Add and configure hosts
Open Data collection then Hosts to manage what Zabbix monitors. Here you can add a new host, assign it templates (Zabbix ships hundreds, for Linux, Windows, network devices, databases, cloud services and more), set its interfaces, and review its items, triggers, graphs and discovery rules. The bundled Zabbix server host is already linked to the Linux by Zabbix agent and Zabbix server health templates.

To add a remote host, install a Zabbix agent on the target machine, point it at this appliance's public IP on port 10051, open 10051/tcp in the NSG, then create the host here and link the appropriate template.
Step 8 - The secured default account
A stock Zabbix install ships a well known default super admin, Admin with the password zabbix, and an anonymous guest. The cloudimg image secures both before capture: the Admin password is rotated to a unique per VM secret, and guest access is disabled. You can confirm guest is disabled and run the built in round trip check, which proves the per VM administrator signs in through both the API and the web form while the default Admin / zabbix login is rejected:
mariadb --protocol=socket -uroot -N -e "SELECT CONCAT('guest disabled via group ',g.name,' (gui_access=',g.gui_access,', users_status=',g.users_status,')') FROM zabbix.usrgrp g JOIN zabbix.users_groups ug ON g.usrgrpid=ug.usrgrpid JOIN zabbix.users u ON ug.userid=u.userid WHERE u.username='guest' AND (g.gui_access=3 OR g.users_status=1) LIMIT 1"
sudo bash /usr/local/sbin/zabbix-cred-roundtrip.sh

Step 9 - Verify the stack and where your data lives
Confirm the Zabbix version, the health endpoint, the dedicated data disk and that the server is collecting live self monitoring data. The MariaDB database lives on the data disk mounted at /var/lib/mysql, so all of your monitoring history is kept separate from the operating system disk and rides with the VM:
dpkg-query -W -f='Zabbix ${Version}\n' zabbix-server-mysql
curl -sI http://127.0.0.1/healthz | head -1
findmnt -no SOURCE,TARGET,FSTYPE,SIZE /var/lib/mysql
mariadb --protocol=socket -uroot -N -e "SELECT CONCAT((SELECT COUNT(*) FROM zabbix.history)+(SELECT COUNT(*) FROM zabbix.history_uint),' self monitoring values collected') AS collected"

Adding your own domain and TLS
The appliance serves plain HTTP on port 80. For production, front Zabbix with your own domain and a TLS certificate. You can terminate TLS with Azure Application Gateway, an nginx or Caddy reverse proxy, or a managed load balancer with a certificate for your domain, and point it at the appliance on port 80.
Security notes
- Zabbix serves plain HTTP on port 80. For anything beyond a trusted network, put it behind your own TLS terminating reverse proxy or Azure Application Gateway with a certificate for your domain.
- The bundled MariaDB listens on
127.0.0.1only and is never reachable from the network. Administer it through the Zabbix frontend or over SSH. - The default super admin is secured on every VM: the
Adminpassword is unique per VM and guest access is disabled. Keep/root/zabbix-credentials.txtprotected and change the password from within Zabbix under Users if you share access. - The server trapper on port 10051 is only reachable if you open it in the NSG. Open it when you add remote monitored agents, and restrict it to the networks those agents live on.
- Restrict inbound
80/tcpin your NSG to the networks that need the web frontend.
Support
This image is maintained by cloudimg with 24/7 support. If you need help deploying or operating Zabbix on Azure, contact us at cloudimg.co.uk.