Merged
24 changes: 23 additions & 1 deletion agents-docs/content/deployment/(docker)/azure-vm.mdx
Expand Up @@ -16,7 +16,7 @@ icon: LuServerCog
- Use image: `Ubuntu Server 24.04 LTS - x64 Gen2`
- Recommended size is at least `Standard_D2s_v3` (2 vcpus, 8 GiB memory).
- Configure SSH (you will need to SSH into the VM)
- In the "Disks" tab, confirm the OS disk size is at least 100 GiB.
- In the "Disks" tab, confirm the OS disk size is at least 128 GiB (P10).
- In the "Networking" tab, assign public IP address
- Click on "Review + create"
- After the VM is running, go to the "Network Settings" page under "Networking"
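Review bot: The new "(P10)" suffix on the OS disk line is unexplained and only matches one disk type. P10 is the 128 GiB tier name for Premium SSD; a reader who selects Standard SSD or Standard HDD in the "Disks" tab sees a different tier label for the same size. Since the requirement here is capacity, either write "at least 128 GiB (P10 on Premium SSD)" or drop the tier name and keep only the size.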
Expand Down Expand Up @@ -191,3 +191,25 @@ docker compose up -d
```

Then open `http://<vm_external_ip>:3000` in a browser!

## Production

For a production deployment, you will want to restrict access to the VM and only expose 3002. To do this, we'll setup an Application Gateway and a Front Door (with https).

### Application Gateway
- On the VM page, under "Networking" > "Load balancing", click on "Add load balancing" and create a new "Application Gateway"
- Provide a name for the gateway and a name for the routing rule. The routing rule should be configured to Port 80 HTTP.
- Wait for the gateway to deploy (can take >5 mins)
- On the gateway page, under "Settings" > "Backend pools", click on the pool. Under "Backend targets", add a target of type "Virtual machine" and select your VM.
- On the gateway page, under "Settings" > "Backend Settings", change the "Backend port" to 3002.
- On the gateway page, under "Settings" > "Health probes", add a new health probe. Provide a name, select HTTP for protocol. For the host use `127.0.0.1`, `3002` for the port, and `/health` for the path. "Pick host name from backend settings" and "Pick port from backend settings" should be "No". Then select your "Backend settings".
Contributor

🟡 Minor: Health probe host configuration may confuse users

Issue: The instruction to use 127.0.0.1 as the host for the health probe, combined with setting "Pick host name from backend settings" to "No", may confuse users about how Azure Application Gateway probes work. Users might expect 127.0.0.1 means "probe from localhost" rather than understanding it sets the HTTP Host header while the probe actually targets the VM's private IP.

Why: While this configuration likely works (the Inkeep API /health endpoint doesn't validate Host headers), the combination of settings is non-obvious and could lead to debugging confusion if users try to replicate this pattern elsewhere.

Fix: Consider clarifying this instruction with one of:

  • Use the VM's private IP address as the host (more intuitive)
  • Add a brief note explaining that 127.0.0.1 is the Host header value, not the probe target
  • Example: "For the host, enter the VM's private IP (found on the VM Overview page), or use 127.0.0.1 as the Inkeep API health endpoint responds regardless of Host header."

Refs:


### Front Door
- Create an Azure Front Door. Continue with "Quick create".
- For the origin, select the "Application Gateway" you created.
- Disable caching.
- You will be assigned an autogenerated url with https from Azure. To add a custom domain, go to "Settings" > "Domains".

### Restrict VM Access
- Modify the inbound security rules, for example, to only specific IPs. You will need this for building agents.
- All external access should only use the gateway and front door.
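Review bot: The "Restrict VM Access" steps at the end of this hunk state the goal ("All external access should only use the gateway and front door") but give no rule that enforces it. "Modify the inbound security rules, for example, to only specific IPs" does not say which ports to close or which source may reach 3002, and the Application Gateway routing rule is set to "Port 80 HTTP", so the gateway's own frontend stays reachable directly over plain HTTP unless it is limited to Front Door traffic. Suggest spelling out the rules: on the VM's network security group, allow 3002 only from the Application Gateway subnet, limit SSH and any other port still needed for building agents to the specific IPs, and close the ports used for the non-production setup (the guide has users browse to `http://<vm_external_ip>:3000`); on the gateway side, restrict inbound traffic to Front Door, for example by allowing only the `AzureFrontDoor.Backend` service tag on the gateway subnet's network security group. The Front Door section should also say that the origin connection to the gateway is HTTP, so readers know where TLS ends.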