Skip to main content
Version: 23.2.0

Azure prerequisites

This page describes the infrastructure and other prerequisites for deploying Tower on Microsoft Azure.

Tower container images

Nextflow Tower is distributed as a collection of Docker containers available through the Seqera Labs container registry ( Contact support to get your container access credentials. Once you have received your credentials, log in to the registry using these steps:

  1. Retrieve the username and password you received from Seqera Labs support.

  2. Run the following Docker command to authenticate to the registry (using the username and password values copied in step 1):

    docker login -u '/\<USERNAME\>/' -p '/\PASSWORD\>/'
  3. Pull the Nextflow Tower container images with the following commands:

docker pull {{ images.tower_be_image }}

docker pull {{ images.tower_fe_image }}

The Seqera Labs container registry is the default Tower container image registry from version 22.4. Use of the AWS, Azure, and Google Cloud Tower image registries in existing installations is still supported but will be deprecated for new installations starting June 2023. See here for steps to use the Seqera Labs private Azure registry.

Mandatory prerequisites

Resource group and storage account

A resource group and a storage account are required to use Azure. See the detailed instructions to provision these resources.

SMTP server

If you do not have an email server, you can use Microsoft 365 or a third party service such as SendGrid (recommended by Microsoft) for sending emails from Azure VMs.

MySQL database

An external database (i.e. external to your Docker Compose or Kubernetes deployment) is highly recommended for production deployments. If you don't have your own database service, you can use Azure Database for MySQL.

If you decide to use an external database, you must create a MySQL user and database manually. See Configuration for more details.

When creating a MySQL user, use the USER@HOSTNAME format for the TOWER_DB_USER environment variable.

For Azure managed MySQL, it is recommended to pass an explicit serverTimezone to the TOWER_DB_URL environment variable, which (depending on your configuration) may be UTC. The connection string should therefore look like jdbc:mysql://

VM instance (Docker Compose)

A Linux VM instance is required to deploy Tower via Docker Compose. See the detailed instructions to provision a VM instance for this purpose.

AKS cluster (Kubernetes)

An Azure Kubernetes Service (AKS) cluster is required to deploy Tower via Kubernetes. See the AKS documentation to provision your own cluster.

To customize your cluster's Ingress Controller to support HTTPS redirects and TLS certificates, see these instructions.

Optional prerequisites

SSL certificate

An SSL certificate is required for your Tower instance to handle HTTPS traffic.

From Tower 22.1.1, HTTP-only implementations must set the TOWER_ENABLE_UNSAFE_MODE=true environment variable in the Tower hosting infrastructure to enable user login.

While there are many ways to implement DNS and TLS-termination, Seqera recommends using the specialized native services offered by your cloud provider. In the case of Azure:

  • Use Application Gateway for TLS-termination and load-balancing.
  • Use App Service Domains for domain acquisition.
  • Use Azure DNS for domain record management.
  • Use Azure Vault for PKI certificate storage.

These decisions should be made before you continue as they impact how Tower configuration files are updated.

Detailed instructions

This section provides step-by-step instructions for some commonly used Azure services for Tower deployment. See the Azure documentation for up-to-date instructions and contact Azure support if you have any issues with provisioning Azure resources.

Azure Resource Group

  1. Sign in to the Azure portal.

  2. Select Resource groups.

  3. Select Add.

  4. Enter the following values:

    • Subscription: Select your Azure subscription.

    • Resource group: Enter a new resource group name (e.g. nftowerrg).

    • Region: Select the Region where your assets will exist (e.g. East US).

  5. Select Review and Create.

  6. Select Create.

Azure Storage Account

  1. Sign in to the Azure portal.

  2. Select Storage accounts.

  3. Select Create.

  4. Enter the following values:

    • Subscription: Select your Azure subscription.

    • Resource group: Enter your resource group name.

    • Storage account name: Enter a new storage account name (e.g. nftowerstorage).

    • Region: Select the Region where your Resource Group exists (e.g. East US).

    • Performance: Select Standard.

    • Redundancy: Select Geo-redundant storage (GRS)

  5. Select Review + create. Note that the default values are used in the other tabs. See the Azure documentation for further details on each setting.

  6. Select Create.

Azure Linux VM

We recommend the following VM settings:

  1. Use default values unless otherwise specified.
  2. Provision at least 2 CPUS and 8GB RAM.
  3. Use the Ubuntu Server 20.04 LTS - Gen2 image.
  4. Ensure your VM is accessible by SSH.
  5. Do not implement DNS or Load Balancing directly against the VM (do so via Azure Application Gateway instead).

To create a VM:

  1. Configure the Basics tab:

    • Ensure your Region is the same as your Resource group.
    • Do not set the VM as an Azure Spot instance.
    • Ensure your Security Group allows ingress on Port 8000.
  2. Configure the Disks tab:

    • Ensure your OS disk type is Standard SSD.
  3. Configure the Network tab:

    • Ensure that a Public IP is assigned to the VM.
    • Do not place the VM in the backend pool of an existing load balancing solution.
  4. Select Review + create.

  5. Select Create.

To make the VM's IP address static:

  1. Enter Public IP addresses in the search.

  2. Under Services, select Public IP addresses.

  3. On the Public IP addresses page, select the entry containing your VM name. A page opens with that IP's details.

  4. Select Configuration from the left-hand navigation panel.

  5. Ensure that your IP address assignment is Static.

  6. Do not add a custom DNS name label to the VM.

To allow ingress on port 8000:

  1. Enter Virtual Machines in the search bar.

  2. Under Services, select Virtual machines.

  3. On the Virtual machines page, select your VM name to navigate to the VM details.

  4. Select Networking from the left-hand navigation panel.

  5. Add inbound port rule for port 8000.

To install Docker:

  1. Complete the steps for the Install using the apt repository instructions.

  2. Confirm that Docker Compose is installed:

    docker compose version
    Docker Compose version v2.24.1