Deploy UniFi Controller in Azure

Jonas Erikson | Azure | 47 Comments


If you know what you want, click the button below to deploy the UniFi Controller.
For instructions, keep reading.

[Deploy button image: UniFi Controller Azure]

Here is an ARM template I created to deploy a UniFi Controller in Azure.
The template deploys a fully configured and working environment with minimal user interaction.

It creates all the necessary resources in Azure using the Resource Manager model and installs the UniFi Controller:

  • StorageAccount
  • Virtual Network
  • Subnet
  • Virtual Machine (Ubuntu)
  • PublicIP
  • NIC
  • Network Security Group
    • Ports allowed inbound
      • 22 TCP
      • 8443 TCP
      • 8080 TCP
      • 8088 TCP
      • 8843 TCP
      • 3478 UDP
  • Installs the UniFi Controller software

All inbound traffic is allowed only from the IP you specify in the “ExternalIPofDevices” parameter in the Edit Parameters section.
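To check that a deployed Network Security Group still enforces that restriction after later edits, the following added example (not part of the original template or post) audits a rule list for the ports listed above. It assumes rule dictionaries shaped like Azure CLI JSON output; the sample rules and addresses are constructed.

```python
import ipaddress

# Inbound ports the template opens, from the list above: (protocol, port)
TEMPLATE_PORTS = {("TCP", 22), ("TCP", 8443), ("TCP", 8080),
                  ("TCP", 8088), ("TCP", 8843), ("UDP", 3478)}
OPEN_SOURCES = {"*", "any", "internet", "0.0.0.0/0"}

def _values(rule, single, plural):
    """Merge the singular and plural form of an NSG rule field into one list."""
    return list(rule.get(plural) or []) + ([rule[single]] if rule.get(single) else [])

def _covers(spec, port):
    """True if a port spec such as '8443', '8000-8100' or '*' includes port."""
    lo, _, hi = ("1-65535" if spec == "*" else spec).partition("-")
    return int(lo) <= port <= int(hi or lo)

def _inside(src, allowed):
    """True if src is an IP/CIDR that lies entirely within the allowed network."""
    if src.lower() in OPEN_SOURCES:
        return False
    try:
        return ipaddress.ip_network(src, strict=False).subnet_of(allowed)
    except (ValueError, TypeError):  # service tag, or IPv4/IPv6 mismatch
        return False

def audit(rules, allowed_prefix):
    """List (rule, source, protocol, port) where a template port is reachable from outside allowed_prefix."""
    allowed = ipaddress.ip_network(allowed_prefix, strict=False)
    findings = []
    for rule in rules:
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        specs = _values(rule, "destinationPortRange", "destinationPortRanges")
        proto = rule["protocol"].upper()
        exposed = sorted((pr, p) for pr, p in TEMPLATE_PORTS
                         if proto in (pr, "*") and any(_covers(s, p) for s in specs))
        for src in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes"):
            if not _inside(src, allowed):
                findings += [(rule["name"], src, pr, p) for pr, p in exposed]
    return findings

# Constructed sample in the shape of `az network nsg rule list -o json` (not real data)
SAMPLE_RULES = [
    {"name": "ssh", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "203.0.113.10", "destinationPortRange": "22"},
    {"name": "gui", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "*", "destinationPortRange": "8443"},
]
print(audit(SAMPLE_RULES, "203.0.113.10"))
```

An empty result means every inbound Allow rule on those ports is limited to the address or range you passed in.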

You need an Azure subscription before you can deploy this UniFi Controller.
If you don’t have one, you can register for a free trial here (or contact us, and we will help).
Running the controller in Azure costs a couple of dollars per month.

OK, let’s deploy the controller.

Hit this button to start the deployment script,
or see my GitHub repo.

[Deploy button image: UniFi Controller Azure]

See below for the values that you need to enter.
You need to set the parameters in the Edit Parameters section and choose which subscription and location you want to use.
If you are unsure what to enter for a parameter, click the “i” to the right of the parameter.
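Several of the validation failures reported in the comments further down come from two parameter values, so here is an added local pre-check (not part of the original template) that can be run before clicking deploy. It assumes the storage account name is the machine name plus the suffix "sa", as described in the comments; `vm_name` is a hypothetical parameter name, and global uniqueness of the name cannot be checked offline.

```python
import ipaddress
import re

# Rule quoted in the AccountNameInvalid error on this page: 3-24 chars, digits and lower-case letters
STORAGE_NAME_RE = re.compile(r"[a-z0-9]{3,24}")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def preflight(vm_name, external_ip):
    """Return a list of problems found locally; an empty list means both values look sane."""
    problems = []
    storage = vm_name + "sa"  # assumed convention: machine name plus the "sa" suffix
    if not STORAGE_NAME_RE.fullmatch(storage):
        problems.append(f"storage account name '{storage}' is not 3-24 lowercase letters/digits")
    try:
        net = ipaddress.ip_network(external_ip, strict=False)
    except ValueError:
        problems.append(f"'{external_ip}' is not an IP address or CIDR prefix")
        return problems
    if net.prefixlen == 0:
        # Valid for Azure, but it removes the source restriction on every opened port
        problems.append("prefix /0 admits the whole internet to every opened port")
    elif net.version == 4 and any(net.subnet_of(r) for r in RFC1918):
        # Deploys without error, but no traffic from the internet will ever match it
        problems.append(f"'{external_ip}' is a private (RFC 1918) range, not the public IP your devices egress from")
    return problems

# Constructed inputs modelled on the cases reported in the comments
for name, ip in [("unifi", "x.x.x.x"), ("unifi-edgar", "203.0.113.10"),
                 ("myunifi01", "192.168.1.20"), ("myunifi01", "203.0.113.10")]:
    print(name, ip, preflight(name, ip))
```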

[Image: Azure Custom Script]

So here you go.

A one-click install of a fully configured and functional UniFi Controller.
The only thing left after the deployment is done is to browse to https://ip:8443 and do your setup.
Then SSH to your UniFi devices (APs, switches, USG) with an SSH client (for example PuTTY on Windows, or the ssh command from the terminal on a Mac) and run the following:

mca-cli
set-inform http://ip:8080/inform

47 Comments on “Deploy UniFi Controller in Azure”

  1. Thanks this looks interesting.
    I have created the controller using your template and everything appears to be running in Azure however I cannot access the controller on https://ip:8443 (I am using the public IP provided in Azure)

    What have I missed?

    1. Hi Chris.
      Have you logged in to the machine and verified that the controller software is running?
      Also verify that the Network Security Groups rule for port 8443 is correct.

      It all should be working out of the box.

      1. Hi Jonas,

        I have been able to log into the controller software but I had to remove the external IP address that I set during the installation. This is our static external IP address. And set to allow connections from Any source.
        That still would not work so I set the Source port to * for the 8443 rule and then I could log in.
        However I suspect by doing that none of the other ports will work?

  2. This is the error message I’ve received while trying to deploy via the template

    “The template deployment ‘Microsoft.Template’ is not valid according to the validation procedure.”

  3. Hi Shannon,

    At what stage do you get that error message?
    Is it at the stage when you have agreed to the legal terms and clicked on “create”?
    Have you filled out all the values in the parameter section?

    BR, Risto

    1. Sometimes Azure has restrictions on username, for example you can’t use “Administrator” in Windows.
      Have you tried different usernames?

  4. Great article Jonas!
    Works great. I just cannot access captive portal. It is enabled in settings but not showing. Any ideas would be much appreciated.

    Regards,
    Dzenan

    1. Hi, did you get this solved?
      You can’t access your external Azure IP of the server on port 8080 or?

      1. Hi,

        I solved this by creating new Outbound rule “100 Captive Any Any Custom (Any/8880)”.

        Thank you.
        Dzenan
        Did you try to overwrite configuration with the same process. For example when you ruin your fully functional configuration and have no idea what you did 🙂

  5. I am looking to manage something like 50 clients with this. Is there a way around specifying the IP or how do I deal with this?

    1. Hi Adam,

      If you’re going to have 50 external IPs accessing the same UniFi controller, my suggestion is running this script once and then adding the rest of the IPs to the network security group in the Azure portal afterwards: https://azure.portal.com

      Let me know if you need further assistance.

  6. I feel like the instructions should be more clear. I keep getting this error (not sure what I’m doing wrong; I just clicked on the redeploy link).

    The template deployment ‘Microsoft.Template’ is not valid according to the validation procedure. The tracking id is ’31d592aa-2e0f-43bb-afa5-9dc283cb5f63′. See inner errors for details. Please see https://aka.ms/arm-deploy for usage details. (Code: InvalidTemplateDeployment) Preflight validation failed. Please refer to the details for the specific errors. (Code: PreflightValidationCheckFailed) The storage account named unifisa is already taken. (Code: StorageAccountAlreadyTaken) Security rule has invalid Address prefix. Value provided: x.x.x.x. (Code: SecurityRuleInvalidAddressPrefix)

    1. Hi Thomas.
      If we look at the error you get.

      (Code: InvalidTemplateDeployment) Preflight validation failed. Please refer to the details for the specific errors. (Code: PreflightValidationCheckFailed) The storage account named unifisa is already taken. (Code: StorageAccountAlreadyTaken) Security rule has invalid Address prefix. Value provided: x.x.x.x. (Code: SecurityRuleInvalidAddressPrefix)

      There are two things going wrong here.
      The template’s naming convention for the resources is built with predefined suffixes.
      So in this case, you chose to call the machine unifi, and therefore the storage account that is also deployed gets the name unifisa.
      Azure works in such a way that all storage accounts must be globally unique in naming, because it is its FQDN name.
      And unifisa is already taken if we look at the error message.
      So I would change the name to something that probably is not taken instead of unifi.

      The other error is because you didn’t enter an IP address that will be allowed to manage the controller from.
      You entered x.x.x.x.

      /Jonas

  7. Hi,

    I moved my controller from one Azure tenant to another. Did everything like before, re-deployed.
    I can access my controller and can log in. But what I cannot do is “adopt APs”. After setting inform, devices are not showing in the controller which is hosted on Azure.
    Any ideas?

    Dzenan

    1. Hi Dzenan, sounds like a network issue. Did you enter the inbound allowed IP correctly? And did you also SSH into the APs and run the commands?

      //Risto

  8. Does this deployment wizard still work? (With all the updates that Azure has been doing)

    Will it install the latest Unifi software? i.e. v5?

    Thanks

  9. I’m getting two failures during the one-click install:

    1 – statusCode:Conflict statusMessage:{“status”:”Failed”,”error”:{“code”:”ResourceDeploymentFailure”,”message”:”The resource operation completed with terminal provisioning state ‘Failed’.”,”details”:[{“code”:”VMExtensionProvisioningError”,”message”:”VM has reported a failure when processing extension ‘newuserscript’. Error message: \”Enable failed:HTTP Error 404: Not Found\”.”}]}}

    The above is followed immediately by a second failure: “OPERATION NAME Microsoft.Resources/deployments/write – STATUS Failed” message. I can give you more details if needed.
    Any thoughts on why this might happen? Anything that can be fixed/worked around? – or should I build my own machine from the bottom to the top?

    Thanks for any help you can offer. Much appreciated!

  10. Hello,

    This looks great, however whatever I put in the “Dns Name For Public IP” field, it says that the value is invalid. I’m sure I’m missing something obvious I can’t figure what.

    What are the prerequisites for this field?

    Thanks and regards,
    Vincent.

  11. Please disregard my previous post: it happens that everything I tried was not globally unique, I knew this was something stupid… !

    Cheers,
    Vincent.

  12. Hello,

    I’m getting this error on the resource (chunificontroller/newuserscript)

    {
    “status”: “Failed”,
    “error”: {
    “code”: “ResourceDeploymentFailure”,
    “message”: “The resource operation completed with terminal provisioning state ‘Failed’.”,
    “details”: [
    {
    “code”: “VMExtensionProvisioningError”,
    “message”: “VM has reported a failure when processing extension ‘newuserscript’. Error message: \”Script returned an error.\n—stdout—\n\n—errout—\nUnifi_Controller.sh: 6: Unifi_Controller.sh: Syntax error: newline unexpected\n\n\”.”
    }
    ]
    }
    }

    Is there any thing I can do to solve this?

    Thanks

    1. Hi, I tried this and it worked for me. Have you tried again recently or is it still the same error?

  13. Hey! So this is really cool – I am very interested in ARM templates and I am currently setting up my physical homelab with a Unifi AP, so I need the controller running somewhere. What better way than doing this! Plus with my MSDN account using that A0 machine I shouldn’t really hurt too much. My issue is that I’m not super good with consumer-level networking workarounds, but I do have a dynamic DNS account I can leverage. Any ideas how I might update the static IP settings here when my home IP changes? I’ll be honest I haven’t done much / any real research about it, but thought I might check with you first.

    Thanks!

      1. Hi Oliver,

        Glad you seem to have solved it. ARM and Azure are pretty nifty and cool. Good luck with your future endeavours! 🙂

        BR, Risto

  14. I am a total newbie looking for help. I managed to deploy the script. The virtual machine is running and there are no error messages. I can reach the UniFi setup page, but it is not seeing my APs. I guess I need to do this but I have no clue what SSH or any of the other instructions mean:

    Then SSH to your Unifi devices, APs, Switches, USG and do the following
    mca-cli
    set-inform http://ip:8080/inform

  15. I have dynamic DNS at home with an FQDN like xxxxxxx.ddns.whatever. Can I use that rather than an explicit external IP for the devices I need to manage? Otherwise, can the controller work in a pull configuration somehow, so every so often the AP just checks in with the controller to pull relevant config changes?

    1. Hi, the reason for entering an IP is to allow only that IP to access the UniFi controller. You can afterwards change the IP to another or put in an IP range to allow a bigger block to have access. The NSG (Network Security Group) in Azure does not support allowing or denying traffic by DNS name. Only IP, IP ranges or the whole “Internet”.

      1. Do you know how you might use dynamic DNS and dynamically update the NSG rules when my public IP changes? Sounds like I might need to write something that could help that, because otherwise I’ll just have to redeploy when my IP changes.

  16. Final question – can anyone speak to the amount of traffic generated? In Azure you’re charged for egress data, and I know I read someone’s comment somewhere where he had about $90/month in data from AWS. Otherwise the A0 is like $13/per month, so all in what are you guys seeing for cost?

    1. Regarding your question about network cost: all inbound data to Azure is free. Data between Azure regions is also free. Outbound data up to 5GB (gigabytes) is included. All data above that is charged per GB and month according to the current price list here https://azure.microsoft.com/en-us/pricing/details/bandwidth/
      But when running low internet traffic services you rarely reach the 5GB limit.

      1. In regards to this, yeah I haven’t seen really any significant charges yet so I think the traffic is negligible enough to be basically free. Very nice!

  17. OK, I solved my question above. The answer is PuTTY. One more issue. I can’t get it to grab the latest 5.3.8 release. The update routine described above only accesses the 4… version. Ideas?

    1. The problem is the first line in the script. SSH into your instance and issue the following command:

      echo 'deb http://www.ubnt.com/downloads/unifi/debian unifi5 ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt.list

      This will change it from stable (which is currently UniFi 4.x) to unifi5 (which will download UniFi 5.x). At which point you can run the update commands.

      1. Thanks for the clarification. This is correct, the latest stable version is being installed. If you need 5.X please follow ITSourcePro’s suggestion.

  18. Pingback: Coolest ARM templates? - How to Code .NET

  19. Hi Jonas,

    I tried to install the UniFi controller but I get this error when I click on subscription. Do you know how I can solve this?

    The template implementation Microsoft.Template is invalid according to the validation procedure. The tracer ID is a3f7dc16-56b2-464f-ac15-b778b519495a. See the internal errors for more information. For information about usage, visit https://aka.ms/arm-deploy. (Code: InvalidTemplateDeployment)

    regards,

  20. I was able to get everything up and working but how would i go about updating the controller when it needs to be updated?

  21. Hi,
    I get an error regarding the storage account when trying to deploy the server. Do you know what could cause this?

    Please refer to the details for the specific errors.”,”details”:[{“code”:”AccountNameInvalid”,”target”:”unifi-edgarsa”,”message”:”unifi-edgarsa is not a valid storage account name. Storage account name must be between 3 and 24 characters in length and use numbers and lower-case letters only.”}]}]}

    1. Hi Edgar. It is not allowed to have special characters in a storage account name, so “-” is not allowed. Remove that and it should work.

      BR
      //Risto
