How to Deploy n8n on Azure VMs: A Complete Production Setup Guide

Workflow automation is transforming how businesses streamline operations, reduce manual errors, and accelerate business processes. n8n, an open-source workflow automation platform, offers a powerful, self-hosted alternative to commercial RPA tools - but deploying it correctly requires careful planning and security hardening. If you're still evaluating automation platforms, our comparison of n8n, Make, and Zapier explains why n8n often wins for enterprises requiring data sovereignty and self-hosting. This guide walks you through a production-ready deployment of n8n on Azure Virtual Machines, designed to be cost-effective, secure, and operationally resilient.

Why Deploy n8n on Azure?

Organizations choosing n8n for workflow automation face a critical decision: cloud-hosted or self-hosted? Self-hosted deployments on Azure offer several advantages that align with proven cloud migration patterns:

• Cost control: Pay only for compute resources, avoiding per-seat licensing fees associated with managed platforms.
• Data sovereignty: Keep sensitive workflow data within your Azure environment, supporting compliance requirements.
• Flexibility: Customize the entire stack - database, networking, storage - to match your operational needs.
• Scalability: Grow from a single VM to multi-instance deployments as automation demands increase.

Architecture Overview: What We're Building

The deployment strategy balances simplicity with production-grade reliability:

Core Components

• Azure Linux VM (Ubuntu 24.04 LTS) as the compute foundation
• Docker & Docker Compose for containerized application deployment
• n8n (official Docker image) for workflow execution
• SQLite for data persistence in single-instance deployments
• Nginx as reverse proxy and TLS termination point
• Let's Encrypt (via Certbot) for automated HTTPS certificate management
• Azure Blob Storage for automated, off-VM backups

Key Security Principles

• n8n never exposed directly to the internet; all traffic flows through Nginx
• Internal port 5678 bound to localhost only, preventing direct access
• TLS encryption enforced at the Nginx layer
• SQLite database encrypted with a fixed encryption key (critical: never rotate after initial setup)
• Automated nightly backups to secure Azure Blob Storage
• SSH access restricted by Network Security Group rules

This architecture is intentionally lean - suitable for teams running 1–3 concurrent users and dozens of active workflows. It can evolve to PostgreSQL and multi-instance setups as demand grows.

Step 1: Provision Azure Infrastructure

Create a Resource Group

First, organize your resources in a dedicated resource group:

az login
az account set --subscription "<SUBSCRIPTION_ID>"
az group create \
  --name rg-n8n-prod \
  --location <REGION>

Replace <REGION> with your nearest Azure region (e.g., eastus, australiaeast, northeurope).

Provision a Cost-Optimized Virtual Machine

The Standard_B2s VM is the sweet spot for n8n deployments - reliable burstable compute with sufficient CPU and 4 GB RAM:

az vm create \
  --resource-group rg-n8n-prod \
  --name n8n-vm-prod \
  --image Ubuntu2404 \
  --size Standard_B2s \
  --admin-username azureuser \
  --ssh-key-values ~/.ssh/id_rsa.pub \
  --public-ip-sku Standard \
  --os-disk-size-gb 64

What this does:

• Deploys Ubuntu 24.04 LTS (latest LTS release with extended support)
• Allocates a 64 GB managed OS disk (sufficient for logs, backups, and workflow data)
• Enables SSH key authentication (more secure than passwords)
• Creates a public IP for management access

Harden Network Security

Lock down inbound traffic ruthlessly. Only HTTP/HTTPS and SSH should be accessible:

az vm open-port --resource-group rg-n8n-prod --name n8n-vm-prod --port 80
az vm open-port --resource-group rg-n8n-prod --name n8n-vm-prod --port 443

Critical: Manually restrict the SSH rule (port 22) in the Azure Portal to your organization's IP range. Never leave SSH open to 0.0.0.0/0.

Step 2: Bootstrap the VM with Required Tools

SSH into your newly created VM:

ssh azureuser@<PUBLIC_IP>

Create a bootstrap script to install Docker, Nginx, Certbot, and UFW firewall:

sudo tee /opt/bootstrap.sh > /dev/null <<'EOF'
#!/bin/bash
set -e

# Update system packages
sudo apt update && sudo apt upgrade -y

# Install core dependencies
sudo apt install -y \
  ca-certificates \
  curl \
  gnupg \
  lsb-release \
  unzip \
  ufw

# Install Docker
curl -fsSL https://get.docker.com | sh
sudo usermod -aG docker $USER

# Install Docker Compose plugin
mkdir -p ~/.docker/cli-plugins
curl -SL https://github.com/docker/compose/releases/download/v2.27.0/docker-compose-linux-x86_64 \
  -o ~/.docker/cli-plugins/docker-compose
chmod +x ~/.docker/cli-plugins/docker-compose

# Install Nginx and Certbot for TLS
sudo apt install -y nginx certbot python3-certbot-nginx

# Enable UFW firewall
sudo ufw allow OpenSSH
sudo ufw allow 80
sudo ufw allow 443
sudo ufw --force enable

echo "Bootstrap complete. System will reboot."
reboot
EOF

sudo chmod +x /opt/bootstrap.sh
sudo /opt/bootstrap.sh

Reconnect after the reboot completes (wait ~2 minutes).

Step 3: Deploy n8n with Docker Compose

Create Directory Structure

sudo mkdir -p /opt/n8n
sudo chown -R $USER:$USER /opt/n8n
cd /opt/n8n

Configure Docker Compose

Create the core deployment manifest:

cat > docker-compose.yml <<'EOF'
version: "3.9"

services:
  n8n:
    image: n8nio/n8n:latest
    container_name: n8n
    restart: always
    ports:
      - "127.0.0.1:5678:5678"
    environment:
      - NODE_ENV=production
      - N8N_HOST=your-domain-name.com
      - N8N_PORT=5678
      - N8N_PROTOCOL=https
      - WEBHOOK_URL=https://your-domain-name.com/
      - N8N_TRUST_PROXY=true
      
      # Security hardening
      - N8N_DIAGNOSTICS_ENABLED=false
      - N8N_PERSONALIZATION_ENABLED=false
      - N8N_VERSION_NOTIFICATIONS_ENABLED=false
      - N8N_TEMPLATES_ENABLED=false
      
      # Encryption key (generate once, never change)
      - N8N_ENCRYPTION_KEY=<GENERATED_SECRET>
    
    volumes:
      - ./data:/home/node/.n8n
EOF

Before deploying, generate a strong encryption key:

openssl rand -base64 48

Replace <GENERATED_SECRET> with the output. Critical security note: This key encrypts sensitive credentials in n8n. Once set, changing it will break all stored connections. Store this value securely (e.g., Azure Key Vault or a password manager).

Also replace your-domain-name.com with your actual domain (e.g., automation.example.com).

Start n8n

docker compose up -d

Verify the container is running:

docker ps

You should see the n8n container in the output with status "Up".

Step 4: Configure Nginx Reverse Proxy

Nginx sits in front of n8n, handling TLS termination and traffic routing. This shields n8n from direct internet exposure.

Create the Nginx site configuration:

sudo tee /etc/nginx/sites-available/n8n > /dev/null <<'EOF'
server {
    listen 80;
    server_name your-domain-name.com;

    location / {
        proxy_pass http://127.0.0.1:5678;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
EOF

Enable the site and reload Nginx:

sudo ln -s /etc/nginx/sites-available/n8n /etc/nginx/sites-enabled/
sudo rm -f /etc/nginx/sites-enabled/default
sudo nginx -t
sudo systemctl reload nginx

The nginx -t command validates your configuration syntax before reloading.

Step 5: Enable HTTPS with Let's Encrypt

Secure your n8n instance with automated HTTPS certificates:

sudo certbot --nginx -d your-domain-name.com

Certbot will:

• Validate domain ownership
• Generate and install a certificate
• Automatically redirect HTTP traffic to HTTPS
• Set up auto-renewal (runs daily)

Once complete, verify your instance:

https://your-domain-name.com

You should see the n8n login screen with a valid SSL certificate (green lock icon in your browser).

Step 6: Automate Database Backups

SQLite databases must be backed up off-VM to survive hardware failures. Azure Blob Storage is cost-effective and reliable.

Create Azure Storage Account

az storage account create \
  --name n8nbackup$(date +%s) \
  --resource-group rg-n8n-prod \
  --location <REGION> \
  --sku Standard_LRS

az storage container create \
  --account-name <STORAGE_ACCOUNT_NAME> \
  --name n8n-backups

Replace <STORAGE_ACCOUNT_NAME> with your storage account name (must be globally unique).

Create Backup Script

cat > /opt/n8n/backup.sh <<'EOF'
#!/bin/bash
set -e

TS=$(date +"%Y%m%d-%H%M%S")
SRC="/opt/n8n/data/database.sqlite"
ACCOUNT_NAME="<STORAGE_ACCOUNT_NAME>"
CONTAINER_NAME="n8n-backups"
BLOB_NAME="database-backup-${TS}.sqlite"

# Create temporary backup
cp $SRC /tmp/n8n-backup-${TS}.sqlite

# Upload to Azure Blob Storage
az storage blob upload \
  --account-name $ACCOUNT_NAME \
  --container-name $CONTAINER_NAME \
  --file /tmp/n8n-backup-${TS}.sqlite \
  --name $BLOB_NAME \
  --overwrite

# Cleanup
rm -f /tmp/n8n-backup-${TS}.sqlite

echo "Backup completed: $BLOB_NAME"
EOF

chmod +x /opt/n8n/backup.sh

Schedule Nightly Backups

crontab -e

Add this line to run backups at 2 AM daily:

0 2 * * * /opt/n8n/backup.sh >/dev/null 2>&1

Step 7: Post-Deployment Security Checklist

Before handing off to users, verify:

• ✅ Port 5678 is localhost-only: netstat -tlnp | grep 5678 should show 127.0.0.1
• ✅ HTTPS is enforced: HTTP requests redirect to HTTPS
• ✅ Diagnostics are disabled: N8N_DIAGNOSTICS_ENABLED=false in docker-compose.yml
• ✅ Encryption key is set: N8N_ENCRYPTION_KEY environment variable is populated
• ✅ Backups are running: Check /var/log/syslog for successful cron executions
• ✅ SSH is IP-restricted: NSG rules in Azure Portal limit port 22 to your IP range

Scaling Beyond Single-Instance Deployments

As automation demand grows, plan for evolution:

Upgrade to PostgreSQL when:

• Multiple concurrent users (>2) need simultaneous access
• Heavy workflow execution causes SQLite locking contention
• You need advanced backup and replication capabilities

Add Azure Application Gateway when:

• Traffic exceeds ~500 requests/minute
• You need Web Application Firewall (WAF) protection
• SSL termination should offload from the VM

Move to AKS (Kubernetes) when:

• You require high availability with zero-downtime deployments
• Multi-region failover is non-negotiable
• Cost optimization through resource sharing becomes critical

Common Deployment Pitfalls

Forgetting to rotate encryption keys strategically: n8n's encryption key cannot be rotated without data loss. Generate a strong key on day one and treat it like a database password.

Exposing port 5678 to the internet: Never open n8n directly to 0.0.0.0/0. Always route through Nginx with TLS.

Skipping automated backups: SQLite is reliable but not immune to VM failure. Off-VM backups are non-negotiable for production use.

Leaving SSH open: Restrict port 22 to your organization's IP range immediately. Unprotected SSH is the #1 vector for VM compromise.

Next Steps

Once your n8n instance is live:

1. Create workflows aligned to your automation priorities (invoice processing, data sync, alert routing, etc.) - see our guide to building AI agents with n8n for advanced implementation patterns
2. Configure credential storage securely - never hardcode API keys in workflows
3. Set up monitoring using Azure Monitor to track container health and resource utilization
4. Plan database growth by monitoring SQLite file size; move to PostgreSQL if growth exceeds 500 MB
5. Document runbooks for common operations: container restarts, backup recovery, certificate renewal

Get Help with n8n Deployment

Deploying production automation platforms involves significant architectural and operational considerations. If your organization lacks in-house Azure expertise or wants to accelerate time-to-value, consider engaging a cloud consulting partner. Hrishi Digital specializes in Azure deployments and AI automation implementations across Australian organizations - we can handle VM provisioning, security hardening, monitoring setup, and day-2 operations so your team focuses on automation strategy, not infrastructure. For broader enterprise AI strategy, we help organizations move beyond basic automation to agentic intelligence.

---

Related Articles

• Building AI Agents with n8n: Complete 2026 Implementation Guide - Take your n8n deployment further with intelligent automation
• n8n vs Make vs Zapier: Enterprise Automation Decision Framework - Compare platforms before committing to infrastructure
• Autonomous AI Agents in 2026: From Automation to Agentic Intelligence - Understand the broader AI automation landscape
• The 2025 Cloud Migration Reality: What Actually Works - Proven patterns for Azure deployments

---

Tags: n8n, Azure, Docker, Workflow Automation, DevOps, Cloud Infrastructure

Need expert help deploying n8n or optimizing your Azure infrastructure? Schedule a free 30-minute consultation with our cloud automation specialists. We'll assess your automation needs, review your current setup, and recommend a deployment strategy tailored to your business.