Skip to content


This page describes the infrastructure and other prerequisites for deploying Tower on Microsoft Azure.

Tower container images#

Seqera Labs publishes Nextflow Tower Enterprise containers to a private Azure Container Registry instance.

  1. Acquire credentials from Seqera Labs

    Customers who chose to retrieve their Tower Enterprise containers from Seqera's Azure Container Registry will be supplied with a user id and authentication token during the onboarding process.

  2. Retrieve a local copy of the container

    Clients using the docker-compose deployment method must retrieve container copies for local use.

    1. Authenticate Docker against the Seqera Azure Container Registry.

      # Replace USER and TOKEN with the credentials supplied by Seqera Labs
      docker login -u USER -p TOKEN

    2. Pull the containers to your local instance

      export REPOSITORY_URL=""
      export TAG="v22.1.5"
      docker pull ${REPOSITORY_URL}/backend:${TAG}
      docker pull ${REPOSITORY_URL}/frontend:${TAG}

Mandatory prerequisites#

Azure Resource Group#


Learn more about Azure Resource Group

  1. Sign in to the Azure portal.

  2. Select Resource groups.

  3. Select Add.

  4. Enter the following values:

    • Subscription: Select your Azure subscription.

    • Resource group: Enter a new resource group name (Seqera documentation uses nftowerrg).

    • Region: Select the Region where your assets will exist (e.g. East US).

  5. Click Review and Create.

  6. Click Create.

Azure Storage Account#


Learn more about Azure Storage Account

Create an Azure Storage Account.

  1. Sign in to the Azure portal.

  2. Select Storage accounts.

  3. Select Create.

  4. Enter the following values:

    • Subscription: Select your Azure subscription.

    • Resource group: Enter your resource group name (e.g. nftowerrg).

    • Storage account name: Enter a new storage account name (_Seqera documentation uses nftowerstorage).

    • Region: Select the same Region as where your Resource Group exists (e.g. East US).

    • Performance: Select Standard.

    • Redundancy: Select `Geo-redundant storage (GRS)

  5. Click Review + create. Please note that the default values are used in the other tabs. See the Azure documentation for further details on each setting.

  6. Click Create.

SMTP server#

If you do not have an email server, you may wish to use configure Microsoft 365 service or choose to integrate with 3rd party service such as SendGrid as recommend my Microsoft for sending emails from Azure VMs.

MySQL database#

If you do not have a database, you may wish to use Azure Database for MySQL.


You might have to generate the schema and user manually in the database. The instructions are mentioned in the database configuration section. Once this setup is done, please the USER@HOSTNAME format to specify the in TOWER_DB_USER env variable.


For Azure managed MySQL, it is recommended to pass an explicit serverTimezone to the TOWER_DB_URL env variable which depending on your configuration could be UTC and therefore the connection string should look like jdbc:mysql://

VM instance (Docker Compose)#

A Linux VM instance is required to deploy Tower via Docker Compose.

We recommend the following VM settings:

  1. Use default values unless otherwise specified.
  2. Provision at least 2 CPUS and 8GB RAM.
  3. Use the Ubuntu Server 20.04 LTS - Gen2 image.
  4. Ensure your VM is accessible by SSH.
  5. Do not implement DNS or Load Balancing directly against the VM (do so via Azure Application Gateway).

During VM creation, please ensure the following:

  1. Click the Basics Tab:

    1. Ensure your Region is the same as your Resource group.
    2. Do not set the VM as an Azure Spot instance.
    3. Ensure your Security Group allows ingress on Port 8000.
  2. Click the Disks Tab:

    1. Ensure your OS disk type is Standard SSD.
  3. On the Network Tab:

    1. Ensure that a Public IP is assigned to the VM.
    2. Do not place the VM in the backend pool of an existing load balancing solution.
  4. Click the Review + create button.

  5. Click the Create button.

Make VM IP Static#

  1. Type Public IP addresses in the search.

  2. Under Services, select Public IP addresses.

  3. In the Public IP addresses page, select the entry containing your VM name. A page opens with that IP's details.

  4. Click the Configuration setting from lefthand navigation panel. The Configuration page opens.

  5. Modify as follows:

    1. Ensure that your IP address assignment is Static.
    2. Do not add a custom DNS name label to the VM.

Allow Ingress on Port 8000#

  1. Type Virtual Machines in the search.

  2. Under Services, select Virtual machines.

  3. In the Virtual machines page, select your VM name to navigate to the VM details.

  4. Click the Networking setting from lefthand navigation panel.

  5. Modify as follows:

    1. Add inbound port rule for Port 8000

AKS cluster (Kubernetes)#

An Azure Kubernetes Service (AKS) cluster is required to deploy Tower via Kubernetes. Refer to the AKS documentation for instructions on how to provision your own cluster.

HTTPS redirects

If you'd like to customize your cluster's Ingress Controller to support HTTPS redirects and TLS certificates, please refer to the instructions.

Optional prerequisites#

SSL certificate#

Required to handle HTTPS to your Tower instance.


As of Tower Enterprise v22.1.x, HTTP-only implementations must set the following environment variable in their Tower hosting infrastructure in order for users to be able to successfully log in: TOWER_ENABLE_UNSAFE_MODE=true.

While there are many ways to implement DNS and TLS-termination, Seqera recommends using the specialized native services offered by your cloud provider. In the case of Azure:

  • Use Application Gateway for TLS-termination and load-balancing.
  • Use App Service Domains for domain acquisition.
  • Use Azure DNS for domain record management.
  • Use Azure Vault for PKI certificate storage.

These decisions should be made now because they impact how Tower configuration files are updated.

Back to top