Deploy an ArcGIS Server site on Microsoft Azure—ArcGIS Enterprise in the cloud

You can deploy a stand-alone ArcGIS Server site on Microsoft Azure and publish to it from ArcGIS Pro clients deployed in Microsoft Azure.

You can deploy one of the following stand-alone ArcGIS Server sites for the following roles:

GIS Server—Publish map, feature, geocoding, geometry, geoprocessing, network, and print services.
ArcGIS GeoEvent Server—Stream real-time data through GeoEvent services.
ArcGIS Image Server—Publish image services.

You need the following to deploy a stand-alone ArcGIS Server site on Microsoft Azure:

Microsoft Azure subscription
Esri images
ArcGIS Enterprise Cloud Builder for Microsoft Azure
ArcGIS Enterprise Cloud Builder for Microsoft Azure
The type of ArcGIS Server license needed for the server role—ArcGIS GIS Server, ArcGIS GeoEvent Server, or ArcGIS Image Server
An SSL certificate from a certifying authority that you have exported to a .pfx file and for which you have set up CNAME mapping to the domain you specify in Cloud Builder (optional, but recommended)

Get a Microsoft Azure subscription

A Microsoft Azure subscription and account are required to use Microsoft Azure infrastructure and services. Contact Microsoft to purchase a subscription.

Enable programmatic deployment of ArcGIS images

Before you can use the images from the Azure Marketplace, you must enable the programmatic deployment of ArcGIS. An administrator of your Azure subscription must enable programmatic deployment once for each type of ArcGIS image. This enables all current and future ArcGIS images of that type on the Azure Marketplace.

Sign in to the Azure portal.
Browse to the ArcGIS image in the Virtual Machine Marketplace.
1. Click Marketplace on the home screen.
2. Choose Virtual Machines.
3. Type arcgis in the search text box.
Choose the ArcGIS image you need from the search results.
Click Want to deploy programatically? Get Started at the bottom of the pane.
The Configure Programmatic Deployment pane appears.
Read the legal terms and Azure Marketplace Terms. If you accept the conditions, proceed with enabling programmatic deployment.
Click Enable for your subscription.
Click Save.

Your Azure subscription is now set to use an Esri image from Cloud Builder.

Configure a Windows Domain controller in your Azure environment (optional)

To use a Windows Domain controller with your deployment, you must configure it before you create the deployment.

To use a domain account to run the Windows services used by ArcGIS software, create that domain account before you create your deployment.

Obtain a license from Esri

To deploy an ArcGIS Server site, you need an ArcGIS Server license for the server role you are configuring.

Once these licenses are available to your account, you can download them from My Esri.

Install ArcGIS Enterprise Cloud Builder for Microsoft Azure

Download and install ArcGIS Enterprise Cloud Builder for Microsoft Azure 11.4.

Deploy a stand-alone site

Use ArcGIS Enterprise Cloud Builder for Microsoft Azure to deploy a stand-alone ArcGIS GeoEvent Server, GIS, or ArcGIS Image Server site on Microsoft Azure.

Steps are organized into subsections to help you navigate through Cloud Builder.

Connect and begin configuration of the ArcGIS Server site

Start Cloud Builder, sign in to your Microsoft Azure account, and choose to create a stand-alone ArcGIS Server site.

Start ArcGIS Enterprise Cloud Builder for Microsoft Azure.
Sign in to Microsoft Azure.
If you want to use the Microsoft Azure Government cloud and have an Azure Government subscription, check U.S. Government Cloud.
Note:
The account you use to connect must be assigned the following roles at a minimum:
- The Azure Reader role at the subscription scope level
- The Azure Contributor role at the resource group scope level if you will use resource groups that you create outside Cloud Builder
Choose an Entra ID tenant, click Next, choose a subscription in which to create a deployment, and click Next.
Ensure that the V2 Sites option is selected, and click Deploy a new site.
Choose Stand-Alone Server and choose the ArcGIS Server site role you require:
- GIS Server
- GeoEvent Server
- Image Server
Click Next to proceed to the Site Options settings.

Specify site options

Specify a resource group, choose how many machines to include in the site, choose the virtual machine image that will be used to create the machines, and, optionally, add user-assigned managed identities.

Choose a resource group or click the Add button to create a resource group for your site.
A resource group is a container that holds related resources for an application.
1. Provide an intuitive name for the resource group.
  The name can contain alphanumeric characters, dashes (-), underscores (_), parentheses (()), and dots (.).
2. Click Check availability to ensure that the name is unique and can be used for your resource group.
3. Choose a region for the resource group.
4. Click Create.
5. Once the resource group is created, click Close.
To avoid duplication of Azure resource names in resource groups, Cloud Builder allows you to prefix resources with a specified string. Check Prefix Azure Resource Manager (ARM) resource names with and provide up to three alphanumeric characters.
Cloud Builder automatically populates this value with a random two-character string. To change the string, type a different prefix to add to Azure resource names such as load balancers and availability sets.
Prefixes must start with an alphabetic character.
Adding a prefix avoids duplication of resource names and allows you to categorize resources according to your requirements for managing in the Azure portal or billing.
For disaster recovery configurations, create multiple resource groups with the same prefix.
Choose the machine image to use: an image provided by Esri, a managed image, an image in the Azure Compute Gallery, or an image you create.
The image must exist in the region in which you will create the deployment.
- To use an Esri image, choose the image from the drop-down list.
- To use an image from the image list, choose Managed images, and choose the image from the drop-down list.
- To use a machine image in the Azure Compute Gallery, choose the gallery from the Select gallery drop-down list, choose the machine image from the Select image drop-down list, choose the ArcGIS software version to include on the image from the Select version drop-down list, and choose the Azure region from the Select region list. The region should be the same as where your resource group is deployed.
- To create an image from a source VHD file, choose Managed images, and do the following:
1. Click the Add button next to Select image.
2. Provide a name for the image and click Check availability to ensure that the name is unique.
  The image name can contain only letters, numbers, underscores (_), dots (.), and hyphens (-). The name must start with a letter or number and end with a letter, number, or underscore.
3. Choose or create a resource group in which to store the image.
4. Choose the region in which to create the image.
  Use the same region that contains the .vhd file from which you create the image.
5. For Source disk, click the button to browse to the .vhd file in your storage account. Choose the storage account that contains the file, choose the file, and click OK.
  The storage accounts available on the Select image disk dialog box are based on the region you chose in the previous step.
6. Choose the type of image to create.
  HDD uses magnetic storage. SSD images use faster, solid-state drives.
7. For Size, choose the image size.
  The image size determines the minimum size of the operating system disk (C:\) of the virtual machine created from the image. You can increase the size of the provisioned disk for the virtual machine created from the image, but you cannot decrease the size below the image size.
  See the Microsoft Azure documentation for more information about Azure managed disks.
8. Click Create to create the image.
Once created, the image is available in the list of images the next time you create a deployment.
Optionally, add one or more user-assigned managed identities for authentication purposes when accessing an Azure Blob storage container used for the configuration store or cloud storage data stores.
1. Click the Add button in the Assign User Assigned Managed Identity section.
2. Choose the subscription that contains the identity.
3. Choose the user-assigned managed identity from the Identity drop-down list and click Add.
Tip:
A user-assigned managed identity is required if you will enable Azure Monitor Log Analytics.
The Azure Storage Blob Data Owner role and Storage Table Data Contributor role must be assigned to the user-assigned managed identity to access the configuration store. See the Microsoft Azure documentation for instructions to assign a role to a user-assigned managed identity.
Click Next to proceed to the Networking Options settings.

Set networking options

Choose or create a virtual network, its subnets, and IP address, and define how the site will communicate with external clients.

Choose an existing virtual network from the drop-down list or click the Create button to create a virtual network.
To create a virtual network using Cloud Builder, do the following:
1. Provide a name for the virtual network.
  Names must be unique within your Azure subscription.
2. Click Check availability to ensure that the name you provided is unique.
  If the name is unique, a check mark appears in the Name field.
3. Choose the range of TCP/IP addresses (the address space class) to be used by your virtual network.
  See the Microsoft documentation for more information about address classes.
4. Choose the CIDR value from the VM subnet IP count drop-down list to determine the maximum number of addresses to be used in your address space.
5. Click Create.
6. Once the virtual network is created, click Close.
Choose or create a subnet for your virtual network.
If you create a subnet, you must provide a unique name and an address range. See the Microsoft Azure documentation for information about virtual network subnet addresses.
Choose or create a second subnet for the Application Gateway subnet setting.
All V2 deployments are accessed through an Azure Application Gateway. Azure Application Gateways require a dedicated subnet.
The application gateway requires an IP address provided by Microsoft Azure, and the IP address must have a DNS name associated with it. Use one of the following:
- Existing public IP—Choose an IP address from the drop-down list.
  If you use an existing public IP address, the IP address must use a standard SKU. See the Microsoft Azure documentation for more information about public IP addresses and SKU.
- New public IP—Type a name for a public domain that ArcGIS Enterprise Cloud Builder for Microsoft Azure will create.
- New private IP—Type a name for a private IP address that Cloud Builder will create.
  Note:
  Before you can use this option, you must configure your Azure subscription to use preview features. See the Azure help for information.
  Also, you must configure DNS entries for the private IP that will be allocated dynamically from the Application Gateway subnet before you use this option.
The domain name is in the format mydomain.<location>.cloudapp.azure.com.
Domain names must be unique in an Azure region. A green check mark appears if your domain name is unique.
Note:
To use a certificate authority-issued SSL certificate, the domain name must match the CNAME mapping you configured for the certificate.
Choose one of the following options for external communication:
- Use a Network Address Translaton (NAT) service—To use this option, the NAT service must already exist in your account. Choose the service from the drop-down list.
- Load balancer—Cloud Builder will create a load balancer to use for outbound communication.
Read Microsoft Azure documentation for information about these options.
Click Next to proceed to the Certificate Options settings.

Use SSL certificates

For sites used in production environments, use an SSL certificate issued by a certificate authority (CA).

Specify the SSL certificate to use for the ArcGIS Server site.
Esri recommends that you use a certificate issued by a CA.
- To use a CA certificate, choose Certificate issued by a Certificate Authority and proceed to the next step.
- If you are setting up an ArcGIS Server site for testing purposes and choose not to use a CA certificate, choose Self Signed Certificate (Automatically generated) and click Next to proceed to the Machine Options settings.
  Cloud Builder will generate a self-signed certificate for your virtual machines. People connecting to your ArcGIS Server site and services will receive warnings that the site is not trusted if you use a self-signed certificate.
Choose one of the following to specify the .pfx file that you exported from your certificate:
- From file—Type or browse to the .pfx file in the Pfx file field, and, in the Password field, type the password configured for the file.
- From key vault—Specify the Azure key vault where the CA certificate is stored, and choose the certificate file using the Certificate drop-down list.
  Note:
  You can only choose a CA certificate that you uploaded to the key vault using Cloud Builder when you created another deployment. If this is the first time using this certificate, choose the key vault from the drop-down list, click the Create button next to the Certificate drop-down list, and upload the certificate.
Click Next to proceed to the Machine Options settings.

Specify machine options

Specify credentials for the virtual machine administrator and enable optional machine settings such as remote desktop access, automatic shutdown, and automatic operating system updates. You can also add the machines to an existing domain in Azure.

Additional options on this Cloud Builder window vary depending on whether you create a single-machine or multiple-machine site and what type of site you create.

Provide a username and password for Machine administrator.
This is the Windows login you will use to administer the virtual machines in the site, and you will need it when you upgrade the deployment. The same login and password are used for all machines in the site.
The username must contain three or more characters and contain no spaces, and it cannot be admin or administrator. The password must meet Windows Server complexity requirements.
Choose the time zone you want your virtual machines to use.
If you have an existing Windows Domain in your Azure environment to which you want to add your machine (or machines), click Domain join options.
1. On the Domain Join Options dialog box, check the Join existing Windows domain check box.
2. Provide the name of the Entra ID domain.
3. Provide the username and password for the domain administrator.
4. Click Apply.
If you check the Enable automatic operating system updates check box, Microsoft Azure will apply updates to the operating systems on your virtual machines.
Optionally, check Enable trusted launch to secure the virtual machines in the deployment.
This option is only available if you use a compute gallery image or Esri image to create the deployment. Refer to Microsoft Azure documentation for a description of trusted launch functionality.
You can additionally enable the following options for trusted launch:
- Enable secure boot
- Enable vTPM
If you do not require access to your deployment during specific hours of the day, you can configure the machines to shut down at a specific time each day. To do this, check the Enable daily automatic shutdown check box and set the shutdown time from the drop-down list.
The time is in the time zone you chose for the virtual machines.
Shutting down machines allows you to save money because the machines are not running when you do not need them. However, the machines do not automatically restart; you must restart each machine in the deployment when you need them again. You can restart the machines from Cloud Builder or the Microsoft Azure portal.
Optionally, check the Remove extra artifacts and setups from virtual machines to uninstall and delete files for an ArcGIS Enterprise component that is not used.
Esri imaged contain all ArcGIS Enterprise components. Checking this option will remove the unused components from each machine in the site, such as ArcGIS Data Store and Portal for ArcGIS.
To directly sign in to your virtual machines, check Enable remote desktop access using a jumpbox host and port 3389.
In a deployment that contains multiple machines, the remote desktop connection provides access to the file share machine. To access the other machines in the deployment, connect to the file share machine and, from there, use remote desktop connections to the other machines using the machine host names, fully qualified domain names, or IP addresses.
Click Next to define where system directories will persist.

Define the location of ArcGIS Server directories

Choose where to create the ArcGIS Server configuration store and directories.

To keep the ArcGIS Server configuration store and directories in a shared directory on a virtual machine, follow these steps:
1. Choose Store server configuration store and server directories on a file share.
2. Choose one of the following options for the virtual machine.
  - File share on first machine—Uses a shared directory on the first machine created for the ArcGIS Server site.
  - File share on separate virtual machine—Uses a shared directory on an additional virtual machine that Cloud Builder will create.
  - Existing file share path—Provide the path to a file share on an existing virtual machine.
To keep the ArcGIS Server configuration store in a cloud storage location and the ArcGIS Server directories in a shared directory, follow the steps below:
1. Choose Store server configuration store in cloud storage and the server directories on a file share.
2. Choose one of the following options for the virtual machine for the ArcGIS Server directories.
  - File share on first machine—Uses a shared directory on the first machine created for the ArcGIS Server site.
  - File share on separate virtual machine—Uses a shared directory on an additional virtual machine that Cloud Builder will create.
  - Existing file share path—Provide the path to a file share on an existing virtual machine.
3. In the Cloud Storage Options section, choose a storage account from the drop-down list, or click the Create button and define a new storage account.
4. Choose an authentication type to access the storage account.
  - ServicePrincipal—If you configured a service principal for the account specified in the previous step, provide the tenant ID, client ID, and client secret for the service principal. See Microsoft Azure help for an explanation of service principals.
    The Azure Storage Blob Data Owner role and Storage Table Data Contributor role must be assigned to the service principal.
  - AccessKey—When you choose this option, Cloud Builder will obtain the access key for the account.
  - UserAssignedIdentity—To use this option, you must have added a user-assigned managed identity when you defined site options. Choose the identity from the drop-down list.
Click Next.
- If you're creating a GIS Server site or ArcGIS Image Server site, clicking Next takes you to the Database Options settings.
- If you're creating a GeoEvent Server, clicking Next takes you to the Machine Specifications settings.

Choose database options

You can register a database with a GIS Server site or ArcGIS Image Server site when you create the site. Use the database to store source data for ArcGIS Server web services.

When you register a database when you create the site, the database always contains an enterprise geodatabase.

You can upload data to this enterprise geodatabase on Azure to use with ArcGIS Pro and ArcGIS Server sites on Azure.

Tip:

You can use Cloud Builder to add a database to an ArcGIS Server site after you deploy the site. When you register the database after creating the site, you have additional options for registration. When registering a database with an ArcGIS Image Server site, the database must contain a geodatabase and it cannot be registered as a managed database.

Choose the type of database to register with the site.
- If you do not want to register a database with the site at this time, choose None from the Database type drop-down menu and proceed to the next step.
- If you choose a database service (Microsoft Azure SQL Database, Microsoft Azure SQL Managed Instance, or Microsoft Azure Database for PostgreSQL), create or choose an existing database server and database, and provide a username and password for the database administrator and a username and password for a user who has permissions to create data in the database.
  If these resources don't exist, Cloud Builder will create them.
  Note:
  Cloud Builder only creates Flexible Server instances of Microsoft Azure Database for PostgreSQL. However, if you have an existing single-server instance, you can choose it from the Database server drop-down menu.
- If you choose Microsoft SQL Server, follow these steps to create and register a database:
1. In the Database server field, provide a name for the virtual machine that will host the Microsoft SQL Server database.
2. In the Database field, provide a name for the database.
  The name must meet SQL Server requirements.
3. Choose a SQL Server version from the Image drop-down menu.
4. Use the default machine type and size, or click the Configure virtual machine button to specify the disk types, machine type, and disk sizes for the virtual machine. Click Apply to save the machine settings.
5. Type a username and password for the database administrator.
  This username and password will also be used for the machine administrator.
6. Type a username and password for a database user who will have permissions to create objects in the database.
Click Next.

Add a cloud storage data store

If you're creating a GIS Server site or ArcGIS Image Server site, you can register a cloud storage location with the site. This is similar to registering a cloud store in ArcGIS Server Manager.

Click the Add button .
Click the Browse button to choose a folder in an existing Blob storage container or create a container.
The Select Blob Container window appears.
Choose an existing storage account from the Storage account drop-down list or click the Create button to create an account.
From the Authentication type drop-down list, choose the method to use to authenticate connections to the container.
- AccessKey—When you choose this option, Cloud Builder will obtain the access key for the account.
- UserAssignedIdentity—This option is available if you added a user-assigned managed identity to the machines in the deployment when you configured the site options. If you choose this option, choose one of the identities from the Identity drop-down list.
- SASToken—Provide the token in the SAS Token field. See the Microsoft Azure help for information about SAS tokens for Blob storage containers.
- ServicePrincipal—If you configured a service principal for the account used for the deployment, provide the tenant ID, client ID, and client secret for the service principal. See the Microsoft Azure help for an explanation of service principals.
  To use the storage location as a raster store or to store service caches, the Azure Storage Blob Data Contributor role must be assigned to the service principal. To use the storage location as a user-managed cloud storage data store, the Azure Storage Blob Data Reader role must be assigned to the service principal.
Choose an existing folder or subfolder in the storage account or click the Create a container button to define a new container name.
Click OK to close the Select Blob Container window.
Optionally, for ArcGIS Image Server sites, check the box next to one of the following options to register the cloud storage location for additional uses:
- Register as raster store—Registers the cloud storage location to store output from raster analysis tools.
- Register as cache directory—Registers the cloud storage location to be used by the ArcGIS Image Server site to build and store caches for the cached image services that are published to the site.
Optionally, for GIS Server sites, check the Register as cache directory check box to use the cloud storage location to build and store caches for cached map services (map image layers) that are published to the GIS Server site.
Click Add to register the cloud storage location with the site as a data store.
Click Next to proceed to Machine Specifications settings.

Customize machine names, numbers, and sizes

You can specify the number of machines in the ArcGIS Server site, the names of the machines in the site, the name of the file server machine, and the specifications for each of the machines.

Note:

ArcGIS GeoEvent Server sites always contain only one machine.

Click the plus (+) or minus (-) buttons to change the number of machines in the ArcGIS Server site.
You can type a different name for any of the machines in the deployment.
Note:
All machines in the same deployment should include the same two- or three-character prefix.
To change the type and size of any of the virtual machines, and to add disks to any of the machines, click the Configure virtual machine button .
Click Next to proceed to the License and Credentials settings.

Specify the license and credentials

Specify the ArcGIS Server license file, a URL context for the site, as well as authentication information for the site and Windows service administrators.

Browse to the location of your ArcGIS GIS Server, ArcGIS GeoEvent Server, or ArcGIS Image Server license file.
Provide a context name for the ArcGIS Server site's URL. The context is the identifier in the URL that routes you to the correct site.
For example, in the following URL, mygisserver is the context: https://mydeployment.example.com/mygisserver.
Provide a username and password for the site administrator.
This is the ArcGIS Server primary site administrator account. Keep track of this information, because you will need it when you manage the deployment.
Provide a username and password for the ArcGIS service account, which is the Windows login under which the ArcGIS Server service will run.
Keep track of this information, because you will need it when you manage the deployment.
Click Next to proceed to the Deployment Options settings.

Specify deployment options

Deployment options include specifying storage locations for deployment artifacts and choosing logging settings.

Choose or create a storage account for your deployment. To create a storage account, do the following:
1. Provide a name for the storage account.
  Names must be unique. Click Check availability to confirm that the storage account name is unique.
2. Choose the Azure region where your storage will reside.
3. Choose an existing resource group for the storage account or click the Create button to create one.
4. Choose the type of redundancy for your storage account: Geo-Redundant, Locally Redundant, or Read-Access Geo-Redundant.
  See Azure Storage redundancy in the Microsoft Azure documentation for a description of each option.
5. Specify the kind of Azure storage account to use: Storage (a legacy account type), StorageV2 (a basic account type), or BlobStorage (only supports Azure Blob storage).
6. Once the storage account is created, click Close.
Optionally, enable monitoring for the site by checking the box next to Enable monitoring using Azure Monitor Log Analytics.
1. Choose or create a workspace where log analytics will be stored.
2. Optionally check the box next to Enable ArcGIS Server logs that can be transferred to Azure Monitor to copy ArcGIS Server log files to Azure Monitor.
3. From the Azure monitoring agent user ID drop-down list, choose the user-assigned managed identity you specified with the site options.
  This information is required to enable Azure Monitor Log Analytics.
Click Next to view a summary of your settings.

Review the summary and deploy the site

Ensure the stand-alone ArcGIS Server deployment contains what you need and create the deployment.

You can also estimate costs for the infrastructure you chose and export the deployment options so you can automate the creation of future stand-alone sites.

Review the settings in the Summary pane. If anything needs to be changed, click Back to go to the page where you need to change the information.
Tip:
Click Save summary to save your site configuration information to a text file so you can refer to it for information such as usernames or machine names.
Click Generate cost estimate to calculate the approximate cost of the Azure infrastructure you will use in your deployment. When you finish generating the estimate, click Close.
This estimate does not include data storage costs.
Click Save automation artifacts to export an archive file (.zip file) containing information and files you can use in automation scripts to re-create this deployment.
1. Browse to a location on the local disk where the archive file will be created and type a name for the file.
2. Choose the type of automation format you will use.
3. Click Generate to create the file.
When all settings are correct and you have saved the files you need, click Finish to create your ArcGIS Server site.

When the site successfully deploys, a link to ArcGIS Server Manager appears in the message box. To connect to Server Manager at a later time, use the URL format https://<DNS_name>.<region>.cloudapp.azure.com/arcgis/manager.

If you created an ArcGIS GeoEvent Server site, open Global Settings in ArcGIS GeoEvent Manager and set the REST Receiver Base URL to the external fully qualified domain name for the site (https://<fqdn>/).

If you want to configure Entra ID as a SAML-based identity provider for your ArcGIS Server site, do so now. See Configure Entra ID in the ArcGIS/idp GitHub repository for instructions.

Feedback on this topic?

Get a Microsoft Azure subscription

Enable programmatic deployment of ArcGIS images

Configure a Windows Domain controller in your Azure environment (optional)

Obtain a license from Esri

Install ArcGIS Enterprise Cloud Builder for Microsoft Azure

Deploy a stand-alone site

Connect and begin configuration of the ArcGIS Server site

Note:

Specify site options

Tip:

Set networking options

Note:

Note:

Use SSL certificates

Note:

Specify machine options

Define the location of ArcGIS Server directories

Choose database options

Tip:

Note:

Add a cloud storage data store

Customize machine names, numbers, and sizes

Note:

Note:

Specify the license and credentials

Specify deployment options

Review the summary and deploy the site

Tip:

In this topic