ZeroTier on Microsoft Azure
This guide covers basic configuration and troubleshooting for deploying ZeroTier on Microsoft Azure. For connecting Azure to on-premises resources, see Bridging.
Network Security Groups Configuration
Required Ports
ZeroTier needs the following ports. Outbound UDP is what the agent cannot work without; inbound UDP 9993 is what lets other members reach this VM directly instead of through a relay:
Inbound Rules:
- UDP 9993 - ZeroTier agent peer-to-peer traffic (open this; without it the VM is still reachable, but only via relays or through connections it initiates itself)
- TCP 443 - not needed inbound: the agent's TCP/443 relay fallback and the ZeroTier Central REST API are outbound connections from the VM. Open it only if the VM itself serves HTTPS.
- ICMP - network diagnostics (optional but recommended)
Outbound Rules:
- All traffic - the default AllowInternetOutBound NSG rule already permits this, and ZeroTier has to reach peers on whatever UDP port their NAT happened to assign
- If outbound must be restricted: UDP to any destination port (peers behind NAT do not all listen on 9993) plus TCP 443 for the relay fallback and the Central API
Example Network Security Group Configuration
For general firewall guidance, see Corporate Firewalls.
# Create Network Security Group for ZeroTier
az network nsg create \
  --resource-group myResourceGroup \
  --name zerotier-nsg \
  --location eastus
# Allow inbound UDP 9993 from any source so peers can reach this VM directly
az network nsg rule create \
  --resource-group myResourceGroup \
  --nsg-name zerotier-nsg \
  --name allow-zerotier \
  --direction Inbound \
  --protocol Udp \
  --priority 1000 \
  --source-address-prefixes '*' \
  --destination-port-ranges 9993 \
  --access Allow
# Outbound TCP 443 for the agent's relay fallback and the ZeroTier Central API.
# Only needed if outbound Internet traffic has been restricted; the default
# AllowInternetOutBound rule (priority 65001) already covers it otherwise.
az network nsg rule create \
  --resource-group myResourceGroup \
  --nsg-name zerotier-nsg \
  --name allow-https \
  --direction Outbound \
  --protocol Tcp \
  --priority 1001 \
  --destination-port-ranges 443 \
  --access Allow
The NSG has no effect until it is associated with the VM's network interface or with the subnet the VM sits in. NSG rules are evaluated in ascending priority order and the first match wins, so a broad Deny with a lower number than 1000 silently overrides the allow-zerotier rule.
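Because of the first-match semantics, the quickest way to catch a shadowed rule is to reason over the whole rule set the way the platform does. The script below is an added example, not part of the ZeroTier documentation or tooling: it evaluates the rules listed by an assumed az query (the --query projection is shown in the comments; the sample rule sets are constructed here) and reports which rule decides the fate of an inbound packet from an unknown Internet source.

```shell
#!/bin/sh
# Added example (not from the ZeroTier docs): evaluate what an Azure NSG does
# with an inbound packet from an unknown Internet source, the way the platform
# does it - rules are walked by ascending priority number and the first match wins.
# Input on stdin, one rule per line:
#   priority direction access protocol sourceAddressPrefix destinationPortRange
# which is what this query prints (tab-separated; awk splits on tabs and spaces alike):
#   az network nsg rule list -g myResourceGroup --nsg-name zerotier-nsg --include-default \
#     --query "[].[priority,direction,access,protocol,sourceAddressPrefix,destinationPortRange]" -o tsv
# Limits: a source of VirtualNetwork, AzureLoadBalancer, a CIDR or an ASG is treated
# as not matching an arbitrary peer, and rules written with the plural
# sourceAddressPrefixes/destinationPortRanges lists print as "None" and are skipped.
nsg_inbound_verdict() {   # usage: nsg_inbound_verdict <Udp|Tcp> <port>  < rules
  awk -v want_proto="$1" -v want_port="$2" '
    function port_match(range,   r) {
      if (range == "*") return 1
      if (index(range, "-")) {                     # "a-b" range
        split(range, r, "-")
        return (want_port + 0 >= r[1] + 0 && want_port + 0 <= r[2] + 0)
      }
      return (range ~ /^[0-9]+$/ && range + 0 == want_port + 0)
    }
    $2 == "Inbound" &&
    ($4 == "*" || toupper($4) == toupper(want_proto)) &&
    ($5 == "*" || $5 == "Internet") &&
    port_match($6) {
      if (!found || $1 + 0 < best) { best = $1 + 0; verdict = $3 }   # keep lowest priority number
      found = 1
    }
    END {
      if (found) printf "%s (rule priority %d)\n", verdict, best
      else       print "Deny (no matching rule; re-run the query with --include-default)"
    }'
}

# Constructed sample: the two rules this guide creates plus the Azure default inbound rules.
NSG_SAMPLE_OK='1000  Inbound  Allow Udp *                 9993
1001  Inbound  Allow Tcp *                 443
65000 Inbound  Allow *   VirtualNetwork    *
65001 Inbound  Allow *   AzureLoadBalancer *
65500 Inbound  Deny  *   *                 *
65001 Outbound Allow *   *                 *'
# Constructed sample: the same NSG after someone added a broad deny at a lower number.
NSG_SAMPLE_SHADOWED="900   Inbound  Deny  Udp Internet          1-65535
$NSG_SAMPLE_OK"

printf '%s\n' "$NSG_SAMPLE_OK"       | nsg_inbound_verdict Udp 9993   # Allow (rule priority 1000)
printf '%s\n' "$NSG_SAMPLE_SHADOWED" | nsg_inbound_verdict Udp 9993   # Deny (rule priority 900)
printf '%s\n' "$NSG_SAMPLE_OK"       | nsg_inbound_verdict Tcp 22     # Deny (rule priority 65500)
```

Run it against the real output of the az query shown in the comments; if the verdict for Udp 9993 is anything other than Allow at the priority you expect, the rule reported is the one to fix.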
Basic Virtual Machine Setup
VM Configuration
Install ZeroTier on the Azure VM. The one-liner pipes a downloaded script into a root shell; for production hosts prefer the GPG-verified variant of the installer that ZeroTier publishes on its download page, or install the package from ZeroTier's repository with your configuration management tooling:
# Ubuntu/Debian (the installer installs the package and starts the zerotier-one service)
curl -s https://install.zerotier.com | sudo bash
sudo zerotier-cli join [NETWORK_ID]    # 16-hex-digit network ID from ZeroTier Central
# CentOS/RHEL
curl -s https://install.zerotier.com | sudo bash
sudo systemctl enable zerotier-one     # make sure the agent comes back after a reboot
sudo zerotier-cli join [NETWORK_ID]
On a private network the VM shows ACCESS_DENIED in zerotier-cli listnetworks until you authorize its node in ZeroTier Central.
Verify Installation:
# Check ZeroTier status
sudo zerotier-cli info
# List networks
sudo zerotier-cli listnetworks
# Check peers
sudo zerotier-cli peers
NAT Gateway Considerations
Azure NAT Gateways can impact ZeroTier's peer-to-peer connectivity:
Issues:
- Symmetric NAT behaviour may prevent direct peer-to-peer connections; ZeroTier then falls back to relaying through its root servers
- Increased latency, because relayed traffic takes a detour through the root servers
- Higher bandwidth costs for relayed connections
Solutions:
- Give VMs that must peer directly an instance-level public IP in a subnet that is not associated with a NAT Gateway (Azure has no "public subnet" as such; direct reachability comes from the public IP plus the inbound UDP 9993 NSG rule)
- Configure routing so that ZeroTier traffic bypasses the NAT Gateway
- Use bridge nodes (see Bridging) so other VNet resources are reached through one well-connected VM instead of every host depending on the NAT Gateway
Testing NAT Connectivity
# Check current network status
sudo zerotier-cli listnetworks
# Verify connectivity type
sudo zerotier-cli peers | grep -E "DIRECT|RELAY"
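The grep above shows the link column but still leaves you reading root-server lines that are always direct. The script below is an added example, not part of ZeroTier: it parses the text output of zerotier-cli peers (constructed sample output, documentation IPs and made-up node addresses), counts only LEAF members, and exits non-zero when any member is relayed, which is the signal that the NSG or NAT Gateway is in the way.

```shell
#!/bin/sh
# Added example (not ZeroTier's own tooling): classify how this node reaches each
# peer from the text output of `sudo zerotier-cli peers`, whose columns are
#   ztaddr ver role lat link lastTX lastRX path
# Root servers (role PLANET/MOON) are skipped; only LEAF members tell you whether
# the NSG or NAT Gateway is forcing your traffic through relays.
# Exits 1 if any LEAF peer is relayed, so it can gate a health check.
zt_path_summary() {   # usage: sudo zerotier-cli peers | zt_path_summary
  awk '
    NR <= 2        { next }              # "200 peers" status line and column header
    $3 != "LEAF"   { next }
    $5 == "DIRECT" { direct++; printf "direct  %s latency=%sms path=%s\n", $1, $4, $8; next }
                   { relay++;  printf "RELAYED %s (no direct UDP path; check inbound UDP 9993 and NAT type)\n", $1 }
    END {
      printf "summary direct=%d relayed=%d\n", direct + 0, relay + 0
      exit (relay > 0 ? 1 : 0)
    }'
}

# Constructed sample output (documentation IPs, made-up node addresses).
ZT_PEERS_SAMPLE='200 peers
<ztaddr>   <ver>  <role> <lat> <link> <lastTX> <lastRX> <path>
1d71939404 1.12.2 LEAF      25 DIRECT 1014     1014     203.0.113.10/9993
7a2b3c4d5e 1.12.2 LEAF      41 DIRECT 2200     2199     198.51.100.7/41641
9ec2a4b1d0 -      PLANET    38 DIRECT 5678     5678     192.0.2.45/9993
abcdef0123 1.12.2 LEAF      -1 RELAY'

printf '%s\n' "$ZT_PEERS_SAMPLE" | zt_path_summary || echo "at least one member peer is relayed"
```

Note the second direct peer's path ends in /41641 rather than /9993: that is the port its NAT assigned, and it is why the outbound rule has to permit UDP to any destination port rather than 9993 alone.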
Simple Integration Examples
Basic Database Connectivity
Test connectivity to Azure SQL or other VNet resources. Avoid putting secrets on the command line: they land in shell history and are visible to other users via ps while the command runs. Omit the password flag to be prompted, or use Microsoft Entra ID authentication where the service supports it:
# Test Azure SQL connectivity (drop -P to be prompted for the password instead)
sqlcmd -S [SERVER_NAME].database.windows.net -U [USERNAME] -P [PASSWORD] -d [DATABASE]
# Test PostgreSQL connectivity (psql prompts for the password)
psql -h [SERVER_NAME].postgres.database.azure.com -U [USERNAME] -d [DATABASE]
File Share Access
# Mount Azure Files via SMB. The password is the storage account key; prefer
# -o credentials=<file> pointing at a root-owned mode 600 file so the key stays
# out of shell history and ps output.
sudo mount -t cifs //[STORAGE_ACCOUNT].file.core.windows.net/[SHARE] /mnt/azure \
  -o username=[USERNAME],password=[PASSWORD]
# Test blob storage access (no key on the command line)
az storage blob list --container-name [CONTAINER] --account-name [ACCOUNT]
Troubleshooting
Connectivity Issues
Check ZeroTier Status:
# View network status
sudo zerotier-cli listnetworks
# Check peers
sudo zerotier-cli peers
# View system logs
sudo journalctl -u zerotier-one -f
Verify Azure Network Security Groups:
# Check NSG rules
az network nsg show --resource-group [RESOURCE_GROUP] --name [NSG_NAME]
# Test reachability of a TCP service over the ZeroTier address (telnet and nc -z test TCP only;
# whether UDP 9993 gets through is best read from the DIRECT/RELAY column of zerotier-cli peers)
telnet [TARGET_IP] [PORT]
nc -zv [TARGET_IP] [PORT]
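The status words in the zerotier-cli output already point at the cause; the script below is an added example, not part of ZeroTier, that maps them to the next troubleshooting step. It parses the text output of zerotier-cli info (ONLINE, OFFLINE or TUNNELED) and zerotier-cli listnetworks (OK, ACCESS_DENIED, NOT_FOUND, REQUESTING_CONFIGURATION, PORT_ERROR) using constructed sample output with made-up node and network IDs.

```shell
#!/bin/sh
# Added example (not ZeroTier's own tooling): turn the raw status words from
# `zerotier-cli info` and `zerotier-cli listnetworks` into the next step to take.
# info:          200 info <ztaddr> <version> ONLINE|OFFLINE|TUNNELED
# listnetworks:  200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ips>
# Network names containing spaces shift the columns; for those use
# `zerotier-cli -j listnetworks` with a JSON parser instead.
# Exits 1 when any joined network is not in status OK.
zt_triage() {   # usage: { sudo zerotier-cli info; sudo zerotier-cli listnetworks; } | zt_triage
  awk '
    $2 == "info" {
      if      ($5 == "ONLINE")   print "node " $3 ": ONLINE"
      else if ($5 == "TUNNELED") print "node " $3 ": TUNNELED - UDP is blocked, agent fell back to TCP/443 relay; fix outbound UDP in the NSG or NAT path"
      else                       print "node " $3 ": " $5 " - no path to any root server; check outbound UDP 9993 and DNS"
      next
    }
    $2 == "listnetworks" && $3 != "<nwid>" {
      nwid = $3; st = $6
      if      (st == "OK")                       print "network " nwid ": OK, assigned " $9
      else if (st == "ACCESS_DENIED")            print "network " nwid ": ACCESS_DENIED - authorize this node in ZeroTier Central"
      else if (st == "NOT_FOUND")                print "network " nwid ": NOT_FOUND - the controller reports no such network; check the network ID"
      else if (st == "REQUESTING_CONFIGURATION") print "network " nwid ": REQUESTING_CONFIGURATION - controller not answering yet; check connectivity and wait"
      else if (st == "PORT_ERROR")               print "network " nwid ": PORT_ERROR - virtual interface could not be created; check kernel tun/tap support and permissions"
      else                                       print "network " nwid ": " st
      bad += (st != "OK")
    }
    END { exit (bad > 0 ? 1 : 0) }'
}

# Constructed sample: a node whose UDP is blocked, one healthy network and one not yet authorized.
ZT_STATUS_SAMPLE='200 info 1d71939404 1.12.2 TUNNELED
200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
200 listnetworks 9ec2a4b1d0000001 azure-prod 02:9a:1c:4e:7b:01 OK PRIVATE ztabcdef01 10.147.17.5/24
200 listnetworks 9ec2a4b1d0000002 lab 02:9a:1c:4e:7b:02 ACCESS_DENIED PRIVATE ztabcdef02 -'

printf '%s\n' "$ZT_STATUS_SAMPLE" | zt_triage || echo "one or more networks need attention"
```

TUNNELED is worth watching for on Azure specifically: the node looks connected and joins networks, but every packet is going over TCP/443 to a root server, which is the slow path the NAT Gateway section warns about.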
Performance Issues
Monitor Connection Types:
- Direct connections - Optimal performance
- Relayed connections - Higher latency, check NSG rules
Optimization Steps:
- Verify NSG rules allow UDP 9993
- Check for symmetric NAT issues
- Ensure VMs have direct internet access when possible
- Monitor CPU and network utilization
Common Issues
- Connection timeouts: Check NSGs and route tables
- Relayed traffic: Deploy in subnets with direct internet access
- High latency: Verify direct peer-to-peer connectivity
- Service unreachable: Confirm the target service is listening on the ZeroTier interface address (or on all interfaces) and that the host firewall on the target allows the port
This basic setup provides secure connectivity between Azure resources and other ZeroTier network members while maintaining simplicity and reliability.